diff --git a/.gitmodules b/.gitmodules
index 499afdf..27c5792 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,4 +1,4 @@
 [submodule "buildroot"]
 	path = buildroot
-	branch = 2020.08.2-op-build
+	branch = 2021.02-op-build
 	url = https://github.com/open-power/buildroot
diff --git a/buildroot b/buildroot
index a84aaae..2c7a998 160000
--- a/buildroot
+++ b/buildroot
@@ -1 +1 @@
-Subproject commit a84aaaeacbd1a69053cde2e50f26250e9328de1e
+Subproject commit 2c7a9984796b03506a1a2b1ccf3f76fc85733c17
diff --git a/openpower/configs/denali_defconfig b/openpower/configs/denali_defconfig
index ed3f2dd..d621a7a 100644
--- a/openpower/configs/denali_defconfig
+++ b/openpower/configs/denali_defconfig
@@ -1,5 +1,7 @@
 BR2_powerpc64le=y
 BR2_powerpc_power8=y
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_5_10=y
+BR2_BINUTILS_VERSION_2_32_X=y
 BR2_BINUTILS_EXTRA_CONFIG_OPTIONS="--enable-targets=powerpc64-linux"
 BR2_EXTRA_GCC_CONFIG_OPTIONS="--enable-targets=powerpc64-linux --disable-libsanitizer"
 BR2_TARGET_GENERIC_HOSTNAME="skiroot"
@@ -13,10 +15,9 @@
 BR2_ROOTFS_OVERLAY="../openpower/overlay"
 BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
 BR2_LINUX_KERNEL=y
-BR2_LINUX_KERNEL_CUSTOM_GIT=y
-BR2_LINUX_KERNEL_CUSTOM_REPO_URL="git@github.ibm.com:p10/linux.git"
-BR2_LINUX_KERNEL_CUSTOM_REPO_VERSION="e4f7620c0a1e46e93ab9130f30bfa28b32322ca1"
-BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux-p10"
+BR2_LINUX_KERNEL_CUSTOM_VERSION=y
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.10.50"
+BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
 BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
 BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
 BR2_LINUX_KERNEL_ZIMAGE_EPAPR=y
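Review bot: Moving the kernel source from a pinned git commit to `BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.10.50"` makes buildroot fetch a release tarball for a version that its own linux.hash is unlikely to cover, so the download is not integrity-checked unless hash checking is forced; the p10ebmc_defconfig hunk makes the same change. I would add `BR2_DOWNLOAD_FORCE_CHECK_HASHES=y` and supply the 5.10.50 tarball hash alongside the project's kernel patches (buildroot reads per-package `.hash` files from the global patch directory, if this buildroot version supports that), so a changed archive fails the build instead of being accepted silently. The deleted openpower/linux/0002–0007 secure-boot and IMA patches carry `cherry picked from` trailers, so they are presumably upstream by 5.10, but the commit message should state that, since skiroot_defconfig still sets `CONFIG_PPC_SECURE_BOOT=y` and now depends on the stock 5.10 implementation.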
diff --git a/openpower/configs/linux/skiroot_defconfig b/openpower/configs/linux/skiroot_defconfig
index 41688c7..a555adb 100644
--- a/openpower/configs/linux/skiroot_defconfig
+++ b/openpower/configs/linux/skiroot_defconfig
@@ -47,7 +47,7 @@
 CONFIG_PPC_64K_PAGES=y
 CONFIG_SCHED_SMT=y
 CONFIG_CMDLINE_BOOL=y
-CONFIG_CMDLINE="console=tty0 console=hvc0 debug ignore_loglevel bootmem_debug sched_debug"
+CONFIG_CMDLINE="console=tty0 console=hvc0 ipr.fast_reboot=1 quiet"
 # CONFIG_SECCOMP is not set
 # CONFIG_PPC_MEM_KEYS is not set
 CONFIG_PPC_SECURE_BOOT=y
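Review bot: The `CONFIG_CMDLINE` change replaces `debug ignore_loglevel bootmem_debug sched_debug` with `ipr.fast_reboot=1 quiet`, which is a behaviour change independent of the 5.10 bump and is not explained anywhere in the patch. `quiet` drops most kernel messages from the skiroot console, so boot-time driver or storage failures become harder to diagnose on a machine where the console is the only access; if that is intended, say so in the commit message, and note what `ipr.fast_reboot=1` is meant to achieve, since its effect is not visible here. A defconfig cannot carry a comment that survives `savedefconfig`, so the commit message is the right place for both.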
@@ -89,6 +89,9 @@
 CONFIG_SCSI_CONSTANTS=y
 CONFIG_SCSI_SCAN_ASYNC=y
 CONFIG_SCSI_FC_ATTRS=y
+CONFIG_SCSI_CXGB3_ISCSI=m
+CONFIG_SCSI_CXGB4_ISCSI=m
+CONFIG_SCSI_BNX2_ISCSI=m
 CONFIG_SCSI_AACRAID=m
 CONFIG_MEGARAID_NEWGEN=y
 CONFIG_MEGARAID_MM=m
@@ -99,6 +102,7 @@
 # CONFIG_SCSI_IPR_TRACE is not set
 # CONFIG_SCSI_IPR_DUMP is not set
 CONFIG_SCSI_QLA_FC=m
+CONFIG_SCSI_QLA_ISCSI=m
 CONFIG_SCSI_LPFC=m
 CONFIG_SCSI_VIRTIO=m
 CONFIG_SCSI_DH=y
@@ -121,11 +125,12 @@
 CONFIG_DM_MIRROR=m
 CONFIG_DM_ZERO=m
 CONFIG_DM_MULTIPATH=m
-CONFIG_NETDEVICES=y
 # CONFIG_NET_VENDOR_3COM is not set
 # CONFIG_NET_VENDOR_ADAPTEC is not set
 # CONFIG_NET_VENDOR_AGERE is not set
 # CONFIG_NET_VENDOR_ALACRITECH is not set
+CONFIG_ACENIC=m
+CONFIG_ACENIC_OMIT_TIGON_I=y
 # CONFIG_NET_VENDOR_AMAZON is not set
 # CONFIG_NET_VENDOR_AMD is not set
 # CONFIG_NET_VENDOR_AQUANTIA is not set
@@ -138,8 +143,6 @@
 # CONFIG_NET_VENDOR_CADENCE is not set
 # CONFIG_NET_VENDOR_CAVIUM is not set
 CONFIG_CHELSIO_T1=m
-CONFIG_CHELSIO_T3=m
-CONFIG_CHELSIO_T4=m
 # CONFIG_NET_VENDOR_CISCO is not set
 # CONFIG_NET_VENDOR_CORTINA is not set
 # CONFIG_NET_VENDOR_DEC is not set
@@ -161,7 +164,9 @@
 # CONFIG_MLX5_EN_RXNFC is not set
 # CONFIG_NET_VENDOR_MICREL is not set
 # CONFIG_NET_VENDOR_MICROSEMI is not set
+CONFIG_MYRI10GE=m
 # CONFIG_NET_VENDOR_NATSEMI is not set
+CONFIG_S2IO=m
 # CONFIG_NET_VENDOR_NETRONOME is not set
 # CONFIG_NET_VENDOR_NI is not set
 # CONFIG_NET_VENDOR_NVIDIA is not set
@@ -177,6 +182,7 @@
 # CONFIG_NET_VENDOR_ROCKER is not set
 # CONFIG_NET_VENDOR_SAMSUNG is not set
 # CONFIG_NET_VENDOR_SEEQ is not set
+CONFIG_SFC=m
 # CONFIG_NET_VENDOR_SILAN is not set
 # CONFIG_NET_VENDOR_SIS is not set
 # CONFIG_NET_VENDOR_SMSC is not set
@@ -210,6 +216,7 @@
 CONFIG_I2C_CHARDEV=y
 # CONFIG_I2C_HELPER_AUTO is not set
 CONFIG_I2C_ALGOBIT=y
+CONFIG_I2C_OPAL=y
 CONFIG_PPS=y
 CONFIG_SENSORS_IBMPOWERNV=m
 CONFIG_DRM=m
diff --git a/openpower/configs/p10ebmc_defconfig b/openpower/configs/p10ebmc_defconfig
index 2fc53e9..934dd51 100644
--- a/openpower/configs/p10ebmc_defconfig
+++ b/openpower/configs/p10ebmc_defconfig
@@ -1,5 +1,7 @@
 BR2_powerpc64le=y
 BR2_powerpc_power8=y
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_5_10=y
+BR2_BINUTILS_VERSION_2_32_X=y
 BR2_BINUTILS_EXTRA_CONFIG_OPTIONS="--enable-targets=powerpc64-linux"
 BR2_GCC_VERSION_8_X=y
 BR2_EXTRA_GCC_CONFIG_OPTIONS="--enable-targets=powerpc64-linux --disable-libsanitizer"
@@ -15,10 +17,9 @@
 BR2_ROOTFS_OVERLAY="../openpower/overlay"
 BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
 BR2_LINUX_KERNEL=y
-BR2_LINUX_KERNEL_CUSTOM_GIT=y
-BR2_LINUX_KERNEL_CUSTOM_REPO_URL="git@github.ibm.com:p10/linux.git"
-BR2_LINUX_KERNEL_CUSTOM_REPO_VERSION="e4f7620c0a1e46e93ab9130f30bfa28b32322ca1"
-BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux-p10"
+BR2_LINUX_KERNEL_CUSTOM_VERSION=y
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.10.50"
+BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
 BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
 BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
 BR2_LINUX_KERNEL_ZIMAGE_EPAPR=y
diff --git a/openpower/custom/patches/busybox/0001-init-Only-print-shutdown-messages-to-log.patch b/openpower/custom/patches/busybox/0001-init-Only-print-shutdown-messages-to-log.patch
index 196567a..89efe07 100644
--- a/openpower/custom/patches/busybox/0001-init-Only-print-shutdown-messages-to-log.patch
+++ b/openpower/custom/patches/busybox/0001-init-Only-print-shutdown-messages-to-log.patch
@@ -1,4 +1,4 @@
-From eb48b173dc3d09db483b97c4210303eee27df1db Mon Sep 17 00:00:00 2001
+From 1939276efa4a12ef9e14ea139a525c887de2bb77 Mon Sep 17 00:00:00 2001
 From: Joel Stanley <joel@jms.id.au>
 Date: Thu, 25 Oct 2018 15:18:56 +1030
 Subject: [PATCH] init: Only print shutdown messages to log
@@ -17,10 +17,10 @@
  1 file changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/init/init.c b/init/init.c
-index 6439e2bcd862..11561143e5f1 100644
+index efab5dcb44c0..afac0fd7dee5 100644
 --- a/init/init.c
 +++ b/init/init.c
-@@ -763,16 +763,16 @@ static void run_shutdown_and_kill_processes(void)
+@@ -762,16 +762,16 @@ static void run_shutdown_and_kill_processes(void)
  	 * shut things down gracefully... */
  	run_actions(SHUTDOWN);
  
@@ -32,14 +32,14 @@
 -	message(L_CONSOLE, "Sent SIG%s to all processes", "TERM");
 +	message(L_LOG, "Sent SIG%s to all processes", "TERM");
  	sync();
- 	sleep(1);
+ 	sleep1();
  
  	kill(-1, SIGKILL);
 -	message(L_CONSOLE, "Sent SIG%s to all processes", "KILL");
 +	message(L_LOG, "Sent SIG%s to all processes", "KILL");
  	sync();
- 	/*sleep(1); - callers take care about making a pause */
+ 	/*sleep1(); - callers take care about making a pause */
  }
 -- 
-2.19.1
+2.32.0
 
diff --git a/openpower/linux-p10/0001-xhci-Reset-controller-on-xhci-shutdown.patch b/openpower/linux-p10/0001-xhci-Reset-controller-on-xhci-shutdown.patch
deleted file mode 100644
index 952b977..0000000
--- a/openpower/linux-p10/0001-xhci-Reset-controller-on-xhci-shutdown.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From eb9ba66045e92706878d619e0b8c94669cc993f9 Mon Sep 17 00:00:00 2001
-From: Brian King <brking@linux.vnet.ibm.com>
-Date: Wed, 25 Oct 2017 10:42:59 +1100
-Subject: [PATCH 1/2] xhci: Reset controller on xhci shutdown
-
-Fixes kexec boot. Without a hard reset, some USB chips will fail to
-initialize in a kexec booted kernel.
-
-Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
-Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- drivers/usb/host/xhci.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
-index ed468ee..e881cde 100644
---- a/drivers/usb/host/xhci.c
-+++ b/drivers/usb/host/xhci.c
-@@ -789,6 +789,9 @@ void xhci_shutdown(struct usb_hcd *hcd)
- 	xhci_dbg_trace(xhci, trace_xhci_dbg_init,
- 			"xhci_shutdown completed - status = %x",
- 			readl(&xhci->op_regs->status));
-+
-+	/* TI XHCI controllers do not come back after kexec without this hack */
-+	pci_reset_function_locked(to_pci_dev(hcd->self.sysdev));
- }
- EXPORT_SYMBOL_GPL(xhci_shutdown);
- 
--- 
-1.9.4
-
diff --git a/openpower/linux-p10/0002-Openpower-kernel-release-5.8-rc1-openpower1.patch b/openpower/linux-p10/0002-Openpower-kernel-release-5.8-rc1-openpower1.patch
deleted file mode 100644
index b6b622b..0000000
--- a/openpower/linux-p10/0002-Openpower-kernel-release-5.8-rc1-openpower1.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 5c5b9e604cb11e580bf1d8e269bc8ceb8f1cc008 Mon Sep 17 00:00:00 2001
-From: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
-Date: Thu, 17 Sep 2020 14:38:00 -0500
-Subject: [PATCH 2/2] Openpower kernel release 5.8-rc1-openpower1
-
-Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
----
- Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Makefile b/Makefile
-index 24a4c1b..f25f3d7 100644
---- a/Makefile
-+++ b/Makefile
-@@ -2,7 +2,7 @@
- VERSION = 5
- PATCHLEVEL = 8
- SUBLEVEL = 0
--EXTRAVERSION =
-+EXTRAVERSION = -openpower1
- NAME = Kleptomaniac Octopus
- 
- # *DOCUMENTATION*
--- 
-1.9.4
-
diff --git a/openpower/linux/0001-xhci-Reset-controller-on-xhci-shutdown.patch b/openpower/linux/0001-xhci-Reset-controller-on-xhci-shutdown.patch
index bb1f1b4..9380398 100644
--- a/openpower/linux/0001-xhci-Reset-controller-on-xhci-shutdown.patch
+++ b/openpower/linux/0001-xhci-Reset-controller-on-xhci-shutdown.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Brian King <brking@linux.vnet.ibm.com>
 Date: Wed, 25 Oct 2017 10:42:59 +1100
-Subject: [PATCH 01/19] xhci: Reset controller on xhci shutdown
+Subject: [PATCH 1/2] xhci: Reset controller on xhci shutdown
 
 Fixes kexec boot. Without a hard reset, some USB chips will fail to
 initialize in a kexec booted kernel.
@@ -14,10 +14,10 @@
  1 file changed, 3 insertions(+)
 
 diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
-index bad154f446f8..19a9bde309a6 100644
+index a8d97e23f601..308ab396bd88 100644
 --- a/drivers/usb/host/xhci.c
 +++ b/drivers/usb/host/xhci.c
-@@ -789,6 +789,9 @@ void xhci_shutdown(struct usb_hcd *hcd)
+@@ -793,6 +793,9 @@ void xhci_shutdown(struct usb_hcd *hcd)
  	xhci_dbg_trace(xhci, trace_xhci_dbg_init,
  			"xhci_shutdown completed - status = %x",
  			readl(&xhci->op_regs->status));
diff --git a/openpower/linux/0002-powerpc-Detect-the-secure-boot-mode-of-the-system.patch b/openpower/linux/0002-powerpc-Detect-the-secure-boot-mode-of-the-system.patch
deleted file mode 100644
index 2d6f5a5..0000000
--- a/openpower/linux/0002-powerpc-Detect-the-secure-boot-mode-of-the-system.patch
+++ /dev/null
@@ -1,131 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Tue, 5 Nov 2019 17:00:22 -0600
-Subject: [PATCH 02/19] powerpc: Detect the secure boot mode of the system
-
-This patch defines a function to detect the secure boot state of a
-PowerNV system.
-
-The PPC_SECURE_BOOT config represents the base enablement of secure
-boot for powerpc.
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Signed-off-by: Eric Richter <erichte@linux.ibm.com>
-[mpe: Fold in change from Nayna to add "ibm,secureboot" to ids]
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/46b003b9-3225-6bf7-9101-ed6580bb748c@linux.ibm.com
-(cherry picked from commit 1a8916ee3ac29054322cdac687d36e1b5894d272)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/Kconfig                   | 10 ++++++++
- arch/powerpc/include/asm/secure_boot.h | 23 +++++++++++++++++
- arch/powerpc/kernel/Makefile           |  2 ++
- arch/powerpc/kernel/secure_boot.c      | 35 ++++++++++++++++++++++++++
- 4 files changed, 70 insertions(+)
- create mode 100644 arch/powerpc/include/asm/secure_boot.h
- create mode 100644 arch/powerpc/kernel/secure_boot.c
-
-diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
-index ad620637cbd1..d654bdc9e4dc 100644
---- a/arch/powerpc/Kconfig
-+++ b/arch/powerpc/Kconfig
-@@ -935,6 +935,16 @@ config PPC_MEM_KEYS
- 
- 	  If unsure, say y.
- 
-+config PPC_SECURE_BOOT
-+	prompt "Enable secure boot support"
-+	bool
-+	depends on PPC_POWERNV
-+	help
-+	  Systems with firmware secure boot enabled need to define security
-+	  policies to extend secure boot to the OS. This config allows a user
-+	  to enable OS secure boot on systems that have firmware support for
-+	  it. If in doubt say N.
-+
- endmenu
- 
- config ISA_DMA_API
-diff --git a/arch/powerpc/include/asm/secure_boot.h b/arch/powerpc/include/asm/secure_boot.h
-new file mode 100644
-index 000000000000..07d0fe0ca81f
---- /dev/null
-+++ b/arch/powerpc/include/asm/secure_boot.h
-@@ -0,0 +1,23 @@
-+/* SPDX-License-Identifier: GPL-2.0 */
-+/*
-+ * Secure boot definitions
-+ *
-+ * Copyright (C) 2019 IBM Corporation
-+ * Author: Nayna Jain
-+ */
-+#ifndef _ASM_POWER_SECURE_BOOT_H
-+#define _ASM_POWER_SECURE_BOOT_H
-+
-+#ifdef CONFIG_PPC_SECURE_BOOT
-+
-+bool is_ppc_secureboot_enabled(void);
-+
-+#else
-+
-+static inline bool is_ppc_secureboot_enabled(void)
-+{
-+	return false;
-+}
-+
-+#endif
-+#endif
-diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
-index dc0780f930d5..40170ee52178 100644
---- a/arch/powerpc/kernel/Makefile
-+++ b/arch/powerpc/kernel/Makefile
-@@ -158,6 +158,8 @@ ifneq ($(CONFIG_PPC_POWERNV)$(CONFIG_PPC_SVM),)
- obj-y				+= ucall.o
- endif
- 
-+obj-$(CONFIG_PPC_SECURE_BOOT)	+= secure_boot.o
-+
- # Disable GCOV, KCOV & sanitizers in odd or sensitive code
- GCOV_PROFILE_prom_init.o := n
- KCOV_INSTRUMENT_prom_init.o := n
-diff --git a/arch/powerpc/kernel/secure_boot.c b/arch/powerpc/kernel/secure_boot.c
-new file mode 100644
-index 000000000000..583c2c4edaf0
---- /dev/null
-+++ b/arch/powerpc/kernel/secure_boot.c
-@@ -0,0 +1,35 @@
-+// SPDX-License-Identifier: GPL-2.0
-+/*
-+ * Copyright (C) 2019 IBM Corporation
-+ * Author: Nayna Jain
-+ */
-+#include <linux/types.h>
-+#include <linux/of.h>
-+#include <asm/secure_boot.h>
-+
-+static struct device_node *get_ppc_fw_sb_node(void)
-+{
-+	static const struct of_device_id ids[] = {
-+		{ .compatible = "ibm,secureboot", },
-+		{ .compatible = "ibm,secureboot-v1", },
-+		{ .compatible = "ibm,secureboot-v2", },
-+		{},
-+	};
-+
-+	return of_find_matching_node(NULL, ids);
-+}
-+
-+bool is_ppc_secureboot_enabled(void)
-+{
-+	struct device_node *node;
-+	bool enabled = false;
-+
-+	node = get_ppc_fw_sb_node();
-+	enabled = of_property_read_bool(node, "os-secureboot-enforcing");
-+
-+	of_node_put(node);
-+
-+	pr_info("Secure boot mode %s\n", enabled ? "enabled" : "disabled");
-+
-+	return enabled;
-+}
diff --git a/openpower/linux/0003-powerpc-ima-Add-support-to-initialize-ima-policy-rul.patch b/openpower/linux/0003-powerpc-ima-Add-support-to-initialize-ima-policy-rul.patch
deleted file mode 100644
index eef8e16..0000000
--- a/openpower/linux/0003-powerpc-ima-Add-support-to-initialize-ima-policy-rul.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Wed, 30 Oct 2019 23:31:27 -0400
-Subject: [PATCH 03/19] powerpc/ima: Add support to initialize ima policy rules
-
-PowerNV systems use a Linux-based bootloader, which rely on the IMA
-subsystem to enforce different secure boot modes. Since the
-verification policy may differ based on the secure boot mode of the
-system, the policies must be defined at runtime.
-
-This patch implements arch-specific support to define IMA policy rules
-based on the runtime secure boot mode of the system.
-
-This patch provides arch-specific IMA policies if PPC_SECURE_BOOT
-config is enabled.
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1572492694-6520-3-git-send-email-zohar@linux.ibm.com
-(cherry picked from commit 4238fad366a660cbc6499ca1ea4be42bd4d1ac5b)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/Kconfig           |  1 +
- arch/powerpc/kernel/Makefile   |  2 +-
- arch/powerpc/kernel/ima_arch.c | 43 ++++++++++++++++++++++++++++++++++
- include/linux/ima.h            |  3 ++-
- 4 files changed, 47 insertions(+), 2 deletions(-)
- create mode 100644 arch/powerpc/kernel/ima_arch.c
-
-diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
-index d654bdc9e4dc..32ce6c0b43f1 100644
---- a/arch/powerpc/Kconfig
-+++ b/arch/powerpc/Kconfig
-@@ -939,6 +939,7 @@ config PPC_SECURE_BOOT
- 	prompt "Enable secure boot support"
- 	bool
- 	depends on PPC_POWERNV
-+	depends on IMA_ARCH_POLICY
- 	help
- 	  Systems with firmware secure boot enabled need to define security
- 	  policies to extend secure boot to the OS. This config allows a user
-diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
-index 40170ee52178..b82f7f5e5121 100644
---- a/arch/powerpc/kernel/Makefile
-+++ b/arch/powerpc/kernel/Makefile
-@@ -158,7 +158,7 @@ ifneq ($(CONFIG_PPC_POWERNV)$(CONFIG_PPC_SVM),)
- obj-y				+= ucall.o
- endif
- 
--obj-$(CONFIG_PPC_SECURE_BOOT)	+= secure_boot.o
-+obj-$(CONFIG_PPC_SECURE_BOOT)	+= secure_boot.o ima_arch.o
- 
- # Disable GCOV, KCOV & sanitizers in odd or sensitive code
- GCOV_PROFILE_prom_init.o := n
-diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
-new file mode 100644
-index 000000000000..d88913dc0da7
---- /dev/null
-+++ b/arch/powerpc/kernel/ima_arch.c
-@@ -0,0 +1,43 @@
-+// SPDX-License-Identifier: GPL-2.0
-+/*
-+ * Copyright (C) 2019 IBM Corporation
-+ * Author: Nayna Jain
-+ */
-+
-+#include <linux/ima.h>
-+#include <asm/secure_boot.h>
-+
-+bool arch_ima_get_secureboot(void)
-+{
-+	return is_ppc_secureboot_enabled();
-+}
-+
-+/*
-+ * The "secure_rules" are enabled only on "secureboot" enabled systems.
-+ * These rules verify the file signatures against known good values.
-+ * The "appraise_type=imasig|modsig" option allows the known good signature
-+ * to be stored as an xattr or as an appended signature.
-+ *
-+ * To avoid duplicate signature verification as much as possible, the IMA
-+ * policy rule for module appraisal is added only if CONFIG_MODULE_SIG_FORCE
-+ * is not enabled.
-+ */
-+static const char *const secure_rules[] = {
-+	"appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
-+#ifndef CONFIG_MODULE_SIG_FORCE
-+	"appraise func=MODULE_CHECK appraise_type=imasig|modsig",
-+#endif
-+	NULL
-+};
-+
-+/*
-+ * Returns the relevant IMA arch-specific policies based on the system secure
-+ * boot state.
-+ */
-+const char *const *arch_get_ima_policy(void)
-+{
-+	if (is_ppc_secureboot_enabled())
-+		return secure_rules;
-+
-+	return NULL;
-+}
-diff --git a/include/linux/ima.h b/include/linux/ima.h
-index 1c37f17f7203..6d904754d858 100644
---- a/include/linux/ima.h
-+++ b/include/linux/ima.h
-@@ -29,7 +29,8 @@ extern void ima_kexec_cmdline(const void *buf, int size);
- extern void ima_add_kexec_buffer(struct kimage *image);
- #endif
- 
--#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390)
-+#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390) \
-+	|| defined(CONFIG_PPC_SECURE_BOOT)
- extern bool arch_ima_get_secureboot(void);
- extern const char * const *arch_get_ima_policy(void);
- #else
diff --git a/openpower/linux/0004-powerpc-Detect-the-trusted-boot-state-of-the-system.patch b/openpower/linux/0004-powerpc-Detect-the-trusted-boot-state-of-the-system.patch
deleted file mode 100644
index e2c2c78..0000000
--- a/openpower/linux/0004-powerpc-Detect-the-trusted-boot-state-of-the-system.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Tue, 5 Nov 2019 17:02:07 -0600
-Subject: [PATCH 04/19] powerpc: Detect the trusted boot state of the system
-
-While secure boot permits only properly verified signed kernels to be
-booted, trusted boot calculates the file hash of the kernel image and
-stores the measurement prior to boot, that can be subsequently
-compared against good known values via attestation services.
-
-This patch reads the trusted boot state of a PowerNV system. The state
-is used to conditionally enable additional measurement rules in the
-IMA arch-specific policies.
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Signed-off-by: Eric Richter <erichte@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/e9eeee6b-b9bf-1e41-2954-61dbd6fbfbcf@linux.ibm.com
-(cherry picked from commit 2702809a4a1ab414d75c00936cda70ea77c8234e)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/include/asm/secure_boot.h |  6 ++++++
- arch/powerpc/kernel/secure_boot.c      | 15 +++++++++++++++
- 2 files changed, 21 insertions(+)
-
-diff --git a/arch/powerpc/include/asm/secure_boot.h b/arch/powerpc/include/asm/secure_boot.h
-index 07d0fe0ca81f..a2ff556916c6 100644
---- a/arch/powerpc/include/asm/secure_boot.h
-+++ b/arch/powerpc/include/asm/secure_boot.h
-@@ -11,6 +11,7 @@
- #ifdef CONFIG_PPC_SECURE_BOOT
- 
- bool is_ppc_secureboot_enabled(void);
-+bool is_ppc_trustedboot_enabled(void);
- 
- #else
- 
-@@ -19,5 +20,10 @@ static inline bool is_ppc_secureboot_enabled(void)
- 	return false;
- }
- 
-+static inline bool is_ppc_trustedboot_enabled(void)
-+{
-+	return false;
-+}
-+
- #endif
- #endif
-diff --git a/arch/powerpc/kernel/secure_boot.c b/arch/powerpc/kernel/secure_boot.c
-index 583c2c4edaf0..4b982324d368 100644
---- a/arch/powerpc/kernel/secure_boot.c
-+++ b/arch/powerpc/kernel/secure_boot.c
-@@ -33,3 +33,18 @@ bool is_ppc_secureboot_enabled(void)
- 
- 	return enabled;
- }
-+
-+bool is_ppc_trustedboot_enabled(void)
-+{
-+	struct device_node *node;
-+	bool enabled = false;
-+
-+	node = get_ppc_fw_sb_node();
-+	enabled = of_property_read_bool(node, "trusted-enabled");
-+
-+	of_node_put(node);
-+
-+	pr_info("Trusted boot mode %s\n", enabled ? "enabled" : "disabled");
-+
-+	return enabled;
-+}
diff --git a/openpower/linux/0005-powerpc-ima-Define-trusted-boot-policy.patch b/openpower/linux/0005-powerpc-ima-Define-trusted-boot-policy.patch
deleted file mode 100644
index fcd871c..0000000
--- a/openpower/linux/0005-powerpc-ima-Define-trusted-boot-policy.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Wed, 30 Oct 2019 23:31:29 -0400
-Subject: [PATCH 05/19] powerpc/ima: Define trusted boot policy
-
-This patch defines an arch-specific trusted boot only policy and a
-combined secure and trusted boot policy.
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1572492694-6520-5-git-send-email-zohar@linux.ibm.com
-(cherry picked from commit 1917855f4e0658c313e280671ad87774dbfb7b24)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/kernel/ima_arch.c | 33 ++++++++++++++++++++++++++++++++-
- 1 file changed, 32 insertions(+), 1 deletion(-)
-
-diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
-index d88913dc0da7..0ef5956c9753 100644
---- a/arch/powerpc/kernel/ima_arch.c
-+++ b/arch/powerpc/kernel/ima_arch.c
-@@ -30,6 +30,32 @@ static const char *const secure_rules[] = {
- 	NULL
- };
- 
-+/*
-+ * The "trusted_rules" are enabled only on "trustedboot" enabled systems.
-+ * These rules add the kexec kernel image and kernel modules file hashes to
-+ * the IMA measurement list.
-+ */
-+static const char *const trusted_rules[] = {
-+	"measure func=KEXEC_KERNEL_CHECK",
-+	"measure func=MODULE_CHECK",
-+	NULL
-+};
-+
-+/*
-+ * The "secure_and_trusted_rules" contains rules for both the secure boot and
-+ * trusted boot. The "template=ima-modsig" option includes the appended
-+ * signature, when available, in the IMA measurement list.
-+ */
-+static const char *const secure_and_trusted_rules[] = {
-+	"measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
-+	"measure func=MODULE_CHECK template=ima-modsig",
-+	"appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
-+#ifndef CONFIG_MODULE_SIG_FORCE
-+	"appraise func=MODULE_CHECK appraise_type=imasig|modsig",
-+#endif
-+	NULL
-+};
-+
- /*
-  * Returns the relevant IMA arch-specific policies based on the system secure
-  * boot state.
-@@ -37,7 +63,12 @@ static const char *const secure_rules[] = {
- const char *const *arch_get_ima_policy(void)
- {
- 	if (is_ppc_secureboot_enabled())
--		return secure_rules;
-+		if (is_ppc_trustedboot_enabled())
-+			return secure_and_trusted_rules;
-+		else
-+			return secure_rules;
-+	else if (is_ppc_trustedboot_enabled())
-+		return trusted_rules;
- 
- 	return NULL;
- }
diff --git a/openpower/linux/0006-ima-Make-process_buffer_measurement-generic.patch b/openpower/linux/0006-ima-Make-process_buffer_measurement-generic.patch
deleted file mode 100644
index 7fd748f..0000000
--- a/openpower/linux/0006-ima-Make-process_buffer_measurement-generic.patch
+++ /dev/null
@@ -1,143 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Wed, 30 Oct 2019 23:31:30 -0400
-Subject: [PATCH 06/19] ima: Make process_buffer_measurement() generic
-
-process_buffer_measurement() is limited to measuring the kexec boot
-command line. This patch makes process_buffer_measurement() more
-generic, allowing it to measure other types of buffer data (e.g.
-blacklisted binary hashes or key hashes).
-
-process_buffer_measurement() may be called directly from an IMA hook
-or as an auxiliary measurement record. In both cases the buffer
-measurement is based on policy. This patch modifies the function to
-conditionally retrieve the policy defined PCR and template for the IMA
-hook case.
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-[zohar@linux.ibm.com: added comment in process_buffer_measurement()]
-Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1572492694-6520-6-git-send-email-zohar@linux.ibm.com
-(cherry picked from commit e14555e3d0e9edfad0a6840c0152f71aba97e793)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- security/integrity/ima/ima.h      |  3 ++
- security/integrity/ima/ima_main.c | 58 +++++++++++++++++++++----------
- 2 files changed, 43 insertions(+), 18 deletions(-)
-
-diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
-index 8173982e00ab..04800f7f2351 100644
---- a/security/integrity/ima/ima.h
-+++ b/security/integrity/ima/ima.h
-@@ -219,6 +219,9 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
- 			   struct evm_ima_xattr_data *xattr_value,
- 			   int xattr_len, const struct modsig *modsig, int pcr,
- 			   struct ima_template_desc *template_desc);
-+void process_buffer_measurement(const void *buf, int size,
-+				const char *eventname, enum ima_hooks func,
-+				int pcr);
- void ima_audit_measurement(struct integrity_iint_cache *iint,
- 			   const unsigned char *filename);
- int ima_alloc_init_template(struct ima_event_data *event_data,
-diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
-index a768f37a0a4d..bc730e553053 100644
---- a/security/integrity/ima/ima_main.c
-+++ b/security/integrity/ima/ima_main.c
-@@ -626,14 +626,14 @@ int ima_load_data(enum kernel_load_data_id id)
-  * @buf: pointer to the buffer that needs to be added to the log.
-  * @size: size of buffer(in bytes).
-  * @eventname: event name to be used for the buffer entry.
-- * @cred: a pointer to a credentials structure for user validation.
-- * @secid: the secid of the task to be validated.
-+ * @func: IMA hook
-+ * @pcr: pcr to extend the measurement
-  *
-  * Based on policy, the buffer is measured into the ima log.
-  */
--static void process_buffer_measurement(const void *buf, int size,
--				       const char *eventname,
--				       const struct cred *cred, u32 secid)
-+void process_buffer_measurement(const void *buf, int size,
-+				const char *eventname, enum ima_hooks func,
-+				int pcr)
- {
- 	int ret = 0;
- 	struct ima_template_entry *entry = NULL;
-@@ -642,19 +642,45 @@ static void process_buffer_measurement(const void *buf, int size,
- 					    .filename = eventname,
- 					    .buf = buf,
- 					    .buf_len = size};
--	struct ima_template_desc *template_desc = NULL;
-+	struct ima_template_desc *template = NULL;
- 	struct {
- 		struct ima_digest_data hdr;
- 		char digest[IMA_MAX_DIGEST_SIZE];
- 	} hash = {};
- 	int violation = 0;
--	int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
- 	int action = 0;
-+	u32 secid;
- 
--	action = ima_get_action(NULL, cred, secid, 0, KEXEC_CMDLINE, &pcr,
--				&template_desc);
--	if (!(action & IMA_MEASURE))
--		return;
-+	/*
-+	 * Both LSM hooks and auxilary based buffer measurements are
-+	 * based on policy.  To avoid code duplication, differentiate
-+	 * between the LSM hooks and auxilary buffer measurements,
-+	 * retrieving the policy rule information only for the LSM hook
-+	 * buffer measurements.
-+	 */
-+	if (func) {
-+		security_task_getsecid(current, &secid);
-+		action = ima_get_action(NULL, current_cred(), secid, 0, func,
-+					&pcr, &template);
-+		if (!(action & IMA_MEASURE))
-+			return;
-+	}
-+
-+	if (!pcr)
-+		pcr = CONFIG_IMA_MEASURE_PCR_IDX;
-+
-+	if (!template) {
-+		template = lookup_template_desc("ima-buf");
-+		ret = template_desc_init_fields(template->fmt,
-+						&(template->fields),
-+						&(template->num_fields));
-+		if (ret < 0) {
-+			pr_err("template %s init failed, result: %d\n",
-+			       (strlen(template->name) ?
-+				template->name : template->fmt), ret);
-+			return;
-+		}
-+	}
- 
- 	iint.ima_hash = &hash.hdr;
- 	iint.ima_hash->algo = ima_hash_algo;
-@@ -664,7 +690,7 @@ static void process_buffer_measurement(const void *buf, int size,
- 	if (ret < 0)
- 		goto out;
- 
--	ret = ima_alloc_init_template(&event_data, &entry, template_desc);
-+	ret = ima_alloc_init_template(&event_data, &entry, template);
- 	if (ret < 0)
- 		goto out;
- 
-@@ -686,13 +712,9 @@ static void process_buffer_measurement(const void *buf, int size,
-  */
- void ima_kexec_cmdline(const void *buf, int size)
- {
--	u32 secid;
--
--	if (buf && size != 0) {
--		security_task_getsecid(current, &secid);
-+	if (buf && size != 0)
- 		process_buffer_measurement(buf, size, "kexec-cmdline",
--					   current_cred(), secid);
--	}
-+					   KEXEC_CMDLINE, 0);
- }
- 
- static int __init init_ima(void)
diff --git a/openpower/linux/0007-certs-Add-wrapper-function-to-check-blacklisted-bina.patch b/openpower/linux/0007-certs-Add-wrapper-function-to-check-blacklisted-bina.patch
deleted file mode 100644
index e33fc06..0000000
--- a/openpower/linux/0007-certs-Add-wrapper-function-to-check-blacklisted-bina.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Wed, 30 Oct 2019 23:31:31 -0400
-Subject: [PATCH 07/19] certs: Add wrapper function to check blacklisted binary
- hash
-
-The -EKEYREJECTED error returned by existing is_hash_blacklisted() is
-misleading when called for checking against blacklisted hash of a
-binary.
-
-This patch adds a wrapper function is_binary_blacklisted() to return
--EPERM error if binary is blacklisted.
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1572492694-6520-7-git-send-email-zohar@linux.ibm.com
-(cherry picked from commit 2434f7d2d488c3301ae81f1031e1c66c6f076fb7)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- certs/blacklist.c             | 9 +++++++++
- include/keys/system_keyring.h | 6 ++++++
- 2 files changed, 15 insertions(+)
-
-diff --git a/certs/blacklist.c b/certs/blacklist.c
-index ec00bf337eb6..6514f9ebc943 100644
---- a/certs/blacklist.c
-+++ b/certs/blacklist.c
-@@ -135,6 +135,15 @@ int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type)
- }
- EXPORT_SYMBOL_GPL(is_hash_blacklisted);
- 
-+int is_binary_blacklisted(const u8 *hash, size_t hash_len)
-+{
-+	if (is_hash_blacklisted(hash, hash_len, "bin") == -EKEYREJECTED)
-+		return -EPERM;
-+
-+	return 0;
-+}
-+EXPORT_SYMBOL_GPL(is_binary_blacklisted);
-+
- /*
-  * Initialise the blacklist
-  */
-diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
-index c1a96fdf598b..fb8b07daa9d1 100644
---- a/include/keys/system_keyring.h
-+++ b/include/keys/system_keyring.h
-@@ -35,12 +35,18 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
- extern int mark_hash_blacklisted(const char *hash);
- extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
- 			       const char *type);
-+extern int is_binary_blacklisted(const u8 *hash, size_t hash_len);
- #else
- static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
- 				      const char *type)
- {
- 	return 0;
- }
-+
-+static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
-+{
-+	return 0;
-+}
- #endif
- 
- #ifdef CONFIG_IMA_BLACKLIST_KEYRING
diff --git a/openpower/linux/0008-ima-Check-against-blacklisted-hashes-for-files-with-.patch b/openpower/linux/0008-ima-Check-against-blacklisted-hashes-for-files-with-.patch
deleted file mode 100644
index 7d18cc7..0000000
--- a/openpower/linux/0008-ima-Check-against-blacklisted-hashes-for-files-with-.patch
+++ /dev/null
@@ -1,261 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Wed, 30 Oct 2019 23:31:32 -0400
-Subject: [PATCH 08/19] ima: Check against blacklisted hashes for files with
- modsig
-
-Asymmetric private keys are used to sign multiple files. The kernel
-currently supports checking against blacklisted keys. However, if the
-public key is blacklisted, any file signed by the blacklisted key will
-automatically fail signature verification. Blacklisting the public key
-is not fine enough granularity, as we might want to only blacklist a
-particular file.
-
-This patch adds support for checking against the blacklisted hash of
-the file, without the appended signature, based on the IMA policy. It
-defines a new policy option "appraise_flag=check_blacklist".
-
-In addition to the blacklisted binary hashes stored in the firmware
-"dbx" variable, the Linux kernel may be configured to load blacklisted
-binary hashes onto the .blacklist keyring as well. The following
-example shows how to blacklist a specific kernel module hash.
-
-  $ sha256sum kernel/kheaders.ko
-  77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
-  kernel/kheaders.ko
-
-  $ grep BLACKLIST .config
-  CONFIG_SYSTEM_BLACKLIST_KEYRING=y
-  CONFIG_SYSTEM_BLACKLIST_HASH_LIST="blacklist-hash-list"
-
-  $ cat certs/blacklist-hash-list
-  "bin:77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3"
-
-Update the IMA custom measurement and appraisal policy
-rules (/etc/ima-policy):
-
-  measure func=MODULE_CHECK template=ima-modsig
-  appraise func=MODULE_CHECK appraise_flag=check_blacklist
-  appraise_type=imasig|modsig
-
-After building, installing, and rebooting the kernel:
-
-   545660333 ---lswrv      0     0   \_ blacklist:
-  bin:77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
-
-  measure func=MODULE_CHECK template=ima-modsig
-  appraise func=MODULE_CHECK appraise_flag=check_blacklist
-  appraise_type=imasig|modsig
-
-  modprobe: ERROR: could not insert 'kheaders': Permission denied
-
-  10 0c9834db5a0182c1fb0cdc5d3adcf11a11fd83dd ima-sig
-  sha256:3bc6ed4f0b4d6e31bc1dbc9ef844605abc7afdc6d81a57d77a1ec9407997c40
-  2 /usr/lib/modules/5.4.0-rc3+/kernel/kernel/kheaders.ko
-
-  10 82aad2bcc3fa8ed94762356b5c14838f3bcfa6a0 ima-modsig
-  sha256:3bc6ed4f0b4d6e31bc1dbc9ef844605abc7afdc6d81a57d77a1ec9407997c40
-  2 /usr/lib/modules/5.4.0rc3+/kernel/kernel/kheaders.ko  sha256:77fa889b3
-  5a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
-  3082029a06092a864886f70d010702a082028b30820287020101310d300b0609608648
-  016503040201300b06092a864886f70d01070131820264....
-
-  10 25b72217cc1152b44b134ce2cd68f12dfb71acb3 ima-buf
-  sha256:8b58427fedcf8f4b20bc8dc007f2e232bf7285d7b93a66476321f9c2a3aa132
-  b blacklisted-hash
-  77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-[zohar@linux.ibm.com: updated patch description]
-Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1572492694-6520-8-git-send-email-zohar@linux.ibm.com
-(cherry picked from commit 273df864cf7466fb170b8dcc1abd672cd08ad8d3)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- Documentation/ABI/testing/ima_policy  |  4 ++++
- security/integrity/ima/ima.h          |  8 +++++++
- security/integrity/ima/ima_appraise.c | 33 +++++++++++++++++++++++++++
- security/integrity/ima/ima_main.c     | 12 ++++++----
- security/integrity/ima/ima_policy.c   | 12 ++++++++--
- security/integrity/integrity.h        |  1 +
- 6 files changed, 64 insertions(+), 6 deletions(-)
-
-diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
-index 29ebe9afdac4..29aaedf33246 100644
---- a/Documentation/ABI/testing/ima_policy
-+++ b/Documentation/ABI/testing/ima_policy
-@@ -25,6 +25,7 @@ Description:
- 			lsm:	[[subj_user=] [subj_role=] [subj_type=]
- 				 [obj_user=] [obj_role=] [obj_type=]]
- 			option:	[[appraise_type=]] [template=] [permit_directio]
-+				[appraise_flag=]
- 		base: 	func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
- 				[FIRMWARE_CHECK]
- 				[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
-@@ -38,6 +39,9 @@ Description:
- 			fowner:= decimal value
- 		lsm:  	are LSM specific
- 		option:	appraise_type:= [imasig] [imasig|modsig]
-+			appraise_flag:= [check_blacklist]
-+			Currently, blacklist check is only for files signed with appended
-+			signature.
- 			template:= name of a defined IMA template type
- 			(eg, ima-ng). Only valid when action is "measure".
- 			pcr:= decimal value
-diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
-index 04800f7f2351..7d855f2c80fa 100644
---- a/security/integrity/ima/ima.h
-+++ b/security/integrity/ima/ima.h
-@@ -258,6 +258,8 @@ int ima_policy_show(struct seq_file *m, void *v);
- #define IMA_APPRAISE_KEXEC	0x40
- 
- #ifdef CONFIG_IMA_APPRAISE
-+int ima_check_blacklist(struct integrity_iint_cache *iint,
-+			const struct modsig *modsig, int pcr);
- int ima_appraise_measurement(enum ima_hooks func,
- 			     struct integrity_iint_cache *iint,
- 			     struct file *file, const unsigned char *filename,
-@@ -273,6 +275,12 @@ int ima_read_xattr(struct dentry *dentry,
- 		   struct evm_ima_xattr_data **xattr_value);
- 
- #else
-+static inline int ima_check_blacklist(struct integrity_iint_cache *iint,
-+				      const struct modsig *modsig, int pcr)
-+{
-+	return 0;
-+}
-+
- static inline int ima_appraise_measurement(enum ima_hooks func,
- 					   struct integrity_iint_cache *iint,
- 					   struct file *file,
-diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
-index 23b04c6521b2..176249e4a7ac 100644
---- a/security/integrity/ima/ima_appraise.c
-+++ b/security/integrity/ima/ima_appraise.c
-@@ -12,6 +12,7 @@
- #include <linux/magic.h>
- #include <linux/ima.h>
- #include <linux/evm.h>
-+#include <keys/system_keyring.h>
- 
- #include "ima.h"
- 
-@@ -309,6 +310,38 @@ static int modsig_verify(enum ima_hooks func, const struct modsig *modsig,
- 	return rc;
- }
- 
-+/*
-+ * ima_check_blacklist - determine if the binary is blacklisted.
-+ *
-+ * Add the hash of the blacklisted binary to the measurement list, based
-+ * on policy.
-+ *
-+ * Returns -EPERM if the hash is blacklisted.
-+ */
-+int ima_check_blacklist(struct integrity_iint_cache *iint,
-+			const struct modsig *modsig, int pcr)
-+{
-+	enum hash_algo hash_algo;
-+	const u8 *digest = NULL;
-+	u32 digestsize = 0;
-+	int rc = 0;
-+
-+	if (!(iint->flags & IMA_CHECK_BLACKLIST))
-+		return 0;
-+
-+	if (iint->flags & IMA_MODSIG_ALLOWED && modsig) {
-+		ima_get_modsig_digest(modsig, &hash_algo, &digest, &digestsize);
-+
-+		rc = is_binary_blacklisted(digest, digestsize);
-+		if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
-+			process_buffer_measurement(digest, digestsize,
-+						   "blacklisted-hash", NONE,
-+						   pcr);
-+	}
-+
-+	return rc;
-+}
-+
- /*
-  * ima_appraise_measurement - appraise file measurement
-  *
-diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
-index bc730e553053..a16c148ed90d 100644
---- a/security/integrity/ima/ima_main.c
-+++ b/security/integrity/ima/ima_main.c
-@@ -335,10 +335,14 @@ static int process_measurement(struct file *file, const struct cred *cred,
- 				      xattr_value, xattr_len, modsig, pcr,
- 				      template_desc);
- 	if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) {
--		inode_lock(inode);
--		rc = ima_appraise_measurement(func, iint, file, pathname,
--					      xattr_value, xattr_len, modsig);
--		inode_unlock(inode);
-+		rc = ima_check_blacklist(iint, modsig, pcr);
-+		if (rc != -EPERM) {
-+			inode_lock(inode);
-+			rc = ima_appraise_measurement(func, iint, file,
-+						      pathname, xattr_value,
-+						      xattr_len, modsig);
-+			inode_unlock(inode);
-+		}
- 		if (!rc)
- 			rc = mmap_violation_check(func, file, &pathbuf,
- 						  &pathname, filename);
-diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
-index e725d4187271..42f0970b3054 100644
---- a/security/integrity/ima/ima_policy.c
-+++ b/security/integrity/ima/ima_policy.c
-@@ -769,8 +769,8 @@ enum {
- 	Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq,
- 	Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt,
- 	Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
--	Opt_appraise_type, Opt_permit_directio,
--	Opt_pcr, Opt_template, Opt_err
-+	Opt_appraise_type, Opt_appraise_flag,
-+	Opt_permit_directio, Opt_pcr, Opt_template, Opt_err
- };
- 
- static const match_table_t policy_tokens = {
-@@ -802,6 +802,7 @@ static const match_table_t policy_tokens = {
- 	{Opt_euid_lt, "euid<%s"},
- 	{Opt_fowner_lt, "fowner<%s"},
- 	{Opt_appraise_type, "appraise_type=%s"},
-+	{Opt_appraise_flag, "appraise_flag=%s"},
- 	{Opt_permit_directio, "permit_directio"},
- 	{Opt_pcr, "pcr=%s"},
- 	{Opt_template, "template=%s"},
-@@ -1182,6 +1183,11 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
- 			else
- 				result = -EINVAL;
- 			break;
-+		case Opt_appraise_flag:
-+			ima_log_string(ab, "appraise_flag", args[0].from);
-+			if (strstr(args[0].from, "blacklist"))
-+				entry->flags |= IMA_CHECK_BLACKLIST;
-+			break;
- 		case Opt_permit_directio:
- 			entry->flags |= IMA_PERMIT_DIRECTIO;
- 			break;
-@@ -1510,6 +1516,8 @@ int ima_policy_show(struct seq_file *m, void *v)
- 		else
- 			seq_puts(m, "appraise_type=imasig ");
- 	}
-+	if (entry->flags & IMA_CHECK_BLACKLIST)
-+		seq_puts(m, "appraise_flag=check_blacklist ");
- 	if (entry->flags & IMA_PERMIT_DIRECTIO)
- 		seq_puts(m, "permit_directio ");
- 	rcu_read_unlock();
-diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
-index d9323d31a3a8..73fc286834d7 100644
---- a/security/integrity/integrity.h
-+++ b/security/integrity/integrity.h
-@@ -32,6 +32,7 @@
- #define EVM_IMMUTABLE_DIGSIG	0x08000000
- #define IMA_FAIL_UNVERIFIABLE_SIGS	0x10000000
- #define IMA_MODSIG_ALLOWED	0x20000000
-+#define IMA_CHECK_BLACKLIST	0x40000000
- 
- #define IMA_DO_MASK		(IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \
- 				 IMA_HASH | IMA_APPRAISE_SUBMASK)
diff --git a/openpower/linux/0009-powerpc-ima-Update-ima-arch-policy-to-check-for-blac.patch b/openpower/linux/0009-powerpc-ima-Update-ima-arch-policy-to-check-for-blac.patch
deleted file mode 100644
index 921a675..0000000
--- a/openpower/linux/0009-powerpc-ima-Update-ima-arch-policy-to-check-for-blac.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Wed, 30 Oct 2019 23:31:33 -0400
-Subject: [PATCH 09/19] powerpc/ima: Update ima arch policy to check for
- blacklist
-
-This patch updates the arch-specific policies for PowerNV system to
-make sure that the binary hash is not blacklisted.
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1572492694-6520-9-git-send-email-zohar@linux.ibm.com
-(cherry picked from commit dc87f18615db9dc74a75cfb4a57ed33b07a3903a)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/kernel/ima_arch.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
-index 0ef5956c9753..b9de0fb45bb9 100644
---- a/arch/powerpc/kernel/ima_arch.c
-+++ b/arch/powerpc/kernel/ima_arch.c
-@@ -23,9 +23,9 @@ bool arch_ima_get_secureboot(void)
-  * is not enabled.
-  */
- static const char *const secure_rules[] = {
--	"appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
-+	"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
- #ifndef CONFIG_MODULE_SIG_FORCE
--	"appraise func=MODULE_CHECK appraise_type=imasig|modsig",
-+	"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
- #endif
- 	NULL
- };
-@@ -49,9 +49,9 @@ static const char *const trusted_rules[] = {
- static const char *const secure_and_trusted_rules[] = {
- 	"measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
- 	"measure func=MODULE_CHECK template=ima-modsig",
--	"appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
-+	"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
- #ifndef CONFIG_MODULE_SIG_FORCE
--	"appraise func=MODULE_CHECK appraise_type=imasig|modsig",
-+	"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
- #endif
- 	NULL
- };
diff --git a/openpower/linux/0010-powerpc-powernv-Add-OPAL-API-interface-to-access-sec.patch b/openpower/linux/0010-powerpc-powernv-Add-OPAL-API-interface-to-access-sec.patch
deleted file mode 100644
index 8875930..0000000
--- a/openpower/linux/0010-powerpc-powernv-Add-OPAL-API-interface-to-access-sec.patch
+++ /dev/null
@@ -1,329 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Sun, 10 Nov 2019 21:10:33 -0600
-Subject: [PATCH 10/19] powerpc/powernv: Add OPAL API interface to access
- secure variable
-
-The X.509 certificates trusted by the platform and required to secure
-boot the OS kernel are wrapped in secure variables, which are
-controlled by OPAL.
-
-This patch adds firmware/kernel interface to read and write OPAL
-secure variables based on the unique key.
-
-This support can be enabled using CONFIG_OPAL_SECVAR.
-
-Signed-off-by: Claudio Carvalho <cclaudio@linux.ibm.com>
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Signed-off-by: Eric Richter <erichte@linux.ibm.com>
-[mpe: Make secvar_ops __ro_after_init, only build opal-secvar.c if PPC_SECURE_BOOT=y]
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1573441836-3632-2-git-send-email-nayna@linux.ibm.com
-(cherry picked from commit 9155e2341aa8b5df057dc1c77633b33d1a4f17d2)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/include/asm/opal-api.h          |   5 +-
- arch/powerpc/include/asm/opal.h              |   7 +
- arch/powerpc/include/asm/secvar.h            |  35 +++++
- arch/powerpc/kernel/Makefile                 |   2 +-
- arch/powerpc/kernel/secvar-ops.c             |  17 +++
- arch/powerpc/platforms/powernv/Makefile      |   1 +
- arch/powerpc/platforms/powernv/opal-call.c   |   3 +
- arch/powerpc/platforms/powernv/opal-secvar.c | 140 +++++++++++++++++++
- arch/powerpc/platforms/powernv/opal.c        |   3 +
- 9 files changed, 211 insertions(+), 2 deletions(-)
- create mode 100644 arch/powerpc/include/asm/secvar.h
- create mode 100644 arch/powerpc/kernel/secvar-ops.c
- create mode 100644 arch/powerpc/platforms/powernv/opal-secvar.c
-
-diff --git a/arch/powerpc/include/asm/opal-api.h b/arch/powerpc/include/asm/opal-api.h
-index 378e3997845a..c1f25a760eb1 100644
---- a/arch/powerpc/include/asm/opal-api.h
-+++ b/arch/powerpc/include/asm/opal-api.h
-@@ -211,7 +211,10 @@
- #define OPAL_MPIPL_UPDATE			173
- #define OPAL_MPIPL_REGISTER_TAG			174
- #define OPAL_MPIPL_QUERY_TAG			175
--#define OPAL_LAST				175
-+#define OPAL_SECVAR_GET				176
-+#define OPAL_SECVAR_GET_NEXT			177
-+#define OPAL_SECVAR_ENQUEUE_UPDATE		178
-+#define OPAL_LAST				178
- 
- #define QUIESCE_HOLD			1 /* Spin all calls at entry */
- #define QUIESCE_REJECT			2 /* Fail all calls with OPAL_BUSY */
-diff --git a/arch/powerpc/include/asm/opal.h b/arch/powerpc/include/asm/opal.h
-index a0cf8fba4d12..9986ac34b8e2 100644
---- a/arch/powerpc/include/asm/opal.h
-+++ b/arch/powerpc/include/asm/opal.h
-@@ -298,6 +298,13 @@ int opal_sensor_group_clear(u32 group_hndl, int token);
- int opal_sensor_group_enable(u32 group_hndl, int token, bool enable);
- int opal_nx_coproc_init(uint32_t chip_id, uint32_t ct);
- 
-+int opal_secvar_get(const char *key, uint64_t key_len, u8 *data,
-+		    uint64_t *data_size);
-+int opal_secvar_get_next(const char *key, uint64_t *key_len,
-+			 uint64_t key_buf_size);
-+int opal_secvar_enqueue_update(const char *key, uint64_t key_len, u8 *data,
-+			       uint64_t data_size);
-+
- s64 opal_mpipl_update(enum opal_mpipl_ops op, u64 src, u64 dest, u64 size);
- s64 opal_mpipl_register_tag(enum opal_mpipl_tags tag, u64 addr);
- s64 opal_mpipl_query_tag(enum opal_mpipl_tags tag, u64 *addr);
-diff --git a/arch/powerpc/include/asm/secvar.h b/arch/powerpc/include/asm/secvar.h
-new file mode 100644
-index 000000000000..4cc35b58b986
---- /dev/null
-+++ b/arch/powerpc/include/asm/secvar.h
-@@ -0,0 +1,35 @@
-+/* SPDX-License-Identifier: GPL-2.0 */
-+/*
-+ * Copyright (C) 2019 IBM Corporation
-+ * Author: Nayna Jain
-+ *
-+ * PowerPC secure variable operations.
-+ */
-+#ifndef SECVAR_OPS_H
-+#define SECVAR_OPS_H
-+
-+#include <linux/types.h>
-+#include <linux/errno.h>
-+
-+extern const struct secvar_operations *secvar_ops;
-+
-+struct secvar_operations {
-+	int (*get)(const char *key, uint64_t key_len, u8 *data,
-+		   uint64_t *data_size);
-+	int (*get_next)(const char *key, uint64_t *key_len,
-+			uint64_t keybufsize);
-+	int (*set)(const char *key, uint64_t key_len, u8 *data,
-+		   uint64_t data_size);
-+};
-+
-+#ifdef CONFIG_PPC_SECURE_BOOT
-+
-+extern void set_secvar_ops(const struct secvar_operations *ops);
-+
-+#else
-+
-+static inline void set_secvar_ops(const struct secvar_operations *ops) { }
-+
-+#endif
-+
-+#endif
-diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
-index b82f7f5e5121..93b0336090f2 100644
---- a/arch/powerpc/kernel/Makefile
-+++ b/arch/powerpc/kernel/Makefile
-@@ -158,7 +158,7 @@ ifneq ($(CONFIG_PPC_POWERNV)$(CONFIG_PPC_SVM),)
- obj-y				+= ucall.o
- endif
- 
--obj-$(CONFIG_PPC_SECURE_BOOT)	+= secure_boot.o ima_arch.o
-+obj-$(CONFIG_PPC_SECURE_BOOT)	+= secure_boot.o ima_arch.o secvar-ops.o
- 
- # Disable GCOV, KCOV & sanitizers in odd or sensitive code
- GCOV_PROFILE_prom_init.o := n
-diff --git a/arch/powerpc/kernel/secvar-ops.c b/arch/powerpc/kernel/secvar-ops.c
-new file mode 100644
-index 000000000000..6a29777d6a2d
---- /dev/null
-+++ b/arch/powerpc/kernel/secvar-ops.c
-@@ -0,0 +1,17 @@
-+// SPDX-License-Identifier: GPL-2.0
-+/*
-+ * Copyright (C) 2019 IBM Corporation
-+ * Author: Nayna Jain
-+ *
-+ * This file initializes secvar operations for PowerPC Secureboot
-+ */
-+
-+#include <linux/cache.h>
-+#include <asm/secvar.h>
-+
-+const struct secvar_operations *secvar_ops __ro_after_init;
-+
-+void set_secvar_ops(const struct secvar_operations *ops)
-+{
-+	secvar_ops = ops;
-+}
-diff --git a/arch/powerpc/platforms/powernv/Makefile b/arch/powerpc/platforms/powernv/Makefile
-index a3ac9646119d..c0f8120045c3 100644
---- a/arch/powerpc/platforms/powernv/Makefile
-+++ b/arch/powerpc/platforms/powernv/Makefile
-@@ -20,3 +20,4 @@ obj-$(CONFIG_PPC_MEMTRACE)	+= memtrace.o
- obj-$(CONFIG_PPC_VAS)	+= vas.o vas-window.o vas-debug.o
- obj-$(CONFIG_OCXL_BASE)	+= ocxl.o
- obj-$(CONFIG_SCOM_DEBUGFS) += opal-xscom.o
-+obj-$(CONFIG_PPC_SECURE_BOOT) += opal-secvar.o
-diff --git a/arch/powerpc/platforms/powernv/opal-call.c b/arch/powerpc/platforms/powernv/opal-call.c
-index a2aa5e433ac8..5cd0f52d258f 100644
---- a/arch/powerpc/platforms/powernv/opal-call.c
-+++ b/arch/powerpc/platforms/powernv/opal-call.c
-@@ -290,3 +290,6 @@ OPAL_CALL(opal_nx_coproc_init,			OPAL_NX_COPROC_INIT);
- OPAL_CALL(opal_mpipl_update,			OPAL_MPIPL_UPDATE);
- OPAL_CALL(opal_mpipl_register_tag,		OPAL_MPIPL_REGISTER_TAG);
- OPAL_CALL(opal_mpipl_query_tag,			OPAL_MPIPL_QUERY_TAG);
-+OPAL_CALL(opal_secvar_get,			OPAL_SECVAR_GET);
-+OPAL_CALL(opal_secvar_get_next,			OPAL_SECVAR_GET_NEXT);
-+OPAL_CALL(opal_secvar_enqueue_update,		OPAL_SECVAR_ENQUEUE_UPDATE);
-diff --git a/arch/powerpc/platforms/powernv/opal-secvar.c b/arch/powerpc/platforms/powernv/opal-secvar.c
-new file mode 100644
-index 000000000000..14133e120bdd
---- /dev/null
-+++ b/arch/powerpc/platforms/powernv/opal-secvar.c
-@@ -0,0 +1,140 @@
-+// SPDX-License-Identifier: GPL-2.0
-+/*
-+ * PowerNV code for secure variables
-+ *
-+ * Copyright (C) 2019 IBM Corporation
-+ * Author: Claudio Carvalho
-+ *         Nayna Jain
-+ *
-+ * APIs to access secure variables managed by OPAL.
-+ */
-+
-+#define pr_fmt(fmt) "secvar: "fmt
-+
-+#include <linux/types.h>
-+#include <linux/platform_device.h>
-+#include <linux/of_platform.h>
-+#include <asm/opal.h>
-+#include <asm/secvar.h>
-+#include <asm/secure_boot.h>
-+
-+static int opal_status_to_err(int rc)
-+{
-+	int err;
-+
-+	switch (rc) {
-+	case OPAL_SUCCESS:
-+		err = 0;
-+		break;
-+	case OPAL_UNSUPPORTED:
-+		err = -ENXIO;
-+		break;
-+	case OPAL_PARAMETER:
-+		err = -EINVAL;
-+		break;
-+	case OPAL_RESOURCE:
-+		err = -ENOSPC;
-+		break;
-+	case OPAL_HARDWARE:
-+		err = -EIO;
-+		break;
-+	case OPAL_NO_MEM:
-+		err = -ENOMEM;
-+		break;
-+	case OPAL_EMPTY:
-+		err = -ENOENT;
-+		break;
-+	case OPAL_PARTIAL:
-+		err = -EFBIG;
-+		break;
-+	default:
-+		err = -EINVAL;
-+	}
-+
-+	return err;
-+}
-+
-+static int opal_get_variable(const char *key, uint64_t ksize,
-+			     u8 *data, uint64_t *dsize)
-+{
-+	int rc;
-+
-+	if (!key || !dsize)
-+		return -EINVAL;
-+
-+	*dsize = cpu_to_be64(*dsize);
-+
-+	rc = opal_secvar_get(key, ksize, data, dsize);
-+
-+	*dsize = be64_to_cpu(*dsize);
-+
-+	return opal_status_to_err(rc);
-+}
-+
-+static int opal_get_next_variable(const char *key, uint64_t *keylen,
-+				  uint64_t keybufsize)
-+{
-+	int rc;
-+
-+	if (!key || !keylen)
-+		return -EINVAL;
-+
-+	*keylen = cpu_to_be64(*keylen);
-+
-+	rc = opal_secvar_get_next(key, keylen, keybufsize);
-+
-+	*keylen = be64_to_cpu(*keylen);
-+
-+	return opal_status_to_err(rc);
-+}
-+
-+static int opal_set_variable(const char *key, uint64_t ksize, u8 *data,
-+			     uint64_t dsize)
-+{
-+	int rc;
-+
-+	if (!key || !data)
-+		return -EINVAL;
-+
-+	rc = opal_secvar_enqueue_update(key, ksize, data, dsize);
-+
-+	return opal_status_to_err(rc);
-+}
-+
-+static const struct secvar_operations opal_secvar_ops = {
-+	.get = opal_get_variable,
-+	.get_next = opal_get_next_variable,
-+	.set = opal_set_variable,
-+};
-+
-+static int opal_secvar_probe(struct platform_device *pdev)
-+{
-+	if (!opal_check_token(OPAL_SECVAR_GET)
-+			|| !opal_check_token(OPAL_SECVAR_GET_NEXT)
-+			|| !opal_check_token(OPAL_SECVAR_ENQUEUE_UPDATE)) {
-+		pr_err("OPAL doesn't support secure variables\n");
-+		return -ENODEV;
-+	}
-+
-+	set_secvar_ops(&opal_secvar_ops);
-+
-+	return 0;
-+}
-+
-+static const struct of_device_id opal_secvar_match[] = {
-+	{ .compatible = "ibm,secvar-backend",},
-+	{},
-+};
-+
-+static struct platform_driver opal_secvar_driver = {
-+	.driver = {
-+		.name = "secvar",
-+		.of_match_table = opal_secvar_match,
-+	},
-+};
-+
-+static int __init opal_secvar_init(void)
-+{
-+	return platform_driver_probe(&opal_secvar_driver, opal_secvar_probe);
-+}
-+device_initcall(opal_secvar_init);
-diff --git a/arch/powerpc/platforms/powernv/opal.c b/arch/powerpc/platforms/powernv/opal.c
-index 38e90270280b..8355bcd00f93 100644
---- a/arch/powerpc/platforms/powernv/opal.c
-+++ b/arch/powerpc/platforms/powernv/opal.c
-@@ -1002,6 +1002,9 @@ static int __init opal_init(void)
- 	/* Initialise OPAL Power control interface */
- 	opal_power_control_init();
- 
-+	/* Initialize OPAL secure variables */
-+	opal_pdev_init("ibm,secvar-backend");
-+
- 	return 0;
- }
- machine_subsys_initcall(powernv, opal_init);
diff --git a/openpower/linux/0011-powerpc-expose-secure-variables-to-userspace-via-sys.patch b/openpower/linux/0011-powerpc-expose-secure-variables-to-userspace-via-sys.patch
deleted file mode 100644
index 518b9c3..0000000
--- a/openpower/linux/0011-powerpc-expose-secure-variables-to-userspace-via-sys.patch
+++ /dev/null
@@ -1,369 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Sun, 10 Nov 2019 21:10:34 -0600
-Subject: [PATCH 11/19] powerpc: expose secure variables to userspace via sysfs
-
-PowerNV secure variables, which store the keys used for OS kernel
-verification, are managed by the firmware. These secure variables need to
-be accessed by the userspace for addition/deletion of the certificates.
-
-This patch adds the sysfs interface to expose secure variables for PowerNV
-secureboot. The users shall use this interface for manipulating
-the keys stored in the secure variables.
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Eric Richter <erichte@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1573441836-3632-3-git-send-email-nayna@linux.ibm.com
-(cherry picked from commit bd5d9c743d38f67d64ea1b512a461f6b5a5f6bec)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- Documentation/ABI/testing/sysfs-secvar |  46 +++++
- arch/powerpc/Kconfig                   |  11 ++
- arch/powerpc/kernel/Makefile           |   1 +
- arch/powerpc/kernel/secvar-sysfs.c     | 248 +++++++++++++++++++++++++
- 4 files changed, 306 insertions(+)
- create mode 100644 Documentation/ABI/testing/sysfs-secvar
- create mode 100644 arch/powerpc/kernel/secvar-sysfs.c
-
-diff --git a/Documentation/ABI/testing/sysfs-secvar b/Documentation/ABI/testing/sysfs-secvar
-new file mode 100644
-index 000000000000..feebb8c57294
---- /dev/null
-+++ b/Documentation/ABI/testing/sysfs-secvar
-@@ -0,0 +1,46 @@
-+What:		/sys/firmware/secvar
-+Date:		August 2019
-+Contact:	Nayna Jain <nayna@linux.ibm.com>
-+Description:	This directory is created if the POWER firmware supports OS
-+		secureboot, thereby secure variables. It exposes interface
-+		for reading/writing the secure variables
-+
-+What:		/sys/firmware/secvar/vars
-+Date:		August 2019
-+Contact:	Nayna Jain <nayna@linux.ibm.com>
-+Description:	This directory lists all the secure variables that are supported
-+		by the firmware.
-+
-+What:		/sys/firmware/secvar/format
-+Date:		August 2019
-+Contact:	Nayna Jain <nayna@linux.ibm.com>
-+Description:	A string indicating which backend is in use by the firmware.
-+		This determines the format of the variable and the accepted
-+		format of variable updates.
-+
-+What:		/sys/firmware/secvar/vars/<variable name>
-+Date:		August 2019
-+Contact:	Nayna Jain <nayna@linux.ibm.com>
-+Description:	Each secure variable is represented as a directory named as
-+		<variable_name>. The variable name is unique and is in ASCII
-+		representation. The data and size can be determined by reading
-+		their respective attribute files.
-+
-+What:		/sys/firmware/secvar/vars/<variable_name>/size
-+Date:		August 2019
-+Contact:	Nayna Jain <nayna@linux.ibm.com>
-+Description:	An integer representation of the size of the content of the
-+		variable. In other words, it represents the size of the data.
-+
-+What:		/sys/firmware/secvar/vars/<variable_name>/data
-+Date:		August 2019
-+Contact:	Nayna Jain h<nayna@linux.ibm.com>
-+Description:	A read-only file containing the value of the variable. The size
-+		of the file represents the maximum size of the variable data.
-+
-+What:		/sys/firmware/secvar/vars/<variable_name>/update
-+Date:		August 2019
-+Contact:	Nayna Jain <nayna@linux.ibm.com>
-+Description:	A write-only file that is used to submit the new value for the
-+		variable. The size of the file represents the maximum size of
-+		the variable data that can be written.
-diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
-index 32ce6c0b43f1..cc6cdf821604 100644
---- a/arch/powerpc/Kconfig
-+++ b/arch/powerpc/Kconfig
-@@ -946,6 +946,17 @@ config PPC_SECURE_BOOT
- 	  to enable OS secure boot on systems that have firmware support for
- 	  it. If in doubt say N.
- 
-+config PPC_SECVAR_SYSFS
-+	bool "Enable sysfs interface for POWER secure variables"
-+	default y
-+	depends on PPC_SECURE_BOOT
-+	depends on SYSFS
-+	help
-+	  POWER secure variables are managed and controlled by firmware.
-+	  These variables are exposed to userspace via sysfs to enable
-+	  read/write operations on these variables. Say Y if you have
-+	  secure boot enabled and want to expose variables to userspace.
-+
- endmenu
- 
- config ISA_DMA_API
-diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
-index 93b0336090f2..b97c018a2f53 100644
---- a/arch/powerpc/kernel/Makefile
-+++ b/arch/powerpc/kernel/Makefile
-@@ -159,6 +159,7 @@ obj-y				+= ucall.o
- endif
- 
- obj-$(CONFIG_PPC_SECURE_BOOT)	+= secure_boot.o ima_arch.o secvar-ops.o
-+obj-$(CONFIG_PPC_SECVAR_SYSFS)	+= secvar-sysfs.o
- 
- # Disable GCOV, KCOV & sanitizers in odd or sensitive code
- GCOV_PROFILE_prom_init.o := n
-diff --git a/arch/powerpc/kernel/secvar-sysfs.c b/arch/powerpc/kernel/secvar-sysfs.c
-new file mode 100644
-index 000000000000..a0a78aba2083
---- /dev/null
-+++ b/arch/powerpc/kernel/secvar-sysfs.c
-@@ -0,0 +1,248 @@
-+// SPDX-License-Identifier: GPL-2.0+
-+/*
-+ * Copyright (C) 2019 IBM Corporation <nayna@linux.ibm.com>
-+ *
-+ * This code exposes secure variables to user via sysfs
-+ */
-+
-+#define pr_fmt(fmt) "secvar-sysfs: "fmt
-+
-+#include <linux/slab.h>
-+#include <linux/compat.h>
-+#include <linux/string.h>
-+#include <linux/of.h>
-+#include <asm/secvar.h>
-+
-+#define NAME_MAX_SIZE	   1024
-+
-+static struct kobject *secvar_kobj;
-+static struct kset *secvar_kset;
-+
-+static ssize_t format_show(struct kobject *kobj, struct kobj_attribute *attr,
-+			   char *buf)
-+{
-+	ssize_t rc = 0;
-+	struct device_node *node;
-+	const char *format;
-+
-+	node = of_find_compatible_node(NULL, NULL, "ibm,secvar-backend");
-+	if (!of_device_is_available(node))
-+		return -ENODEV;
-+
-+	rc = of_property_read_string(node, "format", &format);
-+	if (rc)
-+		return rc;
-+
-+	rc = sprintf(buf, "%s\n", format);
-+
-+	of_node_put(node);
-+
-+	return rc;
-+}
-+
-+
-+static ssize_t size_show(struct kobject *kobj, struct kobj_attribute *attr,
-+			 char *buf)
-+{
-+	uint64_t dsize;
-+	int rc;
-+
-+	rc = secvar_ops->get(kobj->name, strlen(kobj->name) + 1, NULL, &dsize);
-+	if (rc) {
-+		pr_err("Error retrieving %s variable size %d\n", kobj->name,
-+		       rc);
-+		return rc;
-+	}
-+
-+	return sprintf(buf, "%llu\n", dsize);
-+}
-+
-+static ssize_t data_read(struct file *filep, struct kobject *kobj,
-+			 struct bin_attribute *attr, char *buf, loff_t off,
-+			 size_t count)
-+{
-+	uint64_t dsize;
-+	char *data;
-+	int rc;
-+
-+	rc = secvar_ops->get(kobj->name, strlen(kobj->name) + 1, NULL, &dsize);
-+	if (rc) {
-+		pr_err("Error getting %s variable size %d\n", kobj->name, rc);
-+		return rc;
-+	}
-+	pr_debug("dsize is %llu\n", dsize);
-+
-+	data = kzalloc(dsize, GFP_KERNEL);
-+	if (!data)
-+		return -ENOMEM;
-+
-+	rc = secvar_ops->get(kobj->name, strlen(kobj->name) + 1, data, &dsize);
-+	if (rc) {
-+		pr_err("Error getting %s variable %d\n", kobj->name, rc);
-+		goto data_fail;
-+	}
-+
-+	rc = memory_read_from_buffer(buf, count, &off, data, dsize);
-+
-+data_fail:
-+	kfree(data);
-+	return rc;
-+}
-+
-+static ssize_t update_write(struct file *filep, struct kobject *kobj,
-+			    struct bin_attribute *attr, char *buf, loff_t off,
-+			    size_t count)
-+{
-+	int rc;
-+
-+	pr_debug("count is %ld\n", count);
-+	rc = secvar_ops->set(kobj->name, strlen(kobj->name) + 1, buf, count);
-+	if (rc) {
-+		pr_err("Error setting the %s variable %d\n", kobj->name, rc);
-+		return rc;
-+	}
-+
-+	return count;
-+}
-+
-+static struct kobj_attribute format_attr = __ATTR_RO(format);
-+
-+static struct kobj_attribute size_attr = __ATTR_RO(size);
-+
-+static struct bin_attribute data_attr = __BIN_ATTR_RO(data, 0);
-+
-+static struct bin_attribute update_attr = __BIN_ATTR_WO(update, 0);
-+
-+static struct bin_attribute *secvar_bin_attrs[] = {
-+	&data_attr,
-+	&update_attr,
-+	NULL,
-+};
-+
-+static struct attribute *secvar_attrs[] = {
-+	&size_attr.attr,
-+	NULL,
-+};
-+
-+static const struct attribute_group secvar_attr_group = {
-+	.attrs = secvar_attrs,
-+	.bin_attrs = secvar_bin_attrs,
-+};
-+__ATTRIBUTE_GROUPS(secvar_attr);
-+
-+static struct kobj_type secvar_ktype = {
-+	.sysfs_ops	= &kobj_sysfs_ops,
-+	.default_groups = secvar_attr_groups,
-+};
-+
-+static int update_kobj_size(void)
-+{
-+
-+	struct device_node *node;
-+	u64 varsize;
-+	int rc = 0;
-+
-+	node = of_find_compatible_node(NULL, NULL, "ibm,secvar-backend");
-+	if (!of_device_is_available(node)) {
-+		rc = -ENODEV;
-+		goto out;
-+	}
-+
-+	rc = of_property_read_u64(node, "max-var-size", &varsize);
-+	if (rc)
-+		goto out;
-+
-+	data_attr.size = varsize;
-+	update_attr.size = varsize;
-+
-+out:
-+	of_node_put(node);
-+
-+	return rc;
-+}
-+
-+static int secvar_sysfs_load(void)
-+{
-+	char *name;
-+	uint64_t namesize = 0;
-+	struct kobject *kobj;
-+	int rc;
-+
-+	name = kzalloc(NAME_MAX_SIZE, GFP_KERNEL);
-+	if (!name)
-+		return -ENOMEM;
-+
-+	do {
-+		rc = secvar_ops->get_next(name, &namesize, NAME_MAX_SIZE);
-+		if (rc) {
-+			if (rc != -ENOENT)
-+				pr_err("error getting secvar from firmware %d\n",
-+				       rc);
-+			break;
-+		}
-+
-+		kobj = kzalloc(sizeof(*kobj), GFP_KERNEL);
-+		if (!kobj) {
-+			rc = -ENOMEM;
-+			break;
-+		}
-+
-+		kobject_init(kobj, &secvar_ktype);
-+
-+		rc = kobject_add(kobj, &secvar_kset->kobj, "%s", name);
-+		if (rc) {
-+			pr_warn("kobject_add error %d for attribute: %s\n", rc,
-+				name);
-+			kobject_put(kobj);
-+			kobj = NULL;
-+		}
-+
-+		if (kobj)
-+			kobject_uevent(kobj, KOBJ_ADD);
-+
-+	} while (!rc);
-+
-+	kfree(name);
-+	return rc;
-+}
-+
-+static int secvar_sysfs_init(void)
-+{
-+	int rc;
-+
-+	if (!secvar_ops) {
-+		pr_warn("secvar: failed to retrieve secvar operations.\n");
-+		return -ENODEV;
-+	}
-+
-+	secvar_kobj = kobject_create_and_add("secvar", firmware_kobj);
-+	if (!secvar_kobj) {
-+		pr_err("secvar: Failed to create firmware kobj\n");
-+		return -ENOMEM;
-+	}
-+
-+	rc = sysfs_create_file(secvar_kobj, &format_attr.attr);
-+	if (rc) {
-+		kobject_put(secvar_kobj);
-+		return -ENOMEM;
-+	}
-+
-+	secvar_kset = kset_create_and_add("vars", NULL, secvar_kobj);
-+	if (!secvar_kset) {
-+		pr_err("secvar: sysfs kobject registration failed.\n");
-+		kobject_put(secvar_kobj);
-+		return -ENOMEM;
-+	}
-+
-+	rc = update_kobj_size();
-+	if (rc) {
-+		pr_err("Cannot read the size of the attribute\n");
-+		return rc;
-+	}
-+
-+	secvar_sysfs_load();
-+
-+	return 0;
-+}
-+
-+late_initcall(secvar_sysfs_init);
diff --git a/openpower/linux/0012-x86-efi-move-common-keyring-handler-functions-to-new.patch b/openpower/linux/0012-x86-efi-move-common-keyring-handler-functions-to-new.patch
deleted file mode 100644
index e0b01c9..0000000
--- a/openpower/linux/0012-x86-efi-move-common-keyring-handler-functions-to-new.patch
+++ /dev/null
@@ -1,251 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Sun, 10 Nov 2019 21:10:35 -0600
-Subject: [PATCH 12/19] x86/efi: move common keyring handler functions to new
- file
-
-The handlers to add the keys to the .platform keyring and blacklisted
-hashes to the .blacklist keyring is common for both the uefi and powerpc
-mechanisms of loading the keys/hashes from the firmware.
-
-This patch moves the common code from load_uefi.c to keyring_handler.c
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Acked-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Eric Richter <erichte@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1573441836-3632-4-git-send-email-nayna@linux.ibm.com
-(cherry picked from commit ad723674d6758478829ee766e3f1a2a24d56236f)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- security/integrity/Makefile                   |  3 +-
- .../platform_certs/keyring_handler.c          | 80 +++++++++++++++++++
- .../platform_certs/keyring_handler.h          | 32 ++++++++
- security/integrity/platform_certs/load_uefi.c | 67 +---------------
- 4 files changed, 115 insertions(+), 67 deletions(-)
- create mode 100644 security/integrity/platform_certs/keyring_handler.c
- create mode 100644 security/integrity/platform_certs/keyring_handler.h
-
-diff --git a/security/integrity/Makefile b/security/integrity/Makefile
-index 35e6ca773734..351c9662994b 100644
---- a/security/integrity/Makefile
-+++ b/security/integrity/Makefile
-@@ -11,7 +11,8 @@ integrity-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o
- integrity-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o
- integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o
- integrity-$(CONFIG_LOAD_UEFI_KEYS) += platform_certs/efi_parser.o \
--					platform_certs/load_uefi.o
-+				      platform_certs/load_uefi.o \
-+				      platform_certs/keyring_handler.o
- integrity-$(CONFIG_LOAD_IPL_KEYS) += platform_certs/load_ipl_s390.o
- 
- obj-$(CONFIG_IMA)			+= ima/
-diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c
-new file mode 100644
-index 000000000000..c5ba695c10e3
---- /dev/null
-+++ b/security/integrity/platform_certs/keyring_handler.c
-@@ -0,0 +1,80 @@
-+// SPDX-License-Identifier: GPL-2.0
-+
-+#include <linux/kernel.h>
-+#include <linux/sched.h>
-+#include <linux/cred.h>
-+#include <linux/err.h>
-+#include <linux/efi.h>
-+#include <linux/slab.h>
-+#include <keys/asymmetric-type.h>
-+#include <keys/system_keyring.h>
-+#include "../integrity.h"
-+
-+static efi_guid_t efi_cert_x509_guid __initdata = EFI_CERT_X509_GUID;
-+static efi_guid_t efi_cert_x509_sha256_guid __initdata =
-+	EFI_CERT_X509_SHA256_GUID;
-+static efi_guid_t efi_cert_sha256_guid __initdata = EFI_CERT_SHA256_GUID;
-+
-+/*
-+ * Blacklist a hash.
-+ */
-+static __init void uefi_blacklist_hash(const char *source, const void *data,
-+				       size_t len, const char *type,
-+				       size_t type_len)
-+{
-+	char *hash, *p;
-+
-+	hash = kmalloc(type_len + len * 2 + 1, GFP_KERNEL);
-+	if (!hash)
-+		return;
-+	p = memcpy(hash, type, type_len);
-+	p += type_len;
-+	bin2hex(p, data, len);
-+	p += len * 2;
-+	*p = 0;
-+
-+	mark_hash_blacklisted(hash);
-+	kfree(hash);
-+}
-+
-+/*
-+ * Blacklist an X509 TBS hash.
-+ */
-+static __init void uefi_blacklist_x509_tbs(const char *source,
-+					   const void *data, size_t len)
-+{
-+	uefi_blacklist_hash(source, data, len, "tbs:", 4);
-+}
-+
-+/*
-+ * Blacklist the hash of an executable.
-+ */
-+static __init void uefi_blacklist_binary(const char *source,
-+					 const void *data, size_t len)
-+{
-+	uefi_blacklist_hash(source, data, len, "bin:", 4);
-+}
-+
-+/*
-+ * Return the appropriate handler for particular signature list types found in
-+ * the UEFI db and MokListRT tables.
-+ */
-+__init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
-+{
-+	if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
-+		return add_to_platform_keyring;
-+	return 0;
-+}
-+
-+/*
-+ * Return the appropriate handler for particular signature list types found in
-+ * the UEFI dbx and MokListXRT tables.
-+ */
-+__init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type)
-+{
-+	if (efi_guidcmp(*sig_type, efi_cert_x509_sha256_guid) == 0)
-+		return uefi_blacklist_x509_tbs;
-+	if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0)
-+		return uefi_blacklist_binary;
-+	return 0;
-+}
-diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h
-new file mode 100644
-index 000000000000..2462bfa08fe3
---- /dev/null
-+++ b/security/integrity/platform_certs/keyring_handler.h
-@@ -0,0 +1,32 @@
-+/* SPDX-License-Identifier: GPL-2.0 */
-+
-+#ifndef PLATFORM_CERTS_INTERNAL_H
-+#define PLATFORM_CERTS_INTERNAL_H
-+
-+#include <linux/efi.h>
-+
-+void blacklist_hash(const char *source, const void *data,
-+		    size_t len, const char *type,
-+		    size_t type_len);
-+
-+/*
-+ * Blacklist an X509 TBS hash.
-+ */
-+void blacklist_x509_tbs(const char *source, const void *data, size_t len);
-+
-+/*
-+ * Blacklist the hash of an executable.
-+ */
-+void blacklist_binary(const char *source, const void *data, size_t len);
-+
-+/*
-+ * Return the handler for particular signature list types found in the db.
-+ */
-+efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type);
-+
-+/*
-+ * Return the handler for particular signature list types found in the dbx.
-+ */
-+efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type);
-+
-+#endif
-diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
-index 020fc7a11ef0..aa874d84e413 100644
---- a/security/integrity/platform_certs/load_uefi.c
-+++ b/security/integrity/platform_certs/load_uefi.c
-@@ -9,6 +9,7 @@
- #include <keys/asymmetric-type.h>
- #include <keys/system_keyring.h>
- #include "../integrity.h"
-+#include "keyring_handler.h"
- 
- static efi_guid_t efi_cert_x509_guid __initdata = EFI_CERT_X509_GUID;
- static efi_guid_t efi_cert_x509_sha256_guid __initdata =
-@@ -69,72 +70,6 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
- 	return db;
- }
- 
--/*
-- * Blacklist a hash.
-- */
--static __init void uefi_blacklist_hash(const char *source, const void *data,
--				       size_t len, const char *type,
--				       size_t type_len)
--{
--	char *hash, *p;
--
--	hash = kmalloc(type_len + len * 2 + 1, GFP_KERNEL);
--	if (!hash)
--		return;
--	p = memcpy(hash, type, type_len);
--	p += type_len;
--	bin2hex(p, data, len);
--	p += len * 2;
--	*p = 0;
--
--	mark_hash_blacklisted(hash);
--	kfree(hash);
--}
--
--/*
-- * Blacklist an X509 TBS hash.
-- */
--static __init void uefi_blacklist_x509_tbs(const char *source,
--					   const void *data, size_t len)
--{
--	uefi_blacklist_hash(source, data, len, "tbs:", 4);
--}
--
--/*
-- * Blacklist the hash of an executable.
-- */
--static __init void uefi_blacklist_binary(const char *source,
--					 const void *data, size_t len)
--{
--	uefi_blacklist_hash(source, data, len, "bin:", 4);
--}
--
--/*
-- * Return the appropriate handler for particular signature list types found in
-- * the UEFI db and MokListRT tables.
-- */
--static __init efi_element_handler_t get_handler_for_db(const efi_guid_t *
--						       sig_type)
--{
--	if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
--		return add_to_platform_keyring;
--	return 0;
--}
--
--/*
-- * Return the appropriate handler for particular signature list types found in
-- * the UEFI dbx and MokListXRT tables.
-- */
--static __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *
--							sig_type)
--{
--	if (efi_guidcmp(*sig_type, efi_cert_x509_sha256_guid) == 0)
--		return uefi_blacklist_x509_tbs;
--	if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0)
--		return uefi_blacklist_binary;
--	return 0;
--}
--
- /*
-  * Load the certs contained in the UEFI databases into the platform trusted
-  * keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist
diff --git a/openpower/linux/0013-powerpc-Load-firmware-trusted-keys-hashes-into-kerne.patch b/openpower/linux/0013-powerpc-Load-firmware-trusted-keys-hashes-into-kerne.patch
deleted file mode 100644
index 83a0346..0000000
--- a/openpower/linux/0013-powerpc-Load-firmware-trusted-keys-hashes-into-kerne.patch
+++ /dev/null
@@ -1,163 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Sun, 10 Nov 2019 21:10:36 -0600
-Subject: [PATCH 13/19] powerpc: Load firmware trusted keys/hashes into kernel
- keyring
-
-The keys used to verify the Host OS kernel are managed by firmware as
-secure variables. This patch loads the verification keys into the
-.platform keyring and revocation hashes into .blacklist keyring. This
-enables verification and loading of the kernels signed by the boot
-time keys which are trusted by firmware.
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Eric Richter <erichte@linux.ibm.com>
-[mpe: Search by compatible in load_powerpc_certs(), not using format]
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1573441836-3632-5-git-send-email-nayna@linux.ibm.com
-(cherry picked from commit 8220e22d11a05049aab9693839ab82e5e177ccde)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- security/integrity/Kconfig                    |  9 ++
- security/integrity/Makefile                   |  4 +-
- .../integrity/platform_certs/load_powerpc.c   | 96 +++++++++++++++++++
- 3 files changed, 108 insertions(+), 1 deletion(-)
- create mode 100644 security/integrity/platform_certs/load_powerpc.c
-
-diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
-index 0bae6adb63a9..71f0177e8716 100644
---- a/security/integrity/Kconfig
-+++ b/security/integrity/Kconfig
-@@ -72,6 +72,15 @@ config LOAD_IPL_KEYS
-        depends on S390
-        def_bool y
- 
-+config LOAD_PPC_KEYS
-+	bool "Enable loading of platform and blacklisted keys for POWER"
-+	depends on INTEGRITY_PLATFORM_KEYRING
-+	depends on PPC_SECURE_BOOT
-+	default y
-+	help
-+	  Enable loading of keys to the .platform keyring and blacklisted
-+	  hashes to the .blacklist keyring for powerpc based platforms.
-+
- config INTEGRITY_AUDIT
- 	bool "Enables integrity auditing support "
- 	depends on AUDIT
-diff --git a/security/integrity/Makefile b/security/integrity/Makefile
-index 351c9662994b..7ee39d66cf16 100644
---- a/security/integrity/Makefile
-+++ b/security/integrity/Makefile
-@@ -14,6 +14,8 @@ integrity-$(CONFIG_LOAD_UEFI_KEYS) += platform_certs/efi_parser.o \
- 				      platform_certs/load_uefi.o \
- 				      platform_certs/keyring_handler.o
- integrity-$(CONFIG_LOAD_IPL_KEYS) += platform_certs/load_ipl_s390.o
--
-+integrity-$(CONFIG_LOAD_PPC_KEYS) += platform_certs/efi_parser.o \
-+                                     platform_certs/load_powerpc.o \
-+                                     platform_certs/keyring_handler.o
- obj-$(CONFIG_IMA)			+= ima/
- obj-$(CONFIG_EVM)			+= evm/
-diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c
-new file mode 100644
-index 000000000000..a2900cb85357
---- /dev/null
-+++ b/security/integrity/platform_certs/load_powerpc.c
-@@ -0,0 +1,96 @@
-+// SPDX-License-Identifier: GPL-2.0
-+/*
-+ * Copyright (C) 2019 IBM Corporation
-+ * Author: Nayna Jain
-+ *
-+ *      - loads keys and hashes stored and controlled by the firmware.
-+ */
-+#include <linux/kernel.h>
-+#include <linux/sched.h>
-+#include <linux/cred.h>
-+#include <linux/err.h>
-+#include <linux/slab.h>
-+#include <linux/of.h>
-+#include <asm/secure_boot.h>
-+#include <asm/secvar.h>
-+#include "keyring_handler.h"
-+
-+/*
-+ * Get a certificate list blob from the named secure variable.
-+ */
-+static __init void *get_cert_list(u8 *key, unsigned long keylen, uint64_t *size)
-+{
-+	int rc;
-+	void *db;
-+
-+	rc = secvar_ops->get(key, keylen, NULL, size);
-+	if (rc) {
-+		pr_err("Couldn't get size: %d\n", rc);
-+		return NULL;
-+	}
-+
-+	db = kmalloc(*size, GFP_KERNEL);
-+	if (!db)
-+		return NULL;
-+
-+	rc = secvar_ops->get(key, keylen, db, size);
-+	if (rc) {
-+		kfree(db);
-+		pr_err("Error reading %s var: %d\n", key, rc);
-+		return NULL;
-+	}
-+
-+	return db;
-+}
-+
-+/*
-+ * Load the certs contained in the keys databases into the platform trusted
-+ * keyring and the blacklisted X.509 cert SHA256 hashes into the blacklist
-+ * keyring.
-+ */
-+static int __init load_powerpc_certs(void)
-+{
-+	void *db = NULL, *dbx = NULL;
-+	uint64_t dbsize = 0, dbxsize = 0;
-+	int rc = 0;
-+	struct device_node *node;
-+
-+	if (!secvar_ops)
-+		return -ENODEV;
-+
-+	/* The following only applies for the edk2-compat backend. */
-+	node = of_find_compatible_node(NULL, NULL, "ibm,edk2-compat-v1");
-+	if (!node)
-+		return -ENODEV;
-+
-+	/*
-+	 * Get db, and dbx. They might not exist, so it isn't an error if we
-+	 * can't get them.
-+	 */
-+	db = get_cert_list("db", 3, &dbsize);
-+	if (!db) {
-+		pr_err("Couldn't get db list from firmware\n");
-+	} else {
-+		rc = parse_efi_signature_list("powerpc:db", db, dbsize,
-+					      get_handler_for_db);
-+		if (rc)
-+			pr_err("Couldn't parse db signatures: %d\n", rc);
-+		kfree(db);
-+	}
-+
-+	dbx = get_cert_list("dbx", 4,  &dbxsize);
-+	if (!dbx) {
-+		pr_info("Couldn't get dbx list from firmware\n");
-+	} else {
-+		rc = parse_efi_signature_list("powerpc:dbx", dbx, dbxsize,
-+					      get_handler_for_dbx);
-+		if (rc)
-+			pr_err("Couldn't parse dbx signatures: %d\n", rc);
-+		kfree(dbx);
-+	}
-+
-+	of_node_put(node);
-+
-+	return rc;
-+}
-+late_initcall(load_powerpc_certs);
diff --git a/openpower/linux/0014-powerpc-xmon-Allow-listing-and-clearing-breakpoints-.patch b/openpower/linux/0014-powerpc-xmon-Allow-listing-and-clearing-breakpoints-.patch
deleted file mode 100644
index 5559a8a..0000000
--- a/openpower/linux/0014-powerpc-xmon-Allow-listing-and-clearing-breakpoints-.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: "Christopher M. Riedl" <cmr@informatik.wtf>
-Date: Sat, 7 Sep 2019 01:11:23 -0500
-Subject: [PATCH 14/19] powerpc/xmon: Allow listing and clearing breakpoints in
- read-only mode
-
-Read-only mode should not prevent listing and clearing any active
-breakpoints.
-
-Tested-by: Daniel Axtens <dja@axtens.net>
-Reviewed-by: Daniel Axtens <dja@axtens.net>
-Signed-off-by: Christopher M. Riedl <cmr@informatik.wtf>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/20190907061124.1947-2-cmr@informatik.wtf
-(cherry picked from commit 96664dee5cf1815777286227b09884b4f019727f)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/xmon/xmon.c | 16 +++++++++++-----
- 1 file changed, 11 insertions(+), 5 deletions(-)
-
-diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c
-index 6d130c89fbd8..ab6371aedfcb 100644
---- a/arch/powerpc/xmon/xmon.c
-+++ b/arch/powerpc/xmon/xmon.c
-@@ -1096,10 +1096,6 @@ cmds(struct pt_regs *excp)
- 			set_lpp_cmd();
- 			break;
- 		case 'b':
--			if (xmon_is_ro) {
--				printf(xmon_ro_msg);
--				break;
--			}
- 			bpt_cmds();
- 			break;
- 		case 'C':
-@@ -1368,11 +1364,16 @@ bpt_cmds(void)
- 	struct bpt *bp;
- 
- 	cmd = inchar();
-+
- 	switch (cmd) {
- #ifndef CONFIG_PPC_8xx
- 	static const char badaddr[] = "Only kernel addresses are permitted for breakpoints\n";
- 	int mode;
- 	case 'd':	/* bd - hardware data breakpoint */
-+		if (xmon_is_ro) {
-+			printf(xmon_ro_msg);
-+			break;
-+		}
- 		if (!ppc_breakpoint_available()) {
- 			printf("Hardware data breakpoint not supported on this cpu\n");
- 			break;
-@@ -1400,6 +1401,10 @@ bpt_cmds(void)
- 		break;
- 
- 	case 'i':	/* bi - hardware instr breakpoint */
-+		if (xmon_is_ro) {
-+			printf(xmon_ro_msg);
-+			break;
-+		}
- 		if (!cpu_has_feature(CPU_FTR_ARCH_207S)) {
- 			printf("Hardware instruction breakpoint "
- 			       "not supported on this cpu\n");
-@@ -1458,7 +1463,8 @@ bpt_cmds(void)
- 			break;
- 		}
- 		termch = cmd;
--		if (!scanhex(&a)) {
-+
-+		if (xmon_is_ro || !scanhex(&a)) {
- 			/* print all breakpoints */
- 			printf("   type            address\n");
- 			if (dabr.enabled) {
diff --git a/openpower/linux/0015-powerpc-ima-Indicate-kernel-modules-appended-signatu.patch b/openpower/linux/0015-powerpc-ima-Indicate-kernel-modules-appended-signatu.patch
deleted file mode 100644
index 69f5314..0000000
--- a/openpower/linux/0015-powerpc-ima-Indicate-kernel-modules-appended-signatu.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Mimi Zohar <zohar@linux.ibm.com>
-Date: Wed, 30 Oct 2019 23:31:34 -0400
-Subject: [PATCH 15/19] powerpc/ima: Indicate kernel modules appended
- signatures are enforced
-
-The arch specific kernel module policy rule requires kernel modules to
-be signed, either as an IMA signature, stored as an xattr, or as an
-appended signature. As a result, kernel modules appended signatures
-could be enforced without "sig_enforce" being set or reflected in
-/sys/module/module/parameters/sig_enforce. This patch sets
-"sig_enforce".
-
-Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1572492694-6520-10-git-send-email-zohar@linux.ibm.com
-(cherry picked from commit d72ea4915c7e6fa5e7b9022a34df66e375bfe46c)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/kernel/ima_arch.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
-index b9de0fb45bb9..e34116255ced 100644
---- a/arch/powerpc/kernel/ima_arch.c
-+++ b/arch/powerpc/kernel/ima_arch.c
-@@ -62,13 +62,17 @@ static const char *const secure_and_trusted_rules[] = {
-  */
- const char *const *arch_get_ima_policy(void)
- {
--	if (is_ppc_secureboot_enabled())
-+	if (is_ppc_secureboot_enabled()) {
-+		if (IS_ENABLED(CONFIG_MODULE_SIG))
-+			set_module_sig_enforced();
-+
- 		if (is_ppc_trustedboot_enabled())
- 			return secure_and_trusted_rules;
- 		else
- 			return secure_rules;
--	else if (is_ppc_trustedboot_enabled())
-+	} else if (is_ppc_trustedboot_enabled()) {
- 		return trusted_rules;
-+	}
- 
- 	return NULL;
- }
diff --git a/openpower/linux/0016-powerpc-ima-Fix-secure-boot-rules-in-ima-arch-policy.patch b/openpower/linux/0016-powerpc-ima-Fix-secure-boot-rules-in-ima-arch-policy.patch
deleted file mode 100644
index 1ba2c2f..0000000
--- a/openpower/linux/0016-powerpc-ima-Fix-secure-boot-rules-in-ima-arch-policy.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Fri, 1 May 2020 10:16:52 -0400
-Subject: [PATCH 16/19] powerpc/ima: Fix secure boot rules in ima arch policy
-
-To prevent verifying the kernel module appended signature
-twice (finit_module), once by the module_sig_check() and again by IMA,
-powerpc secure boot rules define an IMA architecture specific policy
-rule only if CONFIG_MODULE_SIG_FORCE is not enabled. This,
-unfortunately, does not take into account the ability of enabling
-"sig_enforce" on the boot command line (module.sig_enforce=1).
-
-Including the IMA module appraise rule results in failing the
-finit_module syscall, unless the module signing public key is loaded
-onto the IMA keyring.
-
-This patch fixes secure boot policy rules to be based on
-CONFIG_MODULE_SIG instead.
-
-Fixes: 4238fad366a6 ("powerpc/ima: Add support to initialize ima policy rules")
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
-Link: https://lore.kernel.org/r/1588342612-14532-1-git-send-email-nayna@linux.ibm.com
-(cherry picked from commit fa4f3f56ccd28ac031ab275e673ed4098855fed4)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/kernel/ima_arch.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
-index e34116255ced..957abd592075 100644
---- a/arch/powerpc/kernel/ima_arch.c
-+++ b/arch/powerpc/kernel/ima_arch.c
-@@ -19,12 +19,12 @@ bool arch_ima_get_secureboot(void)
-  * to be stored as an xattr or as an appended signature.
-  *
-  * To avoid duplicate signature verification as much as possible, the IMA
-- * policy rule for module appraisal is added only if CONFIG_MODULE_SIG_FORCE
-+ * policy rule for module appraisal is added only if CONFIG_MODULE_SIG
-  * is not enabled.
-  */
- static const char *const secure_rules[] = {
- 	"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
--#ifndef CONFIG_MODULE_SIG_FORCE
-+#ifndef CONFIG_MODULE_SIG
- 	"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
- #endif
- 	NULL
-@@ -50,7 +50,7 @@ static const char *const secure_and_trusted_rules[] = {
- 	"measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
- 	"measure func=MODULE_CHECK template=ima-modsig",
- 	"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
--#ifndef CONFIG_MODULE_SIG_FORCE
-+#ifndef CONFIG_MODULE_SIG
- 	"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
- #endif
- 	NULL
diff --git a/openpower/linux/0017-powerpc-configs-Update-to-upstream-and-enable-secure.patch b/openpower/linux/0017-powerpc-configs-Update-to-upstream-and-enable-secure.patch
deleted file mode 100644
index 3fbe01a..0000000
--- a/openpower/linux/0017-powerpc-configs-Update-to-upstream-and-enable-secure.patch
+++ /dev/null
@@ -1,222 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Joel Stanley <joel@jms.id.au>
-Date: Tue, 23 Jun 2020 16:22:10 +0930
-Subject: [PATCH 17/19] powerpc/configs: Update to upstream and enable
- secureboot
-
-Pulls in the following updates from upstream:
-
- scsi: sr: remove references to BLK_DEV_SR_VENDOR, leave it enabled
- powerpc/configs/skiroot: Enable some more hardening options
- powerpc/configs/skiroot: Disable xmon default & enable reboot on panic
- powerpc/configs/skiroot: Enable security features
- powerpc/configs/skiroot: Update for symbol movement only
- powerpc/configs/skiroot: Drop default n CONFIG_CRYPTO_ECHAINIV
- powerpc/configs/skiroot: Drop HID_LOGITECH
- powerpc/configs: Drop NET_VENDOR_HP which moved to staging
- powerpc/configs: NET_CADENCE became NET_VENDOR_CADENCE
- powerpc/configs: Drop CONFIG_QLGE which moved to staging
- powerpc/configs: remove obsolete CONFIG_INET_XFRM_MODE_* and CONFIG_INET6_XFRM_MODE_*
- powerpc/configs: add FADump awareness to skiroot_defconfig
-
-In addition, it enables IMA and secureboot options.
-
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/configs/skiroot_defconfig | 83 ++++++++++++++++----------
- 1 file changed, 53 insertions(+), 30 deletions(-)
-
-diff --git a/arch/powerpc/configs/skiroot_defconfig b/arch/powerpc/configs/skiroot_defconfig
-index 2e25b264f70f..44309e12d84a 100644
---- a/arch/powerpc/configs/skiroot_defconfig
-+++ b/arch/powerpc/configs/skiroot_defconfig
-@@ -1,13 +1,9 @@
--CONFIG_PPC64=y
--CONFIG_ALTIVEC=y
--CONFIG_VSX=y
--CONFIG_NR_CPUS=2048
--CONFIG_CPU_LITTLE_ENDIAN=y
- CONFIG_KERNEL_XZ=y
- # CONFIG_SWAP is not set
- CONFIG_SYSVIPC=y
- CONFIG_POSIX_MQUEUE=y
- # CONFIG_CROSS_MEMORY_ATTACH is not set
-+CONFIG_AUDIT=y
- CONFIG_NO_HZ=y
- CONFIG_HIGH_RES_TIMERS=y
- # CONFIG_CPU_ISOLATION is not set
-@@ -28,17 +24,15 @@ CONFIG_EXPERT=y
- # CONFIG_AIO is not set
- CONFIG_PERF_EVENTS=y
- # CONFIG_COMPAT_BRK is not set
-+# CONFIG_SLAB_MERGE_DEFAULT is not set
-+CONFIG_SLAB_FREELIST_RANDOM=y
- CONFIG_SLAB_FREELIST_HARDENED=y
--CONFIG_JUMP_LABEL=y
--CONFIG_STRICT_KERNEL_RWX=y
--CONFIG_MODULES=y
--CONFIG_MODULE_UNLOAD=y
--CONFIG_MODULE_SIG=y
--CONFIG_MODULE_SIG_FORCE=y
--CONFIG_MODULE_SIG_SHA512=y
--CONFIG_PARTITION_ADVANCED=y
--# CONFIG_MQ_IOSCHED_DEADLINE is not set
--# CONFIG_MQ_IOSCHED_KYBER is not set
-+CONFIG_PPC64=y
-+CONFIG_ALTIVEC=y
-+CONFIG_VSX=y
-+CONFIG_NR_CPUS=2048
-+CONFIG_CPU_LITTLE_ENDIAN=y
-+CONFIG_PANIC_TIMEOUT=30
- # CONFIG_PPC_VAS is not set
- # CONFIG_PPC_PSERIES is not set
- # CONFIG_PPC_OF_BOOT_TRAMPOLINE is not set
-@@ -46,16 +40,27 @@ CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y
- CONFIG_CPU_IDLE=y
- CONFIG_HZ_100=y
- CONFIG_KEXEC=y
-+CONFIG_KEXEC_FILE=y
-+CONFIG_PRESERVE_FA_DUMP=y
- CONFIG_IRQ_ALL_CPUS=y
- CONFIG_NUMA=y
--# CONFIG_COMPACTION is not set
--# CONFIG_MIGRATION is not set
- CONFIG_PPC_64K_PAGES=y
- CONFIG_SCHED_SMT=y
- CONFIG_CMDLINE_BOOL=y
- CONFIG_CMDLINE="console=tty0 console=hvc0 ipr.fast_reboot=1 quiet"
- # CONFIG_SECCOMP is not set
- # CONFIG_PPC_MEM_KEYS is not set
-+CONFIG_PPC_SECURE_BOOT=y
-+CONFIG_JUMP_LABEL=y
-+CONFIG_MODULES=y
-+CONFIG_MODULE_UNLOAD=y
-+CONFIG_MODULE_SIG_FORCE=y
-+CONFIG_MODULE_SIG_SHA512=y
-+CONFIG_PARTITION_ADVANCED=y
-+# CONFIG_MQ_IOSCHED_DEADLINE is not set
-+# CONFIG_MQ_IOSCHED_KYBER is not set
-+# CONFIG_COMPACTION is not set
-+# CONFIG_MIGRATION is not set
- CONFIG_NET=y
- CONFIG_PACKET=y
- CONFIG_UNIX=y
-@@ -63,9 +68,6 @@ CONFIG_INET=y
- CONFIG_IP_MULTICAST=y
- CONFIG_NET_IPIP=y
- CONFIG_SYN_COOKIES=y
--# CONFIG_INET_XFRM_MODE_TRANSPORT is not set
--# CONFIG_INET_XFRM_MODE_TUNNEL is not set
--# CONFIG_INET_XFRM_MODE_BEET is not set
- CONFIG_DNS_RESOLVER=y
- # CONFIG_WIRELESS is not set
- CONFIG_DEVTMPFS=y
-@@ -139,7 +141,6 @@ CONFIG_TIGON3=m
- CONFIG_BNX2X=m
- # CONFIG_NET_VENDOR_BROCADE is not set
- # CONFIG_NET_VENDOR_CADENCE is not set
--# CONFIG_NET_CADENCE is not set
- # CONFIG_NET_VENDOR_CAVIUM is not set
- CONFIG_CHELSIO_T1=m
- # CONFIG_NET_VENDOR_CISCO is not set
-@@ -148,7 +149,6 @@ CONFIG_CHELSIO_T1=m
- # CONFIG_NET_VENDOR_DLINK is not set
- CONFIG_BE2NET=m
- # CONFIG_NET_VENDOR_EZCHIP is not set
--# CONFIG_NET_VENDOR_HP is not set
- # CONFIG_NET_VENDOR_HUAWEI is not set
- CONFIG_E1000=m
- CONFIG_E1000E=m
-@@ -156,7 +156,6 @@ CONFIG_IGB=m
- CONFIG_IXGB=m
- CONFIG_IXGBE=m
- CONFIG_I40E=m
--CONFIG_S2IO=m
- # CONFIG_NET_VENDOR_MARVELL is not set
- CONFIG_MLX4_EN=m
- # CONFIG_MLX4_CORE_GEN2 is not set
-@@ -167,12 +166,12 @@ CONFIG_MLX5_CORE_EN=y
- # CONFIG_NET_VENDOR_MICROSEMI is not set
- CONFIG_MYRI10GE=m
- # CONFIG_NET_VENDOR_NATSEMI is not set
-+CONFIG_S2IO=m
- # CONFIG_NET_VENDOR_NETRONOME is not set
- # CONFIG_NET_VENDOR_NI is not set
- # CONFIG_NET_VENDOR_NVIDIA is not set
- # CONFIG_NET_VENDOR_OKI is not set
- # CONFIG_NET_VENDOR_PACKET_ENGINES is not set
--CONFIG_QLGE=m
- CONFIG_NETXEN_NIC=m
- CONFIG_QED=m
- CONFIG_QEDE=m
-@@ -210,7 +209,6 @@ CONFIG_IPMI_DEVICE_INTERFACE=y
- CONFIG_IPMI_POWERNV=y
- CONFIG_IPMI_WATCHDOG=y
- CONFIG_HW_RANDOM=y
--CONFIG_TCG_TPM=y
- CONFIG_TCG_TIS_I2C_NUVOTON=y
- # CONFIG_DEVPORT is not set
- CONFIG_I2C=y
-@@ -239,7 +237,6 @@ CONFIG_HID_CYPRESS=y
- CONFIG_HID_EZKEY=y
- CONFIG_HID_ITE=y
- CONFIG_HID_KENSINGTON=y
--CONFIG_HID_LOGITECH=y
- CONFIG_HID_MICROSOFT=y
- CONFIG_HID_MONTEREY=y
- CONFIG_USB_HIDDEV=y
-@@ -276,6 +273,29 @@ CONFIG_NLS_CODEPAGE_437=y
- CONFIG_NLS_ASCII=y
- CONFIG_NLS_ISO8859_1=y
- CONFIG_NLS_UTF8=y
-+CONFIG_ENCRYPTED_KEYS=y
-+CONFIG_SECURITY=y
-+CONFIG_HARDENED_USERCOPY=y
-+# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
-+CONFIG_HARDENED_USERCOPY_PAGESPAN=y
-+CONFIG_FORTIFY_SOURCE=y
-+CONFIG_SECURITY_LOCKDOWN_LSM=y
-+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
-+CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
-+CONFIG_INTEGRITY_SIGNATURE=y
-+CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
-+CONFIG_INTEGRITY_PLATFORM_KEYRING=y
-+CONFIG_IMA=y
-+CONFIG_IMA_KEXEC=y
-+CONFIG_IMA_SIG_TEMPLATE=y
-+CONFIG_IMA_DEFAULT_HASH_SHA256=y
-+CONFIG_IMA_READ_POLICY=y
-+CONFIG_IMA_APPRAISE=y
-+CONFIG_IMA_ARCH_POLICY=y
-+CONFIG_IMA_APPRAISE_MODSIG=y
-+CONFIG_LSM="yama,loadpin,safesetid,integrity"
-+# CONFIG_CRYPTO_HW is not set
-+CONFIG_SYSTEM_BLACKLIST_KEYRING=y
- CONFIG_CRC16=y
- CONFIG_CRC_ITU_T=y
- CONFIG_LIBCRC32C=y
-@@ -286,17 +306,20 @@ CONFIG_LIBCRC32C=y
- # CONFIG_XZ_DEC_SPARC is not set
- CONFIG_PRINTK_TIME=y
- CONFIG_MAGIC_SYSRQ=y
-+CONFIG_SLUB_DEBUG_ON=y
- CONFIG_DEBUG_STACKOVERFLOW=y
- CONFIG_SOFTLOCKUP_DETECTOR=y
- CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y
- CONFIG_HARDLOCKUP_DETECTOR=y
- CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=y
- CONFIG_WQ_WATCHDOG=y
-+CONFIG_PANIC_ON_OOPS=y
- # CONFIG_SCHED_DEBUG is not set
-+CONFIG_SCHED_STACK_END_CHECK=y
-+CONFIG_DEBUG_SG=y
-+CONFIG_DEBUG_NOTIFIERS=y
-+CONFIG_DEBUG_CREDENTIALS=y
- # CONFIG_FTRACE is not set
- # CONFIG_RUNTIME_TESTING_MENU is not set
-+CONFIG_BUG_ON_DATA_CORRUPTION=y
- CONFIG_XMON=y
--CONFIG_XMON_DEFAULT=y
--CONFIG_ENCRYPTED_KEYS=y
--# CONFIG_CRYPTO_ECHAINIV is not set
--# CONFIG_CRYPTO_HW is not set
diff --git a/openpower/linux/0018-linux-configure-CONFIG_I2C_OPAL-as-in-built.patch b/openpower/linux/0018-linux-configure-CONFIG_I2C_OPAL-as-in-built.patch
deleted file mode 100644
index b679564..0000000
--- a/openpower/linux/0018-linux-configure-CONFIG_I2C_OPAL-as-in-built.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Joel Stanley <joel@jms.id.au>
-Date: Tue, 29 Sep 2020 16:07:53 +0930
-Subject: [PATCH 18/19] linux: configure CONFIG_I2C_OPAL as in-built.
-
-Currently, skiroot_defconfig CONFIG_I2C_OPAL is built as a loadable
-module rather than builtin, even if CONFIG_I2C=y is defined. This
-results in a delay in the TPM initialization, causing IMA to go into
-TPM bypass mode. As a result, the IMA measurements are added to the
-measurement list, but do not extend the TPM. Because of this, it is
-impossible to verify or attest to the system's integrity, either from
-skiroot or the target Host OS.
-
-Mimi Zohar <zohar@linux.ibm.com> explains more:
-
-  The concept of trusted boot requires the measurement to be added to the
-  measurement list and extend the TPM, prior to allowing access to the
-  file. By allowing access to a file before its measurement is included
-  in the measurement list and extended into the TPM PCR, a malicious file
-  could potentially prevent its own measurement from being added. As the
-  PCRs are tamper proof, measuring and extending the TPM prior to giving
-  access to the file, guarantees that all file measurements are included
-  in the measurement list, including the malicious file.
-
-  IMA needs to be enabled before any files are accessed in order to
-  verify a file's integrity and extend the TPM with the file
-  measurement.  Queueing file measurements breaks the measure and extend,
-  before usage, trusted boot paradigm.
-
-  The ima-evm-utils package includes a test for walking the IMA
-  measurement list, calculating the expected TPM PCRs, and comparing the
-  calculated PCR values with the physical TPM.  Testing is important to
-  ensure the TPM is initialized prior to IMA.  Failure to validate the
-  IMA measurement list may indicate IMA went into TPM bypass mode, like
-  in this case.
-
-Reported-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/configs/skiroot_defconfig | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/powerpc/configs/skiroot_defconfig b/arch/powerpc/configs/skiroot_defconfig
-index 44309e12d84a..a555adb23591 100644
---- a/arch/powerpc/configs/skiroot_defconfig
-+++ b/arch/powerpc/configs/skiroot_defconfig
-@@ -216,7 +216,7 @@ CONFIG_I2C=y
- CONFIG_I2C_CHARDEV=y
- # CONFIG_I2C_HELPER_AUTO is not set
- CONFIG_I2C_ALGOBIT=y
--CONFIG_I2C_OPAL=m
-+CONFIG_I2C_OPAL=y
- CONFIG_PPS=y
- CONFIG_SENSORS_IBMPOWERNV=m
- CONFIG_DRM=m
diff --git a/openpower/linux/0019-Release-OpenPower-kernel.patch b/openpower/linux/0019-Release-OpenPower-kernel.patch
deleted file mode 100644
index 46af0ec..0000000
--- a/openpower/linux/0019-Release-OpenPower-kernel.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Joel Stanley <joel@jms.id.au>
-Date: Tue, 29 Sep 2020 15:39:53 +0930
-Subject: [PATCH 19/19] Release OpenPower kernel
-
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Makefile b/Makefile
-index acb2499d9b05..6f2e1028c57b 100644
---- a/Makefile
-+++ b/Makefile
-@@ -2,7 +2,7 @@
- VERSION = 5
- PATCHLEVEL = 4
- SUBLEVEL = 68
--EXTRAVERSION =
-+EXTRAVERSION = -openpower1
- NAME = Kleptomaniac Octopus
- 
- # *DOCUMENTATION*
diff --git a/openpower/package/hcode-p10/Config.in b/openpower/package/hcode-p10/Config.in
index 037eedb..04c595c 100644
--- a/openpower/package/hcode-p10/Config.in
+++ b/openpower/package/hcode-p10/Config.in
@@ -31,7 +31,7 @@
 
 config BR2_HCODE_P10_VERSION
 	string
-	default "hw111221a.opmst10" if BR2_HCODE_P10_LATEST_VERSION
+	default "hw111521a.opmst10" if BR2_HCODE_P10_LATEST_VERSION
 	default BR2_HCODE_P10_CUSTOM_VERSION_VALUE \
 		if BR2_HCODE_P10_CUSTOM_VERSION
 
diff --git a/openpower/package/hostboot-binaries/Config.in b/openpower/package/hostboot-binaries/Config.in
index ff34070..05b7b15 100644
--- a/openpower/package/hostboot-binaries/Config.in
+++ b/openpower/package/hostboot-binaries/Config.in
@@ -24,7 +24,7 @@
 
 config BR2_HOSTBOOT_BINARIES_VERSION
 	string
-	default "hw111221a.opmst10" if BR2_HOSTBOOT_BINARIES_LATEST_VERSION
+	default "hw111521a.opmst10" if BR2_HOSTBOOT_BINARIES_LATEST_VERSION
 	default BR2_HOSTBOOT_BINARIES_CUSTOM_VERSION_VALUE \
 		if BR2_HOSTBOOT_BINARIES_CUSTOM_VERSION
 
diff --git a/openpower/package/hostboot-p10/Config.in b/openpower/package/hostboot-p10/Config.in
index 3883747..71a0e8a 100644
--- a/openpower/package/hostboot-p10/Config.in
+++ b/openpower/package/hostboot-p10/Config.in
@@ -25,7 +25,7 @@
 
 config BR2_HOSTBOOT_P10_VERSION
 	string
-	default "ee55aa8960424dc5156f34621a306b3ea01fd7bf" if BR2_HOSTBOOT_P10_LATEST_VERSION
+	default "5a7acf7f5166daf0920b355d8eea4d92114c208a" if BR2_HOSTBOOT_P10_LATEST_VERSION
 	default BR2_HOSTBOOT_P10_CUSTOM_VERSION_VALUE \
 		if BR2_HOSTBOOT_P10_CUSTOM_VERSION
 
