Enabling the lockdown module required the enabling of module signature checking
which in turn marked the kernel as tainted because our kernel was not signed.
Currently the kernel only supports signing with already defeated the SHA-1
algorithm which makes the feature less useful in the first place.
Also the current model only works when there's a central authority that signs
all modules or you compile the kernel yourself and use your own key for the
signatures. We could sign all kernel modules distributed with the kernel with
a randomly generated key so they could be verified but that would make out-of-tree
modules taint the kernel again. Since adding another key to the keyring requires
the key used at build time, it would not be possible to add your own keys to the
keyring without having the private key and distributing that one would fundamentally
break the public key cryptography security model.
So to solve this issue and since the modules weren't signed anyway, disable
lsm_lockdown and signature checking for now. If you need a locked down kernel,
for now please compile it yourself, enable both features and use your own
keypair so you can safely sign all in-tree and custom built modules and they
can be properly verified.
This also adds a patch for iwlwifi that together with upstream reverts solves
issues with some Intel wifi chipsets.
fixes#18384fixes#18355
Glibc wraps were enabled by accident and break musl and ppc.
Gtk integration in the recent release was problematic at least
on some targets, with hanging on a random condvar; it would seem
that it is no longer necessary to enable gtk integration because
the functionality it provides also works otherwise, so disable.