diff --git a/openpower/configs/blackbird_defconfig b/openpower/configs/blackbird_defconfig
index 5e723f2..9ef57b3 100644
--- a/openpower/configs/blackbird_defconfig
+++ b/openpower/configs/blackbird_defconfig
@@ -18,7 +18,7 @@
 BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
 BR2_LINUX_KERNEL=y
 BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.107"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.132"
 BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
 BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
 BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/mihawk_defconfig b/openpower/configs/mihawk_defconfig
index d112532..b980240 100644
--- a/openpower/configs/mihawk_defconfig
+++ b/openpower/configs/mihawk_defconfig
@@ -18,7 +18,7 @@
 BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
 BR2_LINUX_KERNEL=y
 BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.107"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.132"
 BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
 BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
 BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/mowgli_defconfig b/openpower/configs/mowgli_defconfig
index 3d42239..985dfdc 100644
--- a/openpower/configs/mowgli_defconfig
+++ b/openpower/configs/mowgli_defconfig
@@ -17,7 +17,7 @@
 BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
 BR2_LINUX_KERNEL=y
 BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.107"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.132"
 BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
 BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
 BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/nicole_defconfig b/openpower/configs/nicole_defconfig
index 90aa06d..be23db5 100644
--- a/openpower/configs/nicole_defconfig
+++ b/openpower/configs/nicole_defconfig
@@ -16,7 +16,7 @@
 BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
 BR2_LINUX_KERNEL=y
 BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.107"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.132"
 BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
 BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
 BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/opal_defconfig b/openpower/configs/opal_defconfig
index 88f427b..54e39f1 100644
--- a/openpower/configs/opal_defconfig
+++ b/openpower/configs/opal_defconfig
@@ -13,7 +13,7 @@
 BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
 BR2_LINUX_KERNEL=y
 BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.107"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.132"
 BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
 BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
 BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/p9dsu_defconfig b/openpower/configs/p9dsu_defconfig
index 84b77ae..8f2ebc0 100644
--- a/openpower/configs/p9dsu_defconfig
+++ b/openpower/configs/p9dsu_defconfig
@@ -17,7 +17,7 @@
 BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
 BR2_LINUX_KERNEL=y
 BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.107"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.132"
 BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
 BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
 BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/romulus_defconfig b/openpower/configs/romulus_defconfig
index 02d94e0..cc22d1d 100644
--- a/openpower/configs/romulus_defconfig
+++ b/openpower/configs/romulus_defconfig
@@ -17,7 +17,7 @@
 BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
 BR2_LINUX_KERNEL=y
 BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.107"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.132"
 BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
 BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
 BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/swift_defconfig b/openpower/configs/swift_defconfig
index 7249f4c..4b2ef74 100644
--- a/openpower/configs/swift_defconfig
+++ b/openpower/configs/swift_defconfig
@@ -17,7 +17,7 @@
 BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
 BR2_LINUX_KERNEL=y
 BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.107"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.132"
 BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
 BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
 BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/witherspoon_defconfig b/openpower/configs/witherspoon_defconfig
index cbf6ad9..baa0eaf 100644
--- a/openpower/configs/witherspoon_defconfig
+++ b/openpower/configs/witherspoon_defconfig
@@ -17,7 +17,7 @@
 BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
 BR2_LINUX_KERNEL=y
 BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.107"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.132"
 BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
 BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
 BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/zaius_defconfig b/openpower/configs/zaius_defconfig
index dba9819..2fe5151 100644
--- a/openpower/configs/zaius_defconfig
+++ b/openpower/configs/zaius_defconfig
@@ -17,7 +17,7 @@
 BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
 BR2_LINUX_KERNEL=y
 BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.107"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.132"
 BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
 BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
 BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/zz_defconfig b/openpower/configs/zz_defconfig
index a72b1ab..cb8a125 100644
--- a/openpower/configs/zz_defconfig
+++ b/openpower/configs/zz_defconfig
@@ -15,7 +15,7 @@
 BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
 BR2_LINUX_KERNEL=y
 BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.107"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.132"
 BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
 BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
 BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/linux/0001-xhci-Reset-controller-on-xhci-shutdown.patch b/openpower/linux/0001-xhci-Reset-controller-on-xhci-shutdown.patch
index 02dee24..617d9ba 100644
--- a/openpower/linux/0001-xhci-Reset-controller-on-xhci-shutdown.patch
+++ b/openpower/linux/0001-xhci-Reset-controller-on-xhci-shutdown.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Brian King <brking@linux.vnet.ibm.com>
 Date: Wed, 25 Oct 2017 10:42:59 +1100
-Subject: [PATCH 01/19] xhci: Reset controller on xhci shutdown
+Subject: [PATCH 01/17] xhci: Reset controller on xhci shutdown
 
 Fixes kexec boot. Without a hard reset, some USB chips will fail to
 initialize in a kexec booted kernel.
@@ -14,10 +14,10 @@
  1 file changed, 3 insertions(+)
 
 diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
-index b5080bc1689e..f9ed0f784a1b 100644
+index a3813c75a3de..92d0334f8b73 100644
 --- a/drivers/usb/host/xhci.c
 +++ b/drivers/usb/host/xhci.c
-@@ -789,6 +789,9 @@ void xhci_shutdown(struct usb_hcd *hcd)
+@@ -793,6 +793,9 @@ void xhci_shutdown(struct usb_hcd *hcd)
  	xhci_dbg_trace(xhci, trace_xhci_dbg_init,
  			"xhci_shutdown completed - status = %x",
  			readl(&xhci->op_regs->status));
diff --git a/openpower/linux/0002-powerpc-Detect-the-secure-boot-mode-of-the-system.patch b/openpower/linux/0002-powerpc-Detect-the-secure-boot-mode-of-the-system.patch
index b275c9c..86c59c0 100644
--- a/openpower/linux/0002-powerpc-Detect-the-secure-boot-mode-of-the-system.patch
+++ b/openpower/linux/0002-powerpc-Detect-the-secure-boot-mode-of-the-system.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Nayna Jain <nayna@linux.ibm.com>
 Date: Tue, 5 Nov 2019 17:00:22 -0600
-Subject: [PATCH 02/19] powerpc: Detect the secure boot mode of the system
+Subject: [PATCH 02/17] powerpc: Detect the secure boot mode of the system
 
 This patch defines a function to detect the secure boot state of a
 PowerNV system.
@@ -26,7 +26,7 @@
  create mode 100644 arch/powerpc/kernel/secure_boot.c
 
 diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
-index c4cbb65e742f..1a2db06962c7 100644
+index 757175ccf53c..f57f563f4e45 100644
 --- a/arch/powerpc/Kconfig
 +++ b/arch/powerpc/Kconfig
 @@ -936,6 +936,16 @@ config PPC_MEM_KEYS
diff --git a/openpower/linux/0003-powerpc-ima-Add-support-to-initialize-ima-policy-rul.patch b/openpower/linux/0003-powerpc-ima-Add-support-to-initialize-ima-policy-rul.patch
index d9657c7..1064b6e 100644
--- a/openpower/linux/0003-powerpc-ima-Add-support-to-initialize-ima-policy-rul.patch
+++ b/openpower/linux/0003-powerpc-ima-Add-support-to-initialize-ima-policy-rul.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Nayna Jain <nayna@linux.ibm.com>
 Date: Wed, 30 Oct 2019 23:31:27 -0400
-Subject: [PATCH 03/19] powerpc/ima: Add support to initialize ima policy rules
+Subject: [PATCH 03/17] powerpc/ima: Add support to initialize ima policy rules
 
 PowerNV systems use a Linux-based bootloader, which rely on the IMA
 subsystem to enforce different secure boot modes. Since the
@@ -29,7 +29,7 @@
  create mode 100644 arch/powerpc/kernel/ima_arch.c
 
 diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
-index 1a2db06962c7..9a5b15ab93b6 100644
+index f57f563f4e45..95d3069fc115 100644
 --- a/arch/powerpc/Kconfig
 +++ b/arch/powerpc/Kconfig
 @@ -940,6 +940,7 @@ config PPC_SECURE_BOOT
diff --git a/openpower/linux/0004-powerpc-Detect-the-trusted-boot-state-of-the-system.patch b/openpower/linux/0004-powerpc-Detect-the-trusted-boot-state-of-the-system.patch
index e2c2c78..c6de7a9 100644
--- a/openpower/linux/0004-powerpc-Detect-the-trusted-boot-state-of-the-system.patch
+++ b/openpower/linux/0004-powerpc-Detect-the-trusted-boot-state-of-the-system.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Nayna Jain <nayna@linux.ibm.com>
 Date: Tue, 5 Nov 2019 17:02:07 -0600
-Subject: [PATCH 04/19] powerpc: Detect the trusted boot state of the system
+Subject: [PATCH 04/17] powerpc: Detect the trusted boot state of the system
 
 While secure boot permits only properly verified signed kernels to be
 booted, trusted boot calculates the file hash of the kernel image and
diff --git a/openpower/linux/0005-powerpc-ima-Define-trusted-boot-policy.patch b/openpower/linux/0005-powerpc-ima-Define-trusted-boot-policy.patch
index fcd871c..c63c7ff 100644
--- a/openpower/linux/0005-powerpc-ima-Define-trusted-boot-policy.patch
+++ b/openpower/linux/0005-powerpc-ima-Define-trusted-boot-policy.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Nayna Jain <nayna@linux.ibm.com>
 Date: Wed, 30 Oct 2019 23:31:29 -0400
-Subject: [PATCH 05/19] powerpc/ima: Define trusted boot policy
+Subject: [PATCH 05/17] powerpc/ima: Define trusted boot policy
 
 This patch defines an arch-specific trusted boot only policy and a
 combined secure and trusted boot policy.
diff --git a/openpower/linux/0006-ima-Make-process_buffer_measurement-generic.patch b/openpower/linux/0006-ima-Make-process_buffer_measurement-generic.patch
index 81296b7..43fcbbb 100644
--- a/openpower/linux/0006-ima-Make-process_buffer_measurement-generic.patch
+++ b/openpower/linux/0006-ima-Make-process_buffer_measurement-generic.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Nayna Jain <nayna@linux.ibm.com>
 Date: Wed, 30 Oct 2019 23:31:30 -0400
-Subject: [PATCH 06/19] ima: Make process_buffer_measurement() generic
+Subject: [PATCH 06/17] ima: Make process_buffer_measurement() generic
 
 process_buffer_measurement() is limited to measuring the kexec boot
 command line. This patch makes process_buffer_measurement() more
diff --git a/openpower/linux/0007-certs-Add-wrapper-function-to-check-blacklisted-bina.patch b/openpower/linux/0007-certs-Add-wrapper-function-to-check-blacklisted-bina.patch
deleted file mode 100644
index 971a544..0000000
--- a/openpower/linux/0007-certs-Add-wrapper-function-to-check-blacklisted-bina.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Wed, 30 Oct 2019 23:31:31 -0400
-Subject: [PATCH 07/19] certs: Add wrapper function to check blacklisted binary
- hash
-
-The -EKEYREJECTED error returned by existing is_hash_blacklisted() is
-misleading when called for checking against blacklisted hash of a
-binary.
-
-This patch adds a wrapper function is_binary_blacklisted() to return
--EPERM error if binary is blacklisted.
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1572492694-6520-7-git-send-email-zohar@linux.ibm.com
-(cherry picked from commit 2434f7d2d488c3301ae81f1031e1c66c6f076fb7)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- certs/blacklist.c             | 9 +++++++++
- include/keys/system_keyring.h | 6 ++++++
- 2 files changed, 15 insertions(+)
-
-diff --git a/certs/blacklist.c b/certs/blacklist.c
-index 025a41de28fd..f1c434b04b5e 100644
---- a/certs/blacklist.c
-+++ b/certs/blacklist.c
-@@ -135,6 +135,15 @@ int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type)
- }
- EXPORT_SYMBOL_GPL(is_hash_blacklisted);
- 
-+int is_binary_blacklisted(const u8 *hash, size_t hash_len)
-+{
-+	if (is_hash_blacklisted(hash, hash_len, "bin") == -EKEYREJECTED)
-+		return -EPERM;
-+
-+	return 0;
-+}
-+EXPORT_SYMBOL_GPL(is_binary_blacklisted);
-+
- /*
-  * Initialise the blacklist
-  */
-diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
-index c1a96fdf598b..fb8b07daa9d1 100644
---- a/include/keys/system_keyring.h
-+++ b/include/keys/system_keyring.h
-@@ -35,12 +35,18 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
- extern int mark_hash_blacklisted(const char *hash);
- extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
- 			       const char *type);
-+extern int is_binary_blacklisted(const u8 *hash, size_t hash_len);
- #else
- static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
- 				      const char *type)
- {
- 	return 0;
- }
-+
-+static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
-+{
-+	return 0;
-+}
- #endif
- 
- #ifdef CONFIG_IMA_BLACKLIST_KEYRING
diff --git a/openpower/linux/0008-ima-Check-against-blacklisted-hashes-for-files-with-.patch b/openpower/linux/0007-ima-Check-against-blacklisted-hashes-for-files-with-.patch
similarity index 99%
rename from openpower/linux/0008-ima-Check-against-blacklisted-hashes-for-files-with-.patch
rename to openpower/linux/0007-ima-Check-against-blacklisted-hashes-for-files-with-.patch
index 2665bd4..7a5f24c 100644
--- a/openpower/linux/0008-ima-Check-against-blacklisted-hashes-for-files-with-.patch
+++ b/openpower/linux/0007-ima-Check-against-blacklisted-hashes-for-files-with-.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Nayna Jain <nayna@linux.ibm.com>
 Date: Wed, 30 Oct 2019 23:31:32 -0400
-Subject: [PATCH 08/19] ima: Check against blacklisted hashes for files with
+Subject: [PATCH 07/17] ima: Check against blacklisted hashes for files with
  modsig
 
 Asymmetric private keys are used to sign multiple files. The kernel
diff --git a/openpower/linux/0009-powerpc-ima-Update-ima-arch-policy-to-check-for-blac.patch b/openpower/linux/0008-powerpc-ima-Update-ima-arch-policy-to-check-for-blac.patch
similarity index 96%
rename from openpower/linux/0009-powerpc-ima-Update-ima-arch-policy-to-check-for-blac.patch
rename to openpower/linux/0008-powerpc-ima-Update-ima-arch-policy-to-check-for-blac.patch
index 921a675..3610e6e 100644
--- a/openpower/linux/0009-powerpc-ima-Update-ima-arch-policy-to-check-for-blac.patch
+++ b/openpower/linux/0008-powerpc-ima-Update-ima-arch-policy-to-check-for-blac.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Nayna Jain <nayna@linux.ibm.com>
 Date: Wed, 30 Oct 2019 23:31:33 -0400
-Subject: [PATCH 09/19] powerpc/ima: Update ima arch policy to check for
+Subject: [PATCH 08/17] powerpc/ima: Update ima arch policy to check for
  blacklist
 
 This patch updates the arch-specific policies for PowerNV system to
diff --git a/openpower/linux/0010-powerpc-powernv-Add-OPAL-API-interface-to-access-sec.patch b/openpower/linux/0009-powerpc-powernv-Add-OPAL-API-interface-to-access-sec.patch
similarity index 99%
rename from openpower/linux/0010-powerpc-powernv-Add-OPAL-API-interface-to-access-sec.patch
rename to openpower/linux/0009-powerpc-powernv-Add-OPAL-API-interface-to-access-sec.patch
index ec1815b..014d09f 100644
--- a/openpower/linux/0010-powerpc-powernv-Add-OPAL-API-interface-to-access-sec.patch
+++ b/openpower/linux/0009-powerpc-powernv-Add-OPAL-API-interface-to-access-sec.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Nayna Jain <nayna@linux.ibm.com>
 Date: Sun, 10 Nov 2019 21:10:33 -0600
-Subject: [PATCH 10/19] powerpc/powernv: Add OPAL API interface to access
+Subject: [PATCH 09/17] powerpc/powernv: Add OPAL API interface to access
  secure variable
 
 The X.509 certificates trusted by the platform and required to secure
diff --git a/openpower/linux/0011-powerpc-expose-secure-variables-to-userspace-via-sys.patch b/openpower/linux/0010-powerpc-expose-secure-variables-to-userspace-via-sys.patch
similarity index 98%
rename from openpower/linux/0011-powerpc-expose-secure-variables-to-userspace-via-sys.patch
rename to openpower/linux/0010-powerpc-expose-secure-variables-to-userspace-via-sys.patch
index cbca21f..ea98464 100644
--- a/openpower/linux/0011-powerpc-expose-secure-variables-to-userspace-via-sys.patch
+++ b/openpower/linux/0010-powerpc-expose-secure-variables-to-userspace-via-sys.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Nayna Jain <nayna@linux.ibm.com>
 Date: Sun, 10 Nov 2019 21:10:34 -0600
-Subject: [PATCH 11/19] powerpc: expose secure variables to userspace via sysfs
+Subject: [PATCH 10/17] powerpc: expose secure variables to userspace via sysfs
 
 PowerNV secure variables, which store the keys used for OS kernel
 verification, are managed by the firmware. These secure variables need to
@@ -80,7 +80,7 @@
 +		variable. The size of the file represents the maximum size of
 +		the variable data that can be written.
 diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
-index 9a5b15ab93b6..159a25017c7f 100644
+index 95d3069fc115..20212908dd67 100644
 --- a/arch/powerpc/Kconfig
 +++ b/arch/powerpc/Kconfig
 @@ -947,6 +947,17 @@ config PPC_SECURE_BOOT
diff --git a/openpower/linux/0013-powerpc-Load-firmware-trusted-keys-hashes-into-kerne.patch b/openpower/linux/0011-powerpc-Load-firmware-trusted-keys-hashes-into-kerne.patch
similarity index 98%
rename from openpower/linux/0013-powerpc-Load-firmware-trusted-keys-hashes-into-kerne.patch
rename to openpower/linux/0011-powerpc-Load-firmware-trusted-keys-hashes-into-kerne.patch
index 83a0346..dcde22e 100644
--- a/openpower/linux/0013-powerpc-Load-firmware-trusted-keys-hashes-into-kerne.patch
+++ b/openpower/linux/0011-powerpc-Load-firmware-trusted-keys-hashes-into-kerne.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Nayna Jain <nayna@linux.ibm.com>
 Date: Sun, 10 Nov 2019 21:10:36 -0600
-Subject: [PATCH 13/19] powerpc: Load firmware trusted keys/hashes into kernel
+Subject: [PATCH 11/17] powerpc: Load firmware trusted keys/hashes into kernel
  keyring
 
 The keys used to verify the Host OS kernel are managed by firmware as
diff --git a/openpower/linux/0014-powerpc-xmon-Allow-listing-and-clearing-breakpoints-.patch b/openpower/linux/0012-powerpc-xmon-Allow-listing-and-clearing-breakpoints-.patch
similarity index 97%
rename from openpower/linux/0014-powerpc-xmon-Allow-listing-and-clearing-breakpoints-.patch
rename to openpower/linux/0012-powerpc-xmon-Allow-listing-and-clearing-breakpoints-.patch
index 5559a8a..744447a 100644
--- a/openpower/linux/0014-powerpc-xmon-Allow-listing-and-clearing-breakpoints-.patch
+++ b/openpower/linux/0012-powerpc-xmon-Allow-listing-and-clearing-breakpoints-.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: "Christopher M. Riedl" <cmr@informatik.wtf>
 Date: Sat, 7 Sep 2019 01:11:23 -0500
-Subject: [PATCH 14/19] powerpc/xmon: Allow listing and clearing breakpoints in
+Subject: [PATCH 12/17] powerpc/xmon: Allow listing and clearing breakpoints in
  read-only mode
 
 Read-only mode should not prevent listing and clearing any active
diff --git a/openpower/linux/0012-x86-efi-move-common-keyring-handler-functions-to-new.patch b/openpower/linux/0012-x86-efi-move-common-keyring-handler-functions-to-new.patch
deleted file mode 100644
index e0b01c9..0000000
--- a/openpower/linux/0012-x86-efi-move-common-keyring-handler-functions-to-new.patch
+++ /dev/null
@@ -1,251 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Sun, 10 Nov 2019 21:10:35 -0600
-Subject: [PATCH 12/19] x86/efi: move common keyring handler functions to new
- file
-
-The handlers to add the keys to the .platform keyring and blacklisted
-hashes to the .blacklist keyring is common for both the uefi and powerpc
-mechanisms of loading the keys/hashes from the firmware.
-
-This patch moves the common code from load_uefi.c to keyring_handler.c
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Acked-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Eric Richter <erichte@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1573441836-3632-4-git-send-email-nayna@linux.ibm.com
-(cherry picked from commit ad723674d6758478829ee766e3f1a2a24d56236f)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- security/integrity/Makefile                   |  3 +-
- .../platform_certs/keyring_handler.c          | 80 +++++++++++++++++++
- .../platform_certs/keyring_handler.h          | 32 ++++++++
- security/integrity/platform_certs/load_uefi.c | 67 +---------------
- 4 files changed, 115 insertions(+), 67 deletions(-)
- create mode 100644 security/integrity/platform_certs/keyring_handler.c
- create mode 100644 security/integrity/platform_certs/keyring_handler.h
-
-diff --git a/security/integrity/Makefile b/security/integrity/Makefile
-index 35e6ca773734..351c9662994b 100644
---- a/security/integrity/Makefile
-+++ b/security/integrity/Makefile
-@@ -11,7 +11,8 @@ integrity-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o
- integrity-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o
- integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o
- integrity-$(CONFIG_LOAD_UEFI_KEYS) += platform_certs/efi_parser.o \
--					platform_certs/load_uefi.o
-+				      platform_certs/load_uefi.o \
-+				      platform_certs/keyring_handler.o
- integrity-$(CONFIG_LOAD_IPL_KEYS) += platform_certs/load_ipl_s390.o
- 
- obj-$(CONFIG_IMA)			+= ima/
-diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c
-new file mode 100644
-index 000000000000..c5ba695c10e3
---- /dev/null
-+++ b/security/integrity/platform_certs/keyring_handler.c
-@@ -0,0 +1,80 @@
-+// SPDX-License-Identifier: GPL-2.0
-+
-+#include <linux/kernel.h>
-+#include <linux/sched.h>
-+#include <linux/cred.h>
-+#include <linux/err.h>
-+#include <linux/efi.h>
-+#include <linux/slab.h>
-+#include <keys/asymmetric-type.h>
-+#include <keys/system_keyring.h>
-+#include "../integrity.h"
-+
-+static efi_guid_t efi_cert_x509_guid __initdata = EFI_CERT_X509_GUID;
-+static efi_guid_t efi_cert_x509_sha256_guid __initdata =
-+	EFI_CERT_X509_SHA256_GUID;
-+static efi_guid_t efi_cert_sha256_guid __initdata = EFI_CERT_SHA256_GUID;
-+
-+/*
-+ * Blacklist a hash.
-+ */
-+static __init void uefi_blacklist_hash(const char *source, const void *data,
-+				       size_t len, const char *type,
-+				       size_t type_len)
-+{
-+	char *hash, *p;
-+
-+	hash = kmalloc(type_len + len * 2 + 1, GFP_KERNEL);
-+	if (!hash)
-+		return;
-+	p = memcpy(hash, type, type_len);
-+	p += type_len;
-+	bin2hex(p, data, len);
-+	p += len * 2;
-+	*p = 0;
-+
-+	mark_hash_blacklisted(hash);
-+	kfree(hash);
-+}
-+
-+/*
-+ * Blacklist an X509 TBS hash.
-+ */
-+static __init void uefi_blacklist_x509_tbs(const char *source,
-+					   const void *data, size_t len)
-+{
-+	uefi_blacklist_hash(source, data, len, "tbs:", 4);
-+}
-+
-+/*
-+ * Blacklist the hash of an executable.
-+ */
-+static __init void uefi_blacklist_binary(const char *source,
-+					 const void *data, size_t len)
-+{
-+	uefi_blacklist_hash(source, data, len, "bin:", 4);
-+}
-+
-+/*
-+ * Return the appropriate handler for particular signature list types found in
-+ * the UEFI db and MokListRT tables.
-+ */
-+__init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
-+{
-+	if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
-+		return add_to_platform_keyring;
-+	return 0;
-+}
-+
-+/*
-+ * Return the appropriate handler for particular signature list types found in
-+ * the UEFI dbx and MokListXRT tables.
-+ */
-+__init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type)
-+{
-+	if (efi_guidcmp(*sig_type, efi_cert_x509_sha256_guid) == 0)
-+		return uefi_blacklist_x509_tbs;
-+	if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0)
-+		return uefi_blacklist_binary;
-+	return 0;
-+}
-diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h
-new file mode 100644
-index 000000000000..2462bfa08fe3
---- /dev/null
-+++ b/security/integrity/platform_certs/keyring_handler.h
-@@ -0,0 +1,32 @@
-+/* SPDX-License-Identifier: GPL-2.0 */
-+
-+#ifndef PLATFORM_CERTS_INTERNAL_H
-+#define PLATFORM_CERTS_INTERNAL_H
-+
-+#include <linux/efi.h>
-+
-+void blacklist_hash(const char *source, const void *data,
-+		    size_t len, const char *type,
-+		    size_t type_len);
-+
-+/*
-+ * Blacklist an X509 TBS hash.
-+ */
-+void blacklist_x509_tbs(const char *source, const void *data, size_t len);
-+
-+/*
-+ * Blacklist the hash of an executable.
-+ */
-+void blacklist_binary(const char *source, const void *data, size_t len);
-+
-+/*
-+ * Return the handler for particular signature list types found in the db.
-+ */
-+efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type);
-+
-+/*
-+ * Return the handler for particular signature list types found in the dbx.
-+ */
-+efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type);
-+
-+#endif
-diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
-index 020fc7a11ef0..aa874d84e413 100644
---- a/security/integrity/platform_certs/load_uefi.c
-+++ b/security/integrity/platform_certs/load_uefi.c
-@@ -9,6 +9,7 @@
- #include <keys/asymmetric-type.h>
- #include <keys/system_keyring.h>
- #include "../integrity.h"
-+#include "keyring_handler.h"
- 
- static efi_guid_t efi_cert_x509_guid __initdata = EFI_CERT_X509_GUID;
- static efi_guid_t efi_cert_x509_sha256_guid __initdata =
-@@ -69,72 +70,6 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
- 	return db;
- }
- 
--/*
-- * Blacklist a hash.
-- */
--static __init void uefi_blacklist_hash(const char *source, const void *data,
--				       size_t len, const char *type,
--				       size_t type_len)
--{
--	char *hash, *p;
--
--	hash = kmalloc(type_len + len * 2 + 1, GFP_KERNEL);
--	if (!hash)
--		return;
--	p = memcpy(hash, type, type_len);
--	p += type_len;
--	bin2hex(p, data, len);
--	p += len * 2;
--	*p = 0;
--
--	mark_hash_blacklisted(hash);
--	kfree(hash);
--}
--
--/*
-- * Blacklist an X509 TBS hash.
-- */
--static __init void uefi_blacklist_x509_tbs(const char *source,
--					   const void *data, size_t len)
--{
--	uefi_blacklist_hash(source, data, len, "tbs:", 4);
--}
--
--/*
-- * Blacklist the hash of an executable.
-- */
--static __init void uefi_blacklist_binary(const char *source,
--					 const void *data, size_t len)
--{
--	uefi_blacklist_hash(source, data, len, "bin:", 4);
--}
--
--/*
-- * Return the appropriate handler for particular signature list types found in
-- * the UEFI db and MokListRT tables.
-- */
--static __init efi_element_handler_t get_handler_for_db(const efi_guid_t *
--						       sig_type)
--{
--	if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
--		return add_to_platform_keyring;
--	return 0;
--}
--
--/*
-- * Return the appropriate handler for particular signature list types found in
-- * the UEFI dbx and MokListXRT tables.
-- */
--static __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *
--							sig_type)
--{
--	if (efi_guidcmp(*sig_type, efi_cert_x509_sha256_guid) == 0)
--		return uefi_blacklist_x509_tbs;
--	if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0)
--		return uefi_blacklist_binary;
--	return 0;
--}
--
- /*
-  * Load the certs contained in the UEFI databases into the platform trusted
-  * keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist
diff --git a/openpower/linux/0015-powerpc-ima-Indicate-kernel-modules-appended-signatu.patch b/openpower/linux/0013-powerpc-ima-Indicate-kernel-modules-appended-signatu.patch
similarity index 96%
rename from openpower/linux/0015-powerpc-ima-Indicate-kernel-modules-appended-signatu.patch
rename to openpower/linux/0013-powerpc-ima-Indicate-kernel-modules-appended-signatu.patch
index 69f5314..14dde39 100644
--- a/openpower/linux/0015-powerpc-ima-Indicate-kernel-modules-appended-signatu.patch
+++ b/openpower/linux/0013-powerpc-ima-Indicate-kernel-modules-appended-signatu.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Mimi Zohar <zohar@linux.ibm.com>
 Date: Wed, 30 Oct 2019 23:31:34 -0400
-Subject: [PATCH 15/19] powerpc/ima: Indicate kernel modules appended
+Subject: [PATCH 13/17] powerpc/ima: Indicate kernel modules appended
  signatures are enforced
 
 The arch specific kernel module policy rule requires kernel modules to
diff --git a/openpower/linux/0016-powerpc-ima-Fix-secure-boot-rules-in-ima-arch-policy.patch b/openpower/linux/0014-powerpc-ima-Fix-secure-boot-rules-in-ima-arch-policy.patch
similarity index 97%
rename from openpower/linux/0016-powerpc-ima-Fix-secure-boot-rules-in-ima-arch-policy.patch
rename to openpower/linux/0014-powerpc-ima-Fix-secure-boot-rules-in-ima-arch-policy.patch
index 1ba2c2f..fc8ccc6 100644
--- a/openpower/linux/0016-powerpc-ima-Fix-secure-boot-rules-in-ima-arch-policy.patch
+++ b/openpower/linux/0014-powerpc-ima-Fix-secure-boot-rules-in-ima-arch-policy.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Nayna Jain <nayna@linux.ibm.com>
 Date: Fri, 1 May 2020 10:16:52 -0400
-Subject: [PATCH 16/19] powerpc/ima: Fix secure boot rules in ima arch policy
+Subject: [PATCH 14/17] powerpc/ima: Fix secure boot rules in ima arch policy
 
 To prevent verifying the kernel module appended signature
 twice (finit_module), once by the module_sig_check() and again by IMA,
diff --git a/openpower/linux/0017-powerpc-configs-Update-to-upstream-and-enable-secure.patch b/openpower/linux/0015-powerpc-configs-Update-to-upstream-and-enable-secure.patch
similarity index 99%
rename from openpower/linux/0017-powerpc-configs-Update-to-upstream-and-enable-secure.patch
rename to openpower/linux/0015-powerpc-configs-Update-to-upstream-and-enable-secure.patch
index 3fbe01a..c6d622f 100644
--- a/openpower/linux/0017-powerpc-configs-Update-to-upstream-and-enable-secure.patch
+++ b/openpower/linux/0015-powerpc-configs-Update-to-upstream-and-enable-secure.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Joel Stanley <joel@jms.id.au>
 Date: Tue, 23 Jun 2020 16:22:10 +0930
-Subject: [PATCH 17/19] powerpc/configs: Update to upstream and enable
+Subject: [PATCH 15/17] powerpc/configs: Update to upstream and enable
  secureboot
 
 Pulls in the following updates from upstream:
diff --git a/openpower/linux/0018-linux-configure-CONFIG_I2C_OPAL-as-in-built.patch b/openpower/linux/0016-linux-configure-CONFIG_I2C_OPAL-as-in-built.patch
similarity index 97%
rename from openpower/linux/0018-linux-configure-CONFIG_I2C_OPAL-as-in-built.patch
rename to openpower/linux/0016-linux-configure-CONFIG_I2C_OPAL-as-in-built.patch
index b679564..cea9ebb 100644
--- a/openpower/linux/0018-linux-configure-CONFIG_I2C_OPAL-as-in-built.patch
+++ b/openpower/linux/0016-linux-configure-CONFIG_I2C_OPAL-as-in-built.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Joel Stanley <joel@jms.id.au>
 Date: Tue, 29 Sep 2020 16:07:53 +0930
-Subject: [PATCH 18/19] linux: configure CONFIG_I2C_OPAL as in-built.
+Subject: [PATCH 16/17] linux: configure CONFIG_I2C_OPAL as in-built.
 
 Currently, skiroot_defconfig CONFIG_I2C_OPAL is built as a loadable
 module rather than builtin, even if CONFIG_I2C=y is defined. This
diff --git a/openpower/linux/0019-Release-OpenPower-kernel.patch b/openpower/linux/0017-Release-OpenPower-kernel.patch
similarity index 75%
rename from openpower/linux/0019-Release-OpenPower-kernel.patch
rename to openpower/linux/0017-Release-OpenPower-kernel.patch
index 7a522a2..adee575 100644
--- a/openpower/linux/0019-Release-OpenPower-kernel.patch
+++ b/openpower/linux/0017-Release-OpenPower-kernel.patch
@@ -1,7 +1,7 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Joel Stanley <joel@jms.id.au>
-Date: Wed, 24 Mar 2021 14:48:20 +1030
-Subject: [PATCH 19/19] Release OpenPower kernel
+Date: Thu, 15 Jul 2021 17:21:55 +0930
+Subject: [PATCH 17/17] Release OpenPower kernel
 
 Signed-off-by: Joel Stanley <joel@jms.id.au>
 ---
@@ -9,13 +9,13 @@
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/Makefile b/Makefile
-index 43159b21a83f..00326dcb8d4d 100644
+index 58ea876fa183..acd516ba62d8 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -2,7 +2,7 @@
  VERSION = 5
  PATCHLEVEL = 4
- SUBLEVEL = 107
+ SUBLEVEL = 132
 -EXTRAVERSION =
 +EXTRAVERSION = -openpower1
  NAME = Kleptomaniac Octopus