commit 2070d28e2bf9c82b45d916e20410703c1630637b
author Joel Stanley <joel@jms.id.au> Thu Jul 15 17:27:03 2021 +0930
committer Joel Stanley <joel@jms.id.au> Thu Jul 15 17:27:03 2021 +0930
tree 57b32130a3de6bd886c0b04cf9cfb356597844ea
parent 9fa1b0a66d6ecf37765a7da35be08f822039d4aa

kernel: Move to Linux v5.4.132-openpower1

PowerPC related fixes since 5.4.107:

 powerpc: Offline CPU in stop_this_cpu()
 powerpc/stacktrace: Fix spurious "stale" traces in raise_backtrace_ipi()
 powerpc/64s: Fix crashes when toggling entry flush barrier
 powerpc/64s: Fix crashes when toggling stf barrier
 powerpc/iommu: Annotate nested lock for lockdep
 powerpc/smp: Set numa node before updating mask
 powerpc/xive: Fix xmon command "dxi"
 powerpc/perf: Fix PMU constraint check for EBB events
 powerpc/64s: Fix pte update for kernel memory on radix
 powerpc: Fix HAVE_HARDLOCKUP_DETECTOR_ARCH build configuration
 powerpc/prom: Mark identical_pvr_fixup as __init
 powerpc/fadump: Mark fadump_calculate_reserve_size as __init
 powerpc: fix EDEADLOCK redefinition error in uapi/asm/errno.h
 powerpc/eeh: Fix EEH handling for hugepages in ioremap space.
 powerpc: Force inlining of cpu_has_feature() to avoid build failure

Additionally, two of the patches that were carried have been merged into
the upstream stable tree:

 x86/efi: move common keyring handler functions to new file
 certs: Add EFI_CERT_X509_GUID support for dbx entries

Signed-off-by: Joel Stanley <joel@jms.id.au>

openpower/linux/0011-powerpc-Load-firmware-trusted-keys-hashes-into-kerne.patch

diff --git a/openpower/linux/0011-powerpc-Load-firmware-trusted-keys-hashes-into-kerne.patch b/openpower/linux/0011-powerpc-Load-firmware-trusted-keys-hashes-into-kerne.patch
new file mode 100644
index 0000000..dcde22e
--- /dev/null
+++ b/openpower/linux/0011-powerpc-Load-firmware-trusted-keys-hashes-into-kerne.patch
@@ -0,0 +1,163 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nayna Jain <nayna@linux.ibm.com>
+Date: Sun, 10 Nov 2019 21:10:36 -0600
+Subject: [PATCH 11/17] powerpc: Load firmware trusted keys/hashes into kernel
+ keyring
+
+The keys used to verify the Host OS kernel are managed by firmware as
+secure variables. This patch loads the verification keys into the
+.platform keyring and revocation hashes into .blacklist keyring. This
+enables verification and loading of the kernels signed by the boot
+time keys which are trusted by firmware.
+
+Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
+Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Eric Richter <erichte@linux.ibm.com>
+[mpe: Search by compatible in load_powerpc_certs(), not using format]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1573441836-3632-5-git-send-email-nayna@linux.ibm.com
+(cherry picked from commit 8220e22d11a05049aab9693839ab82e5e177ccde)
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+---
+ security/integrity/Kconfig                    |  9 ++
+ security/integrity/Makefile                   |  4 +-
+ .../integrity/platform_certs/load_powerpc.c   | 96 +++++++++++++++++++
+ 3 files changed, 108 insertions(+), 1 deletion(-)
+ create mode 100644 security/integrity/platform_certs/load_powerpc.c
+
+diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
+index 0bae6adb63a9..71f0177e8716 100644
+--- a/security/integrity/Kconfig
++++ b/security/integrity/Kconfig
+@@ -72,6 +72,15 @@ config LOAD_IPL_KEYS
+        depends on S390
+        def_bool y
+ 
++config LOAD_PPC_KEYS
++	bool "Enable loading of platform and blacklisted keys for POWER"
++	depends on INTEGRITY_PLATFORM_KEYRING
++	depends on PPC_SECURE_BOOT
++	default y
++	help
++	  Enable loading of keys to the .platform keyring and blacklisted
++	  hashes to the .blacklist keyring for powerpc based platforms.
++
+ config INTEGRITY_AUDIT
+ 	bool "Enables integrity auditing support "
+ 	depends on AUDIT
+diff --git a/security/integrity/Makefile b/security/integrity/Makefile
+index 351c9662994b..7ee39d66cf16 100644
+--- a/security/integrity/Makefile
++++ b/security/integrity/Makefile
+@@ -14,6 +14,8 @@ integrity-$(CONFIG_LOAD_UEFI_KEYS) += platform_certs/efi_parser.o \
+ 				      platform_certs/load_uefi.o \
+ 				      platform_certs/keyring_handler.o
+ integrity-$(CONFIG_LOAD_IPL_KEYS) += platform_certs/load_ipl_s390.o
+-
++integrity-$(CONFIG_LOAD_PPC_KEYS) += platform_certs/efi_parser.o \
++                                     platform_certs/load_powerpc.o \
++                                     platform_certs/keyring_handler.o
+ obj-$(CONFIG_IMA)			+= ima/
+ obj-$(CONFIG_EVM)			+= evm/
+diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c
+new file mode 100644
+index 000000000000..a2900cb85357
+--- /dev/null
++++ b/security/integrity/platform_certs/load_powerpc.c
+@@ -0,0 +1,96 @@
++// SPDX-License-Identifier: GPL-2.0
++/*
++ * Copyright (C) 2019 IBM Corporation
++ * Author: Nayna Jain
++ *
++ *      - loads keys and hashes stored and controlled by the firmware.
++ */
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/cred.h>
++#include <linux/err.h>
++#include <linux/slab.h>
++#include <linux/of.h>
++#include <asm/secure_boot.h>
++#include <asm/secvar.h>
++#include "keyring_handler.h"
++
++/*
++ * Get a certificate list blob from the named secure variable.
++ */
++static __init void *get_cert_list(u8 *key, unsigned long keylen, uint64_t *size)
++{
++	int rc;
++	void *db;
++
++	rc = secvar_ops->get(key, keylen, NULL, size);
++	if (rc) {
++		pr_err("Couldn't get size: %d\n", rc);
++		return NULL;
++	}
++
++	db = kmalloc(*size, GFP_KERNEL);
++	if (!db)
++		return NULL;
++
++	rc = secvar_ops->get(key, keylen, db, size);
++	if (rc) {
++		kfree(db);
++		pr_err("Error reading %s var: %d\n", key, rc);
++		return NULL;
++	}
++
++	return db;
++}
++
++/*
++ * Load the certs contained in the keys databases into the platform trusted
++ * keyring and the blacklisted X.509 cert SHA256 hashes into the blacklist
++ * keyring.
++ */
++static int __init load_powerpc_certs(void)
++{
++	void *db = NULL, *dbx = NULL;
++	uint64_t dbsize = 0, dbxsize = 0;
++	int rc = 0;
++	struct device_node *node;
++
++	if (!secvar_ops)
++		return -ENODEV;
++
++	/* The following only applies for the edk2-compat backend. */
++	node = of_find_compatible_node(NULL, NULL, "ibm,edk2-compat-v1");
++	if (!node)
++		return -ENODEV;
++
++	/*
++	 * Get db, and dbx. They might not exist, so it isn't an error if we
++	 * can't get them.
++	 */
++	db = get_cert_list("db", 3, &dbsize);
++	if (!db) {
++		pr_err("Couldn't get db list from firmware\n");
++	} else {
++		rc = parse_efi_signature_list("powerpc:db", db, dbsize,
++					      get_handler_for_db);
++		if (rc)
++			pr_err("Couldn't parse db signatures: %d\n", rc);
++		kfree(db);
++	}
++
++	dbx = get_cert_list("dbx", 4,  &dbxsize);
++	if (!dbx) {
++		pr_info("Couldn't get dbx list from firmware\n");
++	} else {
++		rc = parse_efi_signature_list("powerpc:dbx", dbx, dbxsize,
++					      get_handler_for_dbx);
++		if (rc)
++			pr_err("Couldn't parse dbx signatures: %d\n", rc);
++		kfree(dbx);
++	}
++
++	of_node_put(node);
++
++	return rc;
++}
++late_initcall(load_powerpc_certs);