Merge pull request #3138 from rn/rel_v0.6

Release prep for v0.6
Update CHANGELOG
2026-03-20 09:47:12 +00:00 · 2018-07-27 00:03:32 +01:00 · 2018-07-26 21:10:37 +01:00 · 2018-07-26 21:02:29 +01:00 · 2018-07-26 21:01:59 +01:00 · 2018-07-26 21:00:24 +01:00
2233 changed files with 188139 additions and 31689 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -3,7 +3,7 @@ jobs:
  build:
    working_directory: /go/src/github.com/linuxkit/linuxkit
    docker:
-      - image: circleci/golang:1.9-stretch
+      - image: circleci/golang:1.10-stretch
    steps:
      - checkout
      - run: mkdir -p ./bin
@@ -33,6 +33,12 @@ jobs:
            GOOS: linux
            GOARCH: arm64
          command: make LOCAL_TARGET=bin/linuxkit-$GOOS-$GOARCH local-build
+      - run:
+          name: Build s390x/linux
+          environment:
+            GOOS: linux
+            GOARCH: s390x
+          command: make LOCAL_TARGET=bin/linuxkit-$GOOS-$GOARCH local-build
      - run:
          name: Build amd64/darwin
          environment:
--- a/.mailmap
+++ b/.mailmap
@@ -6,6 +6,7 @@
 #
 # For explanation on this file format: man git-shortlog

+Alice Frosi <alice@linux.vnet.ibm.com> <alice@linux.vnet.ibm.comx>
 Amir Chaudhry <amir.chaudhry@docker.com> <amirmc@gmail.com>
 Anil Madhavapeddy <anil.madhavapeddy@docker.com> <anil@recoil.org>
 Dan Finneran <dan@thebsdbox.co.uk> <dan@dev.fnnrn.me>
@@ -20,9 +21,11 @@ Dave Tucker <dt@docker.com> <dave@dtucker.co.uk>
 David Gageot <david.gageot@docker.com> <david@gageot.net>
 David Sheets <david.sheets@docker.com> <dsheets@docker.com>
 David Sheets <david.sheets@docker.com> <sheets@alum.mit.edu>
+Eric Briand <eric.briand@gmail.com>
 Ian Campbell <ian.campbell@docker.com> <ijc25@users.noreply.github.com>
 Ian Campbell <ian.campbell@docker.com> <ijc@docker.com>
 Ian Campbell <ian.campbell@docker.com> <ijc@users.noreply.github.com>
+Ian Campbell <ian.campbell@docker.com> <ijc@lxdeb01.marist.edu>
 Isaac Rodman <isaac@eyz.us> <isaac.rodman@healthtrio.com>
 Isaac Rodman <isaac@eyz.us>
 Istvan Szukacs <l1x@users.noreply.github.com>
@@ -30,10 +33,12 @@ Jeff Wu <jeff.wu.junfei@gmail.com> <JeffWuBJ@users.noreply.github.com>
 Jeremy Yallop <yallop@docker.com> <yallop@gmail.com>
 Justin Cormack <justin.cormack@docker.com> <justin.cormack@unikernel.com>
 Justin Cormack <justin.cormack@docker.com> <justin@specialbusservice.com>
+Justin Barrick <jbarrick@cloudflare.com>
 Ken Cochrane <ken.cochrane@docker.com> <KenCochrane@gmail.com>
 Magnus Skjegstad <magnus.skjegstad@docker.com> <magnus@skjegstad.com>
 Marten Cassel <marten.cassel@gmail.com> <mcpop28@hotmail.com>
 Mindy Preston <mindy.preston@docker.com> <meetup@yomimono.org>
+MinJae Kwon <mingrammer@gmail.com>
 Nathan Dautenhahn <ndd@seas.upenn.edu> <ndd@cis.upenn.edu>
 Nathan LeClaire <nathan.leclaire@docker.com> <nathan.leclaire@gmail.com>
 Nathan LeClaire <nathan.leclaire@docker.com> <nathanleclaire@gmail.com>
@@ -42,12 +47,15 @@ Pierre Gayvallet <pierre.gayvallet@docker.com> <pierre.gayvallet@gmail.com>
 Radu Matei <matei.radu94@gmail.com>
 Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com> <riyazdf@berkeley.edu>
 Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com> <riyazdf@gmail.com>
-Rolf Neugebauer <rolf.neugebauer@docker.com> <rneugeba@users.noreply.github.com>
-Rolf Neugebauer <rolf.neugebauer@docker.com> <rn@users.noreply.github.com>
-Rolf Neugebauer <rolf.neugebauer@docker.com> <rolf.neugebauer@gmail.com>
+Robin Winkelewski <w9ncontact@gmail.com>
+Rolf Neugebauer <rn@rneugeba.io> <rneugeba@users.noreply.github.com>
+Rolf Neugebauer <rn@rneugeba.io> <rn@users.noreply.github.com>
+Rolf Neugebauer <rn@rneugeba.io> <rolf.neugebauer@gmail.com>
+Rolf Neugebauer <rn@rneugeba.io> <rolf.neugebauer@docker.com>
 Sebastiaan van Stijn <sebastiaan.vanstijn@docker.com> <github@gone.nl>
 Simon Ferquel <simon.ferquel@docker.com> <simon.ferquel@hotmail.fr>
 Thomas Gazagnaire <thomas.gazagnaire@docker.com> <thomas@gazagnaire.com>
 Thomas Gazagnaire <thomas.gazagnaire@docker.com> <thomas@gazagnaire.org>
+Tiejun Chen <tiejun.china@gmail.com> <tiejunc@vmware.com>
 Vincent Demeester <Vincent.Demeester@docker.com> <vincent@sbr.pm>
 Vincent Demeester <Vincent.Demeester@docker.com> <vdemeester@docker.com>
--- a/31
+++ b/31
@@ -3,12 +3,19 @@

 Ajeet Singh Raina, Docker Captain, {Code} Catalysts, Dell EMC R&D <ajeetraina@gmail.com>
 Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
+Alan Raison <alanraison@users.noreply.github.com>
+Alex Ellis <alexellis2@gmail.com>
 Alex Johnson <hello@alex-johnson.net>
+Alexander Slesarev <alex.slesarev@nudatasecurity.com>
+Alice Frosi <alice@linux.vnet.ibm.com>
 Amir Chaudhry <amir.chaudhry@docker.com>
 Anil Madhavapeddy <anil.madhavapeddy@docker.com>
 Avi Deitcher <avi@deitcher.net>
 Bill Kerr <bill@generalbill.com>
+Brice Figureau <brice-puppet@daysofwonder.com>
 Carlton-Semple <carlton.semple@ibm.com>
+Chanwit Kaewkasi <chanwit@gmail.com>
+Craig Ingram <cingram@heroku.com>
 Damiano Donati <damiano.donati@gmail.com>
 Dan Finneran <dan@thebsdbox.co.uk>
 Daniel Caminada <daniel.caminada@ergon.ch>
@@ -24,8 +31,12 @@ David Sheets <david.sheets@docker.com>
 Dennis Chen <dennis.chen@arm.com>
 Dieter Reuter <dieter.reuter@me.com>
 Edward Vielmetti <edward.vielmetti@gmail.com>
+Emily Casey <ecasey@pivotal.io>
 Eric Briand <eric.briand@gmail.com>
+Evan Hazlett <ejhazlett@gmail.com>
 French Ben <frenchben@docker.com>
+functor <meehow@gmail.com>
+Garth Bushell <garth.bushell@oracle.com>
 George Papanikolaou <g3orge.app@gmail.com>
 Gianluca Arbezzano <gianarb92@gmail.com>
 Guillaume Rose <guillaume.rose@docker.com>
@@ -34,6 +45,7 @@ Ian Campbell <ian.campbell@docker.com>
 Ilya Dmitrichenko <errordeveloper@gmail.com>
 Isaac Rodman <isaac@eyz.us>
 Istvan Szukacs <l1x@users.noreply.github.com>
+Ivan Markin <sw@nogoegst.net>
 Jason A. Donenfeld <Jason@zx2c4.com>
 Jeff Wu <jeff.wu.junfei@gmail.com>
 Jeffrey Hogan <jeff.hogan1@gmail.com>
@@ -42,8 +54,11 @@ Jes Ferrier <jes.ferrier@gmail.com>
 Jesse Adametz <jesseadametz@gmail.com>
 John Albietz <inthecloud247@gmail.com>
 Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
+Justin Barrick <jbarrick@cloudflare.com>
 Justin Cormack <justin.cormack@docker.com>
+Justin Ko <justin.ko@oracle.com>
 Ken Cochrane <ken.cochrane@docker.com>
+Krister Johansen <krister.johansen@oracle.com>
 Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>
 Liqdfire <liqdfire@gmail.com>
 Lorenzo Fontana <lo@linux.com>
@@ -53,6 +68,7 @@ Magnus Skjegstad <magnus.skjegstad@docker.com>
 Marco Mariani <marco.mariani@alterway.fr>
 Marcus van Dam <marcus@marcusvandam.nl>
 marten <marten.cassel@gmail.com>
+Mathieu Champlon <mathieu.champlon@docker.com>
 Mathieu Pasquet <mathieu.pasquet@alterway.fr>
 Matt Bajor <matt.bajor@workday.com>
 Matt Bentley <matt.bentley@docker.com>
@@ -60,38 +76,49 @@ Matt Johnson <matjohn2@cisco.com>
 Michel Courtine <michel.courtine@docker.com>
 Mickaël Salaün <mic@digikod.net>
 Mindy Preston <mindy.preston@docker.com>
+MinJae Kwon <mingrammer@gmail.com>
 Natanael Copa <natanael.copa@docker.com>
 Nathan Dautenhahn <ndd@seas.upenn.edu>
 Nathan LeClaire <nathan.leclaire@docker.com>
 Nick Jones <nick@dischord.org>
 Niclas Mietz <niclas@mietz.io>
 Nico Di Rocco <dirocco.nico@gmail.com>
+Olaf Bergner <olaf.bergner@gmx.de>
 Olaf Flebbe <of@oflebbe.de>
+Patrik Cyvoct <patrik@ptrk.io>
 Phil Estes <estesp@linux.vnet.ibm.com>
 Pierre Gayvallet <pierre.gayvallet@docker.com>
+Pratik Mallya <mallya@us.ibm.com>
 Radu Matei <matei.radu94@gmail.com>
 Richard Mortier <mort@cantab.net>
 Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
 Robb Kistler <robb.kistler@docker.com>
-Rolf Neugebauer <rolf.neugebauer@docker.com>
+Robin Winkelewski <w9ncontact@gmail.com>
+Rolf Neugebauer <rn@rneugeba.io>
+Roman Shaposhnik <rvs@zededa.com>
 Rui Lopes <rgl@ruilopes.com>
 Ryoga Saito <proelbtn@gmail.com>
+Scott Coulton <scott.coulton@puppet.com>
 Sebastiaan van Stijn <sebastiaan.vanstijn@docker.com>
 Simon Ferquel <simon.ferquel@docker.com>
 Sotiris Salloumis <sotiris.salloumis@gmail.com>
+Steeve Morin <steeve.morin@gmail.com>
 Stefan Bourlon <stefan.bourlon@ca.com>
 Stephen J Day <stephen.day@docker.com>
 Steve Hiehn <shiehn@pivotal.io>
+Sukchan Lee <acetcom@gmail.com>
 Theo Koulouris <theo.koulouris@hpe.com>
 Thomas Conte <thomas@conte.com>
 Thomas Gazagnaire <thomas.gazagnaire@docker.com>
 Thomas Leonard <thomas.leonard@docker.com>
 Thomas Shaw <tomwillfixit@users.noreply.github.com>
 Tiago Pires <tandrepires@gmail.com>
+Tiejun Chen <tiejun.china@gmail.com>
 Tim Potter <tpot@hpe.com>
+Tobias Gesellchen <tobias@gesellix.de>
 Tobias Klauser <tklauser@distanz.ch>
+Tristan Slominski <tristan.slominski@gmail.com>
 Tycho Andersen <tycho@docker.com>
 Vincent Demeester <Vincent.Demeester@docker.com>
-w9n <w9ncontact@gmail.com>
 Zachery Hostens <zacheryph@gmail.com>
 zlim <zlim.lnx@gmail.com>
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -0,0 +1,94 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
+
+## [v0.6] - 2018-07-26
+### Added
+- `linuxkit build` now works with private repositories and registries.
+- `linuxkit pkg build` can build packages with sources outside the package directory.
+- New `kernel+iso` format for `linuxkit build`.
+
+### Changed
+- `containerd` updated to v1.1.2.
+- WireGuard updated to 0.0.20180718.
+- Fixed SSH key handling on GCP.
+- Changed name of logfiles when memlogd/logwrite is used.
+- `moby/tool` code merged back into `linuxkit/linuxkit`
+- Smaller `mkimage-*` packages.
+
+### Removed
+
+
+
+## [v0.5] - 2018-07-10
+### Added
+- New logging support with log rotation.
+- Scaleway provider.
+- Support for v4.17.x kernels.
+- Kernel source are now included in the kernel packages.
+- Improved documentation about debugging LinuxKit.
+
+### Changed
+- Switched to Alpine Linux 3.8 as the base.
+- `containerd` updated to v1.1.1.
+- `pkg/cadvisor` updated to v0.30.2
+- `pkg/node_exporter` updated to 0.16.0
+- WireGuard updated to 0.0.20180708.
+- Linux firmware binaries update to latest.
+- Improved support for building on Windows.
+- Improved support for AWS/GCP metadata.
+- Better handling of reboot/poweroff.
+
+### Removed
+- Support for v4.16.x. kernels as they have been EOLed.
+
+
+## [v0.4] - 2018-05-12
+### Added
+- Support for v4.16.x kernels.
+- Support for MPLS, USB_STORAGE, and SCTP support in the kernel config.
+- Support for creating and booting from squashfs root filesystems.
+- Super experimental support for crosvm.
+- Support for compiling with go 1.10.
+- Adjusted hyperkit support to be compatible with soon to be released Docker for Mac changes.
+
+### Changed
+- `containerd` updated to v1.1.0.
+- WireGuard updated to 0.0.20180420.
+- Intel CPU microcode update to 20180425.
+
+### Removed
+- Support for v4.15.x. kernels as they have been EOLed.
+- `perf` support for 4.9.x kernels (the compile broke).
+
+
+## [v0.3] - 2018-04-05
+### Added
+- Initial `s390x` support.
+- Support for RealTime Linux kernels (`-rt`) on `x86_64` and `arm64`.
+- Support for booting of `qcow2` disks via EFI.
+- Support for CEPH filesystems in the kernel.
+- Logging for `onboot` containers to `/var/log`
+- Changelog file.
+
+### Changed
+- Switched the default kernel to 4.14.x.
+- Update to `containerd` v1.0.3.
+- Update to `notary` v0.6.0.
+- Update WireGuard to 0.0.20180304.
+
+### Removed
+- Removed support for 4.4.x and 4.9.x kernels for `arm64`.
+
+
+## [v0.2] - 2018-01-25
+- Almost everything
+
+
+## [v0.1] - 2017-??-??
+- Sometime in 2017 we did a mini v0.1 release but we seem to have lost any trace of it :)
+
+
+## [v0.0] - 2017-04-18
+- Initial open sourcing of LinuxKit
--- a/2
+++ b/2
@@ -195,5 +195,5 @@ on disputes for technical matters."

 	[people.rn]
 	Name = "Rolf Neugebauer"
-	Email = "rolf.neugebauer@docker.com"
+	Email = "rn@rneugeba.io"
 	GitHub = "rn"
--- a/56
+++ b/56
@@ -1,16 +1,17 @@
-.DELETE_ON_ERROR:
-
-.PHONY: default all
-default: bin/linuxkit bin/rtf
-all: default
-
-VERSION="v0.2"
+VERSION="v0.6"
 GIT_COMMIT=$(shell git rev-list -1 HEAD)

-GO_COMPILE=linuxkit/go-compile:8235f703735672509a16fb626d25c6ffb0d1c21d
+GO_COMPILE=linuxkit/go-compile:e1204ce9921c1d45362a374e06be7234d3bf1184

+ifeq ($(OS),Windows_NT)
+LINUXKIT?=bin/linuxkit.exe
+RTF?=bin/rtf.exe
+GOOS?=windows
+else
 LINUXKIT?=bin/linuxkit
+RTF?=bin/rtf
 GOOS?=$(shell uname -s | tr '[:upper:]' '[:lower:]')
+endif
 GOARCH?=amd64
 ifneq ($(GOOS),linux)
 CROSS+=-e GOOS=$(GOOS)
@@ -21,16 +22,22 @@ endif

 PREFIX?=/usr/local/

-RTF_COMMIT=3e8ed35ca934259cb644c2492bf9b181954a07e1
+.DELETE_ON_ERROR:
+
+.PHONY: default all
+default: $(LINUXKIT) $(RTF)
+all: default
+
+RTF_COMMIT=171155c375706f2616f0b9c96afe2240e15d1de1
 RTF_CMD=github.com/linuxkit/rtf/cmd
 RTF_VERSION=0.0
-bin/rtf: tmp_rtf_bin.tar | bin
+$(RTF): tmp_rtf_bin.tar | bin
 	tar xf $<
 	rm $<
 	touch $@

 tmp_rtf_bin.tar: Makefile
-	docker run --rm --log-driver=none -e http_proxy=$(http_proxy) -e https_proxy=$(https_proxy) $(CROSS) $(GO_COMPILE) --clone-path github.com/linuxkit/rtf --clone https://github.com/linuxkit/rtf.git --commit $(RTF_COMMIT) --package github.com/linuxkit/rtf --ldflags "-X $(RTF_CMD).GitCommit=$(RTF_COMMIT) -X $(RTF_CMD).Version=$(RTF_VERSION)" -o bin/rtf > $@
+	docker run --rm --log-driver=none -e http_proxy=$(http_proxy) -e https_proxy=$(https_proxy) $(CROSS) $(GO_COMPILE) --clone-path github.com/linuxkit/rtf --clone https://github.com/linuxkit/rtf.git --commit $(RTF_COMMIT) --package github.com/linuxkit/rtf --ldflags "-X $(RTF_CMD).GitCommit=$(RTF_COMMIT) -X $(RTF_CMD).Version=$(RTF_VERSION)" -o $(RTF) > $@

 # Manifest tool for multi-arch images
 MT_COMMIT=bfbd11963b8e0eb5f6e400afaebeaf39820b4e90
@@ -44,13 +51,13 @@ tmp_mt_bin.tar: Makefile
 	docker run --rm --log-driver=none -e http_proxy=$(http_proxy) -e https_proxy=$(https_proxy) $(CROSS) $(GO_COMPILE) --clone-path github.com/estesp/manifest-tool --clone $(MT_REPO) --commit $(MT_COMMIT) --package github.com/estesp/manifest-tool --ldflags "-X main.gitCommit=$(MT_COMMIT)" -o bin/manifest-tool > $@

 LINUXKIT_DEPS=$(wildcard src/cmd/linuxkit/*.go) $(wildcard src/cmd/linuxkit/*/*.go) Makefile src/cmd/linuxkit/vendor.conf
-bin/linuxkit: tmp_linuxkit_bin.tar
+$(LINUXKIT): tmp_linuxkit_bin.tar
 	tar xf $<
 	rm $<
 	touch $@

 tmp_linuxkit_bin.tar: $(LINUXKIT_DEPS)
-	tar cf - -C src/cmd/linuxkit . | docker run --rm --net=none --log-driver=none -i $(CROSS) $(GO_COMPILE) --package github.com/linuxkit/linuxkit/src/cmd/linuxkit --ldflags "-X github.com/linuxkit/linuxkit/src/cmd/linuxkit/version.GitCommit=$(GIT_COMMIT) -X github.com/linuxkit/linuxkit/src/cmd/linuxkit/version.Version=$(VERSION)" -o bin/linuxkit > $@
+	tar cf - -C src/cmd/linuxkit . | docker run --rm --net=none --log-driver=none -i $(CROSS) $(GO_COMPILE) --package github.com/linuxkit/linuxkit/src/cmd/linuxkit --ldflags "-X github.com/linuxkit/linuxkit/src/cmd/linuxkit/version.GitCommit=$(GIT_COMMIT) -X github.com/linuxkit/linuxkit/src/cmd/linuxkit/version.Version=$(VERSION)" -o $(LINUXKIT) > $@

 .PHONY: test-cross
 test-cross:
@@ -62,23 +69,26 @@ test-cross:
 	$(MAKE) -j 3 GOOS=linux tmp_rtf_bin.tar tmp_mt_bin.tar tmp_linuxkit_bin.tar
 	$(MAKE) clean

-ifeq ($(GOARCH)-$(GOOS),amd64-linux)
-LOCAL_BUILDMODE?=pie
-endif
-LOCAL_BUILDMODE?=default
+LOCAL_LDFLAGS += -X github.com/linuxkit/linuxkit/src/cmd/linuxkit/version.GitCommit=$(GIT_COMMIT) -X github.com/linuxkit/linuxkit/src/cmd/linuxkit/version.Version=$(VERSION)
+LOCAL_TARGET ?= $(LINUXKIT)

-LOCAL_LDFLAGS += -s -w -extldflags \"-static\" -X github.com/linuxkit/linuxkit/src/cmd/linuxkit/version.GitCommit=$(GIT_COMMIT) -X github.com/linuxkit/linuxkit/src/cmd/linuxkit/version.Version=$(VERSION)
-LOCAL_TARGET ?= bin/linuxkit
-
-.PHONY: local-check local-build local-test local
+.PHONY: local-check local-build local-test local-static-pie local-static local-dynamic local
 local-check: $(LINUXKIT_DEPS)
 	@echo gofmt... && o=$$(gofmt -s -l $(filter %.go,$(LINUXKIT_DEPS))) && if [ -n "$$o" ] ; then echo $$o ; exit 1 ; fi
 	@echo govet... && go tool vet -printf=false $(filter %.go,$(LINUXKIT_DEPS))
 	@echo golint... && set -e ; for i in $(filter %.go,$(LINUXKIT_DEPS)); do golint $$i ; done
 	@echo ineffassign... && ineffassign  $(filter %.go,$(LINUXKIT_DEPS))

-local-build: $(LINUXKIT_DEPS) | bin
-	go build -o $(LOCAL_TARGET) --buildmode $(LOCAL_BUILDMODE) --ldflags "$(LOCAL_LDFLAGS)" github.com/linuxkit/linuxkit/src/cmd/linuxkit
+local-build: local-static
+
+local-static-pie: $(LINUXKIT_DEPS) | bin
+	CGO_ENABLED=0 go build -o $(LOCAL_TARGET) --buildmode pie --ldflags "-s -w -extldflags \"-static\" $(LOCAL_LDFLAGS)" github.com/linuxkit/linuxkit/src/cmd/linuxkit
+
+local-static: $(LINUXKIT_DEPS) | bin
+	CGO_ENABLED=0 go build -o $(LOCAL_TARGET) --ldflags "$(LOCAL_LDFLAGS)" github.com/linuxkit/linuxkit/src/cmd/linuxkit
+
+local-dynamic: $(LINUXKIT_DEPS) | bin
+	go build -o $(LOCAL_TARGET) --ldflags "$(LOCAL_LDFLAGS)" github.com/linuxkit/linuxkit/src/cmd/linuxkit

 local-test: $(LINUXKIT_DEPS)
 	go test $(shell go list github.com/linuxkit/linuxkit/src/cmd/linuxkit/... | grep -v ^github.com/linuxkit/linuxkit/src/cmd/linuxkit/vendor/)
--- a/README.md
+++ b/README.md
@@ -2,25 +2,6 @@

 [![CircleCI](https://circleci.com/gh/linuxkit/linuxkit.svg?style=svg)](https://circleci.com/gh/linuxkit/linuxkit)

-**Security Update 17/01/2018: All current LinuxKit `x86_64` kernels
-have KPTI/KAISER enabled by default. This protects against
-[Meltdown](https://meltdownattack.com/meltdown.pdf). Defences against
-[Spectre](https://spectreattack.com/spectre.pdf) are work in progress
-upstream and some have been incorporated into 4.14.14/4.9.77 onwards
-but work is still ongoing. The kernels 4.14.14/4.9.77 onwards also
-include various eBPF and KVM fixes to mitigate some aspects of
-Spectre.  The `arm64` kernels are not yet fixed. See [Greg KH's
-excellent
-blogpost](http://kroah.com/log/blog/2018/01/06/meltdown-status/) and
-this [LWN.net
-article](https://lwn.net/SubscriberLink/744287/1fc3c18173f732e7/) for
-details.**
-
-**If you run LinuxKit kernels on x86 baremetal we also strongly
-recommend to add `ucode: intel-ucode.cpio` to the kernel section of
-your YAML if you are using Intel CPUs and `linuxkit/firmware:<hash>` if
-you are using AMD CPUs.**
-
 LinuxKit, a toolkit for building custom minimal, immutable Linux distributions.

 - Secure defaults without compromising usability
@@ -34,9 +15,15 @@ LinuxKit, a toolkit for building custom minimal, immutable Linux distributions.
 - Designed to be managed by external tooling, such as [Infrakit](https://github.com/docker/infrakit) or similar tools
 - Includes a set of longer-term collaborative projects in various stages of development to innovate on kernel and userspace changes, particularly around security

+LinuxKit currently supports the `x86_64`, `arm64`, and `s390x` architectures on a variety of platforms, both as virtual machines and baremetal (see [below](#booting-and-testing) for details).
+
 ## Subprojects

 - [LinuxKit kubernetes](https://github.com/linuxkit/kubernetes) aims to build minimal and immutable Kubernetes images. (previously `projects/kubernetes` in this repository).
+- [LinuxKit LCOW](https://github.com/linuxkit/lcow) LinuxKit images and utilities for Microsoft's Linux Containers on Windows.
+- [linux](https://github.com/linuxkit/linux) A copy of the Linux stable tree with branches LinuxKit kernels.
+- [virtsock](https://github.com/linuxkit/virtsock) A `go` library and test utilities for `virtio` and Hyper-V sockets.
+- [rtf](https://github.com/linuxkit/rtf) A regression test framework used for the LinuxKit CI tests (and other projects).

 ## Getting Started

@@ -71,29 +58,27 @@ linuxkit build linuxkit.yml
 to build the example configuration. You can also specify different output formats, eg `linuxkit build -format raw-bios linuxkit.yml` to
 output a raw BIOS bootable disk image, or `linuxkit build -format iso-efi linuxkit.yml` to output an EFI bootable ISO image. See `linuxkit build -help` for more information.

-Since `linuxkit build` is built around the [Moby tool](https://github.com/moby/tool) the input yml files are described in the [Moby tool documentation](https://github.com/moby/tool/blob/master/docs/yaml.md).
-
 ### Booting and Testing

-You can use `linuxkit run <name>` or `linuxkit run <name>.<format>` to execute the image you created with `linuxkit build <name>.yml`.
-This will use a suitable backend for your platform or you can choose one, for example VMWare.
-See `linuxkit run --help`.
+You can use `linuxkit run <name>` or `linuxkit run <name>.<format>` to
+execute the image you created with `linuxkit build <name>.yml`.  This
+will use a suitable backend for your platform or you can choose one,
+for example VMWare.  See `linuxkit run --help`.

 Currently supported platforms are:
 - Local hypervisors
-  - [HyperKit (macOS)](docs/platform-hyperkit.md)
-  - [Hyper-V (Windows)](docs/platform-hyperv.md)
-  - [qemu (macOS, Linux, Windows)](docs/platform-qemu.md)
-  - [VMware (macOS, Windows)](docs/platform-vmware.md)
+  - [HyperKit (macOS)](docs/platform-hyperkit.md) `[x86_64]`
+  - [Hyper-V (Windows)](docs/platform-hyperv.md) `[x86_64]`
+  - [qemu (macOS, Linux, Windows)](docs/platform-qemu.md) `[x86_64, arm64, s390x]`
+  - [VMware (macOS, Windows)](docs/platform-vmware.md) `[x86_64]`
 - Cloud based platforms:
-  - [Amazon Web Services](docs/platform-aws.md)
-  - [Google Cloud](docs/platform-gcp.md)
-  - [Microsoft Azure](docs/platform-azure.md)
-  - [OpenStack](docs/platform-openstack.md)
-  - [packet.net](docs/platform-packet.md)
+  - [Amazon Web Services](docs/platform-aws.md) `[x86_64]`
+  - [Google Cloud](docs/platform-gcp.md) `[x86_64]`
+  - [Microsoft Azure](docs/platform-azure.md) `[x86_64]`
+  - [OpenStack](docs/platform-openstack.md) `[x86_64]`
 - Baremetal:
-  - x86 and arm64 servers on [packet.net](docs/platform-packet.md)
-  - [Raspberry Pi Model 3b](docs/platform-rpi3.md)
+  - [packet.net](docs/platform-packet.md) `[x86_64, arm64]`
+  - [Raspberry Pi Model 3b](docs/platform-rpi3.md)  `[arm64]`


 #### Running the Tests
@@ -106,7 +91,7 @@ To run the test suite:

 ```
 cd test
-rtf -x run
+rtf -v run -x
 ```

 This will run the tests and put the results in a the `_results` directory!
@@ -115,13 +100,13 @@ Run control is handled using labels and with pattern matching.
 To run add a label you may use:

 ```
-rtf -x -l slow run
+rtf -v -l slow run -x
 ```

 To run tests that match the pattern `linuxkit.examples` you would use the following command:

 ```
-rtf -x run linuxkit.examples
+rtf -v run -x linuxkit.examples
 ```

 ## Building your own customised image
@@ -130,7 +115,7 @@ To customise, copy or modify the [`linuxkit.yml`](linuxkit.yml) to your own `fil
 generate its specified output. You can run the output with `linuxkit run file`.

 The yaml file specifies a kernel and base init system, a set of containers that are built into the generated image and started at boot time. You can specify the type
-of artifact to build with the `moby` tool eg `linuxkit build -format vhd linuxkit.yml`.
+of artifact to build eg `linuxkit build -format vhd linuxkit.yml`.

 If you want to build your own packages, see this [document](docs/packages.md).

@@ -144,7 +129,7 @@ The yaml format specifies the image to be built:
 - `services` is the system services, which normally run for the whole time the system is up
 - `files` are additional files to add to the image

-For a more detailed overview of the options see [yaml documentation](https://github.com/moby/tool/blob/master/docs/yaml.md)
+For a more detailed overview of the options see [yaml documentation](docs/yaml.md)

 ## Architecture and security

--- a/contrib/crosvm/.gitignore
+++ b/contrib/crosvm/.gitignore
@@ -0,0 +1,2 @@
+/build
+iid
--- a/contrib/crosvm/Dockerfile
+++ b/contrib/crosvm/Dockerfile
@@ -0,0 +1,36 @@
+FROM rust:1.25.0-stretch
+
+ENV CROSVM_REPO=https://chromium.googlesource.com/chromiumos/platform/crosvm
+ENV CROSVM_COMMIT=7a7268faf0a43c79b6a4520f5c2f35c3e0233932
+ENV MINIJAIL_REPO=https://android.googlesource.com/platform/external/minijail
+ENV MINIJAIL_COMMIT=d45fc420bb8fd9d1fc9297174f3c344db8c20bbd
+
+# Install deps
+RUN apt-get update && apt-get install -y libcap-dev libfdt-dev
+
+# Get source code
+RUN git clone ${MINIJAIL_REPO} && \
+    cd /minijail && \
+    git checkout ${MINIJAIL_COMMIT} && \
+    cd / && \
+    git clone ${CROSVM_REPO} && \
+    cd crosvm && \
+    git checkout ${CROSVM_COMMIT}
+
+# Compile and install minijail
+WORKDIR /minijail
+RUN make && \
+    cp libminijail.so /usr/lib/ && \
+    cp libminijail.h /usr/include/
+
+# Compile crosvm
+WORKDIR /crosvm
+RUN cargo build --release
+    
+RUN mkdir /out && \
+    cp /minijail/libminijail.so /out && \
+    cp /crosvm/target/release/crosvm /out && \
+    cp -r /crosvm/seccomp /out
+
+WORKDIR /out
+ENTRYPOINT ["tar", "cf", "-", "libminijail.so", "crosvm", "seccomp"]
--- a/contrib/crosvm/Makefile
+++ b/contrib/crosvm/Makefile
@@ -0,0 +1,9 @@
+.PHONY: extract
+extract: iid
+	rm -rf ./build
+	mkdir -p ./build
+	docker run --rm $(shell cat iid) | tar xf - -C ./build
+	rm iid
+
+iid: Makefile Dockerfile
+	docker build --no-cache --iidfile iid .
--- a/contrib/crosvm/README.md
+++ b/contrib/crosvm/README.md
@@ -0,0 +1,85 @@
+The Chrome OS Virtual Machine Monitor
+[`crosvm`](https://chromium.googlesource.com/chromiumos/platform/crosvm/)
+is a lightweight VMM written in Rust. It runs on top of KVM and
+optionally runs the device models in separate processes isolated with
+seccomp profiles.
+
+
+## Build/Install
+
+The `Makefile` and `Dockerfile` compile `crosvm` and a suitable
+version of `libminijail`. To build:
+
+```sh
+make
+```
+
+You should end up with a `crosvm` and `libminijail.so` binaries as
+well as the seccomp profiles in `./build`. Copy `libminijail.so` to
+`/usr/lib` or wherever `ldd` picks it up. You may also need `libcap`
+(on Ubuntu or Debian `apt-get install -y libcap-dev`).
+
+You may also have to create an empty directory `/var/empty`.
+
+
+## Use with LinuxKit images
+
+You can build a LinuxKit image suitable for `crosvm` with the
+`kernel+squashfs` build format. For example, using this LinuxKit
+YAML file (`minimal.yml`):
+
+```
+kernel:
+  image: linuxkit/kernel:4.9.115
+  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
+init:
+  - linuxkit/init:v0.6
+  - linuxkit/runc:v0.6
+  - linuxkit/containerd:v0.6
+services:
+  - name: getty
+    image: linuxkit/getty:v0.6
+    env:
+      - INSECURE=true
+trust:
+  org:
+    - linuxkit
+```
+
+run:
+
+```sh
+linuxkit build -output kernel+squashfs minimal.yml
+```
+
+The kernel this produces (`minimal-kernel`) needs to be converted as
+`crosvm` does not grok `bzImage`s. You can convert the LinuxKit kernel
+image with
+[extract-vmlinux](https://raw.githubusercontent.com/torvalds/linux/master/scripts/extract-vmlinux):
+
+```sh
+extract-vmlinux minimal-kernel > minimal-vmlinux
+```
+
+Then you can run `crosvm`:
+```sh
+./crosvm run --seccomp-policy-dir=./seccomp/x86_64 \
+    --root ./minimal-squashfs.img \
+    --mem 2048 \
+    --multiprocess \
+    --socket ./linuxkit-socket \
+    minimal-vmlinux
+```
+
+## Known issues
+
+- With 4.14.x, a `BUG_ON()` is hit in `drivers/base/driver.c`. 4.9.x
+  kernels seem to work.
+- Networking does not yet work, so don't include a `onboot` `dhcpd` service.
+- `poweroff` from the command line does not work (crosvm does not seem
+  to support ACPI). So to stop a VM you can use the control socket
+  and: `./crosvm stop ./linuxkit-socket`
+- `crosvm` and its dependencies compile on `arm64` but `crosvm` seems
+  to lack support for setting op the IRQ chip on the system I
+  tested. I got: `failed to create in-kernel IRQ chip:
+  CreateGICFailure(Error(19))`.
--- a/contrib/foreign-kernels/Dockerfile.deb
+++ b/contrib/foreign-kernels/Dockerfile.deb
@@ -1,4 +1,4 @@
-FROM alpine:3.7 AS extract
+FROM alpine:3.8 AS extract

 ARG DEB_URLS

--- a/contrib/foreign-kernels/Dockerfile.rpm
+++ b/contrib/foreign-kernels/Dockerfile.rpm
@@ -1,4 +1,4 @@
-FROM alpine:3.7 AS extract
+FROM alpine:3.8 AS extract

 ARG RPM_URLS

--- a/docs/faq.md
+++ b/docs/faq.md
@@ -30,3 +30,49 @@ of dependencies and functionality that we do not need. At present we are using t
 `init` process, and a small set of minimal scripts, but we expect to replace that with a small
 standalone `init` process and a small piece of code to bring up the system containers where the
 real work takes place.
+
+## Console not displaying init or containerd output at boot
+
+If you're not seeing `containerd` logs in the console during boot, make sure that your kernel `cmdline` configuration doesn't list multiple consoles.
+
+`init` and other processes like `containerd` will use the last defined console in the kernel `cmdline`. When using `qemu`, to see the console you need to list `ttyS0` as the last console to properly see the output.
+
+## Troubleshooting containers
+
+Linuxkit runs all services in a specific `containerd` namespace called `services.linuxkit`. To list all the defined containers:
+
+```sh
+(ns: getty) linuxkit-befde23bc535:~# ctr -n services.linuxkit container ls
+CONTAINER               IMAGE    RUNTIME
+getty                   -        io.containerd.runtime.v1.linux
+```
+
+To list all running containers and their status:
+
+```sh
+(ns: getty) linuxkit-befde23bc535:~# ctr -n services.linuxkit task ls
+TASK                    PID    STATUS
+getty                   661    RUNNING
+```
+
+To list all processes running in a container:
+
+```sh
+(ns: getty) linuxkit-befde23bc535:/containers/services/getty# ctr -n services.linuxkit task ps getty
+PID     INFO
+661     &ProcessDetails{ExecID:getty,}
+677     -
+685     -
+686     -
+687     -
+1237    -
+```
+
+To attach a shell to a running container:
+
+```sh
+(ns: getty) linuxkit-befde23bc535:/containers/services/getty# ctr -n services.linuxkit tasks exec --tty --exec-id sh sshd /bin/ash -l
+(ns: sshd) linuxkit-befde23bc535:/#
+```
+
+Containers are defined as OCI bundles in `/containers`.
--- a/docs/kernels.md
+++ b/docs/kernels.md
@@ -27,6 +27,11 @@ In addition to the official images, there are also some
 from some Linux distributions into LinuxKit kernel packages. These are
 mostly provided for testing purposes.

+Note now linuxkit also embraces Preempt-RT Linux kernel to support more
+use cases for the promising IoT scenarios. All -rt patches are grabbed from
+https://www.kernel.org/pub/linux/kernel/projects/rt/. But so far we just
+enable it over 4.14.x.
+

 ## Loading kernel modules

@@ -155,7 +160,7 @@ The kernel build system has some provision to allow local
 customisation to the build.

 If you want to override/add some kernel config options, you can add a
-file called `config-foo` and then invoke the build with `make
+file called `config-4.9.x-x86_64-foo` and then invoke the build with `make
 EXTRA=-foo build_4.9.x-foo` and this will build an image with the
 additional kernel config options enabled.

--- a/docs/logging.md
+++ b/docs/logging.md
@@ -0,0 +1,94 @@
+# Logging
+
+By default LinuxKit will write onboot and service logs directly to files in
+`/var/log` and `/var/log/onboot`.
+
+It is tricky to write the logs to a disk or a network service as no disks
+or networks are available until the `onboot` containers run. We work around
+this by splitting the logging into 2 pieces:
+
+1. `memlogd`: an in-memory circular buffer which receives logs (including
+   all the early `onboot` logs)
+2. a log writing `service` that starts later and can download and process
+   the logs from `memlogd`
+
+To use this new logging system, you should add the `memlogd` container to
+the `init` block in the LinuxKit yml. On boot `memlogd` will be started
+from `init.d` and it will listen on a Unix domain socket:
+
+```
+/var/run/linuxkit-external-logging.sock
+```
+
+The `init`/`service` process will look for this socket and redirect the
+`stdout` and `stderr` of both `onboot` and `services` to `memlogd`.
+
+## memlogd: an in-memory circular buffer
+
+The `memlogd` daemon reads the logs from the `onboot` and `services` containers
+and stores them together with a timestamp and the name of the originating
+container in a circular buffer in memory.
+
+The contents of the circular buffer can be read over the Unix domain socket
+```
+/var/run/memlogq.sock
+```
+
+The circular buffer has a fixed size (overridden by the command-line argument
+`-max-lines`) and when it fills up, the oldest messages will be overwritten.
+
+To store the logs somewhere more permanent, for example a disk or a remote
+network service, a service should be added to the yaml which connects to
+`memlogd` and streams the logs. The `logwrite` service described below shows
+how to do this.
+
+### Message format
+
+The format used to read logs is similar to [kmsg](https://www.kernel.org/doc/Documentation/ABI/testing/dev-kmsg):
+```
+<timestamp>,<log>;<body>
+```
+where `<timestamp>` is an RFC3339-formatted timestamp, `<log>` is the name of
+the log (e.g. `docker-ce.out`) and `<body>` is the output. The `<log>` must
+not contain the character `;`.
+
+## logwrite: writing logs to disk
+
+The service `pkg/logwrite` connects to `memlogd` and streams the logs to files
+in `/var/log`. The logs are automatically rotated; by default each file has
+a maximum size of 1 MiB and up to 10 files are kept per log. The arguments
+`-max-log-files` and `-max-log-size` can be used to override these defaults.
+
+Here is an example log file:
+```
+# cat /var/log/onboot.001-dhcpcd.out 
+2018-07-08T09:16:53Z onboot.001-dhcpcd.out eth0: waiting for carrier
+2018-07-08T09:16:53Z onboot.001-dhcpcd.out eth0: carrier acquired
+2018-07-08T09:16:53Z onboot.001-dhcpcd.out DUID 00:01:00:01:22:d4:93:05:02:50:00
+:00:00:06
+2018-07-08T09:16:53Z onboot.001-dhcpcd.out eth0: IAID 00:00:00:06
+2018-07-08T09:16:53Z onboot.001-dhcpcd.out eth0: adding address fe80::f346:56a6:590d:5ea4
+2018-07-08T09:16:53Z onboot.001-dhcpcd.out eth0: soliciting an IPv6 router
+2018-07-08T09:16:53Z onboot.001-dhcpcd.out eth0: soliciting a DHCP lease
+2018-07-08T09:16:53Z onboot.001-dhcpcd.out eth0: offered 192.168.65.8 from 192.168.65.1 `vpnkit'
+2018-07-08T09:16:53Z onboot.001-dhcpcd.out eth0: leased 192.168.65.8 for 7200 se
+conds
+2018-07-08T09:16:53Z onboot.001-dhcpcd.out eth0: adding route to 192.168.65.0/24
+2018-07-08T09:16:53Z onboot.001-dhcpcd.out eth0: adding default route via 192.16
+8.65.1
+2018-07-08T09:16:53Z onboot.001-dhcpcd.out exiting due to oneshot
+2018-07-08T09:16:53Z onboot.001-dhcpcd.out dhcpcd exited
+```
+
+## Current issues and limitations:
+
+- No docker logger plugin support yet - it could be nice to add support to
+  memlogd, so the docker container logs would also be gathered in one place
+- No syslog compatibility at the moment and `/dev/log` doesn’t exist. This
+  socket could be created to keep syslog compatibility, e.g. by using
+  https://github.com/mcuadros/go-syslog. Processes that require syslog should
+  then be able to log directly to memlogd.
+- Currently no direct external hooks exposed - but options available that
+  could be added. Should also be possible to pipe output to e.g. `oklog`
+  from `logread` (https://github.com/oklog/oklog)
+
--- a/docs/packages.md
+++ b/docs/packages.md
@@ -13,6 +13,18 @@ All LinuxKit packages are:
 - Derived from well-known (and signed) sources for repeatable builds.
 - Built with multi-stage builds to minimise their size.

+
+## CI and Package Builds
+When building and merging packages, it is important to note that our CI process builds packages. The targets `make ci` and `make ci-pr` execute `make -C pkg build`. These in turn execute `linuxkit pkg build` for each package under `pkg/`. This in turn will try to pull the image whose tag matches the tree hash or, failing that, to build it.
+
+We do not want the builds to happen with each CI run for two reasons:
+
+1. It is slower to do a package build than to just pull the latest image.
+2. If any of the steps of the build fails, e.g. a `curl` download that depends on an intermittent target, it can cause all of CI to fail.
+
+Thus, if, as a maintainer, you merge any commits into a `pkg/`, even if the change is documentation alone, please do a `linuxkit package push`.
+
+
 ## Package source

 A package source consists of a directory containing at least two files:
@@ -25,6 +37,7 @@ A package source consists of a directory containing at least two files:
 - `image` _(string)_: *(mandatory)* The name of the image to build
 - `org` _(string)_: The hub/registry organisation to which this package belongs
 - `arches` _(list of string)_: The architectures which this package should be built for (valid entries are `GOARCH` names)
+- `extra-sources` _(list of strings)_: Additional sources for the package outside the package directory. The format is `src:dst`, where `src` can be relative to the package directory and `dst` is the destination in the build context. This is useful for sharing files, such as vendored go code, between packages.
 - `gitrepo` _(string)_: The git repository where the package source is kept.
 - `network` _(bool)_: Allow network access during the package build (default: no)
 - `disable-content-trust` _(bool)_: Disable Docker content trust for this package (default: no)
@@ -60,9 +73,9 @@ should also be set up with signing keys for packages and your signing
 key should have a passphrase, which we call `<passphrase>` throughout.

 All official LinuxKit packages are multi-arch manifests and most of
-them are available for amd64 and aarm64. Official images *must* be
-build on both architectures and they must be build *in sequence*, i.e.,
-they can't be build in parallel.
+them are available for `amd64`, `arm64`, and `s390x`. Official images
+*must* be build on both architectures and they must be build *in
+sequence*, i.e., they can't be build in parallel.

 To build a package on an architecture:

@@ -138,4 +151,3 @@ linuxkit pkg build -org=wombat -disable-content-trust -hash=foo push

 and this will create `wombat/<image>:foo-<arch>` and
 `wombat/<image>:foo` for use in your YAML files.
-
--- a/docs/platform-hyperkit.md
+++ b/docs/platform-hyperkit.md
@@ -12,9 +12,19 @@ Alternatively, you can install HyperKit and VPNKit standalone and use it without

 ## Boot

-The HyperKit backend currently supports booting the
-`kernel+initrd` output from `moby`, and EFI ISOs using the EFI firmware.
+The HyperKit backend currently supports booting:
+- `kernel+initrd` output from `linuxkit build`.
+- `kernel+squashfs` output from `linuxkit build`.
+- EFI ISOs using the EFI firmware.

+You need to select the boot method manually using the command line
+options. The default is `kernel+initrd`. `kernel+squashfs` can be
+selected using `-squashfs` and to boot a ISO with EFI you have to
+specify `-iso -uefi`.
+
+The `kernel+initrd` uses a RAM disk for the root filesystem. If you
+have RAM constraints or large images we recommend using either the
+`kernel+squashfs` or the EFI ISO boot.

 ## Console

--- a/docs/platform-qemu.md
+++ b/docs/platform-qemu.md
@@ -4,19 +4,27 @@ The `qemu` backend is the most versatile `run` backend for
 `linuxkit`. It can boot both `x86_64` and `arm64` images, runs on
 macOS and Linux (and possibly Windows), and can boot most types of
 output formats. On Linux, `kvm` acceleration is enabled by default if
-available.
+available. On macOS, `hvf` acceleration (using the Hypervisor
+framework) is used if your `qemu` version supports it (versions
+released after Jan/Feb 2018 should support it). `s390x` is currently
+only supported in `kvm` mode as the emulated `s390x` architecture (aka
+`tcg` mode) does not seem to support several required platform
+features. Further, on `s390x` platforms you need to set
+`vm.allocate_pgste=1` via `sysctl` (or use `echo 1 >
+/proc/sys/vm/allocate_pgste`).


 ## Boot

 By default `linuxkit run qemu` will boot with the host architecture
-(`x86_64` on `x86_64` machines and `aarch64` on `arm64` systems). The
-architecture can be specified with `-arch` and currently accepts
-`x86_64` and `aarch64` as arguments.
+(e.g., `aarch64` on `arm64` systems). The architecture can be
+specified with `-arch` and currently accepts `x86_64`, `aarch64`, and
+`s390x` as arguments.

 `linuxkit run qemu` can boot in different types of images:

- `kernel+initrd`: This is the default mode of `linuxkit run qemu` [`x86_64`, `arm64`]
+- `kernel+initrd`: This is the default mode of `linuxkit run qemu` [`x86_64`, `arm64`, `s390x`]
+- `kernel+squashfs`: `linuxkit run qemu -squashfs <path to directory>`. This expects a kernel and a squashfs image. [`x86_64`, `arm64`, `s390x`]
 - `iso-bios`: `linuxkit run qemu -iso <path to iso>` [`x86_64`]
 - `iso-efi`: `linuxkit run qemu -iso -uefi <path to iso>`. This looks in `/usr/share/ovmf/bios.bin` for the EFI firmware by default. Can be overwritten with `-fw`. [`x86_64`, `arm64`]
 - `qcow-bios`: `linuxkit run qemu disk.qcow2` [`x86_64`]
@@ -25,6 +33,10 @@ architecture can be specified with `-arch` and currently accepts

 The formats `qcow-efi` and `raw-efi` may also work, but are currently not tested.

+The default `kernel+initrd` boot uses a RAM disk for the root
+filesystem. If you have RAM constraints or large images we recommend
+using one of the other methods, such as `kernel+squashfs` or booting
+via a ISO image.

 ## Console

--- a/docs/platform-rpi3.md
+++ b/docs/platform-rpi3.md
@@ -46,6 +46,14 @@ partition as `ext4` (or similar), and use it for persistent storage.

 **TODO:** Experiment with and document this set up.

+To enable and external USB stick as disk, add the following to the
+onboot section in your YAML:
+
+```
+  - name: usb-storage
+    image: linuxkit/modprobe:<hash>
+    command: ["modprobe", "usb_storage"]
+```

 ## Networking

--- a/docs/platform-scaleway.md
+++ b/docs/platform-scaleway.md
@@ -0,0 +1,62 @@
+# Using LinuxKit on Scaleway
+
+This is a quick guide to run LinuxKit on Scaleway (only VPS x86_64 for now)
+
+## Setup
+Before you proceed it's recommanded that you set up the [Scaleway CLI](https://github.com/scaleway/scaleway-cli/)
+and perform an `scw login`. This will create a `$HOME/.scwrc` file containing the required API token.
+
+You can also use the `SCW_TOKEN` environment variable to set a Scaleway token. 
+The `-token` flag of the `linuxkit push scaleway` and `linuxkit run scaleway` can also be used.
+
+The environment variable `SCW_TARGET_REGION` is used to set the region (there is also the `-region` flag)
+
+
+## Build an image
+
+Scaleway requires a `iso-efi` image. To create one:
+
+```
+$ linuxkit build -format iso-efi examples/scaleway.yml
+```
+
+### Changes needed in the yaml
+
+* You have to set `root=/dev/vda` in the `cmdline` to have the right device set on boot
+* The metadata package is not only used to set the metadata, but also to signal Scaleway that the instance has booted. So it is encouraged to use it (dhcpcd must be set before)
+
+## Push image
+
+You have to do `linuxkit push scaleway scaleway.iso` to upload it to your Scaleway images.
+By default the image name is the name of the ISO file without the extension. 
+It can be overidden with the `-img-name` flag or the `SCW_IMAGE_NAME` environment variable.
+
+**Note 1:** If an image (and snapshot) of the same name exists, it will be replaced.
+
+**Note 2:** The image is region specific: if you create an image in `par1` you can't use is in `ams1`.
+
+### Push process
+
+Building a Scaleway image have a special process. Basically:
+
+* Create an `image-builder` instance with an additional volume, based on Ubuntu Xenial (only x86_64 for now)
+* Copy the ISO image on this instance
+* Use `dd` to write the image on the additional volume (`/dev/vdb` by default)
+* Terminate the instance, create a snapshot, and create an image from the snapshot
+
+**Note 1:** An image is linked to a snapshot, so you can't delete a snapshot before the image.
+
+**Note 2:** You can specify an already running instance to act as the image builder with the `-instance-id` flag. But if you don't specify the `-no-clean` flag it will be destroyed upon completion.
+
+## Create an instance and connect to it
+
+With the image created, we can now create an instance.
+
+```
+linuxkit run scaleway scaleway
+```
+
+By default, the instance name is `linuxkit`. It can be overidden with the `-instance-name` flag.
+If you don't set the `-no-attach` flag, you will be connected to the serial port.
+
+You can edit the Scaleway example to allow you to SSH to your instance in order to use it.
--- a/docs/releasing.md
+++ b/docs/releasing.md
@@ -0,0 +1,279 @@
+# Making a LinuxKit release
+
+This document describes the steps to make a LinuxKit release. A
+LinuxKit release consists of:
+- A git tag of the form vX.Y on a specific commit.
+- Packages on Docker hub, tagged with the release tag.
+- All sample `YAML` files updated to use the release packages
+- `linuxkit` binaries for all supported architectures.
+- Changelog entry
+
+Note, we explicitly do not tag kernel images with LinuxKit release
+tags as we encourage users to stay current with the kernel
+releases. We also do not tag test and `mkimage` packages as these are
+not end-user facing.
+
+
+## Pre-requisites
+
+Releases can be done by any maintainer. Maintainers need to have
+access to build machines for all architectures support by LinuxKit and
+signing keys set up to sign Docker hub images.
+
+
+## Release preparation
+
+The release preparation is by far the most time consuming task as it
+involves updating all packages and YAML files.
+
+The release preparation is performed on a branch of your up-to-date
+LinuxKit clone. This document assumes that your clone of the LinuxKit
+repository is available as the `origin` remote in your local `git`
+clone (in my setup the official LinuxKit repository is available as
+`upstream` remote). If your setup is different, you may have to adjust
+some of the commands below.
+
+As a starting point you have to be on the update to date master branch
+and be in the root directory of your local git clone. You should also
+have the same setup on all build machines used.
+
+To make the release steps below cut-and-pastable, define the following
+environment variables:
+
+```sh
+LK_RELEASE=v0.4
+LK_ROOT=$(pwd)
+LK_REMOTE=origin
+```
+
+On one of the build machines (preferably the `x86_64` machine), create
+the release branch:
+
+```sh
+git checkout -b rel_$LK_RELEASE
+```
+
+Also make sure that you have a recent version of the `linuxkit`
+utility in the path. Either a previous release or compiled from
+master.
+
+
+### Update `linuxkit/alpine`
+
+This step is not necessarily required if the alpine base image has
+recently been updated, but it is good to pick up any recent bug
+fixes. Updating the alpine base image is different to other packages
+and it must be performed on `x86_64` first:
+
+```sh
+cd $LK_ROOT/tools/alpine
+make push
+```
+
+This will update `linuxkit/alpine` and change the `versions.x86_64`
+file. Check it in and push to GitHub:
+
+```sh
+git commit -a -s -m "tools/alpine: Update to latest"
+git push $LK_REMOTE rel_$LK_RELEASE
+```
+
+Now, on each build machine for the other supported architectures, in turn:
+
+```sh
+git fetch
+git checkout rel_$LK_RELEASE
+cd $LK_ROOT/tools/alpine
+make push
+git commit -a --amend
+git push --force $LK_REMOTE rel_$LK_RELEASE
+```
+
+With all supported architectures updated, head back to the `x86_64`
+machine and update the release branch:
+
+```sh
+git fetch && git reset --hard $LK_REMOTE/rel_$LK_RELEASE
+```
+
+Stash the tag of the alpine base image in an environment variable:
+
+```sh
+LK_ALPINE=$(head -1 alpine/versions.x86_64 | sed 's,[#| ]*,,' | sed 's,\-.*$,,' | cut -d':' -f2)
+```
+
+
+### Update tools packages
+
+On the `x86_64` machine, get the `linuxkit/alpine` tag and update the
+other packages:
+
+```sh
+cd $LK_ROOT/tools
+../scripts/update-component-sha.sh --image linuxkit/alpine:$LK_ALPINE
+git checkout alpine/versions.aarch64 alpine/versions.s390x
+
+git commit -a -s -m "tools: Update to the latest linuxkit/alpine"
+git push $LK_REMOTE rel_$LK_RELEASE
+
+make forcepush
+```
+
+Note, the `git checkout` reverts the changes made by
+`update-component-sha.sh` to files which are accidentally updated and
+the `make forcepush` will skip building the alpine base.
+
+Then, on the other build machines in turn:
+
+```sh
+cd $LK_ROOT/tools
+git fetch && git reset --hard $LK_REMOTE/rel_$LK_RELEASE
+make forcepush
+```
+
+Back on the `x86_64` machine:
+
+```sh
+cd $LK_ROOT
+for img in $(cd tools; make show-tag); do
+    ./scripts/update-component-sha.sh --image $img
+done
+
+git commit -a -s -m "Update use of tools to latest"
+```
+
+
+### Update test packages
+
+Next, we update the test packages to the updated alpine base on the `x86_64` system:
+
+```sh
+cd $LK_ROOT/test/pkg
+../../scripts/update-component-sha.sh --image linuxkit/alpine:$LK_ALPINE
+
+git commit -a -s -m "tests: Update packages to the latest linuxkit/alpine"
+git push $LK_REMOTE rel_$LK_RELEASE
+
+make push
+```
+
+Then, on the other build machines in turn:
+
+```sh
+cd $LK_ROOT/test/pkg
+git fetch && git reset --hard $LK_REMOTE/rel_$LK_RELEASE
+make push
+```
+
+Back on the `x86_64` machine:
+
+```sh
+cd $LK_ROOT
+for img in $(cd test/pkg; make show-tag); do
+    ./scripts/update-component-sha.sh --image $img
+done
+
+git commit -a -s -m "Update use of test packages to latest"
+```
+
+Some tests also use `linuxkit/alpine`. Update them as well:
+
+```sh
+cd $LK_ROOT/test/cases
+../../scripts/update-component-sha.sh --image linuxkit/alpine:$LK_ALPINE
+
+git commit -a -s -m "tests: Update tests cases to the latest linuxkit/alpine"
+```
+
+### Update packages
+
+Next, we update the LinuxKit packages. This is really the core of the
+release. The other steps above are just there to ensure consistency
+across packages.
+
+
+```sh
+cd $LK_ROOT/pkg
+../scripts/update-component-sha.sh --image linuxkit/alpine:$LK_ALPINE
+
+git commit -a -s -m "pkgs: Update packages to the latest linuxkit/alpine"
+git push $LK_REMOTE rel_$LK_RELEASE
+```
+
+Most of the packages are build from `linuxkit/alpine` and source code
+in the `linuxkit` repository, but some packages wrap external
+tools. The time of a release is a good opportunity to check if there
+have been updates. Specifically:
+
+- `pkg/cadvisor`: Check for [new releases](https://github.com/google/cadvisor/releases).
+- `pkg/firmware` and `pkg/firmware-all`: Use latest commit from [here](https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git).
+- `pkg/node_exporter`: Check for [new releases](https://github.com/prometheus/node_exporter/releases).
+- `example/docker.yml`: Check [docker hub](https://hub.docker.com/r/library/docker/tags/) for the latest `dind` tags.
+
+The build/push the packages:
+
+```sh
+cd $LK_ROOT/pkg
+make OPTIONS="-release $LK_RELEASE" push
+```
+
+Note, the `OPTIONS` argument. This adds the release tag to the
+packages.
+
+Then, on the other build machines in turn:
+
+```sh
+cd $LK_ROOT/pkg
+git fetch && git reset --hard $LK_REMOTE/rel_$LK_RELEASE
+make OPTIONS="-release $LK_RELEASE" push
+```
+
+Update the package tags in the YAML files:
+
+```sh
+cd $LK_ROOT
+for img in $(cd pkg; make show-tag | cut -d ':' -f1); do
+    ./scripts/update-component-sha.sh --image $img:$LK_RELEASE
+done
+
+git commit -a -s -m "Update package tags to $LK_RELEASE"
+```
+
+### Final preparation steps
+
+- Update AUTHORS by running `./scripts/generate-authors.sh`
+- Update the `VERSION` variable in the top-level `Makefile`
+- Create an entry in `CHANGELOG.md`. Take a look at `git log v0.3..HEAD` and pick interesting updates (of course adjust `v0.3` to the previous version).
+- Create a PR with your changes.
+
+
+## Releasing
+
+Once the PR is merged we can do the actual release.
+
+- Update your local git clone to the lastest
+- Identify the merge commit for your PR and tag it and push it to the main LinuxKit repository (remote `upstream` in my case):
+
+```
+git tag $LK_RELEASE master
+git push upstream $LK_RELEASE
+```
+
+Then head over to GitHub and look at the `Releases` tab. You should see the new tag. Edit it:
+- Add the changelog message
+- Head over to the Circle CI page of the master build (try the Circle CI badge in the top level `README.md`)
+- Download the artefacts and SHA256 sums file.
+- Add the downloaded binaries to the release page (drag-and-drop below the editor window)
+- Add the `sha256` sums to the release notes on the release page
+
+Hit the `Publish release` button.
+
+This completes the release, but you are not done, one more step is required.
+
+## Post release
+
+Create a PR which bumps the version number in the top-level `Makefile`
+to `$LK_RELEASE+` to make sure that the version reported by `linuxkit
+version` gets updated.
+
+
--- a/docs/testing.md
+++ b/docs/testing.md
@@ -12,7 +12,7 @@ To run the test suite:

 ```
 cd test
-rtf -x run
+rtf -v run -x
 ```

 This will run the tests and put the results in a the `_results` directory!
@@ -21,7 +21,7 @@ Run control is handled using labels and with pattern matching.
 To run add a label you may use:

 ```
-rtf -x -l slow run
+rtf -v -l slow run -x
 ```

 You can list the tests which will be run using:
@@ -35,7 +35,7 @@ Some tests may be marked as `SKIP` and `LABELS` column will typically provide an
 To run tests that match the pattern `linuxkit.build` you would use the following command:

 ```
-rtf -x run linuxkit.build
+rtf -v run -x linuxkit.build
 ```

 ### Writing new tests
--- a/docs/vendoring.md
+++ b/docs/vendoring.md
@@ -13,12 +13,6 @@ Details of usage of the `vndr` tool and the format of `vendor.conf` can be found
 Once done, you must run the `vndr` tool to add the necessary files to the `vendor` directory.
 The easiest way to do this is in a container.

-Currently if updating `github.com/moby/tool` it is also necessary to
-update `src/cmd/linuxkit/build.go` manually after updating `vendor.conf`:
-
-    hash=$(awk '/^github.com\/moby\/tool/ { print $2 }' src/cmd/linuxkit/vendor.conf)
-    curl -fsSL -o src/cmd/linuxkit/build.go https://raw.githubusercontent.com/moby/tool/${hash}/cmd/moby/build.go
-
 ## Updating in a container

 To update all dependencies:
@@ -28,7 +22,7 @@ docker run -it --rm \
 -v $(pwd):/go/src/github.com/linuxkit/linuxkit \
 -w /go/src/github.com/linuxkit/linuxkit/src/cmd/linuxkit \
 --entrypoint /go/bin/vndr \
-linuxkit/go-compile:8235f703735672509a16fb626d25c6ffb0d1c21d
+linuxkit/go-compile:e1204ce9921c1d45362a374e06be7234d3bf1184
 ```

 To update a single dependency:
@@ -38,7 +32,7 @@ docker run -it --rm \
 -v $(pwd):/go/src/github.com/linuxkit/linuxkit \
 -w /go/src/github.com/linuxkit/linuxkit/src/cmd/linuxkit \
 --entrypoint /go/bin/vndr \
-linuxkit/go-compile:8235f703735672509a16fb626d25c6ffb0d1c21d
+linuxkit/go-compile:e1204ce9921c1d45362a374e06be7234d3bf1184
 github.com/docker/docker
 ```

--- a/docs/yaml.md
+++ b/docs/yaml.md
@@ -0,0 +1,278 @@
+# Configuration Reference
+
+The `linuxkit build` command assembles a set of containerised components into in image. The simplest
+type of image is just a `tar` file of the contents (useful for debugging) but more useful
+outputs add a `Dockerfile` to build a container, or build a full disk image that can be
+booted as a linuxKit VM. The main use case is to build an assembly that includes
+`containerd` to run a set of containers, but the tooling is very generic.
+
+The yaml configuration specifies the components used to build up an image . All components
+are downloaded at build time to create an image. The image is self-contained and immutable,
+so it can be tested reliably for continuous delivery.
+
+Components are specified as Docker images which are pulled from a registry during build if they
+are not available locally. The Docker images are optionally verified with Docker Content Trust.
+For private registries or private repositories on a registry credentials provided via
+`docker login` are re-used. 
+
+The configuration file is processed in the order `kernel`, `init`, `onboot`, `onshutdown`,
+`services`, `files`. Each section adds files to the root file system. Sections may be omitted.
+
+Each container that is specified is allocated a unique `uid` and `gid` that it may use if it
+wishes to run as an isolated user (or user namespace). Anywhere you specify a `uid` or `gid`
+field you specify either the numeric id, or if you use a name it will refer to the id allocated
+to the container with that name.
+
+```
+services:
+  - name: redis
+    image: redis:latest
+    uid: redis
+    gid: redis
+    binds:
+     - /etc/redis:/etc/redis
+files:
+  - path: /etc/redis/redis.conf
+    contents: "..."
+    uid: redis
+    gid: redis
+    mode: "0600"
+```
+
+## `kernel`
+
+The `kernel` section is only required if booting a VM. The files will be put into the `boot/`
+directory, where they are used to build bootable images.
+
+The `kernel` section defines the kernel configuration. The `image` field specifies the Docker image,
+which should contain a `kernel` file that will be booted (eg a `bzImage` for `amd64`) and a file
+called `kernel.tar` which is a tarball that is unpacked into the root, which should usually
+contain a kernel modules directory. `cmdline` specifies the kernel command line options if required.
+
+To override the names, you can specify the kernel image name with `binary: bzImage` and the tar image
+with `tar: kernel.tar` or the empty string or `none` if you do not want to use a tarball at all.
+
+Kernel packages may also contain a cpio archive containing CPU microcode which needs prepending to
+the initrd. To select this option, recommended when booting on bare metal, add `ucode: intel-ucode.cpio`
+to the kernel section.
+
+## `init`
+
+The `init` section is a list of images that are used for the `init` system and are unpacked directly
+into the root filesystem. This should bring up `containerd`, start the system and daemon containers,
+and set up basic filesystem mounts. in the case of a LinuxKit system. For ease of
+modification `runc` and `containerd` images, which just contain these programs are added here
+rather than bundled into the `init` container.
+
+## `onboot`
+
+The `onboot` section is a list of images. These images are run before any other
+images. They are run sequentially and each must exit before the next one is run.
+These images can be used to configure one shot settings. See [Image
+specification](#image-specification) for a list of supported fields.
+
+## `onshutdown`
+
+This is a list of images to run on a clean shutdown. Note that you must not rely on these
+being run at all, as machines may be be powered off or shut down without having time to run
+these scripts. If you add anything here you should test both in the case where they are
+run and when they are not. Most systems are likely to be "crash only" and not have any setup here,
+but you can attempt to deregister cleanly from a network service here, rather than relying
+on timeouts, for example.
+
+## `services`
+
+The `services` section is a list of images for long running services which are
+run with `containerd`.  Startup order is undefined, so containers should wait
+on any resources, such as networking, that they need.  See [Image
+specification](#image-specification) for a list of supported fields.
+
+## `files`
+
+The files section can be used to add files inline in the config, or from an external file.
+
+```
+files:
+  - path: dir
+    directory: true
+    mode: "0777"
+  - path: dir/name1
+    source: "/some/path/on/local/filesystem"
+    mode: "0666"
+  - path: dir/name2
+    source: "/some/path/that/it/is/ok/to/omit"
+    optional: true
+    mode: "0666"
+  - path: dir/name3
+    contents: "orange"
+    mode: "0644"
+    uid: 100
+    gid: 100
+```
+
+Specifying the `mode` is optional, and will default to `0600`. Leading directories will be
+created if not specified. You can use `~/path` in `source` to specify a path in the build
+user's home directory.
+
+In addition there is a `metadata` option that will generate the file. Currently the only value
+supported here is `"yaml"` which will output the yaml used to generate the image into the specified
+file:
+```
+  - path: etc/linuxkit.yml
+    metadata: yaml
+```
+
+Because a `tmpfs` is mounted onto `/var`, `/run`, and `/tmp` by default, the `tmpfs` mounts will shadow anything specified in `files` section for those directories.
+
+## `trust`
+
+The `trust` section specifies which build components are to be cryptographically verified with
+[Docker Content Trust](https://docs.docker.com/engine/security/trust/content_trust/) prior to pulling.
+Trust is a central concern in any build system, and LinuxKit's is no exception: Docker Content Trust provides authenticity,
+integrity, and freshness guarantees for the components it verifies.  The LinuxKit maintainers are responsible for signing
+`linuxkit` components, though collaborators can sign their own images with Docker Content Trust or [Notary](https://github.com/docker/notary).
+
+- `image` lists which individual images to enforce pulling with Docker Content Trust.
+The image name may include tag or digest, but the matching also succeeds if the base image name is the same.
+- `org` lists which organizations for which Docker Content Trust is to be enforced across all images,
+for example `linuxkit` is the org for `linuxkit/kernel`
+
+## Image specification
+
+Entries in the `onboot` and `services` sections specify an OCI image and
+options. Default values may be specified using the `org.mobyproject.config` image label.
+For more details see the [OCI specification](https://github.com/opencontainers/runtime-spec/blob/master/spec.md).
+
+If the `org.mobylinux.config` label is set in the image, that specifies default values for these fields if they
+are not set in the yaml file. You can override the label by setting the value, or setting it to be empty to remove
+the specification for that value in the label.
+
+If you need an OCI option that is not specified here please open an issue or pull request as the list is not yet
+complete.
+
+By default the containers will be run in the host `net`, `ipc` and `uts` namespaces, as that is the usual requirement;
+in many ways they behave like pods in Kubernetes. Mount points must already exist, as must a file or directory being
+bind mounted into a container.
+
+- `name` a unique name for the program being executed, used as the `containerd` id.
+- `image` the Docker image to use for the root filesystem. The default command, path and environment are
+  extracted from this so they need not be filled in.
+- `capabilities` the Linux capabilities required, for example `CAP_SYS_ADMIN`. If there is a single
+  capability `all` then all capabilities are added.
+- `ambient` the Linux ambient capabilities (capabilities passed to non root users) that are required.
+- `mounts` is the full form for specifying a mount, which requires `type`, `source`, `destination`
+  and a list of `options`. If any fields are omitted, sensible defaults are used if possible, for example
+  if the `type` is `dev` it is assumed you want to mount at `/dev`. The default mounts and their options
+  can be replaced by specifying a mount with new options here at the same mount point.
+- `binds` is a simpler interface to specify bind mounts, accepting a string like `/src:/dest:opt1,opt2`
+  similar to the `-v` option for bind mounts in Docker.
+- `tmpfs` is a simpler interface to mount a `tmpfs`, like `--tmpfs` in Docker, taking `/dest:opt1,opt2`.
+- `command` will override the command and entrypoint in the image with a new list of commands.
+- `env` will override the environment in the image with a new environment list. Specify variables as `VAR=value`.
+- `cwd` will set the working directory, defaults to `/`.
+- `net` sets the network namespace, either to a path, or if `none` or `new` is specified it will use a new namespace.
+- `ipc` sets the ipc namespace, either to a path, or if `new` is specified it will use a new namespace.
+- `uts` sets the uts namespace, either to a path, or if `new` is specified it will use a new namespace.
+- `pid` sets the pid namespace, either to a path, or if `host` is specified it will use the host namespace.
+- `readonly` sets the root filesystem to read only, and changes the other default filesystems to read only.
+- `maskedPaths` sets paths which should be hidden.
+- `readonlyPaths` sets paths to read only.
+- `uid` sets the user id of the process.
+- `gid` sets the group id of the process.
+- `additionalGids` sets a list of additional groups for the process.
+- `noNewPrivileges` is `true` means no additional capabilities can be acquired and `suid` binaries do not work.
+- `hostname` sets the hostname inside the image.
+- `oomScoreAdj` changes the OOM score.
+- `rootfsPropagation` sets the rootfs propagation, eg `shared`, `slave` or (default) `private`.
+- `cgroupsPath` sets the path for cgroups.
+- `resources` sets cgroup resource limits as per the OCI spec.
+- `sysctl` sets a map of `sysctl` key value pairs that are set inside the container namespace.
+- `rmlimits` sets a list of `rlimit` values in the form `name,soft,hard`, eg `nofile,100,200`. You can use `unlimited` as a value too.
+- `annotations` sets a map of key value pairs as OCI metadata.
+
+There are experimental `userns`, `uidMappings` and `gidMappings` options for user namespaces but these are not yet supported, and may have
+permissions issues in use.
+
+In addition to the parts of the specification above used to generate the OCI spec, there is a `runtime` section in the image specification
+which specifies some actions to take place when the container is being started.
+- `cgroups` takes a list of cgroups that will be created before the container is run.
+- `mounts` takes a list of mount specifications (`source`, `destination`, `type`, `options`) and mounts them in the root namespace before the container is created. It will
+  try to make any missing destination directories.
+- `mkdir` takes a list of directories to create at runtime, in the root mount namespace. These are created before the container is started, so they can be used to create
+  directories for bind mounts, for example in `/tmp` or `/run` which would otherwise be empty.
+- `interface` defines a list of actions to perform on a network interface:
+  - `name` specifies the name of an interface. An existing interface with this name will be moved into the container's network namespace.
+  - `add` specifies a type of interface to be created in the containers namespace, with the specified name.
+  - `createInRoot` is a boolean which specifes that the interface being `add`ed should be created in the root namespace first, then moved. This is needed for `wireguard` interfaces.
+  - `peer` specifies the name of the other end when creating a `veth` interface. This end will remain in the root namespace, where it can be attached to a bridge. Specifying this implies `add: veth`.
+- `bindNS` specifies a namespace type and a path where the namespace from the container being created will be bound. This allows a namespace to be set up in an `onboot` container, and then
+  using `net: path` for a `service` container to use that network namespace later.
+- `namespace` overrides the LinuxKit default containerd namespace to put the container in; only applicable to services.
+
+An example of using the `runtime` config to configure a network namespace with `wireguard` and then run `nginx` in that namespace is shown below:
+```
+onboot:
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:<hash>
+    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+  - name: wg
+    image: linuxkit/ip:<hash>
+    net: new
+    binds:
+      - /etc/wireguard:/etc/wireguard
+    command: ["sh", "-c", "ip link set dev wg0 up; ip address add dev wg0 192.168.2.1 peer 192.168.2.2; wg setconf wg0 /etc/wireguard/wg0.conf; wg show wg0"]
+    runtime:
+      interfaces:
+        - name: wg0
+          add: wireguard
+          createInRoot: true
+      bindNS:
+        net: /run/netns/wg
+services:
+  - name: nginx
+    image: nginx:alpine
+    net: /run/netns/wg
+    capabilities:
+     - CAP_NET_BIND_SERVICE
+     - CAP_CHOWN
+     - CAP_SETUID
+     - CAP_SETGID
+     - CAP_DAC_OVERRIDE
+```
+
+
+### Mount Options
+When mounting filesystem paths into a container - whether as part of `onboot` or `services` - there are several options of which you need to be aware. Using them properly is necessary for your containers to function properly.
+
+For most containers - e.g. nginx or even docker - these options are not needed. Simply doing the following will work fine:
+
+```yml
+binds:
+ - /var:/some/var/path
+```
+
+Please note that `binds` doesn't **add** the mount points, but **replaces** them.
+You can examine the `Dockerfile` of the component (in particular, `binds` value of
+`org.mobyproject.config` label) to get the list of the existing binds.
+
+However, in some circumstances you will need additional options. These options are used primarily if you intend to make changes to mount points _from within your container_ that should be visible from outside the container, e.g., if you intend to mount an external disk from inside the container but have it be visible outside.
+
+In order for new mounts from within a container to be propagated, you must set the following on the container:
+
+1. `rootfsPropagation: shared`
+2. The mount point into the container below which new mounts are to occur must be `rshared,rbind`. In practice, this is `/var` (or some subdir of `/var`), since that is the only true read-write area of the filesystem where you will mount things.
+
+Thus, if you have a regular container that is only reading and writing, go ahead and do:
+
+```yml
+binds:
+ - /var:/some/var/path
+```
+
+On the other hand, if you have a container that will make new mounts that you wish to be visible outside the container, do:
+
+```yml
+binds:
+ - /var:/var:rshared,rbind
+rootfsPropagation: shared
+```
--- a/examples/aws.yml
+++ b/examples/aws.yml
@@ -1,28 +1,28 @@
 kernel:
-  image: linuxkit/kernel:4.9.78
+  image: linuxkit/kernel:4.14.58
  cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:v0.2
-  - linuxkit/runc:v0.2
-  - linuxkit/containerd:v0.2
-  - linuxkit/ca-certificates:v0.2
+  - linuxkit/init:v0.6
+  - linuxkit/runc:v0.6
+  - linuxkit/containerd:v0.6
+  - linuxkit/ca-certificates:v0.6
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:v0.2
+    image: linuxkit/sysctl:v0.6
  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.2
+    image: linuxkit/dhcpcd:v0.6
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
  - name: metadata
-    image: linuxkit/metadata:v0.2
+    image: linuxkit/metadata:v0.6
 services:
  - name: rngd
-    image: linuxkit/rngd:v0.2
+    image: linuxkit/rngd:v0.6
  - name: sshd
-    image: linuxkit/sshd:v0.2
+    image: linuxkit/sshd:v0.6
    binds:
     - /run/config/ssh/authorized_keys:/root/.ssh/authorized_keys
  - name: nginx
-    image: nginx:alpine
+    image: nginx:1.13.8-alpine
    capabilities:
     - CAP_NET_BIND_SERVICE
     - CAP_CHOWN
--- a/examples/azure.yml
+++ b/examples/azure.yml
@@ -1,21 +1,21 @@
 kernel:
-  image: linuxkit/kernel:4.9.78
+  image: linuxkit/kernel:4.14.58
  cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:v0.2
-  - linuxkit/runc:v0.2
-  - linuxkit/containerd:v0.2
-  - linuxkit/ca-certificates:v0.2
+  - linuxkit/init:v0.6
+  - linuxkit/runc:v0.6
+  - linuxkit/containerd:v0.6
+  - linuxkit/ca-certificates:v0.6
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:v0.2
+    image: linuxkit/sysctl:v0.6
 services:
  - name: rngd
-    image: linuxkit/rngd:v0.2
+    image: linuxkit/rngd:v0.6
  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.2
+    image: linuxkit/dhcpcd:v0.6
  - name: sshd
-    image: linuxkit/sshd:v0.2
+    image: linuxkit/sshd:v0.6
 files:
  - path: root/.ssh/authorized_keys
    source: ~/.ssh/id_rsa.pub
--- a/examples/cadvisor.yml
+++ b/examples/cadvisor.yml
@@ -1,34 +1,34 @@
 kernel:
-  image: linuxkit/kernel:4.9.78
-  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
+  image: linuxkit/kernel:4.14.58
+  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:v0.2
-  - linuxkit/runc:v0.2
-  - linuxkit/containerd:v0.2
-  - linuxkit/ca-certificates:v0.2
+  - linuxkit/init:v0.6
+  - linuxkit/runc:v0.6
+  - linuxkit/containerd:v0.6
+  - linuxkit/ca-certificates:v0.6
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:v0.2
+    image: linuxkit/sysctl:v0.6
  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.2
+    image: linuxkit/dhcpcd:v0.6
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
  - name: sysfs
-    image: linuxkit/sysfs:v0.2
+    image: linuxkit/sysfs:v0.6
  - name: format
-    image: linuxkit/format:v0.2
+    image: linuxkit/format:v0.6
  - name: mount
-    image: linuxkit/mount:v0.2
+    image: linuxkit/mount:v0.6
    command: ["/usr/bin/mountie", "/var/lib/docker"]

 services:
  - name: getty
-    image: linuxkit/getty:v0.2
+    image: linuxkit/getty:v0.6
    env:
      - INSECURE=true
  - name: rngd
-    image: linuxkit/rngd:v0.2
+    image: linuxkit/rngd:v0.6
  - name: ntpd
-    image: linuxkit/openntpd:v0.2
+    image: linuxkit/openntpd:v0.6

  - name: docker
    image: docker:17.10.0-ce-dind
@@ -46,7 +46,7 @@ services:
      - /etc/docker/daemon.json:/etc/docker/daemon.json
    command: ["/usr/local/bin/docker-init", "/usr/local/bin/dockerd"]
  - name: cadvisor
-    image: linuxkit/cadvisor:v0.2
+    image: linuxkit/cadvisor:v0.6
 files:
  - path: var/lib/docker
    directory: true
--- a/examples/docker-for-mac.md
+++ b/examples/docker-for-mac.md
@@ -19,6 +19,21 @@ To run the VM with a 4G disk:
 linuxkit run hyperkit -networking=vpnkit -vsock-ports=2376 -disk size=4096M -data-file ./metadata.json docker-for-mac
 ```

+Where the file `./metadata.json` should contain the desired docker daemon
+configuration, for example:
+
+```
+{
+  "docker": {
+    "entries": {
+      "daemon.json": {
+        "content": "{\n  \"debug\" : true,\n  \"experimental\" : true\n}\n"
+      }
+    }
+  }
+}
+```
+
 In another terminal you should now be able to access docker via the
 socket `guest.00000947` in the state directory
 (`docker-for-mac-state/` by default):
--- a/examples/docker-for-mac.yml
+++ b/examples/docker-for-mac.yml
@@ -1,36 +1,36 @@
 # This is an example for building the open source components of Docker for Mac
 kernel:
-  image: linuxkit/kernel:4.9.78
+  image: linuxkit/kernel:4.14.58
  cmdline: "console=ttyS0 page_poison=1"
 init:
-  - linuxkit/vpnkit-expose-port:v0.2 # install vpnkit-expose-port and vpnkit-iptables-wrapper on host
-  - linuxkit/init:v0.2
-  - linuxkit/runc:v0.2
-  - linuxkit/containerd:v0.2
-  - linuxkit/ca-certificates:v0.2
+  - linuxkit/vpnkit-expose-port:v0.6 # install vpnkit-expose-port and vpnkit-iptables-wrapper on host
+  - linuxkit/init:v0.6
+  - linuxkit/runc:v0.6
+  - linuxkit/containerd:v0.6
+  - linuxkit/ca-certificates:v0.6
 onboot:
  # support metadata for optional config in /run/config
  - name: metadata
-    image: linuxkit/metadata:v0.2
+    image: linuxkit/metadata:v0.6
  - name: sysctl
-    image: linuxkit/sysctl:v0.2
+    image: linuxkit/sysctl:v0.6
  - name: sysfs
-    image: linuxkit/sysfs:v0.2
+    image: linuxkit/sysfs:v0.6
  - name: binfmt
-    image: linuxkit/binfmt:v0.2
+    image: linuxkit/binfmt:v0.6
  # Format and mount the disk image in /var/lib/docker
  - name: format
-    image: linuxkit/format:v0.2
+    image: linuxkit/format:v0.6
  - name: mount
-    image: linuxkit/mount:v0.2
+    image: linuxkit/mount:v0.6
    command: ["/usr/bin/mountie", "/var/lib"]
  # make a swap file on the mounted disk
  - name: swap
-    image: linuxkit/swap:v0.2
+    image: linuxkit/swap:v0.6
    command: ["/swap.sh", "--path", "/var/lib/swap", "--size", "1024M"]
  # mount-vpnkit mounts the 9p share used by vpnkit to coordinate port forwarding
  - name: mount-vpnkit
-    image: alpine:3.7
+    image: alpine:3.8
    binds:
        - /var/:/host_var:rbind,rshared
    capabilities:
@@ -39,46 +39,46 @@ onboot:
    command: ["sh", "-c", "mkdir -p /host_var/vpnkit/port && mount -v -t 9p -o trans=virtio,dfltuid=1001,dfltgid=50,version=9p2000 port /host_var/vpnkit"]
  # move logs to the mounted disk (this is a temporary fix until we can limit the log sizes)
  - name: move-logs
-    image: alpine:3.7
+    image: alpine:3.8
    binds:
        - /var:/host_var
    command: ["sh", "-c", "mv -v /host_var/log /host_var/lib && ln -vs /var/lib/log /host_var/log"]
  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.2
+    image: linuxkit/dhcpcd:v0.6
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
  # Enable acpi to shutdown on power events
  - name: acpid
-    image: linuxkit/acpid:v0.2
+    image: linuxkit/acpid:v0.6
  # Enable getty for easier debugging
  - name: getty
-    image: linuxkit/getty:v0.2
+    image: linuxkit/getty:v0.6
    env:
        - INSECURE=true
  # Run ntpd to keep time synchronised in the VM
  - name: ntpd
-    image: linuxkit/openntpd:v0.2
+    image: linuxkit/openntpd:v0.6
  # VSOCK to unix domain socket forwarding. Forwards guest /var/run/docker.sock
  # to a socket on the host.
  - name: vsudd
-    image: linuxkit/vsudd:v0.2
+    image: linuxkit/vsudd:v0.6
    binds:
        - /var/run:/var/run
    command: ["/vsudd", "-inport", "2376:unix:/var/run/docker.sock"]
  # vpnkit-forwarder forwards network traffic to/from the host via VSOCK port 62373. 
  # It needs access to the vpnkit 9P coordination share 
  - name: vpnkit-forwarder
-    image: linuxkit/vpnkit-forwarder:v0.2
+    image: linuxkit/vpnkit-forwarder:v0.6
    binds:
        - /var/vpnkit:/port
    net: host
    command: ["/vpnkit-forwarder", "-vsockPort", "62373"]
  # Monitor for image deletes and invoke a TRIM on the container filesystem
  - name: trim-after-delete
-    image: linuxkit/trim-after-delete:v0.2
+    image: linuxkit/trim-after-delete:v0.6
  # When the host resumes from sleep, force a clock resync
  - name: host-timesync-daemon
-    image: linuxkit/host-timesync-daemon:v0.2
+    image: linuxkit/host-timesync-daemon:v0.6
  # Run dockerd with the vpnkit userland proxy from the vpnkit-forwarder container.
  # Bind mounts /var/run to allow vsudd to connect to docker.sock, /var/vpnkit
  # for vpnkit coordination and /run/config/docker for the configuration file.
--- a/examples/docker.yml
+++ b/examples/docker.yml
@@ -1,34 +1,34 @@
 kernel:
-  image: linuxkit/kernel:4.9.78
-  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
+  image: linuxkit/kernel:4.14.58
+  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:v0.2
-  - linuxkit/runc:v0.2
-  - linuxkit/containerd:v0.2
-  - linuxkit/ca-certificates:v0.2
+  - linuxkit/init:v0.6
+  - linuxkit/runc:v0.6
+  - linuxkit/containerd:v0.6
+  - linuxkit/ca-certificates:v0.6
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:v0.2
+    image: linuxkit/sysctl:v0.6
  - name: sysfs
-    image: linuxkit/sysfs:v0.2
+    image: linuxkit/sysfs:v0.6
  - name: format
-    image: linuxkit/format:v0.2
+    image: linuxkit/format:v0.6
  - name: mount
-    image: linuxkit/mount:v0.2
+    image: linuxkit/mount:v0.6
    command: ["/usr/bin/mountie", "/var/lib/docker"]
 services:
  - name: getty
-    image: linuxkit/getty:v0.2
+    image: linuxkit/getty:v0.6
    env:
     - INSECURE=true
  - name: rngd
-    image: linuxkit/rngd:v0.2
+    image: linuxkit/rngd:v0.6
  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.2
+    image: linuxkit/dhcpcd:v0.6
  - name: ntpd
-    image: linuxkit/openntpd:v0.2
+    image: linuxkit/openntpd:v0.6
  - name: docker
-    image: docker:17.07.0-ce-dind
+    image: docker:18.06.0-ce-dind
    capabilities:
     - all
    net: host
--- a/examples/gcp.yml
+++ b/examples/gcp.yml
@@ -1,32 +1,32 @@
 kernel:
-  image: linuxkit/kernel:4.9.78
+  image: linuxkit/kernel:4.14.58
  cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:v0.2
-  - linuxkit/runc:v0.2
-  - linuxkit/containerd:v0.2
-  - linuxkit/ca-certificates:v0.2
+  - linuxkit/init:v0.6
+  - linuxkit/runc:v0.6
+  - linuxkit/containerd:v0.6
+  - linuxkit/ca-certificates:v0.6
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:v0.2
+    image: linuxkit/sysctl:v0.6
  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.2
+    image: linuxkit/dhcpcd:v0.6
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
  - name: metadata
-    image: linuxkit/metadata:v0.2
+    image: linuxkit/metadata:v0.6
 services:
  - name: getty
-    image: linuxkit/getty:v0.2
+    image: linuxkit/getty:v0.6
    env:
     - INSECURE=true
  - name: rngd
-    image: linuxkit/rngd:v0.2
+    image: linuxkit/rngd:v0.6
  - name: sshd
-    image: linuxkit/sshd:v0.2
+    image: linuxkit/sshd:v0.6
    binds:
     - /run/config/ssh/authorized_keys:/root/.ssh/authorized_keys
  - name: nginx
-    image: nginx:alpine
+    image: nginx:1.13.8-alpine
    capabilities:
     - CAP_NET_BIND_SERVICE
     - CAP_CHOWN
--- a/examples/getty.yml
+++ b/examples/getty.yml
@@ -1,25 +1,25 @@
 kernel:
-  image: linuxkit/kernel:4.9.78
-  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
+  image: linuxkit/kernel:4.14.58
+  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:v0.2
-  - linuxkit/runc:v0.2
-  - linuxkit/containerd:v0.2
-  - linuxkit/ca-certificates:v0.2
+  - linuxkit/init:v0.6
+  - linuxkit/runc:v0.6
+  - linuxkit/containerd:v0.6
+  - linuxkit/ca-certificates:v0.6
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:v0.2
+    image: linuxkit/sysctl:v0.6
  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.2
+    image: linuxkit/dhcpcd:v0.6
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
  - name: getty
-    image: linuxkit/getty:v0.2
+    image: linuxkit/getty:v0.6
    # to make insecure with passwordless root login, uncomment following lines
    #env:
    # - INSECURE=true
  - name: rngd
-    image: linuxkit/rngd:v0.2
+    image: linuxkit/rngd:v0.6
 files:
  - path: etc/getty.shadow
    # sample sets password for root to "abcdefgh" (without quotes)
--- a/examples/hostmount-writeable-overlay.yml
+++ b/examples/hostmount-writeable-overlay.yml
@@ -1,16 +1,16 @@
 kernel:
-  image: linuxkit/kernel:4.9.78
-  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
+  image: linuxkit/kernel:4.14.58
+  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:v0.2
-  - linuxkit/runc:v0.2
-  - linuxkit/containerd:v0.2
-  - linuxkit/ca-certificates:v0.2
+  - linuxkit/init:v0.6
+  - linuxkit/runc:v0.6
+  - linuxkit/containerd:v0.6
+  - linuxkit/ca-certificates:v0.6
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:v0.2
+    image: linuxkit/sysctl:v0.6
  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.2
+    image: linuxkit/dhcpcd:v0.6
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 onshutdown:
  - name: shutdown
@@ -18,7 +18,7 @@ onshutdown:
    command: ["/bin/echo", "so long and thanks for all the fish"]
 services:
  - name: getty
-    image: linuxkit/getty:v0.2
+    image: linuxkit/getty:v0.6
    env:
     - INSECURE=true
    runtime:
@@ -30,9 +30,9 @@ services:
          destination: writeable-host-etc
          options: ["rw", "lowerdir=/etc", "upperdir=/run/hostetc/upper", "workdir=/run/hostetc/work"]
  - name: rngd
-    image: linuxkit/rngd:v0.2
+    image: linuxkit/rngd:v0.6
  - name: nginx
-    image: nginx:alpine
+    image: nginx:1.13.8-alpine
    capabilities:
     - CAP_NET_BIND_SERVICE
     - CAP_CHOWN
--- a/examples/influxdb-os.yml
+++ b/examples/influxdb-os.yml
@@ -0,0 +1,48 @@
+kernel:
+  image: linuxkit/kernel:4.14.58
+  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
+init:
+  - linuxkit/init:v0.6
+  - linuxkit/runc:v0.6
+  - linuxkit/containerd:v0.6
+  - linuxkit/ca-certificates:v0.6
+onboot:
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:v0.6
+    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+services:
+  - name: getty
+    image: linuxkit/getty:v0.6
+    env:
+     - INSECURE=true
+  - name: influxdb
+    image: influxdb:1.4
+    net: host
+    capabilities:
+      - CAP_NET_BIND_SERVICE
+      - CAP_DAC_OVERRIDE
+  - name: kapacitor
+    image: kapacitor:1.4
+    net: host
+    capabilities:
+      - all
+    env:
+      - KAPACITOR_INFLUXDB_0_URLS_0=http://influxdb:8086
+  - name: telegraf
+    image: telegraf:1.4
+    net: host
+    capabilities:
+      - all
+  - name: chronograf
+    image: chronograf:1.4
+    net: host
+    capabilities:
+      - CAP_NET_BIND_SERVICE
+      - CAP_DAC_OVERRIDE
+    env:
+      - INFLUXDB_URL=http://localhost:8086
+      - KAPACITOR_URL=http://localhost:9092
+trust:
+  org:
+    - linuxkit
+    - library
--- a/examples/logging.yml
+++ b/examples/logging.yml
@@ -0,0 +1,34 @@
+# Simple example of using an external logging service
+kernel:
+  image: linuxkit/kernel:4.14.58
+  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
+init:
+  - linuxkit/init:v0.6
+  - linuxkit/runc:v0.6
+  - linuxkit/containerd:v0.6
+  - linuxkit/ca-certificates:v0.6
+  - linuxkit/memlogd:v0.6
+onboot:
+  - name: sysctl
+    image: linuxkit/sysctl:v0.6
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:v0.6
+    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+services:
+# Inside the getty type `/proc/1/root/usr/bin/logread -F` to follow the log
+  - name: getty
+    image: linuxkit/getty:v0.6
+    env:
+     - INSECURE=true
+# A service which generates log messages for testing
+  - name: write-to-the-logs
+    image: alpine:3.8
+    command: ["/bin/sh", "-c", "while /bin/true; do echo hello $(date); sleep 1; done" ]
+  - name: write-and-rotate-logs
+    image: linuxkit/logwrite:v0.6
+  - name: kmsg
+    image: linuxkit/kmsg:v0.6
+trust:
+  org:
+    - linuxkit
+    - library
--- a/examples/minimal.yml
+++ b/examples/minimal.yml
@@ -1,17 +1,17 @@
 kernel:
-  image: linuxkit/kernel:4.9.78
+  image: linuxkit/kernel:4.14.58
  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:v0.2
-  - linuxkit/runc:v0.2
-  - linuxkit/containerd:v0.2
+  - linuxkit/init:v0.6
+  - linuxkit/runc:v0.6
+  - linuxkit/containerd:v0.6
 onboot:
  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.2
+    image: linuxkit/dhcpcd:v0.6
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
  - name: getty
-    image: linuxkit/getty:v0.2
+    image: linuxkit/getty:v0.6
    env:
     - INSECURE=true
 trust:
--- a/examples/node_exporter.yml
+++ b/examples/node_exporter.yml
@@ -1,21 +1,21 @@
 kernel:
-  image: linuxkit/kernel:4.9.78
+  image: linuxkit/kernel:4.14.58
  cmdline: "console=tty0 console=ttyS0"
 init:
-  - linuxkit/init:v0.2
-  - linuxkit/runc:v0.2
-  - linuxkit/containerd:v0.2
+  - linuxkit/init:v0.6
+  - linuxkit/runc:v0.6
+  - linuxkit/containerd:v0.6
 services:
  - name: getty
-    image: linuxkit/getty:v0.2
+    image: linuxkit/getty:v0.6
    env:
     - INSECURE=true
  - name: rngd
-    image: linuxkit/rngd:v0.2
+    image: linuxkit/rngd:v0.6
  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.2
+    image: linuxkit/dhcpcd:v0.6
  - name: node_exporter
-    image: linuxkit/node_exporter:v0.2
+    image: linuxkit/node_exporter:v0.6
 trust:
  org:
    - linuxkit
--- a/examples/openstack.yml
+++ b/examples/openstack.yml
@@ -1,29 +1,29 @@
 kernel:
-  image: linuxkit/kernel:4.9.78
+  image: linuxkit/kernel:4.14.58
  cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:v0.2
-  - linuxkit/runc:v0.2
-  - linuxkit/containerd:v0.2
-  - linuxkit/ca-certificates:v0.2
+  - linuxkit/init:v0.6
+  - linuxkit/runc:v0.6
+  - linuxkit/containerd:v0.6
+  - linuxkit/ca-certificates:v0.6
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:v0.2
+    image: linuxkit/sysctl:v0.6
  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.2
+    image: linuxkit/dhcpcd:v0.6
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
  - name: metadata
-    image: linuxkit/metadata:v0.2
+    image: linuxkit/metadata:v0.6
    command: ["/usr/bin/metadata", "openstack"]
 services:
  - name: rngd
-    image: linuxkit/rngd:v0.2
+    image: linuxkit/rngd:v0.6
  - name: sshd
-    image: linuxkit/sshd:v0.2
+    image: linuxkit/sshd:v0.6
    binds:
     - /run/config/ssh/authorized_keys:/root/.ssh/authorized_keys
  - name: nginx
-    image: nginx:alpine
+    image: nginx:1.13.8-alpine
    capabilities:
     - CAP_NET_BIND_SERVICE
     - CAP_CHOWN
--- a/examples/packet.arm64.yml
+++ b/examples/packet.arm64.yml
@@ -5,10 +5,10 @@
 # for arm64 then the 'ucode' line in the kernel section can be left
 # out.
 kernel:
-  image: linuxkit/kernel:4.9.78
+  image: linuxkit/kernel:4.14.58
  cmdline: "console=ttyAMA0"
  ucode: ""
 onboot:
  - name: modprobe
-    image: linuxkit/modprobe:v0.2
+    image: linuxkit/modprobe:v0.6
    command: ["modprobe", "nicvf"]
--- a/examples/packet.yml
+++ b/examples/packet.yml
@@ -1,34 +1,34 @@
 kernel:
-  image: linuxkit/kernel:4.9.78
+  image: linuxkit/kernel:4.14.58
  cmdline: console=ttyS1
  ucode: intel-ucode.cpio
 init:
-  - linuxkit/init:v0.2
-  - linuxkit/runc:v0.2
-  - linuxkit/containerd:v0.2
-  - linuxkit/ca-certificates:v0.2
-  - linuxkit/firmware:v0.2
+  - linuxkit/init:v0.6
+  - linuxkit/runc:v0.6
+  - linuxkit/containerd:v0.6
+  - linuxkit/ca-certificates:v0.6
+  - linuxkit/firmware:v0.6
 onboot:
  - name: rngd1
-    image: linuxkit/rngd:v0.2
+    image: linuxkit/rngd:v0.6
    command: ["/sbin/rngd", "-1"]
  - name: sysctl
-    image: linuxkit/sysctl:v0.2
+    image: linuxkit/sysctl:v0.6
  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.2
+    image: linuxkit/dhcpcd:v0.6
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
  - name: metadata
-    image: linuxkit/metadata:v0.2
+    image: linuxkit/metadata:v0.6
    command: ["/usr/bin/metadata", "packet"]
 services:
  - name: rngd
-    image: linuxkit/rngd:v0.2
+    image: linuxkit/rngd:v0.6
  - name: getty
-    image: linuxkit/getty:v0.2
+    image: linuxkit/getty:v0.6
    env:
     - INSECURE=true
  - name: sshd
-    image: linuxkit/sshd:v0.2
+    image: linuxkit/sshd:v0.6
 files:
  - path: root/.ssh/authorized_keys
    source: ~/.ssh/id_rsa.pub
--- a/examples/redis-os.yml
+++ b/examples/redis-os.yml
@@ -1,19 +1,19 @@
 # Minimal YAML to run a redis server (used at DockerCon'17)
 # connect: nc localhost 6379
 kernel:
-  image: linuxkit/kernel:4.9.78
-  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
+  image: linuxkit/kernel:4.14.58
+  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:v0.2
-  - linuxkit/runc:v0.2
-  - linuxkit/containerd:v0.2
+  - linuxkit/init:v0.6
+  - linuxkit/runc:v0.6
+  - linuxkit/containerd:v0.6
 onboot:
  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.2
+    image: linuxkit/dhcpcd:v0.6
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
  - name: getty
-    image: linuxkit/getty:v0.2
+    image: linuxkit/getty:v0.6
    env:
     - INSECURE=true
  # Currently redis:4.0.6-alpine has trust issue with multi-arch
--- a/examples/rt-for-vmware.yml
+++ b/examples/rt-for-vmware.yml
@@ -0,0 +1,36 @@
+kernel:
+  image: linuxkit/kernel:4.14.58-rt
+  cmdline: "console=tty0"
+init:
+  - linuxkit/init:v0.6
+  - linuxkit/runc:v0.6
+  - linuxkit/containerd:v0.6
+  - linuxkit/ca-certificates:v0.6
+onboot:
+  - name: sysctl
+    image: linuxkit/sysctl:v0.6
+services:
+  - name: getty
+    image: linuxkit/getty:v0.6
+    env:
+     - INSECURE=true
+  - name: rngd
+    image: linuxkit/rngd:v0.6
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:v0.6
+  - name: open-vm-tools
+    image: linuxkit/open-vm-tools:v0.6
+  - name: nginx
+    image: nginx:1.13.8-alpine
+    capabilities:
+     - CAP_NET_BIND_SERVICE
+     - CAP_CHOWN
+     - CAP_SETUID
+     - CAP_SETGID
+     - CAP_DAC_OVERRIDE
+    binds:
+     - /etc/resolv.conf:/etc/resolv.conf
+trust:
+  org:
+    - linuxkit
+    - library
--- a/examples/scaleway.yml
+++ b/examples/scaleway.yml
@@ -0,0 +1,29 @@
+kernel:
+  image: linuxkit/kernel:4.14.58
+  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0 root=/dev/vda"
+init:
+  - linuxkit/init:v0.6
+  - linuxkit/runc:v0.6
+  - linuxkit/containerd:v0.6
+  - linuxkit/ca-certificates:v0.6
+onboot:
+  - name: sysctl
+    image: linuxkit/sysctl:v0.6
+  - name: rngd1
+    image: linuxkit/rngd:v0.6
+    command: ["/sbin/rngd", "-1"]
+  - name: dhcpcd
+    image: linuxkit/dhcpcd:v0.6
+    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+  - name: metadata
+    image: linuxkit/metadata:v0.6
+services:
+  - name: getty
+    image: linuxkit/getty:v0.6
+    env:
+     - INSECURE=true
+  - name: rngd
+    image: linuxkit/rngd:v0.6
+trust:
+  org:
+    - linuxkit
--- a/examples/sshd.yml
+++ b/examples/sshd.yml
@@ -1,28 +1,28 @@
 kernel:
-  image: linuxkit/kernel:4.9.78
-  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
+  image: linuxkit/kernel:4.14.58
+  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:v0.2
-  - linuxkit/runc:v0.2
-  - linuxkit/containerd:v0.2
-  - linuxkit/ca-certificates:v0.2
+  - linuxkit/init:v0.6
+  - linuxkit/runc:v0.6
+  - linuxkit/containerd:v0.6
+  - linuxkit/ca-certificates:v0.6
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:v0.2
+    image: linuxkit/sysctl:v0.6
  - name: rngd1
-    image: linuxkit/rngd:v0.2
+    image: linuxkit/rngd:v0.6
    command: ["/sbin/rngd", "-1"]
 services:
  - name: getty
-    image: linuxkit/getty:v0.2
+    image: linuxkit/getty:v0.6
    env:
     - INSECURE=true
  - name: rngd
-    image: linuxkit/rngd:v0.2
+    image: linuxkit/rngd:v0.6
  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.2
+    image: linuxkit/dhcpcd:v0.6
  - name: sshd
-    image: linuxkit/sshd:v0.2
+    image: linuxkit/sshd:v0.6
 files:
  - path: root/.ssh/authorized_keys
    source: ~/.ssh/id_rsa.pub
--- a/examples/swap.yml
+++ b/examples/swap.yml
@@ -1,34 +1,34 @@
 kernel:
-  image: linuxkit/kernel:4.9.78
-  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
+  image: linuxkit/kernel:4.14.58
+  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0 console=ttysclp0"
 init:
-  - linuxkit/init:v0.2
-  - linuxkit/runc:v0.2
-  - linuxkit/containerd:v0.2
-  - linuxkit/ca-certificates:v0.2
+  - linuxkit/init:v0.6
+  - linuxkit/runc:v0.6
+  - linuxkit/containerd:v0.6
+  - linuxkit/ca-certificates:v0.6
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:v0.2
+    image: linuxkit/sysctl:v0.6
  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.2
+    image: linuxkit/dhcpcd:v0.6
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
  - name: format
-    image: linuxkit/format:v0.2
+    image: linuxkit/format:v0.6
  - name: mount
-    image: linuxkit/mount:v0.2
+    image: linuxkit/mount:v0.6
    command: ["/usr/bin/mountie", "/var/external"]
  - name: swap
-    image: linuxkit/swap:v0.2
+    image: linuxkit/swap:v0.6
    # to use unencrypted swap, use:
    # command: ["/swap.sh", "--path", "/var/external/swap", "--size", "1G"]
    command: ["/swap.sh", "--path", "/var/external/swap", "--size", "1G", "--encrypt"]
 services:
  - name: getty
-    image: linuxkit/getty:v0.2
+    image: linuxkit/getty:v0.6
    env:
     - INSECURE=true
  - name: rngd
-    image: linuxkit/rngd:v0.2
+    image: linuxkit/rngd:v0.6
 trust:
  org:
    - linuxkit
--- a/examples/tpm.yml
+++ b/examples/tpm.yml
@@ -2,25 +2,25 @@ kernel:
  image: linuxkit/kernel:4.9.38
  cmdline: "console=tty0 console=ttyS0"
 init:
-  - linuxkit/init:v0.2
-  - linuxkit/runc:v0.2
-  - linuxkit/containerd:v0.2
-  - linuxkit/ca-certificates:v0.2
+  - linuxkit/init:v0.6
+  - linuxkit/runc:v0.6
+  - linuxkit/containerd:v0.6
+  - linuxkit/ca-certificates:v0.6
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:v0.2
+    image: linuxkit/sysctl:v0.6
  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.2
+    image: linuxkit/dhcpcd:v0.6
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
  - name: getty
-    image: linuxkit/getty:v0.2
+    image: linuxkit/getty:v0.6
    env:
     - INSECURE=true
  - name: tss
-    image: linuxkit/tss:v0.2
+    image: linuxkit/tss:v0.6
  - name: rngd
-    image: linuxkit/rngd:v0.2
+    image: linuxkit/rngd:v0.6
 files:
  - path: etc/getty.shadow
    # sample sets password for root to "abcdefgh" (without quotes)
--- a/examples/vmware.yml
+++ b/examples/vmware.yml
@@ -1,25 +1,25 @@
 kernel:
-  image: linuxkit/kernel:4.9.78
+  image: linuxkit/kernel:4.14.58
  cmdline: "console=tty0"
 init:
-  - linuxkit/init:v0.2
-  - linuxkit/runc:v0.2
-  - linuxkit/containerd:v0.2
-  - linuxkit/ca-certificates:v0.2
+  - linuxkit/init:v0.6
+  - linuxkit/runc:v0.6
+  - linuxkit/containerd:v0.6
+  - linuxkit/ca-certificates:v0.6
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:v0.2
+    image: linuxkit/sysctl:v0.6
 services:
  - name: getty
-    image: linuxkit/getty:v0.2
+    image: linuxkit/getty:v0.6
    env:
     - INSECURE=true
  - name: rngd
-    image: linuxkit/rngd:v0.2
+    image: linuxkit/rngd:v0.6
  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.2
+    image: linuxkit/dhcpcd:v0.6
  - name: nginx
-    image: nginx:alpine
+    image: nginx:1.13.8-alpine
    capabilities:
     - CAP_NET_BIND_SERVICE
     - CAP_CHOWN
--- a/examples/vpnkit-forwarder.yml
+++ b/examples/vpnkit-forwarder.yml
@@ -1,16 +1,16 @@
 kernel:
-  image: linuxkit/kernel:4.9.78
+  image: linuxkit/kernel:4.14.58
  cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:v0.2
-  - linuxkit/runc:v0.2
-  - linuxkit/containerd:v0.2
+  - linuxkit/init:v0.6
+  - linuxkit/runc:v0.6
+  - linuxkit/containerd:v0.6
 onboot:
  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.2
+    image: linuxkit/dhcpcd:v0.6
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
  - name: mount-vpnkit
-    image: alpine:3.7
+    image: alpine:3.8
    binds:
        - /var/:/host_var:rbind,rshared
    capabilities:
@@ -19,9 +19,9 @@ onboot:
    command: ["sh", "-c", "mkdir /host_var/vpnkit && mount -v -t 9p -o trans=virtio,dfltuid=1001,dfltgid=50,version=9p2000 port /host_var/vpnkit"]
 services:
  - name: sshd
-    image: linuxkit/sshd:v0.2
+    image: linuxkit/sshd:v0.6
  - name: vpnkit-forwarder
-    image: linuxkit/vpnkit-forwarder:v0.2
+    image: linuxkit/vpnkit-forwarder:v0.6
    binds:
        - /var/vpnkit:/port
    net: host
--- a/examples/vsudd-containerd.yml
+++ b/examples/vsudd-containerd.yml
@@ -1,17 +1,17 @@
 kernel:
-  image: linuxkit/kernel:4.9.78
+  image: linuxkit/kernel:4.14.58
  cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:v0.2
-  - linuxkit/runc:v0.2
-  - linuxkit/containerd:v0.2
+  - linuxkit/init:v0.6
+  - linuxkit/runc:v0.6
+  - linuxkit/containerd:v0.6
 onboot:
  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.2
+    image: linuxkit/dhcpcd:v0.6
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
 services:
  - name: vsudd
-    image: linuxkit/vsudd:v0.2
+    image: linuxkit/vsudd:v0.6
    binds:
        - /run/containerd/containerd.sock:/run/containerd/containerd.sock
    command: ["/vsudd",
--- a/examples/vultr.yml
+++ b/examples/vultr.yml
@@ -1,32 +1,32 @@
 kernel:
-  image: linuxkit/kernel:4.9.78
+  image: linuxkit/kernel:4.14.58
  cmdline: "console=ttyS0"
 init:
-  - linuxkit/init:v0.2
-  - linuxkit/runc:v0.2
-  - linuxkit/containerd:v0.2
-  - linuxkit/ca-certificates:v0.2
+  - linuxkit/init:v0.6
+  - linuxkit/runc:v0.6
+  - linuxkit/containerd:v0.6
+  - linuxkit/ca-certificates:v0.6
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:v0.2
+    image: linuxkit/sysctl:v0.6
  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.2
+    image: linuxkit/dhcpcd:v0.6
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
  - name: metadata
-    image: linuxkit/metadata:v0.2
+    image: linuxkit/metadata:v0.6
 services:
  - name: getty
-    image: linuxkit/getty:v0.2
+    image: linuxkit/getty:v0.6
    env:
     - INSECURE=true
  - name: rngd
-    image: linuxkit/rngd:v0.2
+    image: linuxkit/rngd:v0.6
  - name: sshd
-    image: linuxkit/sshd:v0.2
+    image: linuxkit/sshd:v0.6
    binds:
     - /run/config/ssh/authorized_keys:/root/.ssh/authorized_keys
  - name: nginx
-    image: nginx:alpine
+    image: nginx:1.13.8-alpine
    capabilities:
     - CAP_NET_BIND_SERVICE
     - CAP_CHOWN
--- a/examples/wireguard.yml
+++ b/examples/wireguard.yml
@@ -1,19 +1,19 @@
 kernel:
-  image: linuxkit/kernel:4.9.78
+  image: linuxkit/kernel:4.14.58
  cmdline: "console=tty0 console=ttyS0 console=ttyAMA0"
 init:
-  - linuxkit/init:v0.2
-  - linuxkit/runc:v0.2
-  - linuxkit/containerd:v0.2
-  - linuxkit/ca-certificates:v0.2
+  - linuxkit/init:v0.6
+  - linuxkit/runc:v0.6
+  - linuxkit/containerd:v0.6
+  - linuxkit/ca-certificates:v0.6
 onboot:
  - name: sysctl
-    image: linuxkit/sysctl:v0.2
+    image: linuxkit/sysctl:v0.6
  - name: dhcpcd
-    image: linuxkit/dhcpcd:v0.2
+    image: linuxkit/dhcpcd:v0.6
    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
  - name: wg0
-    image: linuxkit/ip:v0.2
+    image: linuxkit/ip:v0.6
    net: new
    binds:
      - /etc/wireguard:/etc/wireguard
@@ -26,7 +26,7 @@ onboot:
      bindNS:
          net: /run/netns/wg0
  - name: wg1
-    image: linuxkit/ip:v0.2
+    image: linuxkit/ip:v0.6
    net: new
    binds:
      - /etc/wireguard:/etc/wireguard
@@ -40,14 +40,14 @@ onboot:
          net: /run/netns/wg1
 services:
  - name: getty
-    image: linuxkit/getty:v0.2
+    image: linuxkit/getty:v0.6
    env:
     - INSECURE=true
    net: /run/netns/wg1
  - name: rngd
-    image: linuxkit/rngd:v0.2
+    image: linuxkit/rngd:v0.6
  - name: nginx
-    image: nginx:alpine
+    image: nginx:1.13.8-alpine
    net: /run/netns/wg0
    capabilities:
     - CAP_NET_BIND_SERVICE
--- a/kernel/Dockerfile
+++ b/kernel/Dockerfile
@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:cba395fbc278daee841106801aba1e1bd7e0f2f7 AS kernel-build
+FROM linuxkit/alpine:6264e5b39af8eb1da7ffa4c05a7ccc597da01197 AS kernel-build
 RUN apk add \
    argp-standalone \
    automake \
@@ -16,11 +16,13 @@ RUN apk add \
    installkernel \
    kmod \
    libelf-dev \
+    libressl \
    libressl-dev \
    linux-headers \
    mpc1-dev \
    mpfr-dev \
    ncurses-dev \
+    patch \
    sed \
    squashfs-tools \
    tar \
@@ -34,13 +36,14 @@ RUN [ $(uname -m) == x86_64 ] && apk add libunwind-dev || true
 ARG KERNEL_VERSION
 ARG KERNEL_SERIES
 ARG EXTRA
+ARG DEBUG

 ENV KERNEL_SOURCE=https://www.kernel.org/pub/linux/kernel/v4.x/linux-${KERNEL_VERSION}.tar.xz
 ENV KERNEL_SHA256_SUMS=https://www.kernel.org/pub/linux/kernel/v4.x/sha256sums.asc
 ENV KERNEL_PGP2_SIGN=https://www.kernel.org/pub/linux/kernel/v4.x/linux-${KERNEL_VERSION}.tar.sign

-ENV WIREGUARD_VERSION=0.0.20180118
-ENV WIREGUARD_SHA256=463f3b402deb66b7ceac8df2d50944f32683933356455d6c1c7453926db3a8a3
+ENV WIREGUARD_VERSION=0.0.20180718
+ENV WIREGUARD_SHA256="083c093a6948c8d38f92e7ea5533f9ff926019f24dc2612ea974851ed3e24705"
 ENV WIREGUARD_URL=https://git.zx2c4.com/WireGuard/snapshot/WireGuard-${WIREGUARD_VERSION}.tar.xz

 # We copy the entire directory. This copies some unneeded files, but
@@ -61,16 +64,31 @@ RUN curl -fsSLO ${KERNEL_SHA256_SUMS} && \
    gpg2 --verify linux-${KERNEL_VERSION}.tar.sign linux-${KERNEL_VERSION}.tar && \
    cat linux-${KERNEL_VERSION}.tar | tar --absolute-names -x && mv /linux-${KERNEL_VERSION} /linux

-# Apply local patches if present
 WORKDIR /linux
+# Apply local specific patches if present
+RUN set -e && \
+    if [ -n "${EXTRA}" ] && [ -d /patches-${KERNEL_SERIES}${EXTRA} ]; then \
+	echo "Patching ${EXTRA} kernel"; \
+	for patch in /patches-${KERNEL_SERIES}${EXTRA}/*.patch; do \
+            echo "Applying $patch"; \
+            patch -t -F0 -N -u -p1 < "$patch"; \
+	done; \
+    fi
+
+# Apply local common patches if present
 RUN set -e && \
    if [ -d /patches-${KERNEL_SERIES} ]; then \
        for patch in /patches-${KERNEL_SERIES}/*.patch; do \
            echo "Applying $patch"; \
-            patch -p1 < "$patch"; \
+            patch -t -F0 -N -u -p1 < "$patch"; \
        done; \
    fi

+RUN mkdir -p /out/src
+
+# Save kernel source
+RUN tar cJf /out/src/linux.tar.xz /linux
+
 # Kernel config
 RUN case $(uname -m) in \
    x86_64) \
@@ -79,20 +97,23 @@ RUN case $(uname -m) in \
    aarch64) \
        KERNEL_DEF_CONF=/linux/arch/arm64/configs/defconfig; \
        ;; \
+    s390x) \
+        KERNEL_DEF_CONF=/linux/arch/s390/defconfig; \
+        ;; \
    esac  && \
    cp /config-${KERNEL_SERIES}-$(uname -m) ${KERNEL_DEF_CONF}; \
-    if [ -n "${EXTRA}" ]; then \
-        sed -i "s/CONFIG_LOCALVERSION=\"-linuxkit\"/CONFIG_LOCALVERSION=\"-linuxkit${EXTRA}\"/" ${KERNEL_DEF_CONF}; \
-        if [ "${EXTRA}" = "-dbg" ]; then \
-            sed -i 's/CONFIG_PANIC_ON_OOPS=y/# CONFIG_PANIC_ON_OOPS is not set/' ${KERNEL_DEF_CONF}; \
-        fi && \
-        cat /config${EXTRA} >> ${KERNEL_DEF_CONF}; \
+    if [ -n "${EXTRA}" ] && [ -f "/config-${KERNEL_SERIES}-$(uname -m)${EXTRA}" ]; then \
+        cat /config-${KERNEL_SERIES}-$(uname -m)${EXTRA} >> ${KERNEL_DEF_CONF}; \
+    fi; \
+    sed -i "s/CONFIG_LOCALVERSION=\"-linuxkit\"/CONFIG_LOCALVERSION=\"-linuxkit${EXTRA}${DEBUG}\"/" ${KERNEL_DEF_CONF}; \
+    if [ -n "${DEBUG}" ]; then \
+        sed -i 's/CONFIG_PANIC_ON_OOPS=y/# CONFIG_PANIC_ON_OOPS is not set/' ${KERNEL_DEF_CONF}; \
+        cat /config${DEBUG} >> ${KERNEL_DEF_CONF}; \
    fi && \
    make defconfig && \
    make oldconfig && \
-    if [ -z "${EXTRA}" ]; then diff .config ${KERNEL_DEF_CONF}; fi
+    if [ -z "${EXTRA}" ] && [ -z "${DEBUG}" ]; then diff .config ${KERNEL_DEF_CONF}; fi

-RUN mkdir /out

 # Kernel
 RUN make -j "$(getconf _NPROCESSORS_ONLN)" KCFLAGS="-fno-pie" && \
@@ -103,13 +124,17 @@ RUN make -j "$(getconf _NPROCESSORS_ONLN)" KCFLAGS="-fno-pie" && \
    aarch64) \
        cp arch/arm64/boot/Image.gz /out/kernel; \
        ;; \
+    s390x) \
+        cp arch/s390/boot/bzImage /out/kernel; \
+        ;; \
    esac && \
    cp System.map /out && \
-    ([ "${EXTRA}" = "-dbg" ] && cp vmlinux /out || true)
+    ([ -n "${DEBUG}" ] && cp vmlinux /out || true)

 # WireGuard
-RUN curl -sSL -o /wireguard.tar.xz "${WIREGUARD_URL}" && \
+RUN curl -fsSL -o /wireguard.tar.xz "${WIREGUARD_URL}" && \
    echo "${WIREGUARD_SHA256}  /wireguard.tar.xz" | sha256sum -c - && \
+    cp /wireguard.tar.xz /out/src/ && \
    tar -C / --one-top-level=wireguard --strip-components=2 -xJf /wireguard.tar.xz "WireGuard-${WIREGUARD_VERSION}/src" && \
    make -j "$(getconf _NPROCESSORS_ONLN)" M="/wireguard" modules

@@ -149,8 +174,10 @@ RUN DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdept

 RUN printf "KERNEL_SOURCE=${KERNEL_SOURCE}\n" > /out/kernel-source-info

-# perf (Don't compile for 4.4.x, it's broken and tedious to fix)
-RUN if [ "${KERNEL_SERIES}" != "4.4.x" ]; then \
+# perf
+# Skip for 4.4.x (the compile is broken and tedious to fix) and 4.9.x (the
+# compile broke with 4.9.93)
+RUN if [ "${KERNEL_SERIES}" != "4.4.x" ] && [ "${KERNEL_SERIES}" != "4.9.x" ]; then \
       mkdir -p /build/perf && \
       make -C tools/perf LDFLAGS=-static O=/build/perf && \
       strip /build/perf/perf && \
@@ -158,13 +185,14 @@ RUN if [ "${KERNEL_SERIES}" != "4.4.x" ]; then \
     fi

 # Download Intel ucode and create a CPIO archive for it
-ENV UCODE_URL=https://downloadmirror.intel.com/27431/eng/microcode-20180108.tgz
+ENV UCODE_URL=https://downloadmirror.intel.com/27776/eng/microcode-20180425.tgz
 RUN set -e && \
    if [ $(uname -m) == x86_64 ]; then \
        cd /ucode && \
-        curl -sSL -o microcode.tar.gz ${UCODE_URL} && \
+        curl -fsSL -o microcode.tar.gz ${UCODE_URL} && \
        md5sum -c intel-ucode-md5sums && \
        tar xf microcode.tar.gz && \
+        rm -f intel-ucode/list && \
        iucode_tool --normal-earlyfw --write-earlyfw=/out/intel-ucode.cpio ./intel-ucode && \
        cp intel-ucode-license.txt /out; \
    fi
--- a/kernel/Dockerfile.kconfig
+++ b/kernel/Dockerfile.kconfig
@@ -1,11 +1,14 @@
-FROM linuxkit/alpine:d307c8a386fa3f32cddda9409b9687e191cdd6f1 AS kernel-build
+FROM linuxkit/alpine:6264e5b39af8eb1da7ffa4c05a7ccc597da01197 AS kernel-build
 RUN apk add \
    argp-standalone \
+    bison \
    build-base \
    curl \
    diffutils \
+    flex \
    libarchive-tools \
    ncurses-dev \
+    patch \
    xz

 ARG KERNEL_VERSIONS
@@ -27,14 +30,15 @@ RUN set -e && \
        SERIES=${VERSION%.*}.x && \
        echo "Patching $VERSION $SERIES" && \
        cd /linux-${VERSION} && \
-            if [ -d /patches-${SERIES} ]; then \
-               for patch in /patches-${SERIES}/*.patch; do \
-                   echo "Applying $patch" && \
-                   patch -p1 < "$patch"; \
-               done; \
-            fi && \
-        mv /config-${SERIES}-x86_64 arch/x86/configs/x86_64_defconfig && \
-        mv /config-${SERIES}-aarch64 arch/arm64/configs/defconfig; \
+        if [ -d /patches-${SERIES} ]; then \
+           for patch in /patches-${SERIES}/*.patch; do \
+               echo "Applying $patch" && \
+               patch -t -F0 -N -u -p1 < "$patch"; \
+           done; \
+        fi && \
+        [ ! -f /config-${SERIES}-x86_64 ] || mv /config-${SERIES}-x86_64 arch/x86/configs/x86_64_defconfig && \
+        [ ! -f /config-${SERIES}-aarch64 ] || mv /config-${SERIES}-aarch64 arch/arm64/configs/defconfig ; \
+        [ ! -f /config-${SERIES}-s390x ] || mv /config-${SERIES}-s390x arch/s390/defconfig; \
    done

 ENTRYPOINT ["/bin/sh"]
--- a/kernel/Dockerfile.zfs
+++ b/kernel/Dockerfile.zfs
@@ -1,6 +1,6 @@
 ARG IMAGE
 FROM ${IMAGE} AS ksrc
-FROM linuxkit/alpine:d307c8a386fa3f32cddda9409b9687e191cdd6f1 AS build
+FROM linuxkit/alpine:6264e5b39af8eb1da7ffa4c05a7ccc597da01197 AS build
 RUN apk add \
    attr-dev \
    autoconf \
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -23,6 +23,11 @@ IMAGE_ZFS:=zfs-kmod
 # - append $(EXTRA) to the CONFIG_LOCALVERSION of your kernel
 EXTRA?=

+# You can enable debug options for the Makefile. This will:
+# - append a config-dbg to the kernel config for your kernel/arch
+# - append -dbg to the CONFIG_LOCALVERSION of your kernel
+DEBUG?=
+
 ifeq ($(HASH),)
 HASH_COMMIT?=HEAD # Setting this is only really useful with the show-tag target
 HASH?=$(shell git ls-tree --full-tree $(HASH_COMMIT) -- $(CURDIR) | awk '{print $$3}')
@@ -36,12 +41,15 @@ endif
 PUSH_MANIFEST:=$(shell git rev-parse --show-toplevel)/scripts/push-manifest.sh

 ARCH := $(shell uname -m)
-ifeq ($(ARCH), x86_64)
+ifeq ($(ARCH),x86_64)
 SUFFIX=-amd64
 endif
-ifeq ($(ARCH), aarch64)
+ifeq ($(ARCH),aarch64)
 SUFFIX=-arm64
 endif
+ifeq ($(ARCH),s390x)
+SUFFIX=-s390x
+endif

 TAG=$(HASH)$(DIRTY)

@@ -63,7 +71,7 @@ endif

 KERNEL_VERSIONS=

-.PHONY: check build push
+.PHONY: fetch build push
 # Targets:
 # fetch: Downloads the kernel sources into ./sources
 # build: Builds all kernels
@@ -79,107 +87,112 @@ sources:
 # Arguments:
 # $1: Full kernel version, e.g., 4.9.22
 # $2: Kernel "series", e.g., 4.9.x
-# $3: Build a debug kernel (used as suffix for image)
+# $3: Build a specific kernel like -rt: Preempt-RT (used as suffix for image)
 # This defines targets like:
 # build_4.9.x and  push_4.9.x and adds them as dependencies
 # to the global targets
-# Set $3 to "-dbg", to build debug kernels. This defines targets like
+# Set $3 to "-rt", to build Preempt-RT kernels. This defines targets like
+# build_4.14.x-rt and adds "-rt" to the hub image name.
+# Set $4 to "-dbg", to build debug kernels. This defines targets like
 # build_4.9.x-dbg and adds "-dbg" to the hub image name.
+# Set $3 to "-rt" and $4 to "-dbg" to build debug Preempt-RT kernel.
 define kernel

-ifeq ($(3),)
+ifeq ($(4),)
 sources/linux-$(1).tar.xz: Makefile | sources
 	curl -fsSLo sources/linux-$(1).tar.xz https://www.kernel.org/pub/linux/kernel/v4.x/linux-$(1).tar.xz 
 KERNEL_VERSIONS+=$(1)
 endif

-build_$(2)$(3): Dockerfile Makefile $(wildcard patches-$(2)/*) $(wildcard config-$(2)*) config-dbg | sources
-	docker pull $(ORG)/$(IMAGE):$(1)$(3)-$(TAG)$(SUFFIX) || \
+build_$(2)$(3)$(4): Dockerfile Makefile $(wildcard patches-$(2)/*) $(wildcard config-$(2)*) config-dbg | sources
+	docker pull $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) || \
 		docker build \
 			--build-arg KERNEL_VERSION=$(1) \
 			--build-arg KERNEL_SERIES=$(2) \
 			--build-arg EXTRA=$(3) \
+			--build-arg DEBUG=$(4) \
 			$(LABELS) \
-			--no-cache -t $(ORG)/$(IMAGE):$(1)$(3)-$(TAG)$(SUFFIX) .
+			--no-cache -t $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) .

-forcebuild_$(2)$(3): Dockerfile Makefile $(wildcard patches-$(2)/*) $(wildcard config-$(2)*) config-dbg | sources
+forcebuild_$(2)$(3)$(4): Dockerfile Makefile $(wildcard patches-$(2)/*) $(wildcard config-$(2)*) config-dbg | sources
 	docker build \
 		--build-arg KERNEL_VERSION=$(1) \
 		--build-arg KERNEL_SERIES=$(2) \
 		--build-arg EXTRA=$(3) \
+		--build-arg DEBUG=$(4) \
 		$(LABELS) \
-		--no-cache -t $(ORG)/$(IMAGE):$(1)$(3)-$(TAG)$(SUFFIX) .
+		--no-cache -t $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) .

-push_$(2)$(3): build_$(2)$(3)
+push_$(2)$(3)$(4): build_$(2)$(3)$(4)
 	@if [ x"$(DIRTY)" !=  x ]; then echo "Your repository is not clean. Will not push image"; exit 1; fi
-	docker pull $(ORG)/$(IMAGE):$(1)$(3)-$(TAG)$(SUFFIX) || \
-		(docker push $(ORG)/$(IMAGE):$(1)$(3)-$(TAG)$(SUFFIX) && \
-		 docker tag $(ORG)/$(IMAGE):$(1)$(3)-$(TAG)$(SUFFIX) $(ORG)/$(IMAGE):$(1)$(3)$(SUFFIX) && \
-		 docker push $(ORG)/$(IMAGE):$(1)$(3)$(SUFFIX) && \
-		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE):$(1)$(3)-$(TAG) $(DOCKER_CONTENT_TRUST) && \
-		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE):$(1)$(3) $(DOCKER_CONTENT_TRUST))
+	docker pull $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) || \
+		(docker push $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) && \
+		 docker tag $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) $(ORG)/$(IMAGE):$(1)$(3)$(4)$(SUFFIX) && \
+		 docker push $(ORG)/$(IMAGE):$(1)$(3)$(4)$(SUFFIX) && \
+		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG) $(DOCKER_CONTENT_TRUST) && \
+		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE):$(1)$(3)$(4) $(DOCKER_CONTENT_TRUST))

-forcepush_$(2)$(3): forcebuild_$(2)$(3)
+forcepush_$(2)$(3)$(4): forcebuild_$(2)$(3)$(4)
 	@if [ x"$(DIRTY)" !=  x ]; then echo "Your repository is not clean. Will not push image"; exit 1; fi
-	docker push $(ORG)/$(IMAGE):$(1)$(3)-$(TAG)$(SUFFIX) && \
-	 docker tag $(ORG)/$(IMAGE):$(1)$(3)-$(TAG)$(SUFFIX) $(ORG)/$(IMAGE):$(1)$(3)$(SUFFIX) && \
-	 docker push $(ORG)/$(IMAGE):$(1)$(3)$(SUFFIX) && \
-	 $(PUSH_MANIFEST) $(ORG)/$(IMAGE):$(1)$(3)-$(TAG) $(DOCKER_CONTENT_TRUST) && \
-	 $(PUSH_MANIFEST) $(ORG)/$(IMAGE):$(1)$(3) $(DOCKER_CONTENT_TRUST)
+	docker push $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) && \
+	 docker tag $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) $(ORG)/$(IMAGE):$(1)$(3)$(4)$(SUFFIX) && \
+	 docker push $(ORG)/$(IMAGE):$(1)$(3)$(4)$(SUFFIX) && \
+	 $(PUSH_MANIFEST) $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG) $(DOCKER_CONTENT_TRUST) && \
+	 $(PUSH_MANIFEST) $(ORG)/$(IMAGE):$(1)$(3)$(4) $(DOCKER_CONTENT_TRUST)

-show-tag_$(2)$(3):
-	@echo $(ORG)/$(IMAGE):$(1)$(3)-$(TAG)
+show-tag_$(2)$(3)$(4):
+	@echo $(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)

-build: build_$(2)$(3)
-forcebuild: forcebuild_$(2)$(3)
-push: push_$(2)$(3)
-forcepush: forcepush_$(2)$(3)
-show-tags: show-tag_$(2)$(3)
+build: build_$(2)$(3)$(4)
+forcebuild: forcebuild_$(2)$(3)$(4)
+push: push_$(2)$(3)$(4)
+forcepush: forcepush_$(2)$(3)$(4)
+show-tags: show-tag_$(2)$(3)$(4)
 fetch: sources/linux-$(1).tar.xz

 # 'docker build' with the FROM image supplied as --build-arg
 # *and* with DOCKER_CONTENT_TRUST=1 currently does not work
 # (https://github.com/moby/moby/issues/34199). So, we pull the image
-# with DCT as part of the dependency on build_$(2)$(3) and then build 
+# with DCT as part of the dependency on build_$(2)$(3)$(4) and then build
 # with DOCKER_CONTENT_TRUST explicitly set to 0

-ifneq ($(2), 4.4.x)
-# perf does not build out of the box for 4.4.x and 4.4.x is not that relevant anymore to work on a fix
-build_perf_$(2)$(3): build_$(2)$(3)
-	docker pull $(ORG)/$(IMAGE_PERF):$(1)$(3)-$(TAG)$(SUFFIX) || \
+ifneq ($(2), $(filter $(2),4.4.x 4.9.x))
+# perf does not build out of the box for 4.4.x and 4.9.x
+build_perf_$(2)$(3)$(4): build_$(2)$(3)$(4)
+	docker pull $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG)$(SUFFIX) || \
 		 DOCKER_CONTENT_TRUST=0 docker build -f Dockerfile.perf \
-			--build-arg IMAGE=$(ORG)/$(IMAGE):$(1)$(3)-$(TAG)$(SUFFIX) \
-			--no-cache --network=none $(LABEL) -t $(ORG)/$(IMAGE_PERF):$(1)$(3)-$(TAG)$(SUFFIX) .
+			--build-arg IMAGE=$(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) \
+			--no-cache --network=none $(LABEL) -t $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG)$(SUFFIX) .

-forcebuild_perf_$(2)$(3): build_$(2)$(3)
+forcebuild_perf_$(2)$(3)$(4): build_$(2)$(3)$(4)
 	 DOCKER_CONTENT_TRUST=0 docker build -f Dockerfile.perf \
-		--build-arg IMAGE=$(ORG)/$(IMAGE):$(1)$(3)-$(TAG)$(SUFFIX) \
-		--no-cache --network=none $(LABEL) -t $(ORG)/$(IMAGE_PERF):$(1)$(3)-$(TAG)$(SUFFIX) .
+		--build-arg IMAGE=$(ORG)/$(IMAGE):$(1)$(3)$(4)-$(TAG)$(SUFFIX) \
+		--no-cache --network=none $(LABEL) -t $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG)$(SUFFIX) .

-push_perf_$(2)$(3): build_perf_$(2)$(3)
+push_perf_$(2)$(3)$(4): build_perf_$(2)$(3)$(4)
 	@if [ x"$(DIRTY)" != x ]; then echo "Your repository is not clean. Will not push image"; exit 1; fi
-	docker pull $(ORG)/$(IMAGE_PERF):$(1)$(3)-$(TAG)$(SUFFIX) || \
-		(docker push $(ORG)/$(IMAGE_PERF):$(1)$(3)-$(TAG)$(SUFFIX) && \
-		 docker tag $(ORG)/$(IMAGE_PERF):$(1)$(3)-$(TAG)$(SUFFIX) $(ORG)/$(IMAGE_PERF):$(1)$(3)$(SUFFIX) && \
-		 docker push $(ORG)/$(IMAGE_PERF):$(1)$(3)$(SUFFIX) && \
-		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE_PERF):$(1)$(3)-$(TAG) $(DOCKER_CONTENT_TRUST) && \
-		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE_PERF):$(1)$(3) $(DOCKER_CONTENT_TRUST))
+	docker pull $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG)$(SUFFIX) || \
+		(docker push $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG)$(SUFFIX) && \
+		 docker tag $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG)$(SUFFIX) $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)$(SUFFIX) && \
+		 docker push $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)$(SUFFIX) && \
+		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG) $(DOCKER_CONTENT_TRUST) && \
+		 $(PUSH_MANIFEST) $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4) $(DOCKER_CONTENT_TRUST))

-forcepush_perf_$(2)$(3): forcebuild_perf_$(2)$(3)
+forcepush_perf_$(2)$(3)$(4): forcebuild_perf_$(2)$(3)$(4)
 	@if [ x"$(DIRTY)" != x ]; then echo "Your repository is not clean. Will not push image"; exit 1; fi
-	docker push $(ORG)/$(IMAGE_PERF):$(1)$(3)-$(TAG)$(SUFFIX) && \
-	docker tag $(ORG)/$(IMAGE_PERF):$(1)$(3)-$(TAG)$(SUFFIX) $(ORG)/$(IMAGE_PERF):$(1)$(3)$(SUFFIX) && \
-	docker push $(ORG)/$(IMAGE_PERF):$(1)$(3)$(SUFFIX) && \
-	$(PUSH_MANIFEST) $(ORG)/$(IMAGE_PERF):$(1)$(3)-$(TAG) $(DOCKER_CONTENT_TRUST) && \
-	$(PUSH_MANIFEST) $(ORG)/$(IMAGE_PERF):$(1)$(3) $(DOCKER_CONTENT_TRUST)
+	docker push $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG)$(SUFFIX) && \
+	docker tag $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG)$(SUFFIX) $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)$(SUFFIX) && \
+	docker push $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)$(SUFFIX) && \
+	$(PUSH_MANIFEST) $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4)-$(TAG) $(DOCKER_CONTENT_TRUST) && \
+	$(PUSH_MANIFEST) $(ORG)/$(IMAGE_PERF):$(1)$(3)$(4) $(DOCKER_CONTENT_TRUST)

-build: build_perf_$(2)$(3)
-forcebuild: forcebuild_perf_$(2)$(3)
-push: push_perf_$(2)$(3)
-forcepush: forcepush_perf_$(2)$(3)
+build: build_perf_$(2)$(3)$(4)
+forcebuild: forcebuild_perf_$(2)$(3)$(4)
+push: push_perf_$(2)$(3)$(4)
+forcepush: forcepush_perf_$(2)$(3)$(4)
 endif

-ifneq ($(3), -dbg)
+ifeq ($(4),)
 # ZFS does not compile against -dbg kernels because CONFIG_DEBUG_LOCK_ALLOC
 # is incompatible with CDDL, apparently (this is ./configure check)
 build_zfs_$(2)$(3): build_$(2)$(3)
@@ -204,11 +217,23 @@ endef
 # Build Targets
 # Debug targets only for latest stable and LTS stable
 #
-$(eval $(call kernel,4.14.15,4.14.x,$(EXTRA)))
-$(eval $(call kernel,4.14.15,4.14.x,-dbg))
-$(eval $(call kernel,4.9.78,4.9.x,$(EXTRA)))
-$(eval $(call kernel,4.9.78,4.9.x,-dbg))
-$(eval $(call kernel,4.4.113,4.4.x,$(EXTRA)))
+ifeq ($(ARCH),x86_64)
+$(eval $(call kernel,4.17.10,4.17.x,$(EXTRA),$(DEBUG)))
+$(eval $(call kernel,4.14.58,4.14.x,$(EXTRA),$(DEBUG)))
+$(eval $(call kernel,4.14.58,4.14.x,,-dbg))
+$(eval $(call kernel,4.14.53,4.14.x,-rt,))
+$(eval $(call kernel,4.9.115,4.9.x,$(EXTRA),$(DEBUG)))
+$(eval $(call kernel,4.4.144,4.4.x,$(EXTRA),$(DEBUG)))
+
+else ifeq ($(ARCH),aarch64)
+$(eval $(call kernel,4.17.10,4.17.x,$(EXTRA),$(DEBUG)))
+$(eval $(call kernel,4.14.58,4.14.x,$(EXTRA),$(DEBUG)))
+$(eval $(call kernel,4.14.53,4.14.x,-rt,))
+
+else ifeq ($(ARCH),s390x)
+$(eval $(call kernel,4.17.10,4.17.x,$(EXTRA),$(DEBUG)))
+$(eval $(call kernel,4.14.58,4.14.x,$(EXTRA),$(DEBUG)))
+endif

 # Target for kernel config
 kconfig: | sources
--- a/kernel/config-4.14.x-aarch64
+++ b/kernel/config-4.14.x-aarch64
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/arm64 4.14.15 Kernel Configuration
+# Linux/arm64 4.14.58 Kernel Configuration
 #
 CONFIG_ARM64=y
 CONFIG_64BIT=y
@@ -199,6 +199,7 @@ CONFIG_SIGNALFD=y
 CONFIG_TIMERFD=y
 CONFIG_EVENTFD=y
 CONFIG_BPF_SYSCALL=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_SHMEM=y
 CONFIG_AIO=y
 CONFIG_ADVISE_SYSCALLS=y
@@ -487,6 +488,7 @@ CONFIG_ARM64_ERRATUM_819472=y
 CONFIG_ARM64_ERRATUM_832075=y
 CONFIG_ARM64_ERRATUM_834220=y
 CONFIG_ARM64_ERRATUM_843419=y
+CONFIG_ARM64_ERRATUM_1024718=y
 CONFIG_CAVIUM_ERRATUM_22375=y
 CONFIG_CAVIUM_ERRATUM_23154=y
 CONFIG_CAVIUM_ERRATUM_27456=y
@@ -494,6 +496,7 @@ CONFIG_CAVIUM_ERRATUM_30115=y
 CONFIG_QCOM_FALKOR_ERRATUM_1003=y
 CONFIG_QCOM_FALKOR_ERRATUM_1009=y
 CONFIG_QCOM_QDF2400_ERRATUM_0065=y
+CONFIG_QCOM_FALKOR_ERRATUM_E1041=y
 CONFIG_ARM64_4K_PAGES=y
 # CONFIG_ARM64_16K_PAGES is not set
 # CONFIG_ARM64_64K_PAGES is not set
@@ -569,6 +572,9 @@ CONFIG_PARAVIRT=y
 CONFIG_XEN_DOM0=y
 CONFIG_XEN=y
 CONFIG_FORCE_MAX_ZONEORDER=11
+CONFIG_UNMAP_KERNEL_AT_EL0=y
+CONFIG_HARDEN_BRANCH_PREDICTOR=y
+CONFIG_ARM64_SSBD=y
 # CONFIG_ARM64_SW_TTBR0_PAN is not set

 #
@@ -1055,6 +1061,9 @@ CONFIG_NF_CONNTRACK_IPV6=y
 # CONFIG_NF_SOCKET_IPV6 is not set
 CONFIG_NF_TABLES_IPV6=y
 CONFIG_NFT_CHAIN_ROUTE_IPV6=y
+CONFIG_NFT_CHAIN_NAT_IPV6=y
+CONFIG_NFT_MASQ_IPV6=y
+CONFIG_NFT_REDIR_IPV6=y
 CONFIG_NFT_REJECT_IPV6=y
 CONFIG_NFT_DUP_IPV6=y
 # CONFIG_NFT_FIB_IPV6 is not set
@@ -1062,10 +1071,7 @@ CONFIG_NF_DUP_IPV6=y
 CONFIG_NF_REJECT_IPV6=y
 CONFIG_NF_LOG_IPV6=y
 CONFIG_NF_NAT_IPV6=y
-CONFIG_NFT_CHAIN_NAT_IPV6=y
 CONFIG_NF_NAT_MASQUERADE_IPV6=y
-CONFIG_NFT_MASQ_IPV6=y
-CONFIG_NFT_REDIR_IPV6=y
 CONFIG_IP6_NF_IPTABLES=y
 CONFIG_IP6_NF_MATCH_AH=y
 CONFIG_IP6_NF_MATCH_EUI64=y
@@ -1112,7 +1118,15 @@ CONFIG_BRIDGE_EBT_SNAT=y
 CONFIG_BRIDGE_EBT_LOG=y
 CONFIG_BRIDGE_EBT_NFLOG=y
 # CONFIG_IP_DCCP is not set
-# CONFIG_IP_SCTP is not set
+CONFIG_IP_SCTP=m
+# CONFIG_NET_SCTPPROBE is not set
+# CONFIG_SCTP_DBG_OBJCNT is not set
+CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5=y
+# CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1 is not set
+# CONFIG_SCTP_DEFAULT_COOKIE_HMAC_NONE is not set
+CONFIG_SCTP_COOKIE_HMAC_MD5=y
+# CONFIG_SCTP_COOKIE_HMAC_SHA1 is not set
+CONFIG_INET_SCTP_DIAG=m
 # CONFIG_RDS is not set
 # CONFIG_TIPC is not set
 # CONFIG_ATM is not set
@@ -1228,7 +1242,8 @@ CONFIG_VIRTIO_VSOCKETS_COMMON=y
 CONFIG_NETLINK_DIAG=y
 CONFIG_MPLS=y
 CONFIG_NET_MPLS_GSO=m
-# CONFIG_MPLS_ROUTING is not set
+CONFIG_MPLS_ROUTING=m
+CONFIG_MPLS_IPTUNNEL=m
 # CONFIG_NET_NSH is not set
 # CONFIG_HSR is not set
 CONFIG_NET_SWITCHDEV=y
@@ -1267,7 +1282,9 @@ CONFIG_NET_9P_VIRTIO=y
 # CONFIG_NET_9P_XEN is not set
 # CONFIG_NET_9P_DEBUG is not set
 # CONFIG_CAIF is not set
-# CONFIG_CEPH_LIB is not set
+CONFIG_CEPH_LIB=m
+# CONFIG_CEPH_LIB_PRETTYDEBUG is not set
+# CONFIG_CEPH_LIB_USE_DNS_RESOLVER is not set
 # CONFIG_NFC is not set
 # CONFIG_PSAMPLE is not set
 # CONFIG_NET_IFE is not set
@@ -1359,7 +1376,8 @@ CONFIG_BLK_DEV=y
 CONFIG_BLK_DEV_LOOP=y
 CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
 CONFIG_BLK_DEV_CRYPTOLOOP=y
-# CONFIG_BLK_DEV_DRBD is not set
+CONFIG_BLK_DEV_DRBD=m
+# CONFIG_DRBD_FAULT_INJECTION is not set
 CONFIG_BLK_DEV_NBD=y
 # CONFIG_BLK_DEV_SKD is not set
 # CONFIG_BLK_DEV_SX8 is not set
@@ -1371,7 +1389,7 @@ CONFIG_ATA_OVER_ETH=m
 CONFIG_XEN_BLKDEV_FRONTEND=y
 CONFIG_VIRTIO_BLK=y
 # CONFIG_VIRTIO_BLK_SCSI is not set
-# CONFIG_BLK_DEV_RBD is not set
+CONFIG_BLK_DEV_RBD=m
 # CONFIG_BLK_DEV_RSXX is not set
 CONFIG_NVME_CORE=y
 CONFIG_BLK_DEV_NVME=y
@@ -2126,7 +2144,8 @@ CONFIG_SERIAL_CORE_CONSOLE=y
 # CONFIG_SERIAL_RP2 is not set
 # CONFIG_SERIAL_FSL_LPUART is not set
 # CONFIG_SERIAL_CONEXANT_DIGICOLOR is not set
-# CONFIG_SERIAL_DEV_BUS is not set
+CONFIG_SERIAL_DEV_BUS=y
+# CONFIG_SERIAL_DEV_CTRL_TTYPORT is not set
 # CONFIG_TTY_PRINTK is not set
 CONFIG_HVC_DRIVER=y
 CONFIG_HVC_IRQ=y
@@ -2160,7 +2179,7 @@ CONFIG_TCG_TIS_I2C_NUVOTON=m
 CONFIG_TCG_ATMEL=m
 CONFIG_TCG_INFINEON=m
 CONFIG_TCG_XEN=m
-CONFIG_TCG_CRB=m
+CONFIG_TCG_CRB=y
 CONFIG_TCG_VTPM_PROXY=m
 CONFIG_TCG_TIS_ST33ZP24=m
 CONFIG_TCG_TIS_ST33ZP24_I2C=m
@@ -2733,7 +2752,7 @@ CONFIG_FB_DEFERRED_IO=y
 # CONFIG_FB_CYBER2000 is not set
 # CONFIG_FB_ASILIANT is not set
 # CONFIG_FB_IMSTT is not set
-# CONFIG_FB_EFI is not set
+CONFIG_FB_EFI=y
 # CONFIG_FB_OPENCORES is not set
 # CONFIG_FB_S1D13XXX is not set
 # CONFIG_FB_NVIDIA is not set
@@ -2935,7 +2954,22 @@ CONFIG_USB_UHCI_HCD=m
 #
 # also be needed; see USB_STORAGE Help for more info
 #
-# CONFIG_USB_STORAGE is not set
+CONFIG_USB_STORAGE=m
+# CONFIG_USB_STORAGE_DEBUG is not set
+# CONFIG_USB_STORAGE_REALTEK is not set
+# CONFIG_USB_STORAGE_DATAFAB is not set
+# CONFIG_USB_STORAGE_FREECOM is not set
+# CONFIG_USB_STORAGE_ISD200 is not set
+# CONFIG_USB_STORAGE_USBAT is not set
+# CONFIG_USB_STORAGE_SDDR09 is not set
+# CONFIG_USB_STORAGE_SDDR55 is not set
+# CONFIG_USB_STORAGE_JUMPSHOT is not set
+# CONFIG_USB_STORAGE_ALAUDA is not set
+# CONFIG_USB_STORAGE_ONETOUCH is not set
+# CONFIG_USB_STORAGE_KARMA is not set
+# CONFIG_USB_STORAGE_CYPRESS_ATACB is not set
+# CONFIG_USB_STORAGE_ENE_UB6250 is not set
+# CONFIG_USB_UAS is not set

 #
 # USB Imaging devices
@@ -3710,7 +3744,9 @@ CONFIG_SUNRPC_GSS=m
 CONFIG_SUNRPC_BACKCHANNEL=y
 CONFIG_RPCSEC_GSS_KRB5=m
 # CONFIG_SUNRPC_DEBUG is not set
-# CONFIG_CEPH_FS is not set
+CONFIG_CEPH_FS=m
+CONFIG_CEPH_FSCACHE=y
+CONFIG_CEPH_FS_POSIX_ACL=y
 CONFIG_CIFS=y
 # CONFIG_CIFS_STATS is not set
 # CONFIG_CIFS_WEAK_PW_HASH is not set
@@ -3953,7 +3989,6 @@ CONFIG_FTRACE_SYSCALLS=y
 # CONFIG_TRACER_SNAPSHOT is not set
 CONFIG_BRANCH_PROFILE_NONE=y
 # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
-# CONFIG_PROFILE_ALL_BRANCHES is not set
 CONFIG_STACK_TRACER=y
 CONFIG_BLK_DEV_IO_TRACE=y
 CONFIG_KPROBE_EVENTS=y
@@ -4029,7 +4064,7 @@ CONFIG_STRICT_DEVMEM=y
 CONFIG_KEYS=y
 CONFIG_PERSISTENT_KEYRINGS=y
 CONFIG_BIG_KEYS=y
-CONFIG_TRUSTED_KEYS=m
+CONFIG_TRUSTED_KEYS=y
 CONFIG_ENCRYPTED_KEYS=y
 CONFIG_KEY_DH_OPERATIONS=y
 CONFIG_SECURITY_DMESG_RESTRICT=y
@@ -4052,10 +4087,26 @@ CONFIG_STATIC_USERMODEHELPER_PATH="/sbin/usermode-helper"
 # CONFIG_SECURITY_LOADPIN is not set
 CONFIG_SECURITY_YAMA=y
 CONFIG_INTEGRITY=y
-# CONFIG_INTEGRITY_SIGNATURE is not set
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
 CONFIG_INTEGRITY_AUDIT=y
-# CONFIG_IMA is not set
-# CONFIG_EVM is not set
+CONFIG_IMA=y
+CONFIG_IMA_MEASURE_PCR_IDX=10
+# CONFIG_IMA_TEMPLATE is not set
+CONFIG_IMA_NG_TEMPLATE=y
+# CONFIG_IMA_SIG_TEMPLATE is not set
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
+# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
+# CONFIG_IMA_DEFAULT_HASH_WP512 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
+# CONFIG_IMA_WRITE_POLICY is not set
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_APPRAISE=y
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+CONFIG_EVM=y
+CONFIG_EVM_ATTR_FSUUID=y
 CONFIG_DEFAULT_SECURITY_DAC=y
 CONFIG_DEFAULT_SECURITY=""
 CONFIG_XOR_BLOCKS=m
@@ -4307,11 +4358,13 @@ CONFIG_DQL=y
 CONFIG_GLOB=y
 # CONFIG_GLOB_SELFTEST is not set
 CONFIG_NLATTR=y
+CONFIG_LRU_CACHE=m
 CONFIG_CLZ_TAB=y
 # CONFIG_CORDIC is not set
 # CONFIG_DDR is not set
 # CONFIG_IRQ_POLL is not set
 CONFIG_MPILIB=y
+CONFIG_SIGNATURE=y
 CONFIG_LIBFDT=y
 CONFIG_OID_REGISTRY=y
 CONFIG_UCS2_STRING=y
--- a/kernel/config-4.14.x-aarch64-rt
+++ b/kernel/config-4.14.x-aarch64-rt
@@ -0,0 +1,20 @@
+CONFIG_SLUB_DEBUG=y
+# CONFIG_SLUB_MEMCG_SYSFS_ON is not set
+CONFIG_SLUB=y
+# CONFIG_SLAB_FREELIST_HARDENED is not set
+CONFIG_HAVE_ALIGNED_STRUCT_PAGE=y
+CONFIG_PREEMPT=y
+CONFIG_PREEMPT_RT_BASE=y
+CONFIG_HAVE_PREEMPT_LAZY=y
+CONFIG_PREEMPT_LAZY=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT__LL is not set
+# CONFIG_PREEMPT_RTB is not set
+CONFIG_PREEMPT_RT_FULL=y
+CONFIG_PREEMPT_COUNT=y
+# CONFIG_SLUB_DEBUG_ON is not set
+# CONFIG_SLUB_STATS is not set
+CONFIG_DEBUG_PREEMPT=y
+# CONFIG_PREEMPT_TRACER is not set
+CONFIG_HZ_1000=y
+CONFIG_HZ=1000
--- a/kernel/config-4.4.x-aarch64
+++ b/kernel/config-4.4.x-aarch64
--- a/kernel/config-4.14.x-x86_64
+++ b/kernel/config-4.14.x-x86_64
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.14.15 Kernel Configuration
+# Linux/x86 4.14.58 Kernel Configuration
 #
 CONFIG_64BIT=y
 CONFIG_X86_64=y
@@ -224,6 +224,7 @@ CONFIG_SIGNALFD=y
 CONFIG_TIMERFD=y
 CONFIG_EVENTFD=y
 CONFIG_BPF_SYSCALL=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_SHMEM=y
 CONFIG_AIO=y
 CONFIG_ADVISE_SYSCALLS=y
@@ -1218,6 +1219,9 @@ CONFIG_NF_CONNTRACK_IPV6=y
 # CONFIG_NF_SOCKET_IPV6 is not set
 CONFIG_NF_TABLES_IPV6=y
 CONFIG_NFT_CHAIN_ROUTE_IPV6=y
+CONFIG_NFT_CHAIN_NAT_IPV6=y
+CONFIG_NFT_MASQ_IPV6=y
+CONFIG_NFT_REDIR_IPV6=y
 CONFIG_NFT_REJECT_IPV6=y
 CONFIG_NFT_DUP_IPV6=y
 # CONFIG_NFT_FIB_IPV6 is not set
@@ -1225,10 +1229,7 @@ CONFIG_NF_DUP_IPV6=y
 CONFIG_NF_REJECT_IPV6=y
 CONFIG_NF_LOG_IPV6=y
 CONFIG_NF_NAT_IPV6=y
-CONFIG_NFT_CHAIN_NAT_IPV6=y
 CONFIG_NF_NAT_MASQUERADE_IPV6=y
-CONFIG_NFT_MASQ_IPV6=y
-CONFIG_NFT_REDIR_IPV6=y
 CONFIG_IP6_NF_IPTABLES=y
 CONFIG_IP6_NF_MATCH_AH=y
 CONFIG_IP6_NF_MATCH_EUI64=y
@@ -1275,7 +1276,15 @@ CONFIG_BRIDGE_EBT_SNAT=y
 CONFIG_BRIDGE_EBT_LOG=y
 CONFIG_BRIDGE_EBT_NFLOG=y
 # CONFIG_IP_DCCP is not set
-# CONFIG_IP_SCTP is not set
+CONFIG_IP_SCTP=m
+# CONFIG_NET_SCTPPROBE is not set
+# CONFIG_SCTP_DBG_OBJCNT is not set
+CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5=y
+# CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1 is not set
+# CONFIG_SCTP_DEFAULT_COOKIE_HMAC_NONE is not set
+CONFIG_SCTP_COOKIE_HMAC_MD5=y
+# CONFIG_SCTP_COOKIE_HMAC_SHA1 is not set
+CONFIG_INET_SCTP_DIAG=m
 # CONFIG_RDS is not set
 # CONFIG_TIPC is not set
 # CONFIG_ATM is not set
@@ -1392,7 +1401,8 @@ CONFIG_HYPERV_VSOCKETS=y
 CONFIG_NETLINK_DIAG=y
 CONFIG_MPLS=y
 CONFIG_NET_MPLS_GSO=m
-# CONFIG_MPLS_ROUTING is not set
+CONFIG_MPLS_ROUTING=m
+CONFIG_MPLS_IPTUNNEL=m
 # CONFIG_NET_NSH is not set
 # CONFIG_HSR is not set
 CONFIG_NET_SWITCHDEV=y
@@ -1430,7 +1440,9 @@ CONFIG_NET_9P_VIRTIO=y
 # CONFIG_NET_9P_XEN is not set
 # CONFIG_NET_9P_DEBUG is not set
 # CONFIG_CAIF is not set
-# CONFIG_CEPH_LIB is not set
+CONFIG_CEPH_LIB=m
+# CONFIG_CEPH_LIB_PRETTYDEBUG is not set
+# CONFIG_CEPH_LIB_USE_DNS_RESOLVER is not set
 # CONFIG_NFC is not set
 # CONFIG_PSAMPLE is not set
 # CONFIG_NET_IFE is not set
@@ -1498,7 +1510,8 @@ CONFIG_BLK_DEV=y
 CONFIG_BLK_DEV_LOOP=y
 CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
 CONFIG_BLK_DEV_CRYPTOLOOP=y
-# CONFIG_BLK_DEV_DRBD is not set
+CONFIG_BLK_DEV_DRBD=m
+# CONFIG_DRBD_FAULT_INJECTION is not set
 CONFIG_BLK_DEV_NBD=y
 # CONFIG_BLK_DEV_SKD is not set
 # CONFIG_BLK_DEV_SX8 is not set
@@ -1511,7 +1524,7 @@ CONFIG_ATA_OVER_ETH=m
 CONFIG_XEN_BLKDEV_FRONTEND=y
 CONFIG_VIRTIO_BLK=y
 # CONFIG_VIRTIO_BLK_SCSI is not set
-# CONFIG_BLK_DEV_RBD is not set
+CONFIG_BLK_DEV_RBD=m
 # CONFIG_BLK_DEV_RSXX is not set
 CONFIG_NVME_CORE=y
 CONFIG_BLK_DEV_NVME=y
@@ -2218,9 +2231,9 @@ CONFIG_HPET=y
 CONFIG_HPET_MMAP=y
 CONFIG_HPET_MMAP_DEFAULT=y
 CONFIG_HANGCHECK_TIMER=y
-CONFIG_TCG_TPM=m
-CONFIG_TCG_TIS_CORE=m
-CONFIG_TCG_TIS=m
+CONFIG_TCG_TPM=y
+CONFIG_TCG_TIS_CORE=y
+CONFIG_TCG_TIS=y
 CONFIG_TCG_TIS_I2C_ATMEL=m
 CONFIG_TCG_TIS_I2C_INFINEON=m
 CONFIG_TCG_TIS_I2C_NUVOTON=m
@@ -2228,7 +2241,7 @@ CONFIG_TCG_NSC=m
 CONFIG_TCG_ATMEL=m
 CONFIG_TCG_INFINEON=m
 CONFIG_TCG_XEN=m
-CONFIG_TCG_CRB=m
+CONFIG_TCG_CRB=y
 CONFIG_TCG_VTPM_PROXY=m
 CONFIG_TCG_TIS_ST33ZP24=m
 CONFIG_TCG_TIS_ST33ZP24_I2C=m
@@ -2671,7 +2684,7 @@ CONFIG_FB_DEFERRED_IO=y
 # CONFIG_FB_VGA16 is not set
 # CONFIG_FB_UVESA is not set
 CONFIG_FB_VESA=y
-# CONFIG_FB_EFI is not set
+CONFIG_FB_EFI=y
 # CONFIG_FB_N411 is not set
 # CONFIG_FB_HGA is not set
 # CONFIG_FB_OPENCORES is not set
@@ -2880,7 +2893,22 @@ CONFIG_USB_UHCI_HCD=m
 #
 # also be needed; see USB_STORAGE Help for more info
 #
-# CONFIG_USB_STORAGE is not set
+CONFIG_USB_STORAGE=m
+# CONFIG_USB_STORAGE_DEBUG is not set
+# CONFIG_USB_STORAGE_REALTEK is not set
+# CONFIG_USB_STORAGE_DATAFAB is not set
+# CONFIG_USB_STORAGE_FREECOM is not set
+# CONFIG_USB_STORAGE_ISD200 is not set
+# CONFIG_USB_STORAGE_USBAT is not set
+# CONFIG_USB_STORAGE_SDDR09 is not set
+# CONFIG_USB_STORAGE_SDDR55 is not set
+# CONFIG_USB_STORAGE_JUMPSHOT is not set
+# CONFIG_USB_STORAGE_ALAUDA is not set
+# CONFIG_USB_STORAGE_ONETOUCH is not set
+# CONFIG_USB_STORAGE_KARMA is not set
+# CONFIG_USB_STORAGE_CYPRESS_ATACB is not set
+# CONFIG_USB_STORAGE_ENE_UB6250 is not set
+# CONFIG_USB_UAS is not set

 #
 # USB Imaging devices
@@ -3510,7 +3538,9 @@ CONFIG_SUNRPC_GSS=m
 CONFIG_SUNRPC_BACKCHANNEL=y
 CONFIG_RPCSEC_GSS_KRB5=m
 # CONFIG_SUNRPC_DEBUG is not set
-# CONFIG_CEPH_FS is not set
+CONFIG_CEPH_FS=m
+CONFIG_CEPH_FSCACHE=y
+CONFIG_CEPH_FS_POSIX_ACL=y
 CONFIG_CIFS=y
 # CONFIG_CIFS_STATS is not set
 # CONFIG_CIFS_WEAK_PW_HASH is not set
@@ -3645,7 +3675,6 @@ CONFIG_DEBUG_MEMORY_INIT=y
 # CONFIG_DEBUG_PER_CPU_MAPS is not set
 CONFIG_HAVE_DEBUG_STACKOVERFLOW=y
 # CONFIG_DEBUG_STACKOVERFLOW is not set
-CONFIG_HAVE_ARCH_KMEMCHECK=y
 CONFIG_HAVE_ARCH_KASAN=y
 # CONFIG_KASAN is not set
 CONFIG_ARCH_HAS_KCOV=y
@@ -3746,7 +3775,6 @@ CONFIG_FTRACE_SYSCALLS=y
 # CONFIG_TRACER_SNAPSHOT is not set
 CONFIG_BRANCH_PROFILE_NONE=y
 # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
-# CONFIG_PROFILE_ALL_BRANCHES is not set
 CONFIG_STACK_TRACER=y
 CONFIG_BLK_DEV_IO_TRACE=y
 CONFIG_KPROBE_EVENTS=y
@@ -3851,7 +3879,7 @@ CONFIG_KEYS=y
 CONFIG_KEYS_COMPAT=y
 CONFIG_PERSISTENT_KEYRINGS=y
 CONFIG_BIG_KEYS=y
-CONFIG_TRUSTED_KEYS=m
+CONFIG_TRUSTED_KEYS=y
 CONFIG_ENCRYPTED_KEYS=y
 CONFIG_KEY_DH_OPERATIONS=y
 CONFIG_SECURITY_DMESG_RESTRICT=y
@@ -3875,10 +3903,26 @@ CONFIG_STATIC_USERMODEHELPER_PATH="/sbin/usermode-helper"
 # CONFIG_SECURITY_LOADPIN is not set
 CONFIG_SECURITY_YAMA=y
 CONFIG_INTEGRITY=y
-# CONFIG_INTEGRITY_SIGNATURE is not set
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
 CONFIG_INTEGRITY_AUDIT=y
-# CONFIG_IMA is not set
-# CONFIG_EVM is not set
+CONFIG_IMA=y
+CONFIG_IMA_MEASURE_PCR_IDX=10
+# CONFIG_IMA_TEMPLATE is not set
+CONFIG_IMA_NG_TEMPLATE=y
+# CONFIG_IMA_SIG_TEMPLATE is not set
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
+# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
+# CONFIG_IMA_DEFAULT_HASH_WP512 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
+# CONFIG_IMA_WRITE_POLICY is not set
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_APPRAISE=y
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+CONFIG_EVM=y
+CONFIG_EVM_ATTR_FSUUID=y
 CONFIG_DEFAULT_SECURITY_DAC=y
 CONFIG_DEFAULT_SECURITY=""
 CONFIG_XOR_BLOCKS=m
@@ -4012,7 +4056,6 @@ CONFIG_CRYPTO_DES3_EDE_X86_64=y
 CONFIG_CRYPTO_FCRYPT=y
 CONFIG_CRYPTO_KHAZAD=y
 CONFIG_CRYPTO_SALSA20=y
-CONFIG_CRYPTO_SALSA20_X86_64=y
 CONFIG_CRYPTO_CHACHA20=y
 CONFIG_CRYPTO_CHACHA20_X86_64=y
 CONFIG_CRYPTO_SEED=y
@@ -4172,11 +4215,13 @@ CONFIG_DQL=y
 CONFIG_GLOB=y
 # CONFIG_GLOB_SELFTEST is not set
 CONFIG_NLATTR=y
+CONFIG_LRU_CACHE=m
 CONFIG_CLZ_TAB=y
 # CONFIG_CORDIC is not set
 # CONFIG_DDR is not set
 # CONFIG_IRQ_POLL is not set
 CONFIG_MPILIB=y
+CONFIG_SIGNATURE=y
 CONFIG_OID_REGISTRY=y
 CONFIG_UCS2_STRING=y
 CONFIG_FONT_SUPPORT=y
--- a/kernel/config-4.14.x-x86_64-rt
+++ b/kernel/config-4.14.x-x86_64-rt
@@ -0,0 +1,22 @@
+CONFIG_RWSEM_GENERIC_SPINLOCK=y
+# CONFIG_RWSEM_XCHGADD_ALGORITHM is not set
+CONFIG_PREEMPT_RCU=y
+CONFIG_TASKS_RCU=y
+CONFIG_SLUB_DEBUG=y
+# CONFIG_SLUB_MEMCG_SYSFS_ON is not set
+CONFIG_SLUB=y
+# CONFIG_SLAB_FREELIST_HARDENED is not set
+CONFIG_HAVE_ALIGNED_STRUCT_PAGE=y
+CONFIG_PREEMPT=y
+CONFIG_PREEMPT_RT_BASE=y
+CONFIG_HAVE_PREEMPT_LAZY=y
+CONFIG_PREEMPT_LAZY=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT__LL is not set
+# CONFIG_PREEMPT_RTB is not set
+CONFIG_PREEMPT_RT_FULL=y
+CONFIG_PREEMPT_COUNT=y
+# CONFIG_SLUB_DEBUG_ON is not set
+# CONFIG_SLUB_STATS is not set
+CONFIG_DEBUG_PREEMPT=y
+# CONFIG_PREEMPT_TRACER is not set
--- a/kernel/config-4.17.x-aarch64
+++ b/kernel/config-4.17.x-aarch64
--- a/kernel/config-4.17.x-s390x
+++ b/kernel/config-4.17.x-s390x
--- a/kernel/config-4.17.x-x86_64
+++ b/kernel/config-4.17.x-x86_64
--- a/kernel/config-4.4.x-x86_64
+++ b/kernel/config-4.4.x-x86_64
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.4.113 Kernel Configuration
+# Linux/x86 4.4.144 Kernel Configuration
 #
 CONFIG_64BIT=y
 CONFIG_X86_64=y
@@ -36,7 +36,6 @@ CONFIG_AUDIT_ARCH=y
 CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
 CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
 CONFIG_X86_64_SMP=y
-CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"
 CONFIG_ARCH_SUPPORTS_UPROBES=y
 CONFIG_FIX_EARLYCON_MEM=y
 CONFIG_PGTABLE_LEVELS=4
@@ -184,6 +183,7 @@ CONFIG_RD_GZIP=y
 # CONFIG_RD_XZ is not set
 # CONFIG_RD_LZO is not set
 # CONFIG_RD_LZ4 is not set
+# CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set
 CONFIG_CC_OPTIMIZE_FOR_SIZE=y
 CONFIG_SYSCTL=y
 CONFIG_ANON_INODES=y
@@ -210,6 +210,7 @@ CONFIG_SIGNALFD=y
 CONFIG_TIMERFD=y
 CONFIG_EVENTFD=y
 CONFIG_BPF_SYSCALL=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_SHMEM=y
 CONFIG_AIO=y
 CONFIG_ADVISE_SYSCALLS=y
@@ -375,6 +376,7 @@ CONFIG_FREEZER=y
 CONFIG_ZONE_DMA=y
 CONFIG_SMP=y
 CONFIG_X86_FEATURE_NAMES=y
+CONFIG_X86_FAST_FEATURE_TESTS=y
 # CONFIG_X86_X2APIC is not set
 CONFIG_X86_MPPARSE=y
 CONFIG_RETPOLINE=y
@@ -1123,7 +1125,14 @@ CONFIG_BRIDGE_EBT_SNAT=y
 CONFIG_BRIDGE_EBT_LOG=y
 CONFIG_BRIDGE_EBT_NFLOG=y
 # CONFIG_IP_DCCP is not set
-# CONFIG_IP_SCTP is not set
+CONFIG_IP_SCTP=m
+# CONFIG_NET_SCTPPROBE is not set
+# CONFIG_SCTP_DBG_OBJCNT is not set
+CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5=y
+# CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1 is not set
+# CONFIG_SCTP_DEFAULT_COOKIE_HMAC_NONE is not set
+CONFIG_SCTP_COOKIE_HMAC_MD5=y
+# CONFIG_SCTP_COOKIE_HMAC_SHA1 is not set
 # CONFIG_RDS is not set
 # CONFIG_TIPC is not set
 # CONFIG_ATM is not set
@@ -1231,7 +1240,8 @@ CONFIG_VSOCKETS=y
 CONFIG_NETLINK_DIAG=y
 CONFIG_MPLS=y
 CONFIG_NET_MPLS_GSO=m
-# CONFIG_MPLS_ROUTING is not set
+CONFIG_MPLS_ROUTING=m
+CONFIG_MPLS_IPTUNNEL=m
 # CONFIG_HSR is not set
 CONFIG_NET_SWITCHDEV=y
 CONFIG_NET_L3_MASTER_DEV=y
@@ -1264,10 +1274,14 @@ CONFIG_NET_9P=y
 CONFIG_NET_9P_VIRTIO=y
 # CONFIG_NET_9P_DEBUG is not set
 # CONFIG_CAIF is not set
-# CONFIG_CEPH_LIB is not set
+CONFIG_CEPH_LIB=m
+# CONFIG_CEPH_LIB_PRETTYDEBUG is not set
+# CONFIG_CEPH_LIB_USE_DNS_RESOLVER is not set
 # CONFIG_NFC is not set
 CONFIG_LWTUNNEL=y
+CONFIG_DST_CACHE=y
 CONFIG_HAVE_BPF_JIT=y
+CONFIG_HAVE_EBPF_JIT=y

 #
 # Device Drivers
@@ -1322,7 +1336,8 @@ CONFIG_BLK_DEV=y
 CONFIG_BLK_DEV_LOOP=y
 CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
 CONFIG_BLK_DEV_CRYPTOLOOP=y
-# CONFIG_BLK_DEV_DRBD is not set
+CONFIG_BLK_DEV_DRBD=m
+# CONFIG_DRBD_FAULT_INJECTION is not set
 CONFIG_BLK_DEV_NBD=y
 # CONFIG_BLK_DEV_SKD is not set
 # CONFIG_BLK_DEV_SX8 is not set
@@ -1332,7 +1347,7 @@ CONFIG_ATA_OVER_ETH=m
 CONFIG_XEN_BLKDEV_FRONTEND=y
 CONFIG_VIRTIO_BLK=y
 # CONFIG_BLK_DEV_HD is not set
-# CONFIG_BLK_DEV_RBD is not set
+CONFIG_BLK_DEV_RBD=m
 # CONFIG_BLK_DEV_RSXX is not set
 CONFIG_BLK_DEV_NVME=y

@@ -2417,7 +2432,7 @@ CONFIG_FB_DEFERRED_IO=y
 # CONFIG_FB_VGA16 is not set
 # CONFIG_FB_UVESA is not set
 CONFIG_FB_VESA=y
-# CONFIG_FB_EFI is not set
+CONFIG_FB_EFI=y
 # CONFIG_FB_N411 is not set
 # CONFIG_FB_HGA is not set
 # CONFIG_FB_OPENCORES is not set
@@ -2613,7 +2628,22 @@ CONFIG_USB_UHCI_HCD=m
 #
 # also be needed; see USB_STORAGE Help for more info
 #
-# CONFIG_USB_STORAGE is not set
+CONFIG_USB_STORAGE=y
+# CONFIG_USB_STORAGE_DEBUG is not set
+# CONFIG_USB_STORAGE_REALTEK is not set
+# CONFIG_USB_STORAGE_DATAFAB is not set
+# CONFIG_USB_STORAGE_FREECOM is not set
+# CONFIG_USB_STORAGE_ISD200 is not set
+# CONFIG_USB_STORAGE_USBAT is not set
+# CONFIG_USB_STORAGE_SDDR09 is not set
+# CONFIG_USB_STORAGE_SDDR55 is not set
+# CONFIG_USB_STORAGE_JUMPSHOT is not set
+# CONFIG_USB_STORAGE_ALAUDA is not set
+# CONFIG_USB_STORAGE_ONETOUCH is not set
+# CONFIG_USB_STORAGE_KARMA is not set
+# CONFIG_USB_STORAGE_CYPRESS_ATACB is not set
+# CONFIG_USB_STORAGE_ENE_UB6250 is not set
+# CONFIG_USB_UAS is not set

 #
 # USB Imaging devices
@@ -3130,7 +3160,9 @@ CONFIG_SUNRPC_GSS=m
 CONFIG_SUNRPC_BACKCHANNEL=y
 CONFIG_RPCSEC_GSS_KRB5=m
 # CONFIG_SUNRPC_DEBUG is not set
-# CONFIG_CEPH_FS is not set
+CONFIG_CEPH_FS=m
+CONFIG_CEPH_FSCACHE=y
+CONFIG_CEPH_FS_POSIX_ACL=y
 CONFIG_CIFS=y
 # CONFIG_CIFS_STATS is not set
 # CONFIG_CIFS_WEAK_PW_HASH is not set
@@ -3430,7 +3462,6 @@ CONFIG_DEFAULT_IO_DELAY_TYPE=0
 CONFIG_OPTIMIZE_INLINING=y
 # CONFIG_DEBUG_ENTRY is not set
 # CONFIG_DEBUG_NMI_SELFTEST is not set
-# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set
 CONFIG_X86_DEBUG_FPU=y
 # CONFIG_PUNIT_ATOM_DEBUG is not set

@@ -3729,6 +3760,7 @@ CONFIG_GLOB=y
 # CONFIG_GLOB_SELFTEST is not set
 CONFIG_NLATTR=y
 CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y
+CONFIG_LRU_CACHE=m
 CONFIG_CLZ_TAB=y
 # CONFIG_CORDIC is not set
 # CONFIG_DDR is not set
--- a/kernel/config-4.9.x-x86_64
+++ b/kernel/config-4.9.x-x86_64
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.9.78 Kernel Configuration
+# Linux/x86 4.9.115 Kernel Configuration
 #
 CONFIG_64BIT=y
 CONFIG_X86_64=y
@@ -217,6 +217,7 @@ CONFIG_SIGNALFD=y
 CONFIG_TIMERFD=y
 CONFIG_EVENTFD=y
 CONFIG_BPF_SYSCALL=y
+CONFIG_BPF_JIT_ALWAYS_ON=y
 CONFIG_SHMEM=y
 CONFIG_AIO=y
 CONFIG_ADVISE_SYSCALLS=y
@@ -1188,7 +1189,15 @@ CONFIG_BRIDGE_EBT_SNAT=y
 CONFIG_BRIDGE_EBT_LOG=y
 CONFIG_BRIDGE_EBT_NFLOG=y
 # CONFIG_IP_DCCP is not set
-# CONFIG_IP_SCTP is not set
+CONFIG_IP_SCTP=m
+# CONFIG_NET_SCTPPROBE is not set
+# CONFIG_SCTP_DBG_OBJCNT is not set
+CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5=y
+# CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1 is not set
+# CONFIG_SCTP_DEFAULT_COOKIE_HMAC_NONE is not set
+CONFIG_SCTP_COOKIE_HMAC_MD5=y
+# CONFIG_SCTP_COOKIE_HMAC_SHA1 is not set
+CONFIG_INET_SCTP_DIAG=m
 # CONFIG_RDS is not set
 # CONFIG_TIPC is not set
 # CONFIG_ATM is not set
@@ -1303,7 +1312,8 @@ CONFIG_HYPERV_SOCK=y
 CONFIG_NETLINK_DIAG=y
 CONFIG_MPLS=y
 CONFIG_NET_MPLS_GSO=m
-# CONFIG_MPLS_ROUTING is not set
+CONFIG_MPLS_ROUTING=m
+CONFIG_MPLS_IPTUNNEL=m
 # CONFIG_HSR is not set
 CONFIG_NET_SWITCHDEV=y
 CONFIG_NET_L3_MASTER_DEV=y
@@ -1340,7 +1350,9 @@ CONFIG_NET_9P=y
 CONFIG_NET_9P_VIRTIO=y
 # CONFIG_NET_9P_DEBUG is not set
 # CONFIG_CAIF is not set
-# CONFIG_CEPH_LIB is not set
+CONFIG_CEPH_LIB=m
+# CONFIG_CEPH_LIB_PRETTYDEBUG is not set
+# CONFIG_CEPH_LIB_USE_DNS_RESOLVER is not set
 # CONFIG_NFC is not set
 CONFIG_LWTUNNEL=y
 CONFIG_DST_CACHE=y
@@ -1404,7 +1416,8 @@ CONFIG_BLK_DEV=y
 CONFIG_BLK_DEV_LOOP=y
 CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
 CONFIG_BLK_DEV_CRYPTOLOOP=y
-# CONFIG_BLK_DEV_DRBD is not set
+CONFIG_BLK_DEV_DRBD=m
+# CONFIG_DRBD_FAULT_INJECTION is not set
 CONFIG_BLK_DEV_NBD=y
 # CONFIG_BLK_DEV_SKD is not set
 # CONFIG_BLK_DEV_SX8 is not set
@@ -1414,7 +1427,7 @@ CONFIG_ATA_OVER_ETH=m
 CONFIG_XEN_BLKDEV_FRONTEND=y
 CONFIG_VIRTIO_BLK=y
 # CONFIG_BLK_DEV_HD is not set
-# CONFIG_BLK_DEV_RBD is not set
+CONFIG_BLK_DEV_RBD=m
 # CONFIG_BLK_DEV_RSXX is not set
 CONFIG_NVME_CORE=y
 CONFIG_BLK_DEV_NVME=y
@@ -2537,7 +2550,7 @@ CONFIG_FB_DEFERRED_IO=y
 # CONFIG_FB_VGA16 is not set
 # CONFIG_FB_UVESA is not set
 CONFIG_FB_VESA=y
-# CONFIG_FB_EFI is not set
+CONFIG_FB_EFI=y
 # CONFIG_FB_N411 is not set
 # CONFIG_FB_HGA is not set
 # CONFIG_FB_OPENCORES is not set
@@ -2739,7 +2752,22 @@ CONFIG_USB_UHCI_HCD=m
 #
 # also be needed; see USB_STORAGE Help for more info
 #
-# CONFIG_USB_STORAGE is not set
+CONFIG_USB_STORAGE=m
+# CONFIG_USB_STORAGE_DEBUG is not set
+# CONFIG_USB_STORAGE_REALTEK is not set
+# CONFIG_USB_STORAGE_DATAFAB is not set
+# CONFIG_USB_STORAGE_FREECOM is not set
+# CONFIG_USB_STORAGE_ISD200 is not set
+# CONFIG_USB_STORAGE_USBAT is not set
+# CONFIG_USB_STORAGE_SDDR09 is not set
+# CONFIG_USB_STORAGE_SDDR55 is not set
+# CONFIG_USB_STORAGE_JUMPSHOT is not set
+# CONFIG_USB_STORAGE_ALAUDA is not set
+# CONFIG_USB_STORAGE_ONETOUCH is not set
+# CONFIG_USB_STORAGE_KARMA is not set
+# CONFIG_USB_STORAGE_CYPRESS_ATACB is not set
+# CONFIG_USB_STORAGE_ENE_UB6250 is not set
+# CONFIG_USB_UAS is not set

 #
 # USB Imaging devices
@@ -3304,7 +3332,9 @@ CONFIG_SUNRPC_GSS=m
 CONFIG_SUNRPC_BACKCHANNEL=y
 CONFIG_RPCSEC_GSS_KRB5=m
 # CONFIG_SUNRPC_DEBUG is not set
-# CONFIG_CEPH_FS is not set
+CONFIG_CEPH_FS=m
+CONFIG_CEPH_FSCACHE=y
+CONFIG_CEPH_FS_POSIX_ACL=y
 CONFIG_CIFS=y
 # CONFIG_CIFS_STATS is not set
 # CONFIG_CIFS_WEAK_PW_HASH is not set
@@ -3938,6 +3968,7 @@ CONFIG_DQL=y
 CONFIG_GLOB=y
 # CONFIG_GLOB_SELFTEST is not set
 CONFIG_NLATTR=y
+CONFIG_LRU_CACHE=m
 CONFIG_CLZ_TAB=y
 # CONFIG_CORDIC is not set
 # CONFIG_DDR is not set
--- a/kernel/patches-4.14.x-rt/0001-Revert-mm-vmstat.c-fix-vmstat_update-preemption-BUG.patch
+++ b/kernel/patches-4.14.x-rt/0001-Revert-mm-vmstat.c-fix-vmstat_update-preemption-BUG.patch
@@ -0,0 +1,59 @@
+From 1f9863a3348be088896f745bca5cf5a31d1d2c96 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Wed, 11 Apr 2018 11:27:44 +0200
+Subject: [PATCH 001/418] Revert mm/vmstat.c: fix vmstat_update() preemption
+ BUG
+
+commit 97731753d44d5efcb95b994dc952c0e8195b3e96 upstream
+
+This patch reverts commit c7f26ccfb2c3 ("mm/vmstat.c: fix
+vmstat_update() preemption BUG").
+Steven saw a "using smp_processor_id() in preemptible" message and
+added a preempt_disable() section around it to keep it quiet. This is
+not the right thing to do it does not fix the real problem.
+
+vmstat_update() is invoked by a kworker on a specific CPU. This worker
+it bound to this CPU. The name of the worker was "kworker/1:1" so it
+should have been a worker which was bound to CPU1. A worker which can
+run on any CPU would have a `u' before the first digit.
+
+smp_processor_id() can be used in a preempt-enabled region as long as
+the task is bound to a single CPU which is the case here. If it could
+run on an arbitrary CPU then this is the problem we have an should seek
+to resolve.
+Not only this smp_processor_id() must not be migrated to another CPU but
+also refresh_cpu_vm_stats() which might access wrong per-CPU variables.
+Not to mention that other code relies on the fact that such a worker
+runs on one specific CPU only.
+
+Therefore I revert that commit and we should look instead what broke the
+affinity mask of the kworker.
+
+Cc: Steven J. Hill <steven.hill@cavium.com>
+Cc: Tejun Heo <htejun@gmail.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+---
+ mm/vmstat.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/mm/vmstat.c b/mm/vmstat.c
+index e085b13c572e..4bb13e72ac97 100644
+--- a/mm/vmstat.c
+++ b/mm/vmstat.c
+@@ -1770,11 +1770,9 @@ static void vmstat_update(struct work_struct *w)
+ 		 * to occur in the future. Keep on running the
+ 		 * update worker thread.
+ 		 */
+-		preempt_disable();
+ 		queue_delayed_work_on(smp_processor_id(), mm_percpu_wq,
+ 				this_cpu_ptr(&vmstat_work),
+ 				round_jiffies_relative(sysctl_stat_interval));
+-		preempt_enable();
+ 	}
+ }
+ 
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0002-rtmutex-Make-rt_mutex_futex_unlock-safe-for-irq-off-.patch
+++ b/kernel/patches-4.14.x-rt/0002-rtmutex-Make-rt_mutex_futex_unlock-safe-for-irq-off-.patch
@@ -0,0 +1,127 @@
+From 0ff9e891f4b361a8909d6f062f5137f041d6adaa Mon Sep 17 00:00:00 2001
+From: Boqun Feng <boqun.feng@gmail.com>
+Date: Fri, 9 Mar 2018 14:56:28 +0800
+Subject: [PATCH 002/418] rtmutex: Make rt_mutex_futex_unlock() safe for
+ irq-off callsites
+
+Upstream commit 6b0ef92fee2a3189eba6d6b827b247cb4f6da7e9
+
+When running rcutorture with TREE03 config, CONFIG_PROVE_LOCKING=y, and
+kernel cmdline argument "rcutorture.gp_exp=1", lockdep reports a
+HARDIRQ-safe->HARDIRQ-unsafe deadlock:
+
+ ================================
+ WARNING: inconsistent lock state
+ 4.16.0-rc4+ #1 Not tainted
+ --------------------------------
+ inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage.
+ takes:
+ __schedule+0xbe/0xaf0
+ {IN-HARDIRQ-W} state was registered at:
+   _raw_spin_lock+0x2a/0x40
+   scheduler_tick+0x47/0xf0
+...
+ other info that might help us debug this:
+  Possible unsafe locking scenario:
+        CPU0
+        ----
+   lock(&rq->lock);
+   <Interrupt>
+     lock(&rq->lock);
+  *** DEADLOCK ***
+ 1 lock held by rcu_torture_rea/724:
+ rcu_torture_read_lock+0x0/0x70
+ stack backtrace:
+ CPU: 2 PID: 724 Comm: rcu_torture_rea Not tainted 4.16.0-rc4+ #1
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
+ Call Trace:
+  lock_acquire+0x90/0x200
+  ? __schedule+0xbe/0xaf0
+  _raw_spin_lock+0x2a/0x40
+  ? __schedule+0xbe/0xaf0
+  __schedule+0xbe/0xaf0
+  preempt_schedule_irq+0x2f/0x60
+  retint_kernel+0x1b/0x2d
+ RIP: 0010:rcu_read_unlock_special+0x0/0x680
+  ? rcu_torture_read_unlock+0x60/0x60
+  __rcu_read_unlock+0x64/0x70
+  rcu_torture_read_unlock+0x17/0x60
+  rcu_torture_reader+0x275/0x450
+  ? rcutorture_booster_init+0x110/0x110
+  ? rcu_torture_stall+0x230/0x230
+  ? kthread+0x10e/0x130
+  kthread+0x10e/0x130
+  ? kthread_create_worker_on_cpu+0x70/0x70
+  ? call_usermodehelper_exec_async+0x11a/0x150
+  ret_from_fork+0x3a/0x50
+
+This happens with the following even sequence:
+
+	preempt_schedule_irq();
+	  local_irq_enable();
+	  __schedule():
+	    local_irq_disable(); // irq off
+	    ...
+	    rcu_note_context_switch():
+	      rcu_note_preempt_context_switch():
+	        rcu_read_unlock_special():
+	          local_irq_save(flags);
+	          ...
+		  raw_spin_unlock_irqrestore(...,flags); // irq remains off
+	          rt_mutex_futex_unlock():
+	            raw_spin_lock_irq();
+	            ...
+	            raw_spin_unlock_irq(); // accidentally set irq on
+
+	    <return to __schedule()>
+	    rq_lock():
+	      raw_spin_lock(); // acquiring rq->lock with irq on
+
+which means rq->lock becomes a HARDIRQ-unsafe lock, which can cause
+deadlocks in scheduler code.
+
+This problem was introduced by commit 02a7c234e540 ("rcu: Suppress
+lockdep false-positive ->boost_mtx complaints"). That brought the user
+of rt_mutex_futex_unlock() with irq off.
+
+To fix this, replace the *lock_irq() in rt_mutex_futex_unlock() with
+*lock_irq{save,restore}() to make it safe to call rt_mutex_futex_unlock()
+with irq off.
+
+Fixes: 02a7c234e540 ("rcu: Suppress lockdep false-positive ->boost_mtx complaints")
+Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Lai Jiangshan <jiangshanlai@gmail.com>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Josh Triplett <josh@joshtriplett.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: "Paul E . McKenney" <paulmck@linux.vnet.ibm.com>
+Link: https://lkml.kernel.org/r/20180309065630.8283-1-boqun.feng@gmail.com
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+---
+ kernel/locking/rtmutex.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/locking/rtmutex.c b/kernel/locking/rtmutex.c
+index 65cc0cb984e6..940633c63254 100644
+--- a/kernel/locking/rtmutex.c
+++ b/kernel/locking/rtmutex.c
+@@ -1616,11 +1616,12 @@ bool __sched __rt_mutex_futex_unlock(struct rt_mutex *lock,
+ void __sched rt_mutex_futex_unlock(struct rt_mutex *lock)
+ {
+ 	DEFINE_WAKE_Q(wake_q);
+	unsigned long flags;
+ 	bool postunlock;
+ 
+-	raw_spin_lock_irq(&lock->wait_lock);
+	raw_spin_lock_irqsave(&lock->wait_lock, flags);
+ 	postunlock = __rt_mutex_futex_unlock(lock, &wake_q);
+-	raw_spin_unlock_irq(&lock->wait_lock);
+	raw_spin_unlock_irqrestore(&lock->wait_lock, flags);
+ 
+ 	if (postunlock)
+ 		rt_mutex_postunlock(&wake_q);
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0003-rcu-Suppress-lockdep-false-positive-boost_mtx-compla.patch
+++ b/kernel/patches-4.14.x-rt/0003-rcu-Suppress-lockdep-false-positive-boost_mtx-compla.patch
@@ -0,0 +1,56 @@
+From 7b28fe258efc9f3d9dbac60f39826d57845ff991 Mon Sep 17 00:00:00 2001
+From: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
+Date: Tue, 19 Sep 2017 15:36:42 -0700
+Subject: [PATCH 003/418] rcu: Suppress lockdep false-positive ->boost_mtx
+ complaints
+
+Upstream commit bcda31a2659497df39d6bedfbdf17498b4f4ac89
+
+RCU priority boosting uses rt_mutex_init_proxy_locked() to initialize an
+rt_mutex structure in locked state held by some other task.  When that
+other task releases it, lockdep complains (quite accurately, but a bit
+uselessly) that the other task never acquired it.  This complaint can
+suppress other, more helpful, lockdep complaints, and in any case it is
+a false positive.
+
+This commit therefore switches from rt_mutex_unlock() to
+rt_mutex_futex_unlock(), thereby avoiding the lockdep annotations.
+Of course, if lockdep ever learns about rt_mutex_init_proxy_locked(),
+addtional adjustments will be required.
+
+Suggested-by: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+---
+ kernel/rcu/tree_plugin.h | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/rcu/tree_plugin.h b/kernel/rcu/tree_plugin.h
+index 8b3102d22823..181e2487c8b8 100644
+--- a/kernel/rcu/tree_plugin.h
+++ b/kernel/rcu/tree_plugin.h
+@@ -31,11 +31,10 @@
+ #include <linux/smpboot.h>
+ #include <uapi/linux/sched/types.h>
+ #include "../time/tick-internal.h"
+#include "../locking/rtmutex_common.h"
+ 
+ #ifdef CONFIG_RCU_BOOST
+ 
+-#include "../locking/rtmutex_common.h"
+-
+ /*
+  * Control variables for per-CPU and per-rcu_node kthreads.  These
+  * handle all flavors of RCU.
+@@ -530,7 +529,7 @@ void rcu_read_unlock_special(struct task_struct *t)
+ 
+ 		/* Unboost if we were boosted. */
+ 		if (IS_ENABLED(CONFIG_RCU_BOOST) && drop_boost_mutex)
+-			rt_mutex_unlock(&rnp->boost_mtx);
+			rt_mutex_futex_unlock(&rnp->boost_mtx);
+ 
+ 		/*
+ 		 * If this was the last task on the expedited lists,
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0004-brd-remove-unused-brd_mutex.patch
+++ b/kernel/patches-4.14.x-rt/0004-brd-remove-unused-brd_mutex.patch
@@ -0,0 +1,32 @@
+From e90c5da25d3a76acf44c248eb76fe0b6794174dd Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Fri, 10 Nov 2017 12:29:34 -0500
+Subject: [PATCH 004/418] brd: remove unused brd_mutex
+
+Upstream commit 15f7b41f70ddcca3b555bd0fdc7c8da7466b517e
+
+Remove unused mutex brd_mutex. It is unused since the commit ff26956875c2
+("brd: remove support for BLKFLSBUF").
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+---
+ drivers/block/brd.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/block/brd.c b/drivers/block/brd.c
+index 2d7178f7754e..c1cf87718c2e 100644
+--- a/drivers/block/brd.c
+++ b/drivers/block/brd.c
+@@ -60,7 +60,6 @@ struct brd_device {
+ /*
+  * Look up and return a brd's page for a given sector.
+  */
+-static DEFINE_MUTEX(brd_mutex);
+ static struct page *brd_lookup_page(struct brd_device *brd, sector_t sector)
+ {
+ 	pgoff_t idx;
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0005-KVM-arm-arm64-Remove-redundant-preemptible-checks.patch
+++ b/kernel/patches-4.14.x-rt/0005-KVM-arm-arm64-Remove-redundant-preemptible-checks.patch
@@ -0,0 +1,44 @@
+From 36d6a35ae79ce5699704c987d3b4d3eb2de6e7db Mon Sep 17 00:00:00 2001
+From: Christoffer Dall <christoffer.dall@linaro.org>
+Date: Fri, 8 Sep 2017 07:07:13 -0700
+Subject: [PATCH 005/418] KVM: arm/arm64: Remove redundant preemptible checks
+
+Upstream commit 5a24575032971c5a9a4580417a791c427ebdb8e5
+
+The __this_cpu_read() and __this_cpu_write() functions already implement
+checks for the required preemption levels when using
+CONFIG_DEBUG_PREEMPT which gives you nice error messages and such.
+Therefore there is no need to explicitly check this using a BUG_ON() in
+the code (which we don't do for other uses of per cpu variables either).
+
+Acked-by: Marc Zyngier <marc.zyngier@arm.com>
+Reviewed-by: Andre Przywara <andre.przywara@arm.com>
+Signed-off-by: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+---
+ virt/kvm/arm/arm.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/virt/kvm/arm/arm.c b/virt/kvm/arm/arm.c
+index 9bee849db682..0c5d846ba809 100644
+--- a/virt/kvm/arm/arm.c
+++ b/virt/kvm/arm/arm.c
+@@ -69,7 +69,6 @@ static DEFINE_PER_CPU(unsigned char, kvm_arm_hardware_enabled);
+ 
+ static void kvm_arm_set_running_vcpu(struct kvm_vcpu *vcpu)
+ {
+-	BUG_ON(preemptible());
+ 	__this_cpu_write(kvm_arm_running_vcpu, vcpu);
+ }
+ 
+@@ -79,7 +78,6 @@ static void kvm_arm_set_running_vcpu(struct kvm_vcpu *vcpu)
+  */
+ struct kvm_vcpu *kvm_arm_get_running_vcpu(void)
+ {
+-	BUG_ON(preemptible());
+ 	return __this_cpu_read(kvm_arm_running_vcpu);
+ }
+ 
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0006-string-drop-__must_check-from-strscpy-and-restore-st.patch
+++ b/kernel/patches-4.14.x-rt/0006-string-drop-__must_check-from-strscpy-and-restore-st.patch
@@ -0,0 +1,68 @@
+From c9e312daee80f74ba3e2b50da2ea33336f6846e8 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Tue, 9 Jan 2018 07:21:15 -0800
+Subject: [PATCH 006/418] string: drop __must_check from strscpy() and restore
+ strscpy() usages in cgroup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upstream commit 08a77676f9c5fc69a681ccd2cd8140e65dcb26c7
+
+e7fd37ba1217 ("cgroup: avoid copying strings longer than the buffers")
+converted possibly unsafe strncpy() usages in cgroup to strscpy().
+However, although the callsites are completely fine with truncated
+copied, because strscpy() is marked __must_check, it led to the
+following warnings.
+
+  kernel/cgroup/cgroup.c: In function ‘cgroup_file_name’:
+  kernel/cgroup/cgroup.c:1400:10: warning: ignoring return value of ‘strscpy’, declared with attribute warn_unused_result [-Wunused-result]
+     strscpy(buf, cft->name, CGROUP_FILE_NAME_MAX);
+	       ^
+
+To avoid the warnings, 50034ed49645 ("cgroup: use strlcpy() instead of
+strscpy() to avoid spurious warning") switched them to strlcpy().
+
+strlcpy() is worse than strlcpy() because it unconditionally runs
+strlen() on the source string, and the only reason we switched to
+strlcpy() here was because it was lacking __must_check, which doesn't
+reflect any material differences between the two function.  It's just
+that someone added __must_check to strscpy() and not to strlcpy().
+
+These basic string copy operations are used in variety of ways, and
+one of not-so-uncommon use cases is safely handling truncated copies,
+where the caller naturally doesn't care about the return value.  The
+__must_check doesn't match the actual use cases and forces users to
+opt for inferior variants which lack __must_check by happenstance or
+spread ugly (void) casts.
+
+Remove __must_check from strscpy() and restore strscpy() usages in
+cgroup.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Chris Metcalf <cmetcalf@ezchip.com>
+[bigeasy: drop the cgroup.c hunk]
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+---
+ include/linux/string.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/string.h b/include/linux/string.h
+index cfd83eb2f926..96115bf561b4 100644
+--- a/include/linux/string.h
+++ b/include/linux/string.h
+@@ -28,7 +28,7 @@ extern char * strncpy(char *,const char *, __kernel_size_t);
+ size_t strlcpy(char *, const char *, size_t);
+ #endif
+ #ifndef __HAVE_ARCH_STRSCPY
+-ssize_t __must_check strscpy(char *, const char *, size_t);
+ssize_t strscpy(char *, const char *, size_t);
+ #endif
+ #ifndef __HAVE_ARCH_STRCAT
+ extern char * strcat(char *, const char *);
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0007-iommu-amd-Use-raw-locks-on-atomic-context-paths.patch
+++ b/kernel/patches-4.14.x-rt/0007-iommu-amd-Use-raw-locks-on-atomic-context-paths.patch
@@ -0,0 +1,180 @@
+From 5217a4b31298b5ff1082bd88e6ac8054780b6aaf Mon Sep 17 00:00:00 2001
+From: Scott Wood <swood@redhat.com>
+Date: Sun, 21 Jan 2018 03:28:54 -0600
+Subject: [PATCH 007/418] iommu/amd: Use raw locks on atomic context paths
+
+Upstream commit 27790398c2aed917828dc3c6f81240d57f1584c9
+
+Several functions in this driver are called from atomic context,
+and thus raw locks must be used in order to be safe on PREEMPT_RT.
+
+This includes paths that must wait for command completion, which is
+a potential PREEMPT_RT latency concern but not easily avoidable.
+
+Signed-off-by: Scott Wood <swood@redhat.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ drivers/iommu/amd_iommu.c       | 30 +++++++++++++++---------------
+ drivers/iommu/amd_iommu_init.c  |  2 +-
+ drivers/iommu/amd_iommu_types.h |  4 ++--
+ 3 files changed, 18 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index 10190e361a13..ff50337fe3ba 100644
+--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
+@@ -1056,9 +1056,9 @@ static int iommu_queue_command_sync(struct amd_iommu *iommu,
+ 	unsigned long flags;
+ 	int ret;
+ 
+-	spin_lock_irqsave(&iommu->lock, flags);
+	raw_spin_lock_irqsave(&iommu->lock, flags);
+ 	ret = __iommu_queue_command_sync(iommu, cmd, sync);
+-	spin_unlock_irqrestore(&iommu->lock, flags);
+	raw_spin_unlock_irqrestore(&iommu->lock, flags);
+ 
+ 	return ret;
+ }
+@@ -1084,7 +1084,7 @@ static int iommu_completion_wait(struct amd_iommu *iommu)
+ 
+ 	build_completion_wait(&cmd, (u64)&iommu->cmd_sem);
+ 
+-	spin_lock_irqsave(&iommu->lock, flags);
+	raw_spin_lock_irqsave(&iommu->lock, flags);
+ 
+ 	iommu->cmd_sem = 0;
+ 
+@@ -1095,7 +1095,7 @@ static int iommu_completion_wait(struct amd_iommu *iommu)
+ 	ret = wait_on_sem(&iommu->cmd_sem);
+ 
+ out_unlock:
+-	spin_unlock_irqrestore(&iommu->lock, flags);
+	raw_spin_unlock_irqrestore(&iommu->lock, flags);
+ 
+ 	return ret;
+ }
+@@ -3620,7 +3620,7 @@ static struct irq_remap_table *get_irq_table(u16 devid, bool ioapic)
+ 		goto out_unlock;
+ 
+ 	/* Initialize table spin-lock */
+-	spin_lock_init(&table->lock);
+	raw_spin_lock_init(&table->lock);
+ 
+ 	if (ioapic)
+ 		/* Keep the first 32 indexes free for IOAPIC interrupts */
+@@ -3679,7 +3679,7 @@ static int alloc_irq_index(u16 devid, int count)
+ 	if (!table)
+ 		return -ENODEV;
+ 
+-	spin_lock_irqsave(&table->lock, flags);
+	raw_spin_lock_irqsave(&table->lock, flags);
+ 
+ 	/* Scan table for free entries */
+ 	for (c = 0, index = table->min_index;
+@@ -3702,7 +3702,7 @@ static int alloc_irq_index(u16 devid, int count)
+ 	index = -ENOSPC;
+ 
+ out:
+-	spin_unlock_irqrestore(&table->lock, flags);
+	raw_spin_unlock_irqrestore(&table->lock, flags);
+ 
+ 	return index;
+ }
+@@ -3723,7 +3723,7 @@ static int modify_irte_ga(u16 devid, int index, struct irte_ga *irte,
+ 	if (!table)
+ 		return -ENOMEM;
+ 
+-	spin_lock_irqsave(&table->lock, flags);
+	raw_spin_lock_irqsave(&table->lock, flags);
+ 
+ 	entry = (struct irte_ga *)table->table;
+ 	entry = &entry[index];
+@@ -3734,7 +3734,7 @@ static int modify_irte_ga(u16 devid, int index, struct irte_ga *irte,
+ 	if (data)
+ 		data->ref = entry;
+ 
+-	spin_unlock_irqrestore(&table->lock, flags);
+	raw_spin_unlock_irqrestore(&table->lock, flags);
+ 
+ 	iommu_flush_irt(iommu, devid);
+ 	iommu_completion_wait(iommu);
+@@ -3756,9 +3756,9 @@ static int modify_irte(u16 devid, int index, union irte *irte)
+ 	if (!table)
+ 		return -ENOMEM;
+ 
+-	spin_lock_irqsave(&table->lock, flags);
+	raw_spin_lock_irqsave(&table->lock, flags);
+ 	table->table[index] = irte->val;
+-	spin_unlock_irqrestore(&table->lock, flags);
+	raw_spin_unlock_irqrestore(&table->lock, flags);
+ 
+ 	iommu_flush_irt(iommu, devid);
+ 	iommu_completion_wait(iommu);
+@@ -3780,9 +3780,9 @@ static void free_irte(u16 devid, int index)
+ 	if (!table)
+ 		return;
+ 
+-	spin_lock_irqsave(&table->lock, flags);
+	raw_spin_lock_irqsave(&table->lock, flags);
+ 	iommu->irte_ops->clear_allocated(table, index);
+-	spin_unlock_irqrestore(&table->lock, flags);
+	raw_spin_unlock_irqrestore(&table->lock, flags);
+ 
+ 	iommu_flush_irt(iommu, devid);
+ 	iommu_completion_wait(iommu);
+@@ -4361,7 +4361,7 @@ int amd_iommu_update_ga(int cpu, bool is_run, void *data)
+ 	if (!irt)
+ 		return -ENODEV;
+ 
+-	spin_lock_irqsave(&irt->lock, flags);
+	raw_spin_lock_irqsave(&irt->lock, flags);
+ 
+ 	if (ref->lo.fields_vapic.guest_mode) {
+ 		if (cpu >= 0)
+@@ -4370,7 +4370,7 @@ int amd_iommu_update_ga(int cpu, bool is_run, void *data)
+ 		barrier();
+ 	}
+ 
+-	spin_unlock_irqrestore(&irt->lock, flags);
+	raw_spin_unlock_irqrestore(&irt->lock, flags);
+ 
+ 	iommu_flush_irt(iommu, devid);
+ 	iommu_completion_wait(iommu);
+diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c
+index 6fe2d0346073..e3cd81b32a33 100644
+--- a/drivers/iommu/amd_iommu_init.c
+++ b/drivers/iommu/amd_iommu_init.c
+@@ -1474,7 +1474,7 @@ static int __init init_iommu_one(struct amd_iommu *iommu, struct ivhd_header *h)
+ {
+ 	int ret;
+ 
+-	spin_lock_init(&iommu->lock);
+	raw_spin_lock_init(&iommu->lock);
+ 
+ 	/* Add IOMMU to internal data structures */
+ 	list_add_tail(&iommu->list, &amd_iommu_list);
+diff --git a/drivers/iommu/amd_iommu_types.h b/drivers/iommu/amd_iommu_types.h
+index f6b24c7d8b70..7521745dc2a5 100644
+--- a/drivers/iommu/amd_iommu_types.h
+++ b/drivers/iommu/amd_iommu_types.h
+@@ -406,7 +406,7 @@ extern bool amd_iommu_iotlb_sup;
+ #define IRQ_TABLE_ALIGNMENT	128
+ 
+ struct irq_remap_table {
+-	spinlock_t lock;
+	raw_spinlock_t lock;
+ 	unsigned min_index;
+ 	u32 *table;
+ };
+@@ -488,7 +488,7 @@ struct amd_iommu {
+ 	int index;
+ 
+ 	/* locks the accesses to the hardware */
+-	spinlock_t lock;
+	raw_spinlock_t lock;
+ 
+ 	/* Pointer to PCI device of this IOMMU */
+ 	struct pci_dev *dev;
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0008-iommu-amd-Don-t-use-dev_data-in-irte_ga_set_affinity.patch
+++ b/kernel/patches-4.14.x-rt/0008-iommu-amd-Don-t-use-dev_data-in-irte_ga_set_affinity.patch
@@ -0,0 +1,38 @@
+From f139b736cc22cafcb207795386fe46e0a8fea151 Mon Sep 17 00:00:00 2001
+From: Scott Wood <swood@redhat.com>
+Date: Sun, 28 Jan 2018 14:22:19 -0600
+Subject: [PATCH 008/418] iommu/amd: Don't use dev_data in
+ irte_ga_set_affinity()
+
+Upstream commit 01ee04badefd296eb7a4430497373be9b7b16783
+
+search_dev_data() acquires a non-raw lock, which can't be done
+from atomic context on PREEMPT_RT.  There is no need to look at
+dev_data because guest_mode should never be set if use_vapic is
+not set.
+
+Signed-off-by: Scott Wood <swood@redhat.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ drivers/iommu/amd_iommu.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index ff50337fe3ba..388ec5e98ef5 100644
+--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
+@@ -3863,10 +3863,8 @@ static void irte_ga_set_affinity(void *entry, u16 devid, u16 index,
+ 				 u8 vector, u32 dest_apicid)
+ {
+ 	struct irte_ga *irte = (struct irte_ga *) entry;
+-	struct iommu_dev_data *dev_data = search_dev_data(devid);
+ 
+-	if (!dev_data || !dev_data->use_vapic ||
+-	    !irte->lo.fields_remap.guest_mode) {
+	if (!irte->lo.fields_remap.guest_mode) {
+ 		irte->hi.fields.vector = vector;
+ 		irte->lo.fields_remap.destination = dest_apicid;
+ 		modify_irte_ga(devid, index, irte, NULL);
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0009-iommu-amd-Avoid-locking-get_irq_table-from-atomic-co.patch
+++ b/kernel/patches-4.14.x-rt/0009-iommu-amd-Avoid-locking-get_irq_table-from-atomic-co.patch
@@ -0,0 +1,122 @@
+From eec0129e06a60a46f1f09a329f850a248af0e4ea Mon Sep 17 00:00:00 2001
+From: Scott Wood <swood@redhat.com>
+Date: Wed, 14 Feb 2018 17:36:28 -0600
+Subject: [PATCH 009/418] iommu/amd: Avoid locking get_irq_table() from atomic
+ context
+
+Upstream commit df42a04b15f19a842393dc98a84cbc52b1f8ed49
+
+get_irq_table() previously acquired amd_iommu_devtable_lock which is not
+a raw lock, and thus cannot be acquired from atomic context on
+PREEMPT_RT.  Many calls to modify_irte*() come from atomic context due to
+the IRQ desc->lock, as does amd_iommu_update_ga() due to the preemption
+disabling in vcpu_load/put().
+
+The only difference between calling get_irq_table() and reading from
+irq_lookup_table[] directly, other than the lock acquisition and
+amd_iommu_rlookup_table[] check, is if the table entry is unpopulated,
+which should never happen when looking up a devid that came from an
+irq_2_irte struct, as get_irq_table() would have already been called on
+that devid during irq_remapping_alloc().
+
+The lock acquisition is not needed in these cases because entries in
+irq_lookup_table[] never change once non-NULL -- nor would the
+amd_iommu_devtable_lock usage in get_irq_table() provide meaningful
+protection if they did, since it's released before using the looked up
+table in the get_irq_table() caller.
+
+Rename the old get_irq_table() to alloc_irq_table(), and create a new
+lockless get_irq_table() to be used in non-allocating contexts that WARNs
+if it doesn't find what it's looking for.
+
+Signed-off-by: Scott Wood <swood@redhat.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ drivers/iommu/amd_iommu.c | 29 ++++++++++++++++++++++-------
+ 1 file changed, 22 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index 388ec5e98ef5..e42992fcebca 100644
+--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
+@@ -3588,7 +3588,22 @@ static void set_dte_irq_entry(u16 devid, struct irq_remap_table *table)
+ 	amd_iommu_dev_table[devid].data[2] = dte;
+ }
+ 
+-static struct irq_remap_table *get_irq_table(u16 devid, bool ioapic)
+static struct irq_remap_table *get_irq_table(u16 devid)
+{
+	struct irq_remap_table *table;
+
+	if (WARN_ONCE(!amd_iommu_rlookup_table[devid],
+		      "%s: no iommu for devid %x\n", __func__, devid))
+		return NULL;
+
+	table = irq_lookup_table[devid];
+	if (WARN_ONCE(!table, "%s: no table for devid %x\n", __func__, devid))
+		return NULL;
+
+	return table;
+}
+
+static struct irq_remap_table *alloc_irq_table(u16 devid, bool ioapic)
+ {
+ 	struct irq_remap_table *table = NULL;
+ 	struct amd_iommu *iommu;
+@@ -3675,7 +3690,7 @@ static int alloc_irq_index(u16 devid, int count)
+ 	if (!iommu)
+ 		return -ENODEV;
+ 
+-	table = get_irq_table(devid, false);
+	table = alloc_irq_table(devid, false);
+ 	if (!table)
+ 		return -ENODEV;
+ 
+@@ -3719,7 +3734,7 @@ static int modify_irte_ga(u16 devid, int index, struct irte_ga *irte,
+ 	if (iommu == NULL)
+ 		return -EINVAL;
+ 
+-	table = get_irq_table(devid, false);
+	table = get_irq_table(devid);
+ 	if (!table)
+ 		return -ENOMEM;
+ 
+@@ -3752,7 +3767,7 @@ static int modify_irte(u16 devid, int index, union irte *irte)
+ 	if (iommu == NULL)
+ 		return -EINVAL;
+ 
+-	table = get_irq_table(devid, false);
+	table = get_irq_table(devid);
+ 	if (!table)
+ 		return -ENOMEM;
+ 
+@@ -3776,7 +3791,7 @@ static void free_irte(u16 devid, int index)
+ 	if (iommu == NULL)
+ 		return;
+ 
+-	table = get_irq_table(devid, false);
+	table = get_irq_table(devid);
+ 	if (!table)
+ 		return;
+ 
+@@ -4094,7 +4109,7 @@ static int irq_remapping_alloc(struct irq_domain *domain, unsigned int virq,
+ 		return ret;
+ 
+ 	if (info->type == X86_IRQ_ALLOC_TYPE_IOAPIC) {
+-		if (get_irq_table(devid, true))
+		if (alloc_irq_table(devid, true))
+ 			index = info->ioapic_pin;
+ 		else
+ 			ret = -ENOMEM;
+@@ -4355,7 +4370,7 @@ int amd_iommu_update_ga(int cpu, bool is_run, void *data)
+ 	if (!iommu)
+ 		return -ENODEV;
+ 
+-	irt = get_irq_table(devid, false);
+	irt = get_irq_table(devid);
+ 	if (!irt)
+ 		return -ENODEV;
+ 
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0010-iommu-amd-Turn-dev_data_list-into-a-lock-less-list.patch
+++ b/kernel/patches-4.14.x-rt/0010-iommu-amd-Turn-dev_data_list-into-a-lock-less-list.patch
@@ -0,0 +1,105 @@
+From 53ff4b0f4c2a4ae8eea46b71b11b9fc5a7d79a11 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Thu, 22 Mar 2018 16:22:34 +0100
+Subject: [PATCH 010/418] iommu/amd: Turn dev_data_list into a lock less list
+
+Upstream commit 779da73273fc4c4c6f41579a95e4fb7880a1720e
+
+alloc_dev_data() adds new items to dev_data_list and search_dev_data()
+is searching for items in this list. Both protect the access to the list
+with a spinlock.
+There is no need to navigate forth and back within the list and there is
+also no deleting of a specific item. This qualifies the list to become a
+lock less list and as part of this, the spinlock can be removed.
+With this change the ordering of those items within the list is changed:
+before the change new items were added to the end of the list, now they
+are added to the front. I don't think it matters but wanted to mention
+it.
+
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ drivers/iommu/amd_iommu.c       | 28 ++++++++++------------------
+ drivers/iommu/amd_iommu_types.h |  2 +-
+ 2 files changed, 11 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index e42992fcebca..1babecd37819 100644
+--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
+@@ -84,8 +84,7 @@
+ static DEFINE_RWLOCK(amd_iommu_devtable_lock);
+ 
+ /* List of all available dev_data structures */
+-static LIST_HEAD(dev_data_list);
+-static DEFINE_SPINLOCK(dev_data_list_lock);
+static LLIST_HEAD(dev_data_list);
+ 
+ LIST_HEAD(ioapic_map);
+ LIST_HEAD(hpet_map);
+@@ -204,40 +203,33 @@ static struct dma_ops_domain* to_dma_ops_domain(struct protection_domain *domain
+ static struct iommu_dev_data *alloc_dev_data(u16 devid)
+ {
+ 	struct iommu_dev_data *dev_data;
+-	unsigned long flags;
+ 
+ 	dev_data = kzalloc(sizeof(*dev_data), GFP_KERNEL);
+ 	if (!dev_data)
+ 		return NULL;
+ 
+ 	dev_data->devid = devid;
+-
+-	spin_lock_irqsave(&dev_data_list_lock, flags);
+-	list_add_tail(&dev_data->dev_data_list, &dev_data_list);
+-	spin_unlock_irqrestore(&dev_data_list_lock, flags);
+-
+ 	ratelimit_default_init(&dev_data->rs);
+ 
+	llist_add(&dev_data->dev_data_list, &dev_data_list);
+ 	return dev_data;
+ }
+ 
+ static struct iommu_dev_data *search_dev_data(u16 devid)
+ {
+ 	struct iommu_dev_data *dev_data;
+-	unsigned long flags;
+	struct llist_node *node;
+
+	if (llist_empty(&dev_data_list))
+		return NULL;
+ 
+-	spin_lock_irqsave(&dev_data_list_lock, flags);
+-	list_for_each_entry(dev_data, &dev_data_list, dev_data_list) {
+	node = dev_data_list.first;
+	llist_for_each_entry(dev_data, node, dev_data_list) {
+ 		if (dev_data->devid == devid)
+-			goto out_unlock;
+			return dev_data;
+ 	}
+ 
+-	dev_data = NULL;
+-
+-out_unlock:
+-	spin_unlock_irqrestore(&dev_data_list_lock, flags);
+-
+-	return dev_data;
+	return NULL;
+ }
+ 
+ static int __last_alias(struct pci_dev *pdev, u16 alias, void *data)
+diff --git a/drivers/iommu/amd_iommu_types.h b/drivers/iommu/amd_iommu_types.h
+index 7521745dc2a5..16b1404da58c 100644
+--- a/drivers/iommu/amd_iommu_types.h
+++ b/drivers/iommu/amd_iommu_types.h
+@@ -625,7 +625,7 @@ struct devid_map {
+  */
+ struct iommu_dev_data {
+ 	struct list_head list;		  /* For domain->dev_list */
+-	struct list_head dev_data_list;	  /* For global dev_data_list */
+	struct llist_node dev_data_list;  /* For global dev_data_list */
+ 	struct protection_domain *domain; /* Domain the device is bound to */
+ 	u16 devid;			  /* PCI Device ID */
+ 	u16 alias;			  /* Alias Device ID */
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0011-iommu-amd-Split-domain-id-out-of-amd_iommu_devtable_.patch
+++ b/kernel/patches-4.14.x-rt/0011-iommu-amd-Split-domain-id-out-of-amd_iommu_devtable_.patch
@@ -0,0 +1,68 @@
+From 1645ac08eb6be3c6b2900de419f578ed5f91ecf4 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Thu, 22 Mar 2018 16:22:35 +0100
+Subject: [PATCH 011/418] iommu/amd: Split domain id out of
+ amd_iommu_devtable_lock
+
+Upstream commit 2bc00180890427dcc092b2f2b0d03c904bcade29
+
+domain_id_alloc() and domain_id_free() is used for id management. Those
+two function share a bitmap (amd_iommu_pd_alloc_bitmap) and set/clear
+bits based on id allocation. There is no need to share this with
+amd_iommu_devtable_lock, it can use its own lock for this operation.
+
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ drivers/iommu/amd_iommu.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index 1babecd37819..250b6354fae5 100644
+--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
+@@ -82,6 +82,7 @@
+ #define AMD_IOMMU_PGSIZES	((~0xFFFUL) & ~(2ULL << 38))
+ 
+ static DEFINE_RWLOCK(amd_iommu_devtable_lock);
+static DEFINE_SPINLOCK(pd_bitmap_lock);
+ 
+ /* List of all available dev_data structures */
+ static LLIST_HEAD(dev_data_list);
+@@ -1596,29 +1597,26 @@ static void del_domain_from_list(struct protection_domain *domain)
+ 
+ static u16 domain_id_alloc(void)
+ {
+-	unsigned long flags;
+ 	int id;
+ 
+-	write_lock_irqsave(&amd_iommu_devtable_lock, flags);
+	spin_lock(&pd_bitmap_lock);
+ 	id = find_first_zero_bit(amd_iommu_pd_alloc_bitmap, MAX_DOMAIN_ID);
+ 	BUG_ON(id == 0);
+ 	if (id > 0 && id < MAX_DOMAIN_ID)
+ 		__set_bit(id, amd_iommu_pd_alloc_bitmap);
+ 	else
+ 		id = 0;
+-	write_unlock_irqrestore(&amd_iommu_devtable_lock, flags);
+	spin_unlock(&pd_bitmap_lock);
+ 
+ 	return id;
+ }
+ 
+ static void domain_id_free(int id)
+ {
+-	unsigned long flags;
+-
+-	write_lock_irqsave(&amd_iommu_devtable_lock, flags);
+	spin_lock(&pd_bitmap_lock);
+ 	if (id > 0 && id < MAX_DOMAIN_ID)
+ 		__clear_bit(id, amd_iommu_pd_alloc_bitmap);
+-	write_unlock_irqrestore(&amd_iommu_devtable_lock, flags);
+	spin_unlock(&pd_bitmap_lock);
+ }
+ 
+ #define DEFINE_FREE_PT_FN(LVL, FN)				\
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0012-iommu-amd-Split-irq_lookup_table-out-of-the-amd_iomm.patch
+++ b/kernel/patches-4.14.x-rt/0012-iommu-amd-Split-irq_lookup_table-out-of-the-amd_iomm.patch
@@ -0,0 +1,56 @@
+From 37ded533c97f8424a00e051c4351ab2515717457 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Thu, 22 Mar 2018 16:22:36 +0100
+Subject: [PATCH 012/418] iommu/amd: Split irq_lookup_table out of the
+ amd_iommu_devtable_lock
+
+Upstream commit ea6166f4b83e9cfba1c18f46a764d50045682fe5
+
+The function get_irq_table() reads/writes irq_lookup_table while holding
+the amd_iommu_devtable_lock. It also modifies
+amd_iommu_dev_table[].data[2].
+set_dte_entry() is using amd_iommu_dev_table[].data[0|1] (under the
+domain->lock) so it should be okay. The access to the iommu is
+serialized with its own (iommu's) lock.
+
+So split out get_irq_table() out of amd_iommu_devtable_lock's lock.
+
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ drivers/iommu/amd_iommu.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index 250b6354fae5..2cedb0caec73 100644
+--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
+@@ -83,6 +83,7 @@
+ 
+ static DEFINE_RWLOCK(amd_iommu_devtable_lock);
+ static DEFINE_SPINLOCK(pd_bitmap_lock);
+static DEFINE_SPINLOCK(iommu_table_lock);
+ 
+ /* List of all available dev_data structures */
+ static LLIST_HEAD(dev_data_list);
+@@ -3600,7 +3601,7 @@ static struct irq_remap_table *alloc_irq_table(u16 devid, bool ioapic)
+ 	unsigned long flags;
+ 	u16 alias;
+ 
+-	write_lock_irqsave(&amd_iommu_devtable_lock, flags);
+	spin_lock_irqsave(&iommu_table_lock, flags);
+ 
+ 	iommu = amd_iommu_rlookup_table[devid];
+ 	if (!iommu)
+@@ -3665,7 +3666,7 @@ static struct irq_remap_table *alloc_irq_table(u16 devid, bool ioapic)
+ 	iommu_completion_wait(iommu);
+ 
+ out_unlock:
+-	write_unlock_irqrestore(&amd_iommu_devtable_lock, flags);
+	spin_unlock_irqrestore(&iommu_table_lock, flags);
+ 
+ 	return table;
+ }
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0013-iommu-amd-Remove-the-special-case-from-alloc_irq_tab.patch
+++ b/kernel/patches-4.14.x-rt/0013-iommu-amd-Remove-the-special-case-from-alloc_irq_tab.patch
@@ -0,0 +1,100 @@
+From 7faa3de9da88db7a577fbc9d11c095425c7de802 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Thu, 22 Mar 2018 16:22:37 +0100
+Subject: [PATCH 013/418] iommu/amd: Remove the special case from
+ alloc_irq_table()
+
+Upstream commit fde65dd3d3096e8f6ecc7bbe544eb91f4220772c
+
+alloc_irq_table() has a special ioapic argument. If set then it will
+pre-allocate / reserve the first 32 indexes. The argument is only once
+true and it would make alloc_irq_table() a little simpler if we would
+extract the special bits to the caller.
+The caller of irq_remapping_alloc() is holding irq_domain_mutex so the
+initialization of iommu->irte_ops->set_allocated() should not race
+against other user.
+
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ drivers/iommu/amd_iommu.c | 34 ++++++++++++++++++++--------------
+ 1 file changed, 20 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index 2cedb0caec73..fc23b89d2372 100644
+--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
+@@ -3594,7 +3594,7 @@ static struct irq_remap_table *get_irq_table(u16 devid)
+ 	return table;
+ }
+ 
+-static struct irq_remap_table *alloc_irq_table(u16 devid, bool ioapic)
+static struct irq_remap_table *alloc_irq_table(u16 devid)
+ {
+ 	struct irq_remap_table *table = NULL;
+ 	struct amd_iommu *iommu;
+@@ -3628,10 +3628,6 @@ static struct irq_remap_table *alloc_irq_table(u16 devid, bool ioapic)
+ 	/* Initialize table spin-lock */
+ 	raw_spin_lock_init(&table->lock);
+ 
+-	if (ioapic)
+-		/* Keep the first 32 indexes free for IOAPIC interrupts */
+-		table->min_index = 32;
+-
+ 	table->table = kmem_cache_alloc(amd_iommu_irq_cache, GFP_ATOMIC);
+ 	if (!table->table) {
+ 		kfree(table);
+@@ -3646,12 +3642,6 @@ static struct irq_remap_table *alloc_irq_table(u16 devid, bool ioapic)
+ 		memset(table->table, 0,
+ 		       (MAX_IRQS_PER_TABLE * (sizeof(u64) * 2)));
+ 
+-	if (ioapic) {
+-		int i;
+-
+-		for (i = 0; i < 32; ++i)
+-			iommu->irte_ops->set_allocated(table, i);
+-	}
+ 
+ 	irq_lookup_table[devid] = table;
+ 	set_dte_irq_entry(devid, table);
+@@ -3681,7 +3671,7 @@ static int alloc_irq_index(u16 devid, int count)
+ 	if (!iommu)
+ 		return -ENODEV;
+ 
+-	table = alloc_irq_table(devid, false);
+	table = alloc_irq_table(devid);
+ 	if (!table)
+ 		return -ENODEV;
+ 
+@@ -4100,10 +4090,26 @@ static int irq_remapping_alloc(struct irq_domain *domain, unsigned int virq,
+ 		return ret;
+ 
+ 	if (info->type == X86_IRQ_ALLOC_TYPE_IOAPIC) {
+-		if (alloc_irq_table(devid, true))
+		struct irq_remap_table *table;
+		struct amd_iommu *iommu;
+
+		table = alloc_irq_table(devid);
+		if (table) {
+			if (!table->min_index) {
+				/*
+				 * Keep the first 32 indexes free for IOAPIC
+				 * interrupts.
+				 */
+				table->min_index = 32;
+				iommu = amd_iommu_rlookup_table[devid];
+				for (i = 0; i < 32; ++i)
+					iommu->irte_ops->set_allocated(table, i);
+			}
+			WARN_ON(table->min_index != 32);
+ 			index = info->ioapic_pin;
+-		else
+		} else {
+ 			ret = -ENOMEM;
+		}
+ 	} else {
+ 		index = alloc_irq_index(devid, nr_irqs);
+ 	}
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0014-iommu-amd-Use-table-instead-irt-as-variable-name-in-.patch
+++ b/kernel/patches-4.14.x-rt/0014-iommu-amd-Use-table-instead-irt-as-variable-name-in-.patch
@@ -0,0 +1,58 @@
+From c148dfef5e405f1d7f74ac4e667b19007bc31fd1 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Thu, 22 Mar 2018 16:22:38 +0100
+Subject: [PATCH 014/418] iommu/amd: Use `table' instead `irt' as variable name
+ in amd_iommu_update_ga()
+
+Upstream commit 4fde541c9dc114c5b448ad34b0286fe8b7c550f1
+
+The variable of type struct irq_remap_table is always named `table'
+except in amd_iommu_update_ga() where it is called `irt'. Make it
+consistent and name it also `table'.
+
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ drivers/iommu/amd_iommu.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index fc23b89d2372..bfda5f26ea50 100644
+--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
+@@ -4353,7 +4353,7 @@ int amd_iommu_update_ga(int cpu, bool is_run, void *data)
+ {
+ 	unsigned long flags;
+ 	struct amd_iommu *iommu;
+-	struct irq_remap_table *irt;
+	struct irq_remap_table *table;
+ 	struct amd_ir_data *ir_data = (struct amd_ir_data *)data;
+ 	int devid = ir_data->irq_2_irte.devid;
+ 	struct irte_ga *entry = (struct irte_ga *) ir_data->entry;
+@@ -4367,11 +4367,11 @@ int amd_iommu_update_ga(int cpu, bool is_run, void *data)
+ 	if (!iommu)
+ 		return -ENODEV;
+ 
+-	irt = get_irq_table(devid);
+-	if (!irt)
+	table = get_irq_table(devid);
+	if (!table)
+ 		return -ENODEV;
+ 
+-	raw_spin_lock_irqsave(&irt->lock, flags);
+	raw_spin_lock_irqsave(&table->lock, flags);
+ 
+ 	if (ref->lo.fields_vapic.guest_mode) {
+ 		if (cpu >= 0)
+@@ -4380,7 +4380,7 @@ int amd_iommu_update_ga(int cpu, bool is_run, void *data)
+ 		barrier();
+ 	}
+ 
+-	raw_spin_unlock_irqrestore(&irt->lock, flags);
+	raw_spin_unlock_irqrestore(&table->lock, flags);
+ 
+ 	iommu_flush_irt(iommu, devid);
+ 	iommu_completion_wait(iommu);
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0015-iommu-amd-Factor-out-setting-the-remap-table-for-a-d.patch
+++ b/kernel/patches-4.14.x-rt/0015-iommu-amd-Factor-out-setting-the-remap-table-for-a-d.patch
@@ -0,0 +1,72 @@
+From ef80165d12b76356146a32c6b43e45e98f052ae9 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Thu, 22 Mar 2018 16:22:39 +0100
+Subject: [PATCH 015/418] iommu/amd: Factor out setting the remap table for a
+ devid
+
+Upstream commit 2fcc1e8ac4a8514c64f946178fc36c2e30e56a41
+
+Setting the IRQ remap table for a specific devid (or its alias devid)
+includes three steps. Those three steps are always repeated each time
+this is done.
+Introduce a new helper function, move those steps there and use that
+function instead. The compiler can still decide if it is worth to
+inline.
+
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ drivers/iommu/amd_iommu.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index bfda5f26ea50..d4eeb91afa36 100644
+--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
+@@ -3594,6 +3594,14 @@ static struct irq_remap_table *get_irq_table(u16 devid)
+ 	return table;
+ }
+ 
+static void set_remap_table_entry(struct amd_iommu *iommu, u16 devid,
+				  struct irq_remap_table *table)
+{
+	irq_lookup_table[devid] = table;
+	set_dte_irq_entry(devid, table);
+	iommu_flush_dte(iommu, devid);
+}
+
+ static struct irq_remap_table *alloc_irq_table(u16 devid)
+ {
+ 	struct irq_remap_table *table = NULL;
+@@ -3614,9 +3622,7 @@ static struct irq_remap_table *alloc_irq_table(u16 devid)
+ 	alias = amd_iommu_alias_table[devid];
+ 	table = irq_lookup_table[alias];
+ 	if (table) {
+-		irq_lookup_table[devid] = table;
+-		set_dte_irq_entry(devid, table);
+-		iommu_flush_dte(iommu, devid);
+		set_remap_table_entry(iommu, devid, table);
+ 		goto out;
+ 	}
+ 
+@@ -3643,14 +3649,9 @@ static struct irq_remap_table *alloc_irq_table(u16 devid)
+ 		       (MAX_IRQS_PER_TABLE * (sizeof(u64) * 2)));
+ 
+ 
+-	irq_lookup_table[devid] = table;
+-	set_dte_irq_entry(devid, table);
+-	iommu_flush_dte(iommu, devid);
+-	if (devid != alias) {
+-		irq_lookup_table[alias] = table;
+-		set_dte_irq_entry(alias, table);
+-		iommu_flush_dte(iommu, alias);
+-	}
+	set_remap_table_entry(iommu, devid, table);
+	if (devid != alias)
+		set_remap_table_entry(iommu, alias, table);
+ 
+ out:
+ 	iommu_completion_wait(iommu);
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0016-iommu-amd-Drop-the-lock-while-allocating-new-irq-rem.patch
+++ b/kernel/patches-4.14.x-rt/0016-iommu-amd-Drop-the-lock-while-allocating-new-irq-rem.patch
@@ -0,0 +1,137 @@
+From 6224ad75694b7e9aa332a504f1da722c416a4cf3 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Thu, 22 Mar 2018 16:22:40 +0100
+Subject: [PATCH 016/418] iommu/amd: Drop the lock while allocating new irq
+ remap table
+
+Upstream commit 993ca6e063a69a0c65ca42ed449b6bc1b3844151
+
+The irq_remap_table is allocated while the iommu_table_lock is held with
+interrupts disabled.
+>From looking at the call sites, all callers are in the early device
+initialisation (apic_bsp_setup(), pci_enable_device(),
+pci_enable_msi()) so make sense to drop the lock which also enables
+interrupts and try to allocate that memory with GFP_KERNEL instead
+GFP_ATOMIC.
+
+Since during the allocation the iommu_table_lock is dropped, we need to
+recheck if table exists after the lock has been reacquired. I *think*
+that it is impossible that the "devid" entry appears in irq_lookup_table
+while the lock is dropped since the same device can only be probed once.
+However I check for both cases, just to be sure.
+
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ drivers/iommu/amd_iommu.c | 63 ++++++++++++++++++++++++++++-----------
+ 1 file changed, 45 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index d4eeb91afa36..8b6e515b395e 100644
+--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
+@@ -3594,6 +3594,30 @@ static struct irq_remap_table *get_irq_table(u16 devid)
+ 	return table;
+ }
+ 
+static struct irq_remap_table *__alloc_irq_table(void)
+{
+	struct irq_remap_table *table;
+
+	table = kzalloc(sizeof(*table), GFP_KERNEL);
+	if (!table)
+		return NULL;
+
+	table->table = kmem_cache_alloc(amd_iommu_irq_cache, GFP_KERNEL);
+	if (!table->table) {
+		kfree(table);
+		return NULL;
+	}
+	raw_spin_lock_init(&table->lock);
+
+	if (!AMD_IOMMU_GUEST_IR_GA(amd_iommu_guest_ir))
+		memset(table->table, 0,
+		       MAX_IRQS_PER_TABLE * sizeof(u32));
+	else
+		memset(table->table, 0,
+		       (MAX_IRQS_PER_TABLE * (sizeof(u64) * 2)));
+	return table;
+}
+
+ static void set_remap_table_entry(struct amd_iommu *iommu, u16 devid,
+ 				  struct irq_remap_table *table)
+ {
+@@ -3605,6 +3629,7 @@ static void set_remap_table_entry(struct amd_iommu *iommu, u16 devid,
+ static struct irq_remap_table *alloc_irq_table(u16 devid)
+ {
+ 	struct irq_remap_table *table = NULL;
+	struct irq_remap_table *new_table = NULL;
+ 	struct amd_iommu *iommu;
+ 	unsigned long flags;
+ 	u16 alias;
+@@ -3623,42 +3648,44 @@ static struct irq_remap_table *alloc_irq_table(u16 devid)
+ 	table = irq_lookup_table[alias];
+ 	if (table) {
+ 		set_remap_table_entry(iommu, devid, table);
+-		goto out;
+		goto out_wait;
+ 	}
+	spin_unlock_irqrestore(&iommu_table_lock, flags);
+ 
+ 	/* Nothing there yet, allocate new irq remapping table */
+-	table = kzalloc(sizeof(*table), GFP_ATOMIC);
+-	if (!table)
+-		goto out_unlock;
+	new_table = __alloc_irq_table();
+	if (!new_table)
+		return NULL;
+ 
+-	/* Initialize table spin-lock */
+-	raw_spin_lock_init(&table->lock);
+	spin_lock_irqsave(&iommu_table_lock, flags);
+ 
+-	table->table = kmem_cache_alloc(amd_iommu_irq_cache, GFP_ATOMIC);
+-	if (!table->table) {
+-		kfree(table);
+-		table = NULL;
+	table = irq_lookup_table[devid];
+	if (table)
+ 		goto out_unlock;
+-	}
+ 
+-	if (!AMD_IOMMU_GUEST_IR_GA(amd_iommu_guest_ir))
+-		memset(table->table, 0,
+-		       MAX_IRQS_PER_TABLE * sizeof(u32));
+-	else
+-		memset(table->table, 0,
+-		       (MAX_IRQS_PER_TABLE * (sizeof(u64) * 2)));
+	table = irq_lookup_table[alias];
+	if (table) {
+		set_remap_table_entry(iommu, devid, table);
+		goto out_wait;
+	}
+ 
+	table = new_table;
+	new_table = NULL;
+ 
+ 	set_remap_table_entry(iommu, devid, table);
+ 	if (devid != alias)
+ 		set_remap_table_entry(iommu, alias, table);
+ 
+-out:
+out_wait:
+ 	iommu_completion_wait(iommu);
+ 
+ out_unlock:
+ 	spin_unlock_irqrestore(&iommu_table_lock, flags);
+ 
+	if (new_table) {
+		kmem_cache_free(amd_iommu_irq_cache, new_table->table);
+		kfree(new_table);
+	}
+ 	return table;
+ }
+ 
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0017-iommu-amd-Make-amd_iommu_devtable_lock-a-spin_lock.patch
+++ b/kernel/patches-4.14.x-rt/0017-iommu-amd-Make-amd_iommu_devtable_lock-a-spin_lock.patch
@@ -0,0 +1,79 @@
+From 9d350d7dff14fe5881062bb1dd588fe1bf19719d Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Thu, 22 Mar 2018 16:22:41 +0100
+Subject: [PATCH 017/418] iommu/amd: Make amd_iommu_devtable_lock a spin_lock
+
+Upstream commit 2cd1083d79a0a8c223af430ca97884c28a1e2fc0
+
+Before commit 0bb6e243d7fb ("iommu/amd: Support IOMMU_DOMAIN_DMA type
+allocation") amd_iommu_devtable_lock had a read_lock() user but now
+there are none. In fact, after the mentioned commit we had only
+write_lock() user of the lock. Since there is no reason to keep it as
+writer lock, change its type to a spin_lock.
+I *think* that we might even be able to remove the lock because all its
+current user seem to have their own protection.
+
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ drivers/iommu/amd_iommu.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index 8b6e515b395e..f685026e6d9e 100644
+--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
+@@ -81,7 +81,7 @@
+  */
+ #define AMD_IOMMU_PGSIZES	((~0xFFFUL) & ~(2ULL << 38))
+ 
+-static DEFINE_RWLOCK(amd_iommu_devtable_lock);
+static DEFINE_SPINLOCK(amd_iommu_devtable_lock);
+ static DEFINE_SPINLOCK(pd_bitmap_lock);
+ static DEFINE_SPINLOCK(iommu_table_lock);
+ 
+@@ -2086,9 +2086,9 @@ static int attach_device(struct device *dev,
+ 	}
+ 
+ skip_ats_check:
+-	write_lock_irqsave(&amd_iommu_devtable_lock, flags);
+	spin_lock_irqsave(&amd_iommu_devtable_lock, flags);
+ 	ret = __attach_device(dev_data, domain);
+-	write_unlock_irqrestore(&amd_iommu_devtable_lock, flags);
+	spin_unlock_irqrestore(&amd_iommu_devtable_lock, flags);
+ 
+ 	/*
+ 	 * We might boot into a crash-kernel here. The crashed kernel
+@@ -2138,9 +2138,9 @@ static void detach_device(struct device *dev)
+ 	domain   = dev_data->domain;
+ 
+ 	/* lock device table */
+-	write_lock_irqsave(&amd_iommu_devtable_lock, flags);
+	spin_lock_irqsave(&amd_iommu_devtable_lock, flags);
+ 	__detach_device(dev_data);
+-	write_unlock_irqrestore(&amd_iommu_devtable_lock, flags);
+	spin_unlock_irqrestore(&amd_iommu_devtable_lock, flags);
+ 
+ 	if (!dev_is_pci(dev))
+ 		return;
+@@ -2804,7 +2804,7 @@ static void cleanup_domain(struct protection_domain *domain)
+ 	struct iommu_dev_data *entry;
+ 	unsigned long flags;
+ 
+-	write_lock_irqsave(&amd_iommu_devtable_lock, flags);
+	spin_lock_irqsave(&amd_iommu_devtable_lock, flags);
+ 
+ 	while (!list_empty(&domain->dev_list)) {
+ 		entry = list_first_entry(&domain->dev_list,
+@@ -2812,7 +2812,7 @@ static void cleanup_domain(struct protection_domain *domain)
+ 		__detach_device(entry);
+ 	}
+ 
+-	write_unlock_irqrestore(&amd_iommu_devtable_lock, flags);
+	spin_unlock_irqrestore(&amd_iommu_devtable_lock, flags);
+ }
+ 
+ static void protection_domain_free(struct protection_domain *domain)
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0018-iommu-amd-Return-proper-error-code-in-irq_remapping_.patch
+++ b/kernel/patches-4.14.x-rt/0018-iommu-amd-Return-proper-error-code-in-irq_remapping_.patch
@@ -0,0 +1,46 @@
+From cf3885d685d1115031da5d5963a9152b11cf9f36 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Thu, 22 Mar 2018 16:22:42 +0100
+Subject: [PATCH 018/418] iommu/amd: Return proper error code in
+ irq_remapping_alloc()
+
+Upstream commit 29d049be9438278c47253a74cf8d0ddf36bd5d68
+
+In the unlikely case when alloc_irq_table() is not able to return a
+remap table then "ret" will be assigned with an error code. Later, the
+code checks `index' and if it is negative (which it is because it is
+initialized with `-1') and then then function properly aborts but
+returns `-1' instead `-ENOMEM' what was intended.
+In order to correct this, I assign -ENOMEM to index.
+
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+---
+ drivers/iommu/amd_iommu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
+index f685026e6d9e..f61c2dab5490 100644
+--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
+@@ -4094,7 +4094,7 @@ static int irq_remapping_alloc(struct irq_domain *domain, unsigned int virq,
+ 	struct amd_ir_data *data = NULL;
+ 	struct irq_cfg *cfg;
+ 	int i, ret, devid;
+-	int index = -1;
+	int index;
+ 
+ 	if (!info)
+ 		return -EINVAL;
+@@ -4136,7 +4136,7 @@ static int irq_remapping_alloc(struct irq_domain *domain, unsigned int virq,
+ 			WARN_ON(table->min_index != 32);
+ 			index = info->ioapic_pin;
+ 		} else {
+-			ret = -ENOMEM;
+			index = -ENOMEM;
+ 		}
+ 	} else {
+ 		index = alloc_irq_index(devid, nr_irqs);
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0019-timers-Use-static-keys-for-migrate_enable-nohz_activ.patch
+++ b/kernel/patches-4.14.x-rt/0019-timers-Use-static-keys-for-migrate_enable-nohz_activ.patch
@@ -0,0 +1,287 @@
+From d2540f23d6110bdea14e3b9b8af69ee71909096f Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Wed, 20 Dec 2017 17:12:50 +0100
+Subject: [PATCH 019/418] timers: Use static keys for
+ migrate_enable/nohz_active
+
+The members migrate_enable and nohz_active in the timer/hrtimer per CPU
+bases have been introduced to avoid accessing global variables for these
+decisions.
+
+Still that results in a (cache hot) load and conditional branch, which can
+be avoided by using static keys.
+
+Implement it with static keys and optimize for the most critical case of
+high performance networking which tends to disable the timer migration
+functionality.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+---
+ include/linux/hrtimer.h     |  4 --
+ kernel/time/hrtimer.c       | 17 +++-----
+ kernel/time/tick-internal.h | 19 +++++----
+ kernel/time/tick-sched.c    |  2 +-
+ kernel/time/timer.c         | 83 +++++++++++++++++++------------------
+ 5 files changed, 61 insertions(+), 64 deletions(-)
+
+diff --git a/include/linux/hrtimer.h b/include/linux/hrtimer.h
+index 012c37fdb688..79b2a8d29d8c 100644
+--- a/include/linux/hrtimer.h
+++ b/include/linux/hrtimer.h
+@@ -153,8 +153,6 @@ enum  hrtimer_base_type {
+  * @cpu:		cpu number
+  * @active_bases:	Bitfield to mark bases with active timers
+  * @clock_was_set_seq:	Sequence counter of clock was set events
+- * @migration_enabled:	The migration of hrtimers to other cpus is enabled
+- * @nohz_active:	The nohz functionality is enabled
+  * @expires_next:	absolute time of the next event which was scheduled
+  *			via clock_set_next_event()
+  * @next_timer:		Pointer to the first expiring timer
+@@ -178,8 +176,6 @@ struct hrtimer_cpu_base {
+ 	unsigned int			cpu;
+ 	unsigned int			active_bases;
+ 	unsigned int			clock_was_set_seq;
+-	bool				migration_enabled;
+-	bool				nohz_active;
+ #ifdef CONFIG_HIGH_RES_TIMERS
+ 	unsigned int			in_hrtirq	: 1,
+ 					hres_active	: 1,
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index d00e85ac10d6..883fef2926e9 100644
+--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
+@@ -178,23 +178,16 @@ hrtimer_check_target(struct hrtimer *timer, struct hrtimer_clock_base *new_base)
+ #endif
+ }
+ 
+-#ifdef CONFIG_NO_HZ_COMMON
+-static inline
+-struct hrtimer_cpu_base *get_target_base(struct hrtimer_cpu_base *base,
+-					 int pinned)
+-{
+-	if (pinned || !base->migration_enabled)
+-		return base;
+-	return &per_cpu(hrtimer_bases, get_nohz_timer_target());
+-}
+-#else
+ static inline
+ struct hrtimer_cpu_base *get_target_base(struct hrtimer_cpu_base *base,
+ 					 int pinned)
+ {
+#if defined(CONFIG_SMP) && defined(CONFIG_NO_HZ_COMMON)
+	if (static_branch_unlikely(&timers_migration_enabled) && !pinned)
+		return &per_cpu(hrtimer_bases, get_nohz_timer_target());
+#endif
+ 	return base;
+ }
+-#endif
+ 
+ /*
+  * We switch the timer base to a power-optimized selected CPU target,
+@@ -973,7 +966,7 @@ void hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
+ 		 * Kick to reschedule the next tick to handle the new timer
+ 		 * on dynticks target.
+ 		 */
+-		if (new_base->cpu_base->nohz_active)
+		if (is_timers_nohz_active())
+ 			wake_up_nohz_cpu(new_base->cpu_base->cpu);
+ 	} else {
+ 		hrtimer_reprogram(timer, new_base);
+diff --git a/kernel/time/tick-internal.h b/kernel/time/tick-internal.h
+index f8e1845aa464..4ac74dff59f0 100644
+--- a/kernel/time/tick-internal.h
+++ b/kernel/time/tick-internal.h
+@@ -150,14 +150,19 @@ static inline void tick_nohz_init(void) { }
+ 
+ #ifdef CONFIG_NO_HZ_COMMON
+ extern unsigned long tick_nohz_active;
+-#else
+extern void timers_update_nohz(void);
+extern struct static_key_false timers_nohz_active;
+static inline bool is_timers_nohz_active(void)
+{
+	return static_branch_unlikely(&timers_nohz_active);
+}
+# ifdef CONFIG_SMP
+extern struct static_key_false timers_migration_enabled;
+# endif
+#else /* CONFIG_NO_HZ_COMMON */
+static inline void timers_update_nohz(void) { }
+ #define tick_nohz_active (0)
+-#endif
+-
+-#if defined(CONFIG_SMP) && defined(CONFIG_NO_HZ_COMMON)
+-extern void timers_update_migration(bool update_nohz);
+-#else
+-static inline void timers_update_migration(bool update_nohz) { }
+static inline bool is_timers_nohz_active(void) { return false; }
+ #endif
+ 
+ DECLARE_PER_CPU(struct hrtimer_cpu_base, hrtimer_bases);
+diff --git a/kernel/time/tick-sched.c b/kernel/time/tick-sched.c
+index bb2af74e6b62..9a372e16791c 100644
+--- a/kernel/time/tick-sched.c
+++ b/kernel/time/tick-sched.c
+@@ -1132,7 +1132,7 @@ static inline void tick_nohz_activate(struct tick_sched *ts, int mode)
+ 	ts->nohz_mode = mode;
+ 	/* One update is enough */
+ 	if (!test_and_set_bit(0, &tick_nohz_active))
+-		timers_update_migration(true);
+		timers_update_nohz();
+ }
+ 
+ /**
+diff --git a/kernel/time/timer.c b/kernel/time/timer.c
+index 9fe525f410bf..b24232985960 100644
+--- a/kernel/time/timer.c
+++ b/kernel/time/timer.c
+@@ -200,8 +200,6 @@ struct timer_base {
+ 	unsigned long		clk;
+ 	unsigned long		next_expiry;
+ 	unsigned int		cpu;
+-	bool			migration_enabled;
+-	bool			nohz_active;
+ 	bool			is_idle;
+ 	bool			must_forward_clk;
+ 	DECLARE_BITMAP(pending_map, WHEEL_SIZE);
+@@ -210,45 +208,59 @@ struct timer_base {
+ 
+ static DEFINE_PER_CPU(struct timer_base, timer_bases[NR_BASES]);
+ 
+-#if defined(CONFIG_SMP) && defined(CONFIG_NO_HZ_COMMON)
+#ifdef CONFIG_NO_HZ_COMMON
+
+DEFINE_STATIC_KEY_FALSE(timers_nohz_active);
+static DEFINE_MUTEX(timer_keys_mutex);
+
+static void timer_update_keys(struct work_struct *work);
+static DECLARE_WORK(timer_update_work, timer_update_keys);
+
+#ifdef CONFIG_SMP
+ unsigned int sysctl_timer_migration = 1;
+ 
+-void timers_update_migration(bool update_nohz)
+DEFINE_STATIC_KEY_FALSE(timers_migration_enabled);
+
+static void timers_update_migration(void)
+ {
+ 	bool on = sysctl_timer_migration && tick_nohz_active;
+-	unsigned int cpu;
+ 
+-	/* Avoid the loop, if nothing to update */
+-	if (this_cpu_read(timer_bases[BASE_STD].migration_enabled) == on)
+-		return;
+	if (on)
+		static_branch_enable(&timers_migration_enabled);
+	else
+		static_branch_disable(&timers_migration_enabled);
+}
+#else
+static inline void timers_update_migration(void) { }
+#endif /* !CONFIG_SMP */
+ 
+-	for_each_possible_cpu(cpu) {
+-		per_cpu(timer_bases[BASE_STD].migration_enabled, cpu) = on;
+-		per_cpu(timer_bases[BASE_DEF].migration_enabled, cpu) = on;
+-		per_cpu(hrtimer_bases.migration_enabled, cpu) = on;
+-		if (!update_nohz)
+-			continue;
+-		per_cpu(timer_bases[BASE_STD].nohz_active, cpu) = true;
+-		per_cpu(timer_bases[BASE_DEF].nohz_active, cpu) = true;
+-		per_cpu(hrtimer_bases.nohz_active, cpu) = true;
+-	}
+static void timer_update_keys(struct work_struct *work)
+{
+	mutex_lock(&timer_keys_mutex);
+	timers_update_migration();
+	static_branch_enable(&timers_nohz_active);
+	mutex_unlock(&timer_keys_mutex);
+}
+
+void timers_update_nohz(void)
+{
+	schedule_work(&timer_update_work);
+ }
+ 
+ int timer_migration_handler(struct ctl_table *table, int write,
+ 			    void __user *buffer, size_t *lenp,
+ 			    loff_t *ppos)
+ {
+-	static DEFINE_MUTEX(mutex);
+ 	int ret;
+ 
+-	mutex_lock(&mutex);
+	mutex_lock(&timer_keys_mutex);
+ 	ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
+ 	if (!ret && write)
+-		timers_update_migration(false);
+-	mutex_unlock(&mutex);
+		timers_update_migration();
+	mutex_unlock(&timer_keys_mutex);
+ 	return ret;
+ }
+-#endif
+#endif /* NO_HZ_COMMON */
+ 
+ static unsigned long round_jiffies_common(unsigned long j, int cpu,
+ 		bool force_up)
+@@ -534,7 +546,7 @@ __internal_add_timer(struct timer_base *base, struct timer_list *timer)
+ static void
+ trigger_dyntick_cpu(struct timer_base *base, struct timer_list *timer)
+ {
+-	if (!IS_ENABLED(CONFIG_NO_HZ_COMMON) || !base->nohz_active)
+	if (!is_timers_nohz_active())
+ 		return;
+ 
+ 	/*
+@@ -840,21 +852,20 @@ static inline struct timer_base *get_timer_base(u32 tflags)
+ 	return get_timer_cpu_base(tflags, tflags & TIMER_CPUMASK);
+ }
+ 
+-#ifdef CONFIG_NO_HZ_COMMON
+ static inline struct timer_base *
+ get_target_base(struct timer_base *base, unsigned tflags)
+ {
+-#ifdef CONFIG_SMP
+-	if ((tflags & TIMER_PINNED) || !base->migration_enabled)
+-		return get_timer_this_cpu_base(tflags);
+-	return get_timer_cpu_base(tflags, get_nohz_timer_target());
+-#else
+-	return get_timer_this_cpu_base(tflags);
+#if defined(CONFIG_SMP) && defined(CONFIG_NO_HZ_COMMON)
+	if (static_branch_unlikely(&timers_migration_enabled) &&
+	    !(tflags & TIMER_PINNED))
+		return get_timer_cpu_base(tflags, get_nohz_timer_target());
+ #endif
+	return get_timer_this_cpu_base(tflags);
+ }
+ 
+ static inline void forward_timer_base(struct timer_base *base)
+ {
+#ifdef CONFIG_NO_HZ_COMMON
+ 	unsigned long jnow;
+ 
+ 	/*
+@@ -878,16 +889,8 @@ static inline void forward_timer_base(struct timer_base *base)
+ 		base->clk = jnow;
+ 	else
+ 		base->clk = base->next_expiry;
+-}
+-#else
+-static inline struct timer_base *
+-get_target_base(struct timer_base *base, unsigned tflags)
+-{
+-	return get_timer_this_cpu_base(tflags);
+-}
+-
+-static inline void forward_timer_base(struct timer_base *base) { }
+ #endif
+}
+ 
+ 
+ /*
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0020-hrtimer-Correct-blantanly-wrong-comment.patch
+++ b/kernel/patches-4.14.x-rt/0020-hrtimer-Correct-blantanly-wrong-comment.patch
@@ -0,0 +1,42 @@
+From 437a57e7664994a510190bfaff01026cd7e75422 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Wed, 20 Dec 2017 17:12:51 +0100
+Subject: [PATCH 020/418] hrtimer: Correct blantanly wrong comment
+
+The protection of a hrtimer which runs its callback against migration to a
+different CPU has nothing to do with hard interrupt context.
+
+The protection against migration of a hrtimer running the expiry callback
+is the pointer in the cpu_base which holds a pointer to the currently
+running timer. This pointer is evaluated in the code which potentially
+switches the timer base and makes sure it's kept on the CPU on which the
+callback is running.
+
+Reported-by: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+---
+ kernel/time/hrtimer.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index 883fef2926e9..65543d31af32 100644
+--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
+@@ -1204,9 +1204,9 @@ static void __run_hrtimer(struct hrtimer_cpu_base *cpu_base,
+ 		timer->is_rel = false;
+ 
+ 	/*
+-	 * Because we run timers from hardirq context, there is no chance
+-	 * they get migrated to another cpu, therefore its safe to unlock
+-	 * the timer base.
+	 * The timer is marked as running in the cpu base, so it is
+	 * protected against migration to a different CPU even if the lock
+	 * is dropped.
+ 	 */
+ 	raw_spin_unlock(&cpu_base->lock);
+ 	trace_hrtimer_expire_entry(timer, now);
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0021-hrtimer-Fix-kerneldoc-for-struct-hrtimer_cpu_base.patch
+++ b/kernel/patches-4.14.x-rt/0021-hrtimer-Fix-kerneldoc-for-struct-hrtimer_cpu_base.patch
@@ -0,0 +1,48 @@
+From b9a845a61b4f2fd293791e8a6f3b3031ba03308d Mon Sep 17 00:00:00 2001
+From: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Date: Wed, 20 Dec 2017 17:12:52 +0100
+Subject: [PATCH 021/418] hrtimer: Fix kerneldoc for struct hrtimer_cpu_base
+
+The sequence '/**' marks the start of a struct description. Add the
+missing second asterisk. While at it adapt the ordering of the struct
+members to the struct definition and document the purpose of
+expires_next more precisely.
+
+Signed-off-by: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+---
+ include/linux/hrtimer.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/include/linux/hrtimer.h b/include/linux/hrtimer.h
+index 79b2a8d29d8c..b3a382be8db0 100644
+--- a/include/linux/hrtimer.h
+++ b/include/linux/hrtimer.h
+@@ -144,7 +144,7 @@ enum  hrtimer_base_type {
+ 	HRTIMER_MAX_CLOCK_BASES,
+ };
+ 
+-/*
+/**
+  * struct hrtimer_cpu_base - the per cpu clock bases
+  * @lock:		lock protecting the base and associated clock bases
+  *			and timers
+@@ -153,12 +153,12 @@ enum  hrtimer_base_type {
+  * @cpu:		cpu number
+  * @active_bases:	Bitfield to mark bases with active timers
+  * @clock_was_set_seq:	Sequence counter of clock was set events
+- * @expires_next:	absolute time of the next event which was scheduled
+- *			via clock_set_next_event()
+- * @next_timer:		Pointer to the first expiring timer
+  * @in_hrtirq:		hrtimer_interrupt() is currently executing
+  * @hres_active:	State of high resolution mode
+  * @hang_detected:	The last hrtimer interrupt detected a hang
+ * @expires_next:	absolute time of the next event, is required for remote
+ *			hrtimer enqueue
+ * @next_timer:		Pointer to the first expiring timer
+  * @nr_events:		Total number of hrtimer interrupt events
+  * @nr_retries:		Total number of hrtimer interrupt retries
+  * @nr_hangs:		Total number of hrtimer interrupt hangs
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0022-hrtimer-Cleanup-clock-argument-in-schedule_hrtimeout.patch
+++ b/kernel/patches-4.14.x-rt/0022-hrtimer-Cleanup-clock-argument-in-schedule_hrtimeout.patch
@@ -0,0 +1,88 @@
+From 3f2ef191049442d38c95443f4a85062a403cb21a Mon Sep 17 00:00:00 2001
+From: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Date: Wed, 20 Dec 2017 17:12:53 +0100
+Subject: [PATCH 022/418] hrtimer: Cleanup clock argument in
+ schedule_hrtimeout_range_clock()
+
+schedule_hrtimeout_range_clock() uses an integer for the clock id
+instead of the predefined type "clockid_t". The ID of the clock is
+indicated in hrtimer code as clock_id. Therefore change the name of
+the variable as well to make it consistent.
+
+While at it, clean up the description for the function parameters clock_id
+and mode. The clock modes and the clock ids are not restricted as the
+comment suggests. Fix the mode description as well for the callers of
+schedule_hrtimeout_range_clock().
+
+No functional change.
+
+Signed-off-by: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+---
+ include/linux/hrtimer.h |  2 +-
+ kernel/time/hrtimer.c   | 12 ++++++------
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/include/linux/hrtimer.h b/include/linux/hrtimer.h
+index b3a382be8db0..931ce9c89c93 100644
+--- a/include/linux/hrtimer.h
+++ b/include/linux/hrtimer.h
+@@ -462,7 +462,7 @@ extern int schedule_hrtimeout_range(ktime_t *expires, u64 delta,
+ extern int schedule_hrtimeout_range_clock(ktime_t *expires,
+ 					  u64 delta,
+ 					  const enum hrtimer_mode mode,
+-					  int clock);
+					  clockid_t clock_id);
+ extern int schedule_hrtimeout(ktime_t *expires, const enum hrtimer_mode mode);
+ 
+ /* Soft interrupt function to run the hrtimer queues: */
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index 65543d31af32..790841b59433 100644
+--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
+@@ -1672,12 +1672,12 @@ void __init hrtimers_init(void)
+  * schedule_hrtimeout_range_clock - sleep until timeout
+  * @expires:	timeout value (ktime_t)
+  * @delta:	slack in expires timeout (ktime_t)
+- * @mode:	timer mode, HRTIMER_MODE_ABS or HRTIMER_MODE_REL
+- * @clock:	timer clock, CLOCK_MONOTONIC or CLOCK_REALTIME
+ * @mode:	timer mode
+ * @clock_id:	timer clock to be used
+  */
+ int __sched
+ schedule_hrtimeout_range_clock(ktime_t *expires, u64 delta,
+-			       const enum hrtimer_mode mode, int clock)
+			       const enum hrtimer_mode mode, clockid_t clock_id)
+ {
+ 	struct hrtimer_sleeper t;
+ 
+@@ -1698,7 +1698,7 @@ schedule_hrtimeout_range_clock(ktime_t *expires, u64 delta,
+ 		return -EINTR;
+ 	}
+ 
+-	hrtimer_init_on_stack(&t.timer, clock, mode);
+	hrtimer_init_on_stack(&t.timer, clock_id, mode);
+ 	hrtimer_set_expires_range_ns(&t.timer, *expires, delta);
+ 
+ 	hrtimer_init_sleeper(&t, current);
+@@ -1720,7 +1720,7 @@ schedule_hrtimeout_range_clock(ktime_t *expires, u64 delta,
+  * schedule_hrtimeout_range - sleep until timeout
+  * @expires:	timeout value (ktime_t)
+  * @delta:	slack in expires timeout (ktime_t)
+- * @mode:	timer mode, HRTIMER_MODE_ABS or HRTIMER_MODE_REL
+ * @mode:	timer mode
+  *
+  * Make the current task sleep until the given expiry time has
+  * elapsed. The routine will return immediately unless
+@@ -1759,7 +1759,7 @@ EXPORT_SYMBOL_GPL(schedule_hrtimeout_range);
+ /**
+  * schedule_hrtimeout - sleep until timeout
+  * @expires:	timeout value (ktime_t)
+- * @mode:	timer mode, HRTIMER_MODE_ABS or HRTIMER_MODE_REL
+ * @mode:	timer mode
+  *
+  * Make the current task sleep until the given expiry time has
+  * elapsed. The routine will return immediately unless
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0023-hrtimer-Fix-hrtimer-function-description.patch
+++ b/kernel/patches-4.14.x-rt/0023-hrtimer-Fix-hrtimer-function-description.patch
@@ -0,0 +1,68 @@
+From 7bceac6c2181a2ce1ba209d1fc6afb626dbab4c7 Mon Sep 17 00:00:00 2001
+From: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Date: Wed, 20 Dec 2017 17:12:54 +0100
+Subject: [PATCH 023/418] hrtimer: Fix hrtimer function description
+
+The hrtimer_start[_range_ns]() starts a timer reliable on this CPU only
+when HRTIMER_MODE_PINNED is set. Furthermore the HRTIMER_MODE_PINNED mode
+is not considered, when a hrtimer is initialized.
+
+Signed-off-by: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+---
+ include/linux/hrtimer.h | 6 +++---
+ kernel/time/hrtimer.c   | 9 +++++----
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/include/linux/hrtimer.h b/include/linux/hrtimer.h
+index 931ce9c89c93..4e6a8841dcbe 100644
+--- a/include/linux/hrtimer.h
+++ b/include/linux/hrtimer.h
+@@ -361,11 +361,11 @@ extern void hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
+ 				   u64 range_ns, const enum hrtimer_mode mode);
+ 
+ /**
+- * hrtimer_start - (re)start an hrtimer on the current CPU
+ * hrtimer_start - (re)start an hrtimer
+  * @timer:	the timer to be added
+  * @tim:	expiry time
+- * @mode:	expiry mode: absolute (HRTIMER_MODE_ABS) or
+- *		relative (HRTIMER_MODE_REL)
+ * @mode:	timer mode: absolute (HRTIMER_MODE_ABS) or
+ *		relative (HRTIMER_MODE_REL), and pinned (HRTIMER_MODE_PINNED)
+  */
+ static inline void hrtimer_start(struct hrtimer *timer, ktime_t tim,
+ 				 const enum hrtimer_mode mode)
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index 790841b59433..6460aa2d9b25 100644
+--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
+@@ -928,12 +928,12 @@ static inline ktime_t hrtimer_update_lowres(struct hrtimer *timer, ktime_t tim,
+ }
+ 
+ /**
+- * hrtimer_start_range_ns - (re)start an hrtimer on the current CPU
+ * hrtimer_start_range_ns - (re)start an hrtimer
+  * @timer:	the timer to be added
+  * @tim:	expiry time
+  * @delta_ns:	"slack" range for the timer
+- * @mode:	expiry mode: absolute (HRTIMER_MODE_ABS) or
+- *		relative (HRTIMER_MODE_REL)
+ * @mode:	timer mode: absolute (HRTIMER_MODE_ABS) or
+ *		relative (HRTIMER_MODE_REL), and pinned (HRTIMER_MODE_PINNED)
+  */
+ void hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
+ 			    u64 delta_ns, const enum hrtimer_mode mode)
+@@ -1116,7 +1116,8 @@ static void __hrtimer_init(struct hrtimer *timer, clockid_t clock_id,
+  * hrtimer_init - initialize a timer to the given clock
+  * @timer:	the timer to be initialized
+  * @clock_id:	the clock to be used
+- * @mode:	timer mode abs/rel
+ * @mode:	timer mode: absolute (HRTIMER_MODE_ABS) or
+ *		relative (HRTIMER_MODE_REL); pinned is not considered here!
+  */
+ void hrtimer_init(struct hrtimer *timer, clockid_t clock_id,
+ 		  enum hrtimer_mode mode)
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0024-hrtimer-Cleanup-hrtimer_mode-enum.patch
+++ b/kernel/patches-4.14.x-rt/0024-hrtimer-Cleanup-hrtimer_mode-enum.patch
@@ -0,0 +1,51 @@
+From 79c700b613fe56d7318ab41bc9184cd8572006ec Mon Sep 17 00:00:00 2001
+From: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Date: Wed, 20 Dec 2017 17:12:56 +0100
+Subject: [PATCH 024/418] hrtimer: Cleanup hrtimer_mode enum
+
+It's not obvious that the HRTIMER_MODE variants are bit combinations
+because all modes are hard coded constants.
+
+Change it so the bit meanings are clear and use the symbols for creating
+modes which combine bits.
+
+While at it get rid of the ugly tail comments.
+
+Signed-off-by: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+---
+ include/linux/hrtimer.h | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/include/linux/hrtimer.h b/include/linux/hrtimer.h
+index 4e6a8841dcbe..28f267cf2851 100644
+--- a/include/linux/hrtimer.h
+++ b/include/linux/hrtimer.h
+@@ -28,13 +28,19 @@ struct hrtimer_cpu_base;
+ 
+ /*
+  * Mode arguments of xxx_hrtimer functions:
+ *
+ * HRTIMER_MODE_ABS		- Time value is absolute
+ * HRTIMER_MODE_REL		- Time value is relative to now
+ * HRTIMER_MODE_PINNED		- Timer is bound to CPU (is only considered
+ *				  when starting the timer)
+  */
+ enum hrtimer_mode {
+-	HRTIMER_MODE_ABS = 0x0,		/* Time value is absolute */
+-	HRTIMER_MODE_REL = 0x1,		/* Time value is relative to now */
+-	HRTIMER_MODE_PINNED = 0x02,	/* Timer is bound to CPU */
+-	HRTIMER_MODE_ABS_PINNED = 0x02,
+-	HRTIMER_MODE_REL_PINNED = 0x03,
+	HRTIMER_MODE_ABS	= 0x00,
+	HRTIMER_MODE_REL	= 0x01,
+	HRTIMER_MODE_PINNED	= 0x02,
+
+	HRTIMER_MODE_ABS_PINNED = HRTIMER_MODE_ABS | HRTIMER_MODE_PINNED,
+	HRTIMER_MODE_REL_PINNED = HRTIMER_MODE_REL | HRTIMER_MODE_PINNED,
+ };
+ 
+ /*
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0025-tracing-hrtimer-Print-hrtimer-mode-in-hrtimer_start-.patch
+++ b/kernel/patches-4.14.x-rt/0025-tracing-hrtimer-Print-hrtimer-mode-in-hrtimer_start-.patch
@@ -0,0 +1,121 @@
+From 734fc4622933368429263530e951f67c458070eb Mon Sep 17 00:00:00 2001
+From: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Date: Wed, 20 Dec 2017 17:12:58 +0100
+Subject: [PATCH 025/418] tracing/hrtimer: Print hrtimer mode in hrtimer_start
+ tracepoint
+
+The hrtimer_start tracepoint lacks the mode information. The mode is
+important because consecutive starts can switch from ABS to REL or from
+PINNED to non PINNED.
+
+Add the mode information.
+
+Signed-off-by: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+---
+ include/trace/events/timer.h | 13 ++++++++-----
+ kernel/time/hrtimer.c        | 16 +++++++++-------
+ 2 files changed, 17 insertions(+), 12 deletions(-)
+
+diff --git a/include/trace/events/timer.h b/include/trace/events/timer.h
+index c6f728037c53..744b4310b24b 100644
+--- a/include/trace/events/timer.h
+++ b/include/trace/events/timer.h
+@@ -186,15 +186,16 @@ TRACE_EVENT(hrtimer_init,
+  */
+ TRACE_EVENT(hrtimer_start,
+ 
+-	TP_PROTO(struct hrtimer *hrtimer),
+	TP_PROTO(struct hrtimer *hrtimer, enum hrtimer_mode mode),
+ 
+-	TP_ARGS(hrtimer),
+	TP_ARGS(hrtimer, mode),
+ 
+ 	TP_STRUCT__entry(
+ 		__field( void *,	hrtimer		)
+ 		__field( void *,	function	)
+ 		__field( s64,		expires		)
+ 		__field( s64,		softexpires	)
+		__field( enum hrtimer_mode,	mode	)
+ 	),
+ 
+ 	TP_fast_assign(
+@@ -202,12 +203,14 @@ TRACE_EVENT(hrtimer_start,
+ 		__entry->function	= hrtimer->function;
+ 		__entry->expires	= hrtimer_get_expires(hrtimer);
+ 		__entry->softexpires	= hrtimer_get_softexpires(hrtimer);
+		__entry->mode		= mode;
+ 	),
+ 
+-	TP_printk("hrtimer=%p function=%pf expires=%llu softexpires=%llu",
+-		  __entry->hrtimer, __entry->function,
+	TP_printk("hrtimer=%p function=%pf expires=%llu softexpires=%llu "
+		  "mode=%s", __entry->hrtimer, __entry->function,
+ 		  (unsigned long long) __entry->expires,
+-		  (unsigned long long) __entry->softexpires)
+		  (unsigned long long) __entry->softexpires,
+		  decode_hrtimer_mode(__entry->mode))
+ );
+ 
+ /**
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index 6460aa2d9b25..476fe683e8ed 100644
+--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
+@@ -435,10 +435,11 @@ debug_init(struct hrtimer *timer, clockid_t clockid,
+ 	trace_hrtimer_init(timer, clockid, mode);
+ }
+ 
+-static inline void debug_activate(struct hrtimer *timer)
+static inline void debug_activate(struct hrtimer *timer,
+				  enum hrtimer_mode mode)
+ {
+ 	debug_hrtimer_activate(timer);
+-	trace_hrtimer_start(timer);
+	trace_hrtimer_start(timer, mode);
+ }
+ 
+ static inline void debug_deactivate(struct hrtimer *timer)
+@@ -832,9 +833,10 @@ EXPORT_SYMBOL_GPL(hrtimer_forward);
+  * Returns 1 when the new timer is the leftmost timer in the tree.
+  */
+ static int enqueue_hrtimer(struct hrtimer *timer,
+-			   struct hrtimer_clock_base *base)
+			   struct hrtimer_clock_base *base,
+			   enum hrtimer_mode mode)
+ {
+-	debug_activate(timer);
+	debug_activate(timer, mode);
+ 
+ 	base->cpu_base->active_bases |= 1 << base->index;
+ 
+@@ -957,7 +959,7 @@ void hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
+ 	/* Switch the timer base, if necessary: */
+ 	new_base = switch_hrtimer_base(timer, base, mode & HRTIMER_MODE_PINNED);
+ 
+-	leftmost = enqueue_hrtimer(timer, new_base);
+	leftmost = enqueue_hrtimer(timer, new_base, mode);
+ 	if (!leftmost)
+ 		goto unlock;
+ 
+@@ -1226,7 +1228,7 @@ static void __run_hrtimer(struct hrtimer_cpu_base *cpu_base,
+ 	 */
+ 	if (restart != HRTIMER_NORESTART &&
+ 	    !(timer->state & HRTIMER_STATE_ENQUEUED))
+-		enqueue_hrtimer(timer, base);
+		enqueue_hrtimer(timer, base, HRTIMER_MODE_ABS);
+ 
+ 	/*
+ 	 * Separate the ->running assignment from the ->state assignment.
+@@ -1626,7 +1628,7 @@ static void migrate_hrtimer_list(struct hrtimer_clock_base *old_base,
+ 		 * sort out already expired timers and reprogram the
+ 		 * event device.
+ 		 */
+-		enqueue_hrtimer(timer, new_base);
+		enqueue_hrtimer(timer, new_base, HRTIMER_MODE_ABS);
+ 	}
+ }
+ 
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0026-hrtimer-Switch-for-loop-to-_ffs-evaluation.patch
+++ b/kernel/patches-4.14.x-rt/0026-hrtimer-Switch-for-loop-to-_ffs-evaluation.patch
@@ -0,0 +1,90 @@
+From 551c25858df0438915d8addafa70afbb12779d35 Mon Sep 17 00:00:00 2001
+From: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Date: Wed, 20 Dec 2017 17:12:59 +0100
+Subject: [PATCH 026/418] hrtimer: Switch for loop to _ffs() evaluation
+
+Looping over all clock bases to find active bits is suboptimal if not all
+bases are active.
+
+Avoid this by converting it to a __ffs() evaluation. The functionallity is
+outsourced into an own function and is called via a macro as suggested by
+Peter Zijlstra.
+
+Suggested-by: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+---
+ kernel/time/hrtimer.c | 31 +++++++++++++++++++++----------
+ 1 file changed, 21 insertions(+), 10 deletions(-)
+
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index 476fe683e8ed..85f9335d0d60 100644
+--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
+@@ -448,6 +448,23 @@ static inline void debug_deactivate(struct hrtimer *timer)
+ 	trace_hrtimer_cancel(timer);
+ }
+ 
+static struct hrtimer_clock_base *
+__next_base(struct hrtimer_cpu_base *cpu_base, unsigned int *active)
+{
+	unsigned int idx;
+
+	if (!*active)
+		return NULL;
+
+	idx = __ffs(*active);
+	*active &= ~(1U << idx);
+
+	return &cpu_base->clock_base[idx];
+}
+
+#define for_each_active_base(base, cpu_base, active)	\
+	while ((base = __next_base((cpu_base), &(active))))
+
+ #if defined(CONFIG_NO_HZ_COMMON) || defined(CONFIG_HIGH_RES_TIMERS)
+ static inline void hrtimer_update_next_timer(struct hrtimer_cpu_base *cpu_base,
+ 					     struct hrtimer *timer)
+@@ -459,18 +476,15 @@ static inline void hrtimer_update_next_timer(struct hrtimer_cpu_base *cpu_base,
+ 
+ static ktime_t __hrtimer_get_next_event(struct hrtimer_cpu_base *cpu_base)
+ {
+-	struct hrtimer_clock_base *base = cpu_base->clock_base;
+	struct hrtimer_clock_base *base;
+ 	unsigned int active = cpu_base->active_bases;
+ 	ktime_t expires, expires_next = KTIME_MAX;
+ 
+ 	hrtimer_update_next_timer(cpu_base, NULL);
+-	for (; active; base++, active >>= 1) {
+	for_each_active_base(base, cpu_base, active) {
+ 		struct timerqueue_node *next;
+ 		struct hrtimer *timer;
+ 
+-		if (!(active & 0x01))
+-			continue;
+-
+ 		next = timerqueue_getnext(&base->active);
+ 		timer = container_of(next, struct hrtimer, node);
+ 		expires = ktime_sub(hrtimer_get_expires(timer), base->offset);
+@@ -1245,16 +1259,13 @@ static void __run_hrtimer(struct hrtimer_cpu_base *cpu_base,
+ 
+ static void __hrtimer_run_queues(struct hrtimer_cpu_base *cpu_base, ktime_t now)
+ {
+-	struct hrtimer_clock_base *base = cpu_base->clock_base;
+	struct hrtimer_clock_base *base;
+ 	unsigned int active = cpu_base->active_bases;
+ 
+-	for (; active; base++, active >>= 1) {
+	for_each_active_base(base, cpu_base, active) {
+ 		struct timerqueue_node *node;
+ 		ktime_t basenow;
+ 
+-		if (!(active & 0x01))
+-			continue;
+-
+ 		basenow = ktime_add(now, base->offset);
+ 
+ 		while ((node = timerqueue_getnext(&base->active))) {
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0027-hrtimer-Store-running-timer-in-hrtimer_clock_base.patch
+++ b/kernel/patches-4.14.x-rt/0027-hrtimer-Store-running-timer-in-hrtimer_clock_base.patch
@@ -0,0 +1,199 @@
+From 1ca83795806184362986a22e2a4dd0d5ac30eddd Mon Sep 17 00:00:00 2001
+From: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Date: Wed, 20 Dec 2017 17:13:00 +0100
+Subject: [PATCH 027/418] hrtimer: Store running timer in hrtimer_clock_base
+
+The pointer to the currently running timer is stored in hrtimer_cpu_base
+before the base lock is dropped and the callback is invoked.
+
+This results in two levels of indirections and the upcoming support for
+softirq based hrtimer requires splitting the "running" storage into soft
+and hard irq context expiry.
+
+Storing both in the cpu base would require conditionals in all code paths
+accessing that information.
+
+It's possible to have a per clock base sequence count and running pointer
+without changing the semantics of the related mechanisms because the timer
+base pointer cannot be changed while a timer is running the callback.
+
+Unfortunately this makes cpu_clock base larger than 32 bytes on 32bit
+kernels. Instead of having huge gaps due to alignment, remove the alignment
+and let the compiler pack cpu base for 32bit. The resulting cache access
+patterns are fortunately not really different from the current
+behaviour. On 64bit kernels the 64byte alignment stays and the behaviour is
+unchanged. This was determined by analyzing the resulting layout and
+looking at the number of cache lines involved for the frequently used
+clocks.
+
+Signed-off-by: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+---
+ include/linux/hrtimer.h | 20 +++++++++-----------
+ kernel/time/hrtimer.c   | 28 +++++++++++++---------------
+ 2 files changed, 22 insertions(+), 26 deletions(-)
+
+diff --git a/include/linux/hrtimer.h b/include/linux/hrtimer.h
+index 28f267cf2851..1bae7b9f071d 100644
+--- a/include/linux/hrtimer.h
+++ b/include/linux/hrtimer.h
+@@ -118,9 +118,9 @@ struct hrtimer_sleeper {
+ };
+ 
+ #ifdef CONFIG_64BIT
+-# define HRTIMER_CLOCK_BASE_ALIGN	64
+# define __hrtimer_clock_base_align	____cacheline_aligned
+ #else
+-# define HRTIMER_CLOCK_BASE_ALIGN	32
+# define __hrtimer_clock_base_align
+ #endif
+ 
+ /**
+@@ -129,18 +129,22 @@ struct hrtimer_sleeper {
+  * @index:		clock type index for per_cpu support when moving a
+  *			timer to a base on another cpu.
+  * @clockid:		clock id for per_cpu support
+ * @seq:		seqcount around __run_hrtimer
+ * @running:		pointer to the currently running hrtimer
+  * @active:		red black tree root node for the active timers
+  * @get_time:		function to retrieve the current time of the clock
+  * @offset:		offset of this clock to the monotonic base
+  */
+ struct hrtimer_clock_base {
+ 	struct hrtimer_cpu_base	*cpu_base;
+-	int			index;
+	unsigned int		index;
+ 	clockid_t		clockid;
+	seqcount_t		seq;
+	struct hrtimer		*running;
+ 	struct timerqueue_head	active;
+ 	ktime_t			(*get_time)(void);
+ 	ktime_t			offset;
+-} __attribute__((__aligned__(HRTIMER_CLOCK_BASE_ALIGN)));
+} __hrtimer_clock_base_align;
+ 
+ enum  hrtimer_base_type {
+ 	HRTIMER_BASE_MONOTONIC,
+@@ -154,8 +158,6 @@ enum  hrtimer_base_type {
+  * struct hrtimer_cpu_base - the per cpu clock bases
+  * @lock:		lock protecting the base and associated clock bases
+  *			and timers
+- * @seq:		seqcount around __run_hrtimer
+- * @running:		pointer to the currently running hrtimer
+  * @cpu:		cpu number
+  * @active_bases:	Bitfield to mark bases with active timers
+  * @clock_was_set_seq:	Sequence counter of clock was set events
+@@ -177,8 +179,6 @@ enum  hrtimer_base_type {
+  */
+ struct hrtimer_cpu_base {
+ 	raw_spinlock_t			lock;
+-	seqcount_t			seq;
+-	struct hrtimer			*running;
+ 	unsigned int			cpu;
+ 	unsigned int			active_bases;
+ 	unsigned int			clock_was_set_seq;
+@@ -198,8 +198,6 @@ struct hrtimer_cpu_base {
+ 
+ static inline void hrtimer_set_expires(struct hrtimer *timer, ktime_t time)
+ {
+-	BUILD_BUG_ON(sizeof(struct hrtimer_clock_base) > HRTIMER_CLOCK_BASE_ALIGN);
+-
+ 	timer->node.expires = time;
+ 	timer->_softexpires = time;
+ }
+@@ -424,7 +422,7 @@ static inline int hrtimer_is_queued(struct hrtimer *timer)
+  */
+ static inline int hrtimer_callback_running(struct hrtimer *timer)
+ {
+-	return timer->base->cpu_base->running == timer;
+	return timer->base->running == timer;
+ }
+ 
+ /* Forward a hrtimer so it expires after now: */
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index 85f9335d0d60..bedfc2865901 100644
+--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
+@@ -70,7 +70,6 @@
+ DEFINE_PER_CPU(struct hrtimer_cpu_base, hrtimer_bases) =
+ {
+ 	.lock = __RAW_SPIN_LOCK_UNLOCKED(hrtimer_bases.lock),
+-	.seq = SEQCNT_ZERO(hrtimer_bases.seq),
+ 	.clock_base =
+ 	{
+ 		{
+@@ -118,7 +117,6 @@ static const int hrtimer_clock_to_base_table[MAX_CLOCKS] = {
+  * timer->base->cpu_base
+  */
+ static struct hrtimer_cpu_base migration_cpu_base = {
+-	.seq = SEQCNT_ZERO(migration_cpu_base),
+ 	.clock_base = { { .cpu_base = &migration_cpu_base, }, },
+ };
+ 
+@@ -1152,19 +1150,19 @@ EXPORT_SYMBOL_GPL(hrtimer_init);
+  */
+ bool hrtimer_active(const struct hrtimer *timer)
+ {
+-	struct hrtimer_cpu_base *cpu_base;
+	struct hrtimer_clock_base *base;
+ 	unsigned int seq;
+ 
+ 	do {
+-		cpu_base = READ_ONCE(timer->base->cpu_base);
+-		seq = raw_read_seqcount_begin(&cpu_base->seq);
+		base = READ_ONCE(timer->base);
+		seq = raw_read_seqcount_begin(&base->seq);
+ 
+ 		if (timer->state != HRTIMER_STATE_INACTIVE ||
+-		    cpu_base->running == timer)
+		    base->running == timer)
+ 			return true;
+ 
+-	} while (read_seqcount_retry(&cpu_base->seq, seq) ||
+-		 cpu_base != READ_ONCE(timer->base->cpu_base));
+	} while (read_seqcount_retry(&base->seq, seq) ||
+		 base != READ_ONCE(timer->base));
+ 
+ 	return false;
+ }
+@@ -1198,16 +1196,16 @@ static void __run_hrtimer(struct hrtimer_cpu_base *cpu_base,
+ 	lockdep_assert_held(&cpu_base->lock);
+ 
+ 	debug_deactivate(timer);
+-	cpu_base->running = timer;
+	base->running = timer;
+ 
+ 	/*
+ 	 * Separate the ->running assignment from the ->state assignment.
+ 	 *
+ 	 * As with a regular write barrier, this ensures the read side in
+-	 * hrtimer_active() cannot observe cpu_base->running == NULL &&
+	 * hrtimer_active() cannot observe base->running == NULL &&
+ 	 * timer->state == INACTIVE.
+ 	 */
+-	raw_write_seqcount_barrier(&cpu_base->seq);
+	raw_write_seqcount_barrier(&base->seq);
+ 
+ 	__remove_hrtimer(timer, base, HRTIMER_STATE_INACTIVE, 0);
+ 	fn = timer->function;
+@@ -1248,13 +1246,13 @@ static void __run_hrtimer(struct hrtimer_cpu_base *cpu_base,
+ 	 * Separate the ->running assignment from the ->state assignment.
+ 	 *
+ 	 * As with a regular write barrier, this ensures the read side in
+-	 * hrtimer_active() cannot observe cpu_base->running == NULL &&
+	 * hrtimer_active() cannot observe base->running.timer == NULL &&
+ 	 * timer->state == INACTIVE.
+ 	 */
+-	raw_write_seqcount_barrier(&cpu_base->seq);
+	raw_write_seqcount_barrier(&base->seq);
+ 
+-	WARN_ON_ONCE(cpu_base->running != timer);
+-	cpu_base->running = NULL;
+	WARN_ON_ONCE(base->running != timer);
+	base->running = NULL;
+ }
+ 
+ static void __hrtimer_run_queues(struct hrtimer_cpu_base *cpu_base, ktime_t now)
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0028-hrtimer-Make-room-in-struct-hrtimer_cpu_base.patch
+++ b/kernel/patches-4.14.x-rt/0028-hrtimer-Make-room-in-struct-hrtimer_cpu_base.patch
@@ -0,0 +1,39 @@
+From bbc2c2e88a6682df03351e2a3c19593de4c08d3e Mon Sep 17 00:00:00 2001
+From: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Date: Wed, 20 Dec 2017 17:13:01 +0100
+Subject: [PATCH 028/418] hrtimer: Make room in struct hrtimer_cpu_base
+
+The upcoming softirq based hrtimers support requires an additional field in
+the hrtimer_cpu_base struct, which would grow the struct size beyond a
+cache line.
+
+The struct members nr_retries and nr_hangs of hrtimer_cpu_base are solely
+used for diagnostic output and have no requirement to be unsigned int.
+
+Make them unsigned short to create room for the new struct member. No
+functional change.
+
+Signed-off-by: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+---
+ include/linux/hrtimer.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/hrtimer.h b/include/linux/hrtimer.h
+index 1bae7b9f071d..56e56bcb6f0f 100644
+--- a/include/linux/hrtimer.h
+++ b/include/linux/hrtimer.h
+@@ -189,8 +189,8 @@ struct hrtimer_cpu_base {
+ 	ktime_t				expires_next;
+ 	struct hrtimer			*next_timer;
+ 	unsigned int			nr_events;
+-	unsigned int			nr_retries;
+-	unsigned int			nr_hangs;
+	unsigned short			nr_retries;
+	unsigned short			nr_hangs;
+ 	unsigned int			max_hang_time;
+ #endif
+ 	struct hrtimer_clock_base	clock_base[HRTIMER_MAX_CLOCK_BASES];
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0029-hrtimer-Reduce-conditional-code-hres_active.patch
+++ b/kernel/patches-4.14.x-rt/0029-hrtimer-Reduce-conditional-code-hres_active.patch
@@ -0,0 +1,157 @@
+From 036160e2bf23c43f7a7eb4482cd372c2c5983389 Mon Sep 17 00:00:00 2001
+From: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Date: Wed, 20 Dec 2017 17:13:02 +0100
+Subject: [PATCH 029/418] hrtimer: Reduce conditional code (hres_active)
+
+The hrtimer_cpu_base struct has the CONFIG_HIGH_RES_TIMERS conditional
+struct member hres_active. All related functions to this member are
+conditional as well.
+
+There is no functional change, when the hres_active member is
+unconditional with all related functions and is set to zero during
+initialization.
+
+The conditional code sections can be avoided by adding IS_ENABLED(HIGHRES)
+conditionals into common functions, which ensures dead code elimination.
+
+Suggested-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+---
+ include/linux/hrtimer.h | 20 ++++++++------------
+ kernel/time/hrtimer.c   | 31 +++++++++++++++----------------
+ 2 files changed, 23 insertions(+), 28 deletions(-)
+
+diff --git a/include/linux/hrtimer.h b/include/linux/hrtimer.h
+index 56e56bcb6f0f..22627b3a33fe 100644
+--- a/include/linux/hrtimer.h
+++ b/include/linux/hrtimer.h
+@@ -161,8 +161,8 @@ enum  hrtimer_base_type {
+  * @cpu:		cpu number
+  * @active_bases:	Bitfield to mark bases with active timers
+  * @clock_was_set_seq:	Sequence counter of clock was set events
+- * @in_hrtirq:		hrtimer_interrupt() is currently executing
+  * @hres_active:	State of high resolution mode
+ * @in_hrtirq:		hrtimer_interrupt() is currently executing
+  * @hang_detected:	The last hrtimer interrupt detected a hang
+  * @expires_next:	absolute time of the next event, is required for remote
+  *			hrtimer enqueue
+@@ -182,9 +182,9 @@ struct hrtimer_cpu_base {
+ 	unsigned int			cpu;
+ 	unsigned int			active_bases;
+ 	unsigned int			clock_was_set_seq;
+	unsigned int			hres_active	: 1;
+ #ifdef CONFIG_HIGH_RES_TIMERS
+ 	unsigned int			in_hrtirq	: 1,
+-					hres_active	: 1,
+ 					hang_detected	: 1;
+ 	ktime_t				expires_next;
+ 	struct hrtimer			*next_timer;
+@@ -266,16 +266,17 @@ static inline ktime_t hrtimer_cb_get_time(struct hrtimer *timer)
+ 	return timer->base->get_time();
+ }
+ 
+static inline int hrtimer_is_hres_active(struct hrtimer *timer)
+{
+	return IS_ENABLED(CONFIG_HIGH_RES_TIMERS) ?
+		timer->base->cpu_base->hres_active : 0;
+}
+
+ #ifdef CONFIG_HIGH_RES_TIMERS
+ struct clock_event_device;
+ 
+ extern void hrtimer_interrupt(struct clock_event_device *dev);
+ 
+-static inline int hrtimer_is_hres_active(struct hrtimer *timer)
+-{
+-	return timer->base->cpu_base->hres_active;
+-}
+-
+ /*
+  * The resolution of the clocks. The resolution value is returned in
+  * the clock_getres() system call to give application programmers an
+@@ -298,11 +299,6 @@ extern unsigned int hrtimer_resolution;
+ 
+ #define hrtimer_resolution	(unsigned int)LOW_RES_NSEC
+ 
+-static inline int hrtimer_is_hres_active(struct hrtimer *timer)
+-{
+-	return 0;
+-}
+-
+ static inline void clock_was_set_delayed(void) { }
+ 
+ #endif
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index bedfc2865901..7e0490143275 100644
+--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
+@@ -512,6 +512,20 @@ static inline ktime_t hrtimer_update_base(struct hrtimer_cpu_base *base)
+ 					    offs_real, offs_boot, offs_tai);
+ }
+ 
+/*
+ * Is the high resolution mode active ?
+ */
+static inline int __hrtimer_hres_active(struct hrtimer_cpu_base *cpu_base)
+{
+	return IS_ENABLED(CONFIG_HIGH_RES_TIMERS) ?
+		cpu_base->hres_active : 0;
+}
+
+static inline int hrtimer_hres_active(void)
+{
+	return __hrtimer_hres_active(this_cpu_ptr(&hrtimer_bases));
+}
+
+ /* High resolution timer related functions */
+ #ifdef CONFIG_HIGH_RES_TIMERS
+ 
+@@ -540,19 +554,6 @@ static inline int hrtimer_is_hres_enabled(void)
+ 	return hrtimer_hres_enabled;
+ }
+ 
+-/*
+- * Is the high resolution mode active ?
+- */
+-static inline int __hrtimer_hres_active(struct hrtimer_cpu_base *cpu_base)
+-{
+-	return cpu_base->hres_active;
+-}
+-
+-static inline int hrtimer_hres_active(void)
+-{
+-	return __hrtimer_hres_active(this_cpu_ptr(&hrtimer_bases));
+-}
+-
+ /*
+  * Reprogram the event source with checking both queues for the
+  * next event
+@@ -662,7 +663,6 @@ static inline void hrtimer_init_hres(struct hrtimer_cpu_base *base)
+ {
+ 	base->expires_next = KTIME_MAX;
+ 	base->hang_detected = 0;
+-	base->hres_active = 0;
+ 	base->next_timer = NULL;
+ }
+ 
+@@ -722,8 +722,6 @@ void clock_was_set_delayed(void)
+ 
+ #else
+ 
+-static inline int __hrtimer_hres_active(struct hrtimer_cpu_base *b) { return 0; }
+-static inline int hrtimer_hres_active(void) { return 0; }
+ static inline int hrtimer_is_hres_enabled(void) { return 0; }
+ static inline void hrtimer_switch_to_hres(void) { }
+ static inline void
+@@ -1605,6 +1603,7 @@ int hrtimers_prepare_cpu(unsigned int cpu)
+ 
+ 	cpu_base->active_bases = 0;
+ 	cpu_base->cpu = cpu;
+	cpu_base->hres_active = 0;
+ 	hrtimer_init_hres(cpu_base);
+ 	return 0;
+ }
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0030-hrtimer-Use-accesor-functions-instead-of-direct-acce.patch
+++ b/kernel/patches-4.14.x-rt/0030-hrtimer-Use-accesor-functions-instead-of-direct-acce.patch
@@ -0,0 +1,42 @@
+From 5f845b534ffc9f5a653f45bddf0dc4e99dd6a510 Mon Sep 17 00:00:00 2001
+From: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Date: Wed, 20 Dec 2017 17:13:03 +0100
+Subject: [PATCH 030/418] hrtimer: Use accesor functions instead of direct
+ access
+
+__hrtimer_hres_active() is now available unconditionally. Replace the
+direct access to hrtimer_cpu_base.hres_active.
+
+No functional change.
+
+Signed-off-by: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+---
+ kernel/time/hrtimer.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index 7e0490143275..85882d5da523 100644
+--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
+@@ -564,7 +564,7 @@ hrtimer_force_reprogram(struct hrtimer_cpu_base *cpu_base, int skip_equal)
+ {
+ 	ktime_t expires_next;
+ 
+-	if (!cpu_base->hres_active)
+	if (!__hrtimer_hres_active(cpu_base))
+ 		return;
+ 
+ 	expires_next = __hrtimer_get_next_event(cpu_base);
+@@ -675,7 +675,7 @@ static void retrigger_next_event(void *arg)
+ {
+ 	struct hrtimer_cpu_base *base = this_cpu_ptr(&hrtimer_bases);
+ 
+-	if (!base->hres_active)
+	if (!__hrtimer_hres_active(base))
+ 		return;
+ 
+ 	raw_spin_lock(&base->lock);
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0031-hrtimer-Make-the-remote-enqueue-check-unconditional.patch
+++ b/kernel/patches-4.14.x-rt/0031-hrtimer-Make-the-remote-enqueue-check-unconditional.patch
@@ -0,0 +1,144 @@
+From 454c4ff0fb355b4dafad0f616d12cbdf1a6521db Mon Sep 17 00:00:00 2001
+From: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Date: Wed, 20 Dec 2017 17:13:04 +0100
+Subject: [PATCH 031/418] hrtimer: Make the remote enqueue check unconditional
+
+hrtimer_cpu_base.expires_next is used to cache the next event armed in the
+timer hardware. The value is used to check whether an hrtimer can be
+enqueued remotely. If the new hrtimer is expiring before expires_next, then
+remote enqueue is not possible as the remote hrtimer hardware cannot be
+accessed for reprogramming to an earlier expiry time.
+
+The remote enqueue check is currently conditional on
+CONFIG_HIGH_RES_TIMERS=y and hrtimer_cpu_base.hres_active. There is no
+compelling reason to make this conditional.
+
+Move hrtimer_cpu_base.expires_next out of the CONFIG_HIGH_RES_TIMERS=y
+guarded area and remove the conditionals in hrtimer_check_target().
+
+The check is currently a NOOP for the CONFIG_HIGH_RES_TIMERS=n and the
+!hrtimer_cpu_base.hres_active case because in these cases nothing updates
+hrtimer_cpu_base.expires_next yet. This will be changed with later patches
+which further reduce the #ifdef zoo in this code.
+
+Signed-off-by: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+---
+ include/linux/hrtimer.h |  6 +++---
+ kernel/time/hrtimer.c   | 32 +++++++++-----------------------
+ 2 files changed, 12 insertions(+), 26 deletions(-)
+
+diff --git a/include/linux/hrtimer.h b/include/linux/hrtimer.h
+index 22627b3a33fe..bb7270e8bc37 100644
+--- a/include/linux/hrtimer.h
+++ b/include/linux/hrtimer.h
+@@ -164,13 +164,13 @@ enum  hrtimer_base_type {
+  * @hres_active:	State of high resolution mode
+  * @in_hrtirq:		hrtimer_interrupt() is currently executing
+  * @hang_detected:	The last hrtimer interrupt detected a hang
+- * @expires_next:	absolute time of the next event, is required for remote
+- *			hrtimer enqueue
+  * @next_timer:		Pointer to the first expiring timer
+  * @nr_events:		Total number of hrtimer interrupt events
+  * @nr_retries:		Total number of hrtimer interrupt retries
+  * @nr_hangs:		Total number of hrtimer interrupt hangs
+  * @max_hang_time:	Maximum time spent in hrtimer_interrupt
+ * @expires_next:	absolute time of the next event, is required for remote
+ *			hrtimer enqueue
+  * @clock_base:		array of clock bases for this cpu
+  *
+  * Note: next_timer is just an optimization for __remove_hrtimer().
+@@ -186,13 +186,13 @@ struct hrtimer_cpu_base {
+ #ifdef CONFIG_HIGH_RES_TIMERS
+ 	unsigned int			in_hrtirq	: 1,
+ 					hang_detected	: 1;
+-	ktime_t				expires_next;
+ 	struct hrtimer			*next_timer;
+ 	unsigned int			nr_events;
+ 	unsigned short			nr_retries;
+ 	unsigned short			nr_hangs;
+ 	unsigned int			max_hang_time;
+ #endif
+	ktime_t				expires_next;
+ 	struct hrtimer_clock_base	clock_base[HRTIMER_MAX_CLOCK_BASES];
+ } ____cacheline_aligned;
+ 
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index 85882d5da523..b1016aabc73a 100644
+--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
+@@ -154,26 +154,21 @@ struct hrtimer_clock_base *lock_hrtimer_base(const struct hrtimer *timer,
+ }
+ 
+ /*
+- * With HIGHRES=y we do not migrate the timer when it is expiring
+- * before the next event on the target cpu because we cannot reprogram
+- * the target cpu hardware and we would cause it to fire late.
+ * We do not migrate the timer when it is expiring before the next
+ * event on the target cpu. When high resolution is enabled, we cannot
+ * reprogram the target cpu hardware and we would cause it to fire
+ * late. To keep it simple, we handle the high resolution enabled and
+ * disabled case similar.
+  *
+  * Called with cpu_base->lock of target cpu held.
+  */
+ static int
+ hrtimer_check_target(struct hrtimer *timer, struct hrtimer_clock_base *new_base)
+ {
+-#ifdef CONFIG_HIGH_RES_TIMERS
+ 	ktime_t expires;
+ 
+-	if (!new_base->cpu_base->hres_active)
+-		return 0;
+-
+ 	expires = ktime_sub(hrtimer_get_expires(timer), new_base->offset);
+ 	return expires <= new_base->cpu_base->expires_next;
+-#else
+-	return 0;
+-#endif
+ }
+ 
+ static inline
+@@ -656,16 +651,6 @@ static void hrtimer_reprogram(struct hrtimer *timer,
+ 	tick_program_event(expires, 1);
+ }
+ 
+-/*
+- * Initialize the high resolution related parts of cpu_base
+- */
+-static inline void hrtimer_init_hres(struct hrtimer_cpu_base *base)
+-{
+-	base->expires_next = KTIME_MAX;
+-	base->hang_detected = 0;
+-	base->next_timer = NULL;
+-}
+-
+ /*
+  * Retrigger next event is called after clock was set
+  *
+@@ -731,7 +716,6 @@ static inline int hrtimer_reprogram(struct hrtimer *timer,
+ {
+ 	return 0;
+ }
+-static inline void hrtimer_init_hres(struct hrtimer_cpu_base *base) { }
+ static inline void retrigger_next_event(void *arg) { }
+ 
+ #endif /* CONFIG_HIGH_RES_TIMERS */
+@@ -1601,10 +1585,12 @@ int hrtimers_prepare_cpu(unsigned int cpu)
+ 		timerqueue_init_head(&cpu_base->clock_base[i].active);
+ 	}
+ 
+-	cpu_base->active_bases = 0;
+ 	cpu_base->cpu = cpu;
+	cpu_base->active_bases = 0;
+ 	cpu_base->hres_active = 0;
+-	hrtimer_init_hres(cpu_base);
+	cpu_base->hang_detected = 0;
+	cpu_base->next_timer = NULL;
+	cpu_base->expires_next = KTIME_MAX;
+ 	return 0;
+ }
+ 
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0032-hrtimer-Make-hrtimer_cpu_base.next_timer-handling-un.patch
+++ b/kernel/patches-4.14.x-rt/0032-hrtimer-Make-hrtimer_cpu_base.next_timer-handling-un.patch
@@ -0,0 +1,105 @@
+From 0f5e672a02807d10c8772c839d358cb498ec6d9f Mon Sep 17 00:00:00 2001
+From: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Date: Wed, 20 Dec 2017 17:13:05 +0100
+Subject: [PATCH 032/418] hrtimer: Make hrtimer_cpu_base.next_timer handling
+ unconditional
+
+hrtimer_cpu_base.next_timer stores the pointer to the next expiring timer
+in a cpu base.
+
+This pointer cannot be dereferenced and is solely used to check whether a
+hrtimer which is removed is the hrtimer which is the first to expire in the
+CPU base. If this is the case, then the timer hardware needs to be
+reprogrammed to avoid an extra interrupt for nothing.
+
+Again, this is conditional functionality, but there is no compelling reason
+to make this conditional. As a preparation, hrtimer_cpu_base.next_timer
+needs to be available unconditonal. Aside of that the upcoming support for
+softirq based hrtimers requires access to this pointer unconditionally.
+
+Make the update of hrtimer_cpu_base.next_timer unconditional and remove the
+ifdef cruft. The impact on CONFIG_HIGH_RES_TIMERS=n && CONFIG_NOHZ=n is
+marginal as it's just a store on an already dirtied cacheline.
+
+No functional change.
+
+Signed-off-by: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+---
+ include/linux/hrtimer.h |  4 ++--
+ kernel/time/hrtimer.c   | 12 ++----------
+ 2 files changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/include/linux/hrtimer.h b/include/linux/hrtimer.h
+index bb7270e8bc37..2d3e1d678a4d 100644
+--- a/include/linux/hrtimer.h
+++ b/include/linux/hrtimer.h
+@@ -164,13 +164,13 @@ enum  hrtimer_base_type {
+  * @hres_active:	State of high resolution mode
+  * @in_hrtirq:		hrtimer_interrupt() is currently executing
+  * @hang_detected:	The last hrtimer interrupt detected a hang
+- * @next_timer:		Pointer to the first expiring timer
+  * @nr_events:		Total number of hrtimer interrupt events
+  * @nr_retries:		Total number of hrtimer interrupt retries
+  * @nr_hangs:		Total number of hrtimer interrupt hangs
+  * @max_hang_time:	Maximum time spent in hrtimer_interrupt
+  * @expires_next:	absolute time of the next event, is required for remote
+  *			hrtimer enqueue
+ * @next_timer:		Pointer to the first expiring timer
+  * @clock_base:		array of clock bases for this cpu
+  *
+  * Note: next_timer is just an optimization for __remove_hrtimer().
+@@ -186,13 +186,13 @@ struct hrtimer_cpu_base {
+ #ifdef CONFIG_HIGH_RES_TIMERS
+ 	unsigned int			in_hrtirq	: 1,
+ 					hang_detected	: 1;
+-	struct hrtimer			*next_timer;
+ 	unsigned int			nr_events;
+ 	unsigned short			nr_retries;
+ 	unsigned short			nr_hangs;
+ 	unsigned int			max_hang_time;
+ #endif
+ 	ktime_t				expires_next;
+	struct hrtimer			*next_timer;
+ 	struct hrtimer_clock_base	clock_base[HRTIMER_MAX_CLOCK_BASES];
+ } ____cacheline_aligned;
+ 
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index b1016aabc73a..e01c2e78c032 100644
+--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
+@@ -459,21 +459,13 @@ __next_base(struct hrtimer_cpu_base *cpu_base, unsigned int *active)
+ 	while ((base = __next_base((cpu_base), &(active))))
+ 
+ #if defined(CONFIG_NO_HZ_COMMON) || defined(CONFIG_HIGH_RES_TIMERS)
+-static inline void hrtimer_update_next_timer(struct hrtimer_cpu_base *cpu_base,
+-					     struct hrtimer *timer)
+-{
+-#ifdef CONFIG_HIGH_RES_TIMERS
+-	cpu_base->next_timer = timer;
+-#endif
+-}
+-
+ static ktime_t __hrtimer_get_next_event(struct hrtimer_cpu_base *cpu_base)
+ {
+ 	struct hrtimer_clock_base *base;
+ 	unsigned int active = cpu_base->active_bases;
+ 	ktime_t expires, expires_next = KTIME_MAX;
+ 
+-	hrtimer_update_next_timer(cpu_base, NULL);
+	cpu_base->next_timer = NULL;
+ 	for_each_active_base(base, cpu_base, active) {
+ 		struct timerqueue_node *next;
+ 		struct hrtimer *timer;
+@@ -483,7 +475,7 @@ static ktime_t __hrtimer_get_next_event(struct hrtimer_cpu_base *cpu_base)
+ 		expires = ktime_sub(hrtimer_get_expires(timer), base->offset);
+ 		if (expires < expires_next) {
+ 			expires_next = expires;
+-			hrtimer_update_next_timer(cpu_base, timer);
+			cpu_base->next_timer = timer;
+ 		}
+ 	}
+ 	/*
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0033-hrtimer-Make-hrtimer_reprogramm-unconditional.patch
+++ b/kernel/patches-4.14.x-rt/0033-hrtimer-Make-hrtimer_reprogramm-unconditional.patch
@@ -0,0 +1,193 @@
+From 528276dfeb134c7e8f46afdced23ebb1c7da0c8b Mon Sep 17 00:00:00 2001
+From: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Date: Wed, 20 Dec 2017 17:13:06 +0100
+Subject: [PATCH 033/418] hrtimer: Make hrtimer_reprogramm() unconditional
+
+hrtimer_reprogram() needs to be available unconditionally for softirq based
+hrtimers. Move the function and all required struct members out of the
+CONFIG_HIGH_RES_TIMERS #ifdef.
+
+There is no functional change because hrtimer_reprogram() is only invoked
+when hrtimer_cpu_base.hres_active is true. Making it unconditional
+increases the text size for the CONFIG_HIGH_RES_TIMERS=n case, but avoids
+replication of that code for the upcoming softirq based hrtimers support.
+
+Signed-off-by: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+---
+ include/linux/hrtimer.h |   6 +-
+ kernel/time/hrtimer.c   | 129 +++++++++++++++++++---------------------
+ 2 files changed, 65 insertions(+), 70 deletions(-)
+
+diff --git a/include/linux/hrtimer.h b/include/linux/hrtimer.h
+index 2d3e1d678a4d..98ed35767ac5 100644
+--- a/include/linux/hrtimer.h
+++ b/include/linux/hrtimer.h
+@@ -182,10 +182,10 @@ struct hrtimer_cpu_base {
+ 	unsigned int			cpu;
+ 	unsigned int			active_bases;
+ 	unsigned int			clock_was_set_seq;
+-	unsigned int			hres_active	: 1;
+-#ifdef CONFIG_HIGH_RES_TIMERS
+-	unsigned int			in_hrtirq	: 1,
+	unsigned int			hres_active	: 1,
+					in_hrtirq	: 1,
+ 					hang_detected	: 1;
+#ifdef CONFIG_HIGH_RES_TIMERS
+ 	unsigned int			nr_events;
+ 	unsigned short			nr_retries;
+ 	unsigned short			nr_hangs;
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index e01c2e78c032..37085a13f19a 100644
+--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
+@@ -581,68 +581,6 @@ hrtimer_force_reprogram(struct hrtimer_cpu_base *cpu_base, int skip_equal)
+ 	tick_program_event(cpu_base->expires_next, 1);
+ }
+ 
+-/*
+- * When a timer is enqueued and expires earlier than the already enqueued
+- * timers, we have to check, whether it expires earlier than the timer for
+- * which the clock event device was armed.
+- *
+- * Called with interrupts disabled and base->cpu_base.lock held
+- */
+-static void hrtimer_reprogram(struct hrtimer *timer,
+-			      struct hrtimer_clock_base *base)
+-{
+-	struct hrtimer_cpu_base *cpu_base = this_cpu_ptr(&hrtimer_bases);
+-	ktime_t expires = ktime_sub(hrtimer_get_expires(timer), base->offset);
+-
+-	WARN_ON_ONCE(hrtimer_get_expires_tv64(timer) < 0);
+-
+-	/*
+-	 * If the timer is not on the current cpu, we cannot reprogram
+-	 * the other cpus clock event device.
+-	 */
+-	if (base->cpu_base != cpu_base)
+-		return;
+-
+-	/*
+-	 * If the hrtimer interrupt is running, then it will
+-	 * reevaluate the clock bases and reprogram the clock event
+-	 * device. The callbacks are always executed in hard interrupt
+-	 * context so we don't need an extra check for a running
+-	 * callback.
+-	 */
+-	if (cpu_base->in_hrtirq)
+-		return;
+-
+-	/*
+-	 * CLOCK_REALTIME timer might be requested with an absolute
+-	 * expiry time which is less than base->offset. Set it to 0.
+-	 */
+-	if (expires < 0)
+-		expires = 0;
+-
+-	if (expires >= cpu_base->expires_next)
+-		return;
+-
+-	/* Update the pointer to the next expiring timer */
+-	cpu_base->next_timer = timer;
+-
+-	/*
+-	 * If a hang was detected in the last timer interrupt then we
+-	 * do not schedule a timer which is earlier than the expiry
+-	 * which we enforced in the hang detection. We want the system
+-	 * to make progress.
+-	 */
+-	if (cpu_base->hang_detected)
+-		return;
+-
+-	/*
+-	 * Program the timer hardware. We enforce the expiry for
+-	 * events which are already in the past.
+-	 */
+-	cpu_base->expires_next = expires;
+-	tick_program_event(expires, 1);
+-}
+-
+ /*
+  * Retrigger next event is called after clock was set
+  *
+@@ -703,15 +641,72 @@ static inline int hrtimer_is_hres_enabled(void) { return 0; }
+ static inline void hrtimer_switch_to_hres(void) { }
+ static inline void
+ hrtimer_force_reprogram(struct hrtimer_cpu_base *base, int skip_equal) { }
+-static inline int hrtimer_reprogram(struct hrtimer *timer,
+-				    struct hrtimer_clock_base *base)
+-{
+-	return 0;
+-}
+ static inline void retrigger_next_event(void *arg) { }
+ 
+ #endif /* CONFIG_HIGH_RES_TIMERS */
+ 
+/*
+ * When a timer is enqueued and expires earlier than the already enqueued
+ * timers, we have to check, whether it expires earlier than the timer for
+ * which the clock event device was armed.
+ *
+ * Called with interrupts disabled and base->cpu_base.lock held
+ */
+static void hrtimer_reprogram(struct hrtimer *timer,
+			      struct hrtimer_clock_base *base)
+{
+	struct hrtimer_cpu_base *cpu_base = this_cpu_ptr(&hrtimer_bases);
+	ktime_t expires = ktime_sub(hrtimer_get_expires(timer), base->offset);
+
+	WARN_ON_ONCE(hrtimer_get_expires_tv64(timer) < 0);
+
+	/*
+	 * If the timer is not on the current cpu, we cannot reprogram
+	 * the other cpus clock event device.
+	 */
+	if (base->cpu_base != cpu_base)
+		return;
+
+	/*
+	 * If the hrtimer interrupt is running, then it will
+	 * reevaluate the clock bases and reprogram the clock event
+	 * device. The callbacks are always executed in hard interrupt
+	 * context so we don't need an extra check for a running
+	 * callback.
+	 */
+	if (cpu_base->in_hrtirq)
+		return;
+
+	/*
+	 * CLOCK_REALTIME timer might be requested with an absolute
+	 * expiry time which is less than base->offset. Set it to 0.
+	 */
+	if (expires < 0)
+		expires = 0;
+
+	if (expires >= cpu_base->expires_next)
+		return;
+
+	/* Update the pointer to the next expiring timer */
+	cpu_base->next_timer = timer;
+
+	/*
+	 * If a hang was detected in the last timer interrupt then we
+	 * do not schedule a timer which is earlier than the expiry
+	 * which we enforced in the hang detection. We want the system
+	 * to make progress.
+	 */
+	if (cpu_base->hang_detected)
+		return;
+
+	/*
+	 * Program the timer hardware. We enforce the expiry for
+	 * events which are already in the past.
+	 */
+	cpu_base->expires_next = expires;
+	tick_program_event(expires, 1);
+}
+
+ /*
+  * Clock realtime was set
+  *
+-- 
+2.17.1
+
--- a/kernel/patches-4.14.x-rt/0034-hrtimer-Make-hrtimer_force_reprogramm-unconditionall.patch
+++ b/kernel/patches-4.14.x-rt/0034-hrtimer-Make-hrtimer_force_reprogramm-unconditionall.patch
@@ -0,0 +1,111 @@
+From 679e677ed43106bfa23fcd7fa318acf826e27113 Mon Sep 17 00:00:00 2001
+From: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Date: Wed, 20 Dec 2017 17:13:07 +0100
+Subject: [PATCH 034/418] hrtimer: Make hrtimer_force_reprogramm()
+ unconditionally available
+
+hrtimer_force_reprogram() needs to be available unconditionally for softirq
+based hrtimers. Move the function and all required struct members out of
+the CONFIG_HIGH_RES_TIMERS #ifdef.
+
+There is no functional change because hrtimer_force_reprogram() is only
+invoked when hrtimer_cpu_base.hres_active is true and
+CONFIG_HIGH_RES_TIMERS=y.
+
+Making it unconditional increases the text size for the
+CONFIG_HIGH_RES_TIMERS=n case slightly, but avoids replication of that code
+for the upcoming softirq based hrtimers support. Most of the code gets
+eliminated in the CONFIG_HIGH_RES_TIMERS=n case by the compiler.
+
+Signed-off-by: Anna-Maria Gleixner <anna-maria@linutronix.de>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+---
+ kernel/time/hrtimer.c | 58 +++++++++++++++++++++----------------------
+ 1 file changed, 28 insertions(+), 30 deletions(-)
+
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index 37085a13f19a..5fd669dd46be 100644
+--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
+@@ -513,34 +513,6 @@ static inline int hrtimer_hres_active(void)
+ 	return __hrtimer_hres_active(this_cpu_ptr(&hrtimer_bases));
+ }
+ 
+-/* High resolution timer related functions */
+-#ifdef CONFIG_HIGH_RES_TIMERS
+-
+-/*
+- * High resolution timer enabled ?
+- */
+-static bool hrtimer_hres_enabled __read_mostly  = true;
+-unsigned int hrtimer_resolution __read_mostly = LOW_RES_NSEC;
+-EXPORT_SYMBOL_GPL(hrtimer_resolution);
+-
+-/*
+- * Enable / Disable high resolution mode
+- */
+-static int __init setup_hrtimer_hres(char *str)
+-{
+-	return (kstrtobool(str, &hrtimer_hres_enabled) == 0);
+-}
+-
+-__setup("highres=", setup_hrtimer_hres);
+-
+-/*
+- * hrtimer_high_res_enabled - query, if the highres mode is enabled
+- */
+-static inline int hrtimer_is_hres_enabled(void)
+-{
+-	return hrtimer_hres_enabled;
+-}
+-
+ /*
+  * Reprogram the event source with checking both queues for the
+  * next event
+@@ -581,6 +553,34 @@ hrtimer_force_reprogram(struct hrtimer_cpu_base *cpu_base, int skip_equal)
+ 	tick_program_event(cpu_base->expires_next, 1);
+ }
+ 
+/* High resolution timer related functions */
+#ifdef CONFIG_HIGH_RES_TIMERS
+
+/*
+ * High resolution timer enabled ?
+ */
+static bool hrtimer_hres_enabled __read_mostly  = true;
+unsigned int hrtimer_resolution __read_mostly = LOW_RES_NSEC;
+EXPORT_SYMBOL_GPL(hrtimer_resolution);
+
+/*
+ * Enable / Disable high resolution mode
+ */
+static int __init setup_hrtimer_hres(char *str)
+{
+	return (kstrtobool(str, &hrtimer_hres_enabled) == 0);
+}
+
+__setup("highres=", setup_hrtimer_hres);
+
+/*
+ * hrtimer_high_res_enabled - query, if the highres mode is enabled
+ */
+static inline int hrtimer_is_hres_enabled(void)
+{
+	return hrtimer_hres_enabled;
+}
+
+ /*
+  * Retrigger next event is called after clock was set
+  *
+@@ -639,8 +639,6 @@ void clock_was_set_delayed(void)
+ 
+ static inline int hrtimer_is_hres_enabled(void) { return 0; }
+ static inline void hrtimer_switch_to_hres(void) { }
+-static inline void
+-hrtimer_force_reprogram(struct hrtimer_cpu_base *base, int skip_equal) { }
+ static inline void retrigger_next_event(void *arg) { }
+ 
+ #endif /* CONFIG_HIGH_RES_TIMERS */
+-- 
+2.17.1
+
--- a/Show More
+++ b/Show More