p10/kernel: Move to v5.10.50-openpower1
- Updated denali and rainier configs
- Manually rebased to v5.10.50 kernel
- Removed openpower/linux-p10 directory
- Updated skiroot_defconfig based on upstream master
Signed-off-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
diff --git a/openpower/configs/denali_defconfig b/openpower/configs/denali_defconfig
index ed3f2dd..7009fd7 100644
--- a/openpower/configs/denali_defconfig
+++ b/openpower/configs/denali_defconfig
@@ -1,5 +1,6 @@
BR2_powerpc64le=y
BR2_powerpc_power8=y
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_5_10=y
BR2_BINUTILS_EXTRA_CONFIG_OPTIONS="--enable-targets=powerpc64-linux"
BR2_EXTRA_GCC_CONFIG_OPTIONS="--enable-targets=powerpc64-linux --disable-libsanitizer"
BR2_TARGET_GENERIC_HOSTNAME="skiroot"
@@ -13,10 +14,9 @@
BR2_ROOTFS_OVERLAY="../openpower/overlay"
BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
BR2_LINUX_KERNEL=y
-BR2_LINUX_KERNEL_CUSTOM_GIT=y
-BR2_LINUX_KERNEL_CUSTOM_REPO_URL="git@github.ibm.com:p10/linux.git"
-BR2_LINUX_KERNEL_CUSTOM_REPO_VERSION="e4f7620c0a1e46e93ab9130f30bfa28b32322ca1"
-BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux-p10"
+BR2_LINUX_KERNEL_CUSTOM_VERSION=y
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.10.50"
+BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
BR2_LINUX_KERNEL_ZIMAGE_EPAPR=y
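Review bot: Replacing the git pin (`BR2_LINUX_KERNEL_CUSTOM_REPO_VERSION="e4f7620c…"`) with `BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.10.50"` gives up the content-addressed source reference: the commit SHA fixed the exact tree, whereas a tarball selected by version is only verified against a hash Buildroot already carries, and for a custom version it normally has none, so the download is accepted with a warning. I cannot see from this commit whether op-build supplies its own hash for the 5.10.50 tarball; if it does not, adding a per-package `.hash` entry under the external's `BR2_GLOBAL_PATCH_DIR`, or setting `BR2_DOWNLOAD_FORCE_CHECK_HASHES=y` so a missing hash fails the build instead of warning, would keep the kernel source verifiable across this upgrade. The same replacement appears in the p10ebmc_defconfig hunk of this commit.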
diff --git a/openpower/configs/linux/skiroot_defconfig b/openpower/configs/linux/skiroot_defconfig
index 41688c7..a555adb 100644
--- a/openpower/configs/linux/skiroot_defconfig
+++ b/openpower/configs/linux/skiroot_defconfig
@@ -47,7 +47,7 @@
CONFIG_PPC_64K_PAGES=y
CONFIG_SCHED_SMT=y
CONFIG_CMDLINE_BOOL=y
-CONFIG_CMDLINE="console=tty0 console=hvc0 debug ignore_loglevel bootmem_debug sched_debug"
+CONFIG_CMDLINE="console=tty0 console=hvc0 ipr.fast_reboot=1 quiet"
# CONFIG_SECCOMP is not set
# CONFIG_PPC_MEM_KEYS is not set
CONFIG_PPC_SECURE_BOOT=y
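Review bot: The new `CONFIG_CMDLINE` drops `debug ignore_loglevel bootmem_debug sched_debug` and adds `quiet`, so the skiroot console on hvc0 will no longer show kernel messages below the default loglevel during boot, and `ipr.fast_reboot=1` is new; neither is called out in the commit message, which only says the defconfig was updated from upstream master. Removing the debug options from a shipped firmware kernel is reasonable, but a sentence in the description naming the command-line change (and whether it is a straight copy of the upstream skiroot_defconfig) would let the behaviour change be reviewed on its own rather than found by diffing.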
@@ -89,6 +89,9 @@
CONFIG_SCSI_CONSTANTS=y
CONFIG_SCSI_SCAN_ASYNC=y
CONFIG_SCSI_FC_ATTRS=y
+CONFIG_SCSI_CXGB3_ISCSI=m
+CONFIG_SCSI_CXGB4_ISCSI=m
+CONFIG_SCSI_BNX2_ISCSI=m
CONFIG_SCSI_AACRAID=m
CONFIG_MEGARAID_NEWGEN=y
CONFIG_MEGARAID_MM=m
@@ -99,6 +102,7 @@
# CONFIG_SCSI_IPR_TRACE is not set
# CONFIG_SCSI_IPR_DUMP is not set
CONFIG_SCSI_QLA_FC=m
+CONFIG_SCSI_QLA_ISCSI=m
CONFIG_SCSI_LPFC=m
CONFIG_SCSI_VIRTIO=m
CONFIG_SCSI_DH=y
@@ -121,11 +125,12 @@
CONFIG_DM_MIRROR=m
CONFIG_DM_ZERO=m
CONFIG_DM_MULTIPATH=m
-CONFIG_NETDEVICES=y
# CONFIG_NET_VENDOR_3COM is not set
# CONFIG_NET_VENDOR_ADAPTEC is not set
# CONFIG_NET_VENDOR_AGERE is not set
# CONFIG_NET_VENDOR_ALACRITECH is not set
+CONFIG_ACENIC=m
+CONFIG_ACENIC_OMIT_TIGON_I=y
# CONFIG_NET_VENDOR_AMAZON is not set
# CONFIG_NET_VENDOR_AMD is not set
# CONFIG_NET_VENDOR_AQUANTIA is not set
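Review bot: `CONFIG_NETDEVICES=y` is removed here without a replacement, and the later hunk likewise removes `CONFIG_CHELSIO_T3=m` and `CONFIG_CHELSIO_T4=m`; that is only correct if these symbols are now pulled in by `select` from the new `CONFIG_SCSI_CXGB3_ISCSI=m` / `CONFIG_SCSI_CXGB4_ISCSI=m` entries, which I believe is the case (the cxgbi drivers select NETDEVICES and the matching CHELSIO_T* driver) and which would explain why `savedefconfig` dropped the explicit lines. Please confirm by regenerating the defconfig from the 5.10.50 tree (`make savedefconfig` against the expanded `.config`) that NETDEVICES and the Chelsio NIC drivers are still enabled, since a silent loss of NETDEVICES would take every network driver in this file with it.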
@@ -138,8 +143,6 @@
# CONFIG_NET_VENDOR_CADENCE is not set
# CONFIG_NET_VENDOR_CAVIUM is not set
CONFIG_CHELSIO_T1=m
-CONFIG_CHELSIO_T3=m
-CONFIG_CHELSIO_T4=m
# CONFIG_NET_VENDOR_CISCO is not set
# CONFIG_NET_VENDOR_CORTINA is not set
# CONFIG_NET_VENDOR_DEC is not set
@@ -161,7 +164,9 @@
# CONFIG_MLX5_EN_RXNFC is not set
# CONFIG_NET_VENDOR_MICREL is not set
# CONFIG_NET_VENDOR_MICROSEMI is not set
+CONFIG_MYRI10GE=m
# CONFIG_NET_VENDOR_NATSEMI is not set
+CONFIG_S2IO=m
# CONFIG_NET_VENDOR_NETRONOME is not set
# CONFIG_NET_VENDOR_NI is not set
# CONFIG_NET_VENDOR_NVIDIA is not set
@@ -177,6 +182,7 @@
# CONFIG_NET_VENDOR_ROCKER is not set
# CONFIG_NET_VENDOR_SAMSUNG is not set
# CONFIG_NET_VENDOR_SEEQ is not set
+CONFIG_SFC=m
# CONFIG_NET_VENDOR_SILAN is not set
# CONFIG_NET_VENDOR_SIS is not set
# CONFIG_NET_VENDOR_SMSC is not set
@@ -210,6 +216,7 @@
CONFIG_I2C_CHARDEV=y
# CONFIG_I2C_HELPER_AUTO is not set
CONFIG_I2C_ALGOBIT=y
+CONFIG_I2C_OPAL=y
CONFIG_PPS=y
CONFIG_SENSORS_IBMPOWERNV=m
CONFIG_DRM=m
diff --git a/openpower/configs/p10ebmc_defconfig b/openpower/configs/p10ebmc_defconfig
index 2fc53e9..ba352f2 100644
--- a/openpower/configs/p10ebmc_defconfig
+++ b/openpower/configs/p10ebmc_defconfig
@@ -1,5 +1,6 @@
BR2_powerpc64le=y
BR2_powerpc_power8=y
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_5_10=y
BR2_BINUTILS_EXTRA_CONFIG_OPTIONS="--enable-targets=powerpc64-linux"
BR2_GCC_VERSION_8_X=y
BR2_EXTRA_GCC_CONFIG_OPTIONS="--enable-targets=powerpc64-linux --disable-libsanitizer"
@@ -15,10 +16,9 @@
BR2_ROOTFS_OVERLAY="../openpower/overlay"
BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
BR2_LINUX_KERNEL=y
-BR2_LINUX_KERNEL_CUSTOM_GIT=y
-BR2_LINUX_KERNEL_CUSTOM_REPO_URL="git@github.ibm.com:p10/linux.git"
-BR2_LINUX_KERNEL_CUSTOM_REPO_VERSION="e4f7620c0a1e46e93ab9130f30bfa28b32322ca1"
-BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux-p10"
+BR2_LINUX_KERNEL_CUSTOM_VERSION=y
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.10.50"
+BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
BR2_LINUX_KERNEL_ZIMAGE_EPAPR=y
diff --git a/openpower/linux-p10/0001-xhci-Reset-controller-on-xhci-shutdown.patch b/openpower/linux-p10/0001-xhci-Reset-controller-on-xhci-shutdown.patch
deleted file mode 100644
index 952b977..0000000
--- a/openpower/linux-p10/0001-xhci-Reset-controller-on-xhci-shutdown.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From eb9ba66045e92706878d619e0b8c94669cc993f9 Mon Sep 17 00:00:00 2001
-From: Brian King <brking@linux.vnet.ibm.com>
-Date: Wed, 25 Oct 2017 10:42:59 +1100
-Subject: [PATCH 1/2] xhci: Reset controller on xhci shutdown
-
-Fixes kexec boot. Without a hard reset, some USB chips will fail to
-initialize in a kexec booted kernel.
-
-Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
-Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- drivers/usb/host/xhci.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
-index ed468ee..e881cde 100644
---- a/drivers/usb/host/xhci.c
-+++ b/drivers/usb/host/xhci.c
-@@ -789,6 +789,9 @@ void xhci_shutdown(struct usb_hcd *hcd)
- xhci_dbg_trace(xhci, trace_xhci_dbg_init,
- "xhci_shutdown completed - status = %x",
- readl(&xhci->op_regs->status));
-+
-+ /* TI XHCI controllers do not come back after kexec without this hack */
-+ pci_reset_function_locked(to_pci_dev(hcd->self.sysdev));
- }
- EXPORT_SYMBOL_GPL(xhci_shutdown);
-
---
-1.9.4
-
diff --git a/openpower/linux-p10/0002-Openpower-kernel-release-5.8-rc1-openpower1.patch b/openpower/linux-p10/0002-Openpower-kernel-release-5.8-rc1-openpower1.patch
deleted file mode 100644
index b6b622b..0000000
--- a/openpower/linux-p10/0002-Openpower-kernel-release-5.8-rc1-openpower1.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 5c5b9e604cb11e580bf1d8e269bc8ceb8f1cc008 Mon Sep 17 00:00:00 2001
-From: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
-Date: Thu, 17 Sep 2020 14:38:00 -0500
-Subject: [PATCH 2/2] Openpower kernel release 5.8-rc1-openpower1
-
-Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
----
- Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Makefile b/Makefile
-index 24a4c1b..f25f3d7 100644
---- a/Makefile
-+++ b/Makefile
-@@ -2,7 +2,7 @@
- VERSION = 5
- PATCHLEVEL = 8
- SUBLEVEL = 0
--EXTRAVERSION =
-+EXTRAVERSION = -openpower1
- NAME = Kleptomaniac Octopus
-
- # *DOCUMENTATION*
---
-1.9.4
-
diff --git a/openpower/linux/0001-xhci-Reset-controller-on-xhci-shutdown.patch b/openpower/linux/0001-xhci-Reset-controller-on-xhci-shutdown.patch
index bb1f1b4..9380398 100644
--- a/openpower/linux/0001-xhci-Reset-controller-on-xhci-shutdown.patch
+++ b/openpower/linux/0001-xhci-Reset-controller-on-xhci-shutdown.patch
@@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian King <brking@linux.vnet.ibm.com>
Date: Wed, 25 Oct 2017 10:42:59 +1100
-Subject: [PATCH 01/19] xhci: Reset controller on xhci shutdown
+Subject: [PATCH 1/2] xhci: Reset controller on xhci shutdown
Fixes kexec boot. Without a hard reset, some USB chips will fail to
initialize in a kexec booted kernel.
@@ -14,10 +14,10 @@
1 file changed, 3 insertions(+)
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
-index bad154f446f8..19a9bde309a6 100644
+index a8d97e23f601..308ab396bd88 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
-@@ -789,6 +789,9 @@ void xhci_shutdown(struct usb_hcd *hcd)
+@@ -793,6 +793,9 @@ void xhci_shutdown(struct usb_hcd *hcd)
xhci_dbg_trace(xhci, trace_xhci_dbg_init,
"xhci_shutdown completed - status = %x",
readl(&xhci->op_regs->status));
diff --git a/openpower/linux/0002-powerpc-Detect-the-secure-boot-mode-of-the-system.patch b/openpower/linux/0002-powerpc-Detect-the-secure-boot-mode-of-the-system.patch
deleted file mode 100644
index 2d6f5a5..0000000
--- a/openpower/linux/0002-powerpc-Detect-the-secure-boot-mode-of-the-system.patch
+++ /dev/null
@@ -1,131 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Tue, 5 Nov 2019 17:00:22 -0600
-Subject: [PATCH 02/19] powerpc: Detect the secure boot mode of the system
-
-This patch defines a function to detect the secure boot state of a
-PowerNV system.
-
-The PPC_SECURE_BOOT config represents the base enablement of secure
-boot for powerpc.
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Signed-off-by: Eric Richter <erichte@linux.ibm.com>
-[mpe: Fold in change from Nayna to add "ibm,secureboot" to ids]
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/46b003b9-3225-6bf7-9101-ed6580bb748c@linux.ibm.com
-(cherry picked from commit 1a8916ee3ac29054322cdac687d36e1b5894d272)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/Kconfig | 10 ++++++++
- arch/powerpc/include/asm/secure_boot.h | 23 +++++++++++++++++
- arch/powerpc/kernel/Makefile | 2 ++
- arch/powerpc/kernel/secure_boot.c | 35 ++++++++++++++++++++++++++
- 4 files changed, 70 insertions(+)
- create mode 100644 arch/powerpc/include/asm/secure_boot.h
- create mode 100644 arch/powerpc/kernel/secure_boot.c
-
-diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
-index ad620637cbd1..d654bdc9e4dc 100644
---- a/arch/powerpc/Kconfig
-+++ b/arch/powerpc/Kconfig
-@@ -935,6 +935,16 @@ config PPC_MEM_KEYS
-
- If unsure, say y.
-
-+config PPC_SECURE_BOOT
-+ prompt "Enable secure boot support"
-+ bool
-+ depends on PPC_POWERNV
-+ help
-+ Systems with firmware secure boot enabled need to define security
-+ policies to extend secure boot to the OS. This config allows a user
-+ to enable OS secure boot on systems that have firmware support for
-+ it. If in doubt say N.
-+
- endmenu
-
- config ISA_DMA_API
-diff --git a/arch/powerpc/include/asm/secure_boot.h b/arch/powerpc/include/asm/secure_boot.h
-new file mode 100644
-index 000000000000..07d0fe0ca81f
---- /dev/null
-+++ b/arch/powerpc/include/asm/secure_boot.h
-@@ -0,0 +1,23 @@
-+/* SPDX-License-Identifier: GPL-2.0 */
-+/*
-+ * Secure boot definitions
-+ *
-+ * Copyright (C) 2019 IBM Corporation
-+ * Author: Nayna Jain
-+ */
-+#ifndef _ASM_POWER_SECURE_BOOT_H
-+#define _ASM_POWER_SECURE_BOOT_H
-+
-+#ifdef CONFIG_PPC_SECURE_BOOT
-+
-+bool is_ppc_secureboot_enabled(void);
-+
-+#else
-+
-+static inline bool is_ppc_secureboot_enabled(void)
-+{
-+ return false;
-+}
-+
-+#endif
-+#endif
-diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
-index dc0780f930d5..40170ee52178 100644
---- a/arch/powerpc/kernel/Makefile
-+++ b/arch/powerpc/kernel/Makefile
-@@ -158,6 +158,8 @@ ifneq ($(CONFIG_PPC_POWERNV)$(CONFIG_PPC_SVM),)
- obj-y += ucall.o
- endif
-
-+obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o
-+
- # Disable GCOV, KCOV & sanitizers in odd or sensitive code
- GCOV_PROFILE_prom_init.o := n
- KCOV_INSTRUMENT_prom_init.o := n
-diff --git a/arch/powerpc/kernel/secure_boot.c b/arch/powerpc/kernel/secure_boot.c
-new file mode 100644
-index 000000000000..583c2c4edaf0
---- /dev/null
-+++ b/arch/powerpc/kernel/secure_boot.c
-@@ -0,0 +1,35 @@
-+// SPDX-License-Identifier: GPL-2.0
-+/*
-+ * Copyright (C) 2019 IBM Corporation
-+ * Author: Nayna Jain
-+ */
-+#include <linux/types.h>
-+#include <linux/of.h>
-+#include <asm/secure_boot.h>
-+
-+static struct device_node *get_ppc_fw_sb_node(void)
-+{
-+ static const struct of_device_id ids[] = {
-+ { .compatible = "ibm,secureboot", },
-+ { .compatible = "ibm,secureboot-v1", },
-+ { .compatible = "ibm,secureboot-v2", },
-+ {},
-+ };
-+
-+ return of_find_matching_node(NULL, ids);
-+}
-+
-+bool is_ppc_secureboot_enabled(void)
-+{
-+ struct device_node *node;
-+ bool enabled = false;
-+
-+ node = get_ppc_fw_sb_node();
-+ enabled = of_property_read_bool(node, "os-secureboot-enforcing");
-+
-+ of_node_put(node);
-+
-+ pr_info("Secure boot mode %s\n", enabled ? "enabled" : "disabled");
-+
-+ return enabled;
-+}
diff --git a/openpower/linux/0003-powerpc-ima-Add-support-to-initialize-ima-policy-rul.patch b/openpower/linux/0003-powerpc-ima-Add-support-to-initialize-ima-policy-rul.patch
deleted file mode 100644
index eef8e16..0000000
--- a/openpower/linux/0003-powerpc-ima-Add-support-to-initialize-ima-policy-rul.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Wed, 30 Oct 2019 23:31:27 -0400
-Subject: [PATCH 03/19] powerpc/ima: Add support to initialize ima policy rules
-
-PowerNV systems use a Linux-based bootloader, which rely on the IMA
-subsystem to enforce different secure boot modes. Since the
-verification policy may differ based on the secure boot mode of the
-system, the policies must be defined at runtime.
-
-This patch implements arch-specific support to define IMA policy rules
-based on the runtime secure boot mode of the system.
-
-This patch provides arch-specific IMA policies if PPC_SECURE_BOOT
-config is enabled.
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1572492694-6520-3-git-send-email-zohar@linux.ibm.com
-(cherry picked from commit 4238fad366a660cbc6499ca1ea4be42bd4d1ac5b)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/Kconfig | 1 +
- arch/powerpc/kernel/Makefile | 2 +-
- arch/powerpc/kernel/ima_arch.c | 43 ++++++++++++++++++++++++++++++++++
- include/linux/ima.h | 3 ++-
- 4 files changed, 47 insertions(+), 2 deletions(-)
- create mode 100644 arch/powerpc/kernel/ima_arch.c
-
-diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
-index d654bdc9e4dc..32ce6c0b43f1 100644
---- a/arch/powerpc/Kconfig
-+++ b/arch/powerpc/Kconfig
-@@ -939,6 +939,7 @@ config PPC_SECURE_BOOT
- prompt "Enable secure boot support"
- bool
- depends on PPC_POWERNV
-+ depends on IMA_ARCH_POLICY
- help
- Systems with firmware secure boot enabled need to define security
- policies to extend secure boot to the OS. This config allows a user
-diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
-index 40170ee52178..b82f7f5e5121 100644
---- a/arch/powerpc/kernel/Makefile
-+++ b/arch/powerpc/kernel/Makefile
-@@ -158,7 +158,7 @@ ifneq ($(CONFIG_PPC_POWERNV)$(CONFIG_PPC_SVM),)
- obj-y += ucall.o
- endif
-
--obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o
-+obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o ima_arch.o
-
- # Disable GCOV, KCOV & sanitizers in odd or sensitive code
- GCOV_PROFILE_prom_init.o := n
-diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
-new file mode 100644
-index 000000000000..d88913dc0da7
---- /dev/null
-+++ b/arch/powerpc/kernel/ima_arch.c
-@@ -0,0 +1,43 @@
-+// SPDX-License-Identifier: GPL-2.0
-+/*
-+ * Copyright (C) 2019 IBM Corporation
-+ * Author: Nayna Jain
-+ */
-+
-+#include <linux/ima.h>
-+#include <asm/secure_boot.h>
-+
-+bool arch_ima_get_secureboot(void)
-+{
-+ return is_ppc_secureboot_enabled();
-+}
-+
-+/*
-+ * The "secure_rules" are enabled only on "secureboot" enabled systems.
-+ * These rules verify the file signatures against known good values.
-+ * The "appraise_type=imasig|modsig" option allows the known good signature
-+ * to be stored as an xattr or as an appended signature.
-+ *
-+ * To avoid duplicate signature verification as much as possible, the IMA
-+ * policy rule for module appraisal is added only if CONFIG_MODULE_SIG_FORCE
-+ * is not enabled.
-+ */
-+static const char *const secure_rules[] = {
-+ "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
-+#ifndef CONFIG_MODULE_SIG_FORCE
-+ "appraise func=MODULE_CHECK appraise_type=imasig|modsig",
-+#endif
-+ NULL
-+};
-+
-+/*
-+ * Returns the relevant IMA arch-specific policies based on the system secure
-+ * boot state.
-+ */
-+const char *const *arch_get_ima_policy(void)
-+{
-+ if (is_ppc_secureboot_enabled())
-+ return secure_rules;
-+
-+ return NULL;
-+}
-diff --git a/include/linux/ima.h b/include/linux/ima.h
-index 1c37f17f7203..6d904754d858 100644
---- a/include/linux/ima.h
-+++ b/include/linux/ima.h
-@@ -29,7 +29,8 @@ extern void ima_kexec_cmdline(const void *buf, int size);
- extern void ima_add_kexec_buffer(struct kimage *image);
- #endif
-
--#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390)
-+#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390) \
-+ || defined(CONFIG_PPC_SECURE_BOOT)
- extern bool arch_ima_get_secureboot(void);
- extern const char * const *arch_get_ima_policy(void);
- #else
diff --git a/openpower/linux/0004-powerpc-Detect-the-trusted-boot-state-of-the-system.patch b/openpower/linux/0004-powerpc-Detect-the-trusted-boot-state-of-the-system.patch
deleted file mode 100644
index e2c2c78..0000000
--- a/openpower/linux/0004-powerpc-Detect-the-trusted-boot-state-of-the-system.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Tue, 5 Nov 2019 17:02:07 -0600
-Subject: [PATCH 04/19] powerpc: Detect the trusted boot state of the system
-
-While secure boot permits only properly verified signed kernels to be
-booted, trusted boot calculates the file hash of the kernel image and
-stores the measurement prior to boot, that can be subsequently
-compared against good known values via attestation services.
-
-This patch reads the trusted boot state of a PowerNV system. The state
-is used to conditionally enable additional measurement rules in the
-IMA arch-specific policies.
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Signed-off-by: Eric Richter <erichte@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/e9eeee6b-b9bf-1e41-2954-61dbd6fbfbcf@linux.ibm.com
-(cherry picked from commit 2702809a4a1ab414d75c00936cda70ea77c8234e)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/include/asm/secure_boot.h | 6 ++++++
- arch/powerpc/kernel/secure_boot.c | 15 +++++++++++++++
- 2 files changed, 21 insertions(+)
-
-diff --git a/arch/powerpc/include/asm/secure_boot.h b/arch/powerpc/include/asm/secure_boot.h
-index 07d0fe0ca81f..a2ff556916c6 100644
---- a/arch/powerpc/include/asm/secure_boot.h
-+++ b/arch/powerpc/include/asm/secure_boot.h
-@@ -11,6 +11,7 @@
- #ifdef CONFIG_PPC_SECURE_BOOT
-
- bool is_ppc_secureboot_enabled(void);
-+bool is_ppc_trustedboot_enabled(void);
-
- #else
-
-@@ -19,5 +20,10 @@ static inline bool is_ppc_secureboot_enabled(void)
- return false;
- }
-
-+static inline bool is_ppc_trustedboot_enabled(void)
-+{
-+ return false;
-+}
-+
- #endif
- #endif
-diff --git a/arch/powerpc/kernel/secure_boot.c b/arch/powerpc/kernel/secure_boot.c
-index 583c2c4edaf0..4b982324d368 100644
---- a/arch/powerpc/kernel/secure_boot.c
-+++ b/arch/powerpc/kernel/secure_boot.c
-@@ -33,3 +33,18 @@ bool is_ppc_secureboot_enabled(void)
-
- return enabled;
- }
-+
-+bool is_ppc_trustedboot_enabled(void)
-+{
-+ struct device_node *node;
-+ bool enabled = false;
-+
-+ node = get_ppc_fw_sb_node();
-+ enabled = of_property_read_bool(node, "trusted-enabled");
-+
-+ of_node_put(node);
-+
-+ pr_info("Trusted boot mode %s\n", enabled ? "enabled" : "disabled");
-+
-+ return enabled;
-+}
diff --git a/openpower/linux/0005-powerpc-ima-Define-trusted-boot-policy.patch b/openpower/linux/0005-powerpc-ima-Define-trusted-boot-policy.patch
deleted file mode 100644
index fcd871c..0000000
--- a/openpower/linux/0005-powerpc-ima-Define-trusted-boot-policy.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Wed, 30 Oct 2019 23:31:29 -0400
-Subject: [PATCH 05/19] powerpc/ima: Define trusted boot policy
-
-This patch defines an arch-specific trusted boot only policy and a
-combined secure and trusted boot policy.
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1572492694-6520-5-git-send-email-zohar@linux.ibm.com
-(cherry picked from commit 1917855f4e0658c313e280671ad87774dbfb7b24)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/kernel/ima_arch.c | 33 ++++++++++++++++++++++++++++++++-
- 1 file changed, 32 insertions(+), 1 deletion(-)
-
-diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
-index d88913dc0da7..0ef5956c9753 100644
---- a/arch/powerpc/kernel/ima_arch.c
-+++ b/arch/powerpc/kernel/ima_arch.c
-@@ -30,6 +30,32 @@ static const char *const secure_rules[] = {
- NULL
- };
-
-+/*
-+ * The "trusted_rules" are enabled only on "trustedboot" enabled systems.
-+ * These rules add the kexec kernel image and kernel modules file hashes to
-+ * the IMA measurement list.
-+ */
-+static const char *const trusted_rules[] = {
-+ "measure func=KEXEC_KERNEL_CHECK",
-+ "measure func=MODULE_CHECK",
-+ NULL
-+};
-+
-+/*
-+ * The "secure_and_trusted_rules" contains rules for both the secure boot and
-+ * trusted boot. The "template=ima-modsig" option includes the appended
-+ * signature, when available, in the IMA measurement list.
-+ */
-+static const char *const secure_and_trusted_rules[] = {
-+ "measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
-+ "measure func=MODULE_CHECK template=ima-modsig",
-+ "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
-+#ifndef CONFIG_MODULE_SIG_FORCE
-+ "appraise func=MODULE_CHECK appraise_type=imasig|modsig",
-+#endif
-+ NULL
-+};
-+
- /*
- * Returns the relevant IMA arch-specific policies based on the system secure
- * boot state.
-@@ -37,7 +63,12 @@ static const char *const secure_rules[] = {
- const char *const *arch_get_ima_policy(void)
- {
- if (is_ppc_secureboot_enabled())
-- return secure_rules;
-+ if (is_ppc_trustedboot_enabled())
-+ return secure_and_trusted_rules;
-+ else
-+ return secure_rules;
-+ else if (is_ppc_trustedboot_enabled())
-+ return trusted_rules;
-
- return NULL;
- }
diff --git a/openpower/linux/0006-ima-Make-process_buffer_measurement-generic.patch b/openpower/linux/0006-ima-Make-process_buffer_measurement-generic.patch
deleted file mode 100644
index 7fd748f..0000000
--- a/openpower/linux/0006-ima-Make-process_buffer_measurement-generic.patch
+++ /dev/null
@@ -1,143 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Wed, 30 Oct 2019 23:31:30 -0400
-Subject: [PATCH 06/19] ima: Make process_buffer_measurement() generic
-
-process_buffer_measurement() is limited to measuring the kexec boot
-command line. This patch makes process_buffer_measurement() more
-generic, allowing it to measure other types of buffer data (e.g.
-blacklisted binary hashes or key hashes).
-
-process_buffer_measurement() may be called directly from an IMA hook
-or as an auxiliary measurement record. In both cases the buffer
-measurement is based on policy. This patch modifies the function to
-conditionally retrieve the policy defined PCR and template for the IMA
-hook case.
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-[zohar@linux.ibm.com: added comment in process_buffer_measurement()]
-Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1572492694-6520-6-git-send-email-zohar@linux.ibm.com
-(cherry picked from commit e14555e3d0e9edfad0a6840c0152f71aba97e793)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- security/integrity/ima/ima.h | 3 ++
- security/integrity/ima/ima_main.c | 58 +++++++++++++++++++++----------
- 2 files changed, 43 insertions(+), 18 deletions(-)
-
-diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
-index 8173982e00ab..04800f7f2351 100644
---- a/security/integrity/ima/ima.h
-+++ b/security/integrity/ima/ima.h
-@@ -219,6 +219,9 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
- struct evm_ima_xattr_data *xattr_value,
- int xattr_len, const struct modsig *modsig, int pcr,
- struct ima_template_desc *template_desc);
-+void process_buffer_measurement(const void *buf, int size,
-+ const char *eventname, enum ima_hooks func,
-+ int pcr);
- void ima_audit_measurement(struct integrity_iint_cache *iint,
- const unsigned char *filename);
- int ima_alloc_init_template(struct ima_event_data *event_data,
-diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
-index a768f37a0a4d..bc730e553053 100644
---- a/security/integrity/ima/ima_main.c
-+++ b/security/integrity/ima/ima_main.c
-@@ -626,14 +626,14 @@ int ima_load_data(enum kernel_load_data_id id)
- * @buf: pointer to the buffer that needs to be added to the log.
- * @size: size of buffer(in bytes).
- * @eventname: event name to be used for the buffer entry.
-- * @cred: a pointer to a credentials structure for user validation.
-- * @secid: the secid of the task to be validated.
-+ * @func: IMA hook
-+ * @pcr: pcr to extend the measurement
- *
- * Based on policy, the buffer is measured into the ima log.
- */
--static void process_buffer_measurement(const void *buf, int size,
-- const char *eventname,
-- const struct cred *cred, u32 secid)
-+void process_buffer_measurement(const void *buf, int size,
-+ const char *eventname, enum ima_hooks func,
-+ int pcr)
- {
- int ret = 0;
- struct ima_template_entry *entry = NULL;
-@@ -642,19 +642,45 @@ static void process_buffer_measurement(const void *buf, int size,
- .filename = eventname,
- .buf = buf,
- .buf_len = size};
-- struct ima_template_desc *template_desc = NULL;
-+ struct ima_template_desc *template = NULL;
- struct {
- struct ima_digest_data hdr;
- char digest[IMA_MAX_DIGEST_SIZE];
- } hash = {};
- int violation = 0;
-- int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
- int action = 0;
-+ u32 secid;
-
-- action = ima_get_action(NULL, cred, secid, 0, KEXEC_CMDLINE, &pcr,
-- &template_desc);
-- if (!(action & IMA_MEASURE))
-- return;
-+ /*
-+ * Both LSM hooks and auxilary based buffer measurements are
-+ * based on policy. To avoid code duplication, differentiate
-+ * between the LSM hooks and auxilary buffer measurements,
-+ * retrieving the policy rule information only for the LSM hook
-+ * buffer measurements.
-+ */
-+ if (func) {
-+ security_task_getsecid(current, &secid);
-+ action = ima_get_action(NULL, current_cred(), secid, 0, func,
-+ &pcr, &template);
-+ if (!(action & IMA_MEASURE))
-+ return;
-+ }
-+
-+ if (!pcr)
-+ pcr = CONFIG_IMA_MEASURE_PCR_IDX;
-+
-+ if (!template) {
-+ template = lookup_template_desc("ima-buf");
-+ ret = template_desc_init_fields(template->fmt,
-+ &(template->fields),
-+ &(template->num_fields));
-+ if (ret < 0) {
-+ pr_err("template %s init failed, result: %d\n",
-+ (strlen(template->name) ?
-+ template->name : template->fmt), ret);
-+ return;
-+ }
-+ }
-
- iint.ima_hash = &hash.hdr;
- iint.ima_hash->algo = ima_hash_algo;
-@@ -664,7 +690,7 @@ static void process_buffer_measurement(const void *buf, int size,
- if (ret < 0)
- goto out;
-
-- ret = ima_alloc_init_template(&event_data, &entry, template_desc);
-+ ret = ima_alloc_init_template(&event_data, &entry, template);
- if (ret < 0)
- goto out;
-
-@@ -686,13 +712,9 @@ static void process_buffer_measurement(const void *buf, int size,
- */
- void ima_kexec_cmdline(const void *buf, int size)
- {
-- u32 secid;
--
-- if (buf && size != 0) {
-- security_task_getsecid(current, &secid);
-+ if (buf && size != 0)
- process_buffer_measurement(buf, size, "kexec-cmdline",
-- current_cred(), secid);
-- }
-+ KEXEC_CMDLINE, 0);
- }
-
- static int __init init_ima(void)
diff --git a/openpower/linux/0007-certs-Add-wrapper-function-to-check-blacklisted-bina.patch b/openpower/linux/0007-certs-Add-wrapper-function-to-check-blacklisted-bina.patch
deleted file mode 100644
index e33fc06..0000000
--- a/openpower/linux/0007-certs-Add-wrapper-function-to-check-blacklisted-bina.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Wed, 30 Oct 2019 23:31:31 -0400
-Subject: [PATCH 07/19] certs: Add wrapper function to check blacklisted binary
- hash
-
-The -EKEYREJECTED error returned by existing is_hash_blacklisted() is
-misleading when called for checking against blacklisted hash of a
-binary.
-
-This patch adds a wrapper function is_binary_blacklisted() to return
--EPERM error if binary is blacklisted.
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1572492694-6520-7-git-send-email-zohar@linux.ibm.com
-(cherry picked from commit 2434f7d2d488c3301ae81f1031e1c66c6f076fb7)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- certs/blacklist.c | 9 +++++++++
- include/keys/system_keyring.h | 6 ++++++
- 2 files changed, 15 insertions(+)
-
-diff --git a/certs/blacklist.c b/certs/blacklist.c
-index ec00bf337eb6..6514f9ebc943 100644
---- a/certs/blacklist.c
-+++ b/certs/blacklist.c
-@@ -135,6 +135,15 @@ int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type)
- }
- EXPORT_SYMBOL_GPL(is_hash_blacklisted);
-
-+int is_binary_blacklisted(const u8 *hash, size_t hash_len)
-+{
-+ if (is_hash_blacklisted(hash, hash_len, "bin") == -EKEYREJECTED)
-+ return -EPERM;
-+
-+ return 0;
-+}
-+EXPORT_SYMBOL_GPL(is_binary_blacklisted);
-+
- /*
- * Initialise the blacklist
- */
-diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
-index c1a96fdf598b..fb8b07daa9d1 100644
---- a/include/keys/system_keyring.h
-+++ b/include/keys/system_keyring.h
-@@ -35,12 +35,18 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
- extern int mark_hash_blacklisted(const char *hash);
- extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
- const char *type);
-+extern int is_binary_blacklisted(const u8 *hash, size_t hash_len);
- #else
- static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
- const char *type)
- {
- return 0;
- }
-+
-+static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
-+{
-+ return 0;
-+}
- #endif
-
- #ifdef CONFIG_IMA_BLACKLIST_KEYRING
diff --git a/openpower/linux/0008-ima-Check-against-blacklisted-hashes-for-files-with-.patch b/openpower/linux/0008-ima-Check-against-blacklisted-hashes-for-files-with-.patch
deleted file mode 100644
index 7d18cc7..0000000
--- a/openpower/linux/0008-ima-Check-against-blacklisted-hashes-for-files-with-.patch
+++ /dev/null
@@ -1,261 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Wed, 30 Oct 2019 23:31:32 -0400
-Subject: [PATCH 08/19] ima: Check against blacklisted hashes for files with
- modsig
-
-Asymmetric private keys are used to sign multiple files. The kernel
-currently supports checking against blacklisted keys. However, if the
-public key is blacklisted, any file signed by the blacklisted key will
-automatically fail signature verification. Blacklisting the public key
-is not fine enough granularity, as we might want to only blacklist a
-particular file.
-
-This patch adds support for checking against the blacklisted hash of
-the file, without the appended signature, based on the IMA policy. It
-defines a new policy option "appraise_flag=check_blacklist".
-
-In addition to the blacklisted binary hashes stored in the firmware
-"dbx" variable, the Linux kernel may be configured to load blacklisted
-binary hashes onto the .blacklist keyring as well. The following
-example shows how to blacklist a specific kernel module hash.
-
- $ sha256sum kernel/kheaders.ko
- 77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
- kernel/kheaders.ko
-
- $ grep BLACKLIST .config
- CONFIG_SYSTEM_BLACKLIST_KEYRING=y
- CONFIG_SYSTEM_BLACKLIST_HASH_LIST="blacklist-hash-list"
-
- $ cat certs/blacklist-hash-list
- "bin:77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3"
-
-Update the IMA custom measurement and appraisal policy
-rules (/etc/ima-policy):
-
- measure func=MODULE_CHECK template=ima-modsig
- appraise func=MODULE_CHECK appraise_flag=check_blacklist
- appraise_type=imasig|modsig
-
-After building, installing, and rebooting the kernel:
-
- 545660333 ---lswrv 0 0 \_ blacklist:
- bin:77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
-
- measure func=MODULE_CHECK template=ima-modsig
- appraise func=MODULE_CHECK appraise_flag=check_blacklist
- appraise_type=imasig|modsig
-
- modprobe: ERROR: could not insert 'kheaders': Permission denied
-
- 10 0c9834db5a0182c1fb0cdc5d3adcf11a11fd83dd ima-sig
- sha256:3bc6ed4f0b4d6e31bc1dbc9ef844605abc7afdc6d81a57d77a1ec9407997c40
- 2 /usr/lib/modules/5.4.0-rc3+/kernel/kernel/kheaders.ko
-
- 10 82aad2bcc3fa8ed94762356b5c14838f3bcfa6a0 ima-modsig
- sha256:3bc6ed4f0b4d6e31bc1dbc9ef844605abc7afdc6d81a57d77a1ec9407997c40
- 2 /usr/lib/modules/5.4.0rc3+/kernel/kernel/kheaders.ko sha256:77fa889b3
- 5a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
- 3082029a06092a864886f70d010702a082028b30820287020101310d300b0609608648
- 016503040201300b06092a864886f70d01070131820264....
-
- 10 25b72217cc1152b44b134ce2cd68f12dfb71acb3 ima-buf
- sha256:8b58427fedcf8f4b20bc8dc007f2e232bf7285d7b93a66476321f9c2a3aa132
- b blacklisted-hash
- 77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-[zohar@linux.ibm.com: updated patch description]
-Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1572492694-6520-8-git-send-email-zohar@linux.ibm.com
-(cherry picked from commit 273df864cf7466fb170b8dcc1abd672cd08ad8d3)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- Documentation/ABI/testing/ima_policy | 4 ++++
- security/integrity/ima/ima.h | 8 +++++++
- security/integrity/ima/ima_appraise.c | 33 +++++++++++++++++++++++++++
- security/integrity/ima/ima_main.c | 12 ++++++----
- security/integrity/ima/ima_policy.c | 12 ++++++++--
- security/integrity/integrity.h | 1 +
- 6 files changed, 64 insertions(+), 6 deletions(-)
-
-diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
-index 29ebe9afdac4..29aaedf33246 100644
---- a/Documentation/ABI/testing/ima_policy
-+++ b/Documentation/ABI/testing/ima_policy
-@@ -25,6 +25,7 @@ Description:
- lsm: [[subj_user=] [subj_role=] [subj_type=]
- [obj_user=] [obj_role=] [obj_type=]]
- option: [[appraise_type=]] [template=] [permit_directio]
-+ [appraise_flag=]
- base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
- [FIRMWARE_CHECK]
- [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
-@@ -38,6 +39,9 @@ Description:
- fowner:= decimal value
- lsm: are LSM specific
- option: appraise_type:= [imasig] [imasig|modsig]
-+ appraise_flag:= [check_blacklist]
-+ Currently, blacklist check is only for files signed with appended
-+ signature.
- template:= name of a defined IMA template type
- (eg, ima-ng). Only valid when action is "measure".
- pcr:= decimal value
-diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
-index 04800f7f2351..7d855f2c80fa 100644
---- a/security/integrity/ima/ima.h
-+++ b/security/integrity/ima/ima.h
-@@ -258,6 +258,8 @@ int ima_policy_show(struct seq_file *m, void *v);
- #define IMA_APPRAISE_KEXEC 0x40
-
- #ifdef CONFIG_IMA_APPRAISE
-+int ima_check_blacklist(struct integrity_iint_cache *iint,
-+ const struct modsig *modsig, int pcr);
- int ima_appraise_measurement(enum ima_hooks func,
- struct integrity_iint_cache *iint,
- struct file *file, const unsigned char *filename,
-@@ -273,6 +275,12 @@ int ima_read_xattr(struct dentry *dentry,
- struct evm_ima_xattr_data **xattr_value);
-
- #else
-+static inline int ima_check_blacklist(struct integrity_iint_cache *iint,
-+ const struct modsig *modsig, int pcr)
-+{
-+ return 0;
-+}
-+
- static inline int ima_appraise_measurement(enum ima_hooks func,
- struct integrity_iint_cache *iint,
- struct file *file,
-diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
-index 23b04c6521b2..176249e4a7ac 100644
---- a/security/integrity/ima/ima_appraise.c
-+++ b/security/integrity/ima/ima_appraise.c
-@@ -12,6 +12,7 @@
- #include <linux/magic.h>
- #include <linux/ima.h>
- #include <linux/evm.h>
-+#include <keys/system_keyring.h>
-
- #include "ima.h"
-
-@@ -309,6 +310,38 @@ static int modsig_verify(enum ima_hooks func, const struct modsig *modsig,
- return rc;
- }
-
-+/*
-+ * ima_check_blacklist - determine if the binary is blacklisted.
-+ *
-+ * Add the hash of the blacklisted binary to the measurement list, based
-+ * on policy.
-+ *
-+ * Returns -EPERM if the hash is blacklisted.
-+ */
-+int ima_check_blacklist(struct integrity_iint_cache *iint,
-+ const struct modsig *modsig, int pcr)
-+{
-+ enum hash_algo hash_algo;
-+ const u8 *digest = NULL;
-+ u32 digestsize = 0;
-+ int rc = 0;
-+
-+ if (!(iint->flags & IMA_CHECK_BLACKLIST))
-+ return 0;
-+
-+ if (iint->flags & IMA_MODSIG_ALLOWED && modsig) {
-+ ima_get_modsig_digest(modsig, &hash_algo, &digest, &digestsize);
-+
-+ rc = is_binary_blacklisted(digest, digestsize);
-+ if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
-+ process_buffer_measurement(digest, digestsize,
-+ "blacklisted-hash", NONE,
-+ pcr);
-+ }
-+
-+ return rc;
-+}
-+
- /*
- * ima_appraise_measurement - appraise file measurement
- *
-diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
-index bc730e553053..a16c148ed90d 100644
---- a/security/integrity/ima/ima_main.c
-+++ b/security/integrity/ima/ima_main.c
-@@ -335,10 +335,14 @@ static int process_measurement(struct file *file, const struct cred *cred,
- xattr_value, xattr_len, modsig, pcr,
- template_desc);
- if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) {
-- inode_lock(inode);
-- rc = ima_appraise_measurement(func, iint, file, pathname,
-- xattr_value, xattr_len, modsig);
-- inode_unlock(inode);
-+ rc = ima_check_blacklist(iint, modsig, pcr);
-+ if (rc != -EPERM) {
-+ inode_lock(inode);
-+ rc = ima_appraise_measurement(func, iint, file,
-+ pathname, xattr_value,
-+ xattr_len, modsig);
-+ inode_unlock(inode);
-+ }
- if (!rc)
- rc = mmap_violation_check(func, file, &pathbuf,
- &pathname, filename);
-diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
-index e725d4187271..42f0970b3054 100644
---- a/security/integrity/ima/ima_policy.c
-+++ b/security/integrity/ima/ima_policy.c
-@@ -769,8 +769,8 @@ enum {
- Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq,
- Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt,
- Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
-- Opt_appraise_type, Opt_permit_directio,
-- Opt_pcr, Opt_template, Opt_err
-+ Opt_appraise_type, Opt_appraise_flag,
-+ Opt_permit_directio, Opt_pcr, Opt_template, Opt_err
- };
-
- static const match_table_t policy_tokens = {
-@@ -802,6 +802,7 @@ static const match_table_t policy_tokens = {
- {Opt_euid_lt, "euid<%s"},
- {Opt_fowner_lt, "fowner<%s"},
- {Opt_appraise_type, "appraise_type=%s"},
-+ {Opt_appraise_flag, "appraise_flag=%s"},
- {Opt_permit_directio, "permit_directio"},
- {Opt_pcr, "pcr=%s"},
- {Opt_template, "template=%s"},
-@@ -1182,6 +1183,11 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
- else
- result = -EINVAL;
- break;
-+ case Opt_appraise_flag:
-+ ima_log_string(ab, "appraise_flag", args[0].from);
-+ if (strstr(args[0].from, "blacklist"))
-+ entry->flags |= IMA_CHECK_BLACKLIST;
-+ break;
- case Opt_permit_directio:
- entry->flags |= IMA_PERMIT_DIRECTIO;
- break;
-@@ -1510,6 +1516,8 @@ int ima_policy_show(struct seq_file *m, void *v)
- else
- seq_puts(m, "appraise_type=imasig ");
- }
-+ if (entry->flags & IMA_CHECK_BLACKLIST)
-+ seq_puts(m, "appraise_flag=check_blacklist ");
- if (entry->flags & IMA_PERMIT_DIRECTIO)
- seq_puts(m, "permit_directio ");
- rcu_read_unlock();
-diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
-index d9323d31a3a8..73fc286834d7 100644
---- a/security/integrity/integrity.h
-+++ b/security/integrity/integrity.h
-@@ -32,6 +32,7 @@
- #define EVM_IMMUTABLE_DIGSIG 0x08000000
- #define IMA_FAIL_UNVERIFIABLE_SIGS 0x10000000
- #define IMA_MODSIG_ALLOWED 0x20000000
-+#define IMA_CHECK_BLACKLIST 0x40000000
-
- #define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \
- IMA_HASH | IMA_APPRAISE_SUBMASK)
diff --git a/openpower/linux/0009-powerpc-ima-Update-ima-arch-policy-to-check-for-blac.patch b/openpower/linux/0009-powerpc-ima-Update-ima-arch-policy-to-check-for-blac.patch
deleted file mode 100644
index 921a675..0000000
--- a/openpower/linux/0009-powerpc-ima-Update-ima-arch-policy-to-check-for-blac.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Wed, 30 Oct 2019 23:31:33 -0400
-Subject: [PATCH 09/19] powerpc/ima: Update ima arch policy to check for
- blacklist
-
-This patch updates the arch-specific policies for PowerNV system to
-make sure that the binary hash is not blacklisted.
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1572492694-6520-9-git-send-email-zohar@linux.ibm.com
-(cherry picked from commit dc87f18615db9dc74a75cfb4a57ed33b07a3903a)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/kernel/ima_arch.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
-index 0ef5956c9753..b9de0fb45bb9 100644
---- a/arch/powerpc/kernel/ima_arch.c
-+++ b/arch/powerpc/kernel/ima_arch.c
-@@ -23,9 +23,9 @@ bool arch_ima_get_secureboot(void)
- * is not enabled.
- */
- static const char *const secure_rules[] = {
-- "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
-+ "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
- #ifndef CONFIG_MODULE_SIG_FORCE
-- "appraise func=MODULE_CHECK appraise_type=imasig|modsig",
-+ "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
- #endif
- NULL
- };
-@@ -49,9 +49,9 @@ static const char *const trusted_rules[] = {
- static const char *const secure_and_trusted_rules[] = {
- "measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
- "measure func=MODULE_CHECK template=ima-modsig",
-- "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
-+ "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
- #ifndef CONFIG_MODULE_SIG_FORCE
-- "appraise func=MODULE_CHECK appraise_type=imasig|modsig",
-+ "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
- #endif
- NULL
- };
diff --git a/openpower/linux/0010-powerpc-powernv-Add-OPAL-API-interface-to-access-sec.patch b/openpower/linux/0010-powerpc-powernv-Add-OPAL-API-interface-to-access-sec.patch
deleted file mode 100644
index 8875930..0000000
--- a/openpower/linux/0010-powerpc-powernv-Add-OPAL-API-interface-to-access-sec.patch
+++ /dev/null
@@ -1,329 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Sun, 10 Nov 2019 21:10:33 -0600
-Subject: [PATCH 10/19] powerpc/powernv: Add OPAL API interface to access
- secure variable
-
-The X.509 certificates trusted by the platform and required to secure
-boot the OS kernel are wrapped in secure variables, which are
-controlled by OPAL.
-
-This patch adds firmware/kernel interface to read and write OPAL
-secure variables based on the unique key.
-
-This support can be enabled using CONFIG_OPAL_SECVAR.
-
-Signed-off-by: Claudio Carvalho <cclaudio@linux.ibm.com>
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Signed-off-by: Eric Richter <erichte@linux.ibm.com>
-[mpe: Make secvar_ops __ro_after_init, only build opal-secvar.c if PPC_SECURE_BOOT=y]
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1573441836-3632-2-git-send-email-nayna@linux.ibm.com
-(cherry picked from commit 9155e2341aa8b5df057dc1c77633b33d1a4f17d2)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/include/asm/opal-api.h | 5 +-
- arch/powerpc/include/asm/opal.h | 7 +
- arch/powerpc/include/asm/secvar.h | 35 +++++
- arch/powerpc/kernel/Makefile | 2 +-
- arch/powerpc/kernel/secvar-ops.c | 17 +++
- arch/powerpc/platforms/powernv/Makefile | 1 +
- arch/powerpc/platforms/powernv/opal-call.c | 3 +
- arch/powerpc/platforms/powernv/opal-secvar.c | 140 +++++++++++++++++++
- arch/powerpc/platforms/powernv/opal.c | 3 +
- 9 files changed, 211 insertions(+), 2 deletions(-)
- create mode 100644 arch/powerpc/include/asm/secvar.h
- create mode 100644 arch/powerpc/kernel/secvar-ops.c
- create mode 100644 arch/powerpc/platforms/powernv/opal-secvar.c
-
-diff --git a/arch/powerpc/include/asm/opal-api.h b/arch/powerpc/include/asm/opal-api.h
-index 378e3997845a..c1f25a760eb1 100644
---- a/arch/powerpc/include/asm/opal-api.h
-+++ b/arch/powerpc/include/asm/opal-api.h
-@@ -211,7 +211,10 @@
- #define OPAL_MPIPL_UPDATE 173
- #define OPAL_MPIPL_REGISTER_TAG 174
- #define OPAL_MPIPL_QUERY_TAG 175
--#define OPAL_LAST 175
-+#define OPAL_SECVAR_GET 176
-+#define OPAL_SECVAR_GET_NEXT 177
-+#define OPAL_SECVAR_ENQUEUE_UPDATE 178
-+#define OPAL_LAST 178
-
- #define QUIESCE_HOLD 1 /* Spin all calls at entry */
- #define QUIESCE_REJECT 2 /* Fail all calls with OPAL_BUSY */
-diff --git a/arch/powerpc/include/asm/opal.h b/arch/powerpc/include/asm/opal.h
-index a0cf8fba4d12..9986ac34b8e2 100644
---- a/arch/powerpc/include/asm/opal.h
-+++ b/arch/powerpc/include/asm/opal.h
-@@ -298,6 +298,13 @@ int opal_sensor_group_clear(u32 group_hndl, int token);
- int opal_sensor_group_enable(u32 group_hndl, int token, bool enable);
- int opal_nx_coproc_init(uint32_t chip_id, uint32_t ct);
-
-+int opal_secvar_get(const char *key, uint64_t key_len, u8 *data,
-+ uint64_t *data_size);
-+int opal_secvar_get_next(const char *key, uint64_t *key_len,
-+ uint64_t key_buf_size);
-+int opal_secvar_enqueue_update(const char *key, uint64_t key_len, u8 *data,
-+ uint64_t data_size);
-+
- s64 opal_mpipl_update(enum opal_mpipl_ops op, u64 src, u64 dest, u64 size);
- s64 opal_mpipl_register_tag(enum opal_mpipl_tags tag, u64 addr);
- s64 opal_mpipl_query_tag(enum opal_mpipl_tags tag, u64 *addr);
-diff --git a/arch/powerpc/include/asm/secvar.h b/arch/powerpc/include/asm/secvar.h
-new file mode 100644
-index 000000000000..4cc35b58b986
---- /dev/null
-+++ b/arch/powerpc/include/asm/secvar.h
-@@ -0,0 +1,35 @@
-+/* SPDX-License-Identifier: GPL-2.0 */
-+/*
-+ * Copyright (C) 2019 IBM Corporation
-+ * Author: Nayna Jain
-+ *
-+ * PowerPC secure variable operations.
-+ */
-+#ifndef SECVAR_OPS_H
-+#define SECVAR_OPS_H
-+
-+#include <linux/types.h>
-+#include <linux/errno.h>
-+
-+extern const struct secvar_operations *secvar_ops;
-+
-+struct secvar_operations {
-+ int (*get)(const char *key, uint64_t key_len, u8 *data,
-+ uint64_t *data_size);
-+ int (*get_next)(const char *key, uint64_t *key_len,
-+ uint64_t keybufsize);
-+ int (*set)(const char *key, uint64_t key_len, u8 *data,
-+ uint64_t data_size);
-+};
-+
-+#ifdef CONFIG_PPC_SECURE_BOOT
-+
-+extern void set_secvar_ops(const struct secvar_operations *ops);
-+
-+#else
-+
-+static inline void set_secvar_ops(const struct secvar_operations *ops) { }
-+
-+#endif
-+
-+#endif
-diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
-index b82f7f5e5121..93b0336090f2 100644
---- a/arch/powerpc/kernel/Makefile
-+++ b/arch/powerpc/kernel/Makefile
-@@ -158,7 +158,7 @@ ifneq ($(CONFIG_PPC_POWERNV)$(CONFIG_PPC_SVM),)
- obj-y += ucall.o
- endif
-
--obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o ima_arch.o
-+obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o ima_arch.o secvar-ops.o
-
- # Disable GCOV, KCOV & sanitizers in odd or sensitive code
- GCOV_PROFILE_prom_init.o := n
-diff --git a/arch/powerpc/kernel/secvar-ops.c b/arch/powerpc/kernel/secvar-ops.c
-new file mode 100644
-index 000000000000..6a29777d6a2d
---- /dev/null
-+++ b/arch/powerpc/kernel/secvar-ops.c
-@@ -0,0 +1,17 @@
-+// SPDX-License-Identifier: GPL-2.0
-+/*
-+ * Copyright (C) 2019 IBM Corporation
-+ * Author: Nayna Jain
-+ *
-+ * This file initializes secvar operations for PowerPC Secureboot
-+ */
-+
-+#include <linux/cache.h>
-+#include <asm/secvar.h>
-+
-+const struct secvar_operations *secvar_ops __ro_after_init;
-+
-+void set_secvar_ops(const struct secvar_operations *ops)
-+{
-+ secvar_ops = ops;
-+}
-diff --git a/arch/powerpc/platforms/powernv/Makefile b/arch/powerpc/platforms/powernv/Makefile
-index a3ac9646119d..c0f8120045c3 100644
---- a/arch/powerpc/platforms/powernv/Makefile
-+++ b/arch/powerpc/platforms/powernv/Makefile
-@@ -20,3 +20,4 @@ obj-$(CONFIG_PPC_MEMTRACE) += memtrace.o
- obj-$(CONFIG_PPC_VAS) += vas.o vas-window.o vas-debug.o
- obj-$(CONFIG_OCXL_BASE) += ocxl.o
- obj-$(CONFIG_SCOM_DEBUGFS) += opal-xscom.o
-+obj-$(CONFIG_PPC_SECURE_BOOT) += opal-secvar.o
-diff --git a/arch/powerpc/platforms/powernv/opal-call.c b/arch/powerpc/platforms/powernv/opal-call.c
-index a2aa5e433ac8..5cd0f52d258f 100644
---- a/arch/powerpc/platforms/powernv/opal-call.c
-+++ b/arch/powerpc/platforms/powernv/opal-call.c
-@@ -290,3 +290,6 @@ OPAL_CALL(opal_nx_coproc_init, OPAL_NX_COPROC_INIT);
- OPAL_CALL(opal_mpipl_update, OPAL_MPIPL_UPDATE);
- OPAL_CALL(opal_mpipl_register_tag, OPAL_MPIPL_REGISTER_TAG);
- OPAL_CALL(opal_mpipl_query_tag, OPAL_MPIPL_QUERY_TAG);
-+OPAL_CALL(opal_secvar_get, OPAL_SECVAR_GET);
-+OPAL_CALL(opal_secvar_get_next, OPAL_SECVAR_GET_NEXT);
-+OPAL_CALL(opal_secvar_enqueue_update, OPAL_SECVAR_ENQUEUE_UPDATE);
-diff --git a/arch/powerpc/platforms/powernv/opal-secvar.c b/arch/powerpc/platforms/powernv/opal-secvar.c
-new file mode 100644
-index 000000000000..14133e120bdd
---- /dev/null
-+++ b/arch/powerpc/platforms/powernv/opal-secvar.c
-@@ -0,0 +1,140 @@
-+// SPDX-License-Identifier: GPL-2.0
-+/*
-+ * PowerNV code for secure variables
-+ *
-+ * Copyright (C) 2019 IBM Corporation
-+ * Author: Claudio Carvalho
-+ * Nayna Jain
-+ *
-+ * APIs to access secure variables managed by OPAL.
-+ */
-+
-+#define pr_fmt(fmt) "secvar: "fmt
-+
-+#include <linux/types.h>
-+#include <linux/platform_device.h>
-+#include <linux/of_platform.h>
-+#include <asm/opal.h>
-+#include <asm/secvar.h>
-+#include <asm/secure_boot.h>
-+
-+static int opal_status_to_err(int rc)
-+{
-+ int err;
-+
-+ switch (rc) {
-+ case OPAL_SUCCESS:
-+ err = 0;
-+ break;
-+ case OPAL_UNSUPPORTED:
-+ err = -ENXIO;
-+ break;
-+ case OPAL_PARAMETER:
-+ err = -EINVAL;
-+ break;
-+ case OPAL_RESOURCE:
-+ err = -ENOSPC;
-+ break;
-+ case OPAL_HARDWARE:
-+ err = -EIO;
-+ break;
-+ case OPAL_NO_MEM:
-+ err = -ENOMEM;
-+ break;
-+ case OPAL_EMPTY:
-+ err = -ENOENT;
-+ break;
-+ case OPAL_PARTIAL:
-+ err = -EFBIG;
-+ break;
-+ default:
-+ err = -EINVAL;
-+ }
-+
-+ return err;
-+}
-+
-+static int opal_get_variable(const char *key, uint64_t ksize,
-+ u8 *data, uint64_t *dsize)
-+{
-+ int rc;
-+
-+ if (!key || !dsize)
-+ return -EINVAL;
-+
-+ *dsize = cpu_to_be64(*dsize);
-+
-+ rc = opal_secvar_get(key, ksize, data, dsize);
-+
-+ *dsize = be64_to_cpu(*dsize);
-+
-+ return opal_status_to_err(rc);
-+}
-+
-+static int opal_get_next_variable(const char *key, uint64_t *keylen,
-+ uint64_t keybufsize)
-+{
-+ int rc;
-+
-+ if (!key || !keylen)
-+ return -EINVAL;
-+
-+ *keylen = cpu_to_be64(*keylen);
-+
-+ rc = opal_secvar_get_next(key, keylen, keybufsize);
-+
-+ *keylen = be64_to_cpu(*keylen);
-+
-+ return opal_status_to_err(rc);
-+}
-+
-+static int opal_set_variable(const char *key, uint64_t ksize, u8 *data,
-+ uint64_t dsize)
-+{
-+ int rc;
-+
-+ if (!key || !data)
-+ return -EINVAL;
-+
-+ rc = opal_secvar_enqueue_update(key, ksize, data, dsize);
-+
-+ return opal_status_to_err(rc);
-+}
-+
-+static const struct secvar_operations opal_secvar_ops = {
-+ .get = opal_get_variable,
-+ .get_next = opal_get_next_variable,
-+ .set = opal_set_variable,
-+};
-+
-+static int opal_secvar_probe(struct platform_device *pdev)
-+{
-+ if (!opal_check_token(OPAL_SECVAR_GET)
-+ || !opal_check_token(OPAL_SECVAR_GET_NEXT)
-+ || !opal_check_token(OPAL_SECVAR_ENQUEUE_UPDATE)) {
-+ pr_err("OPAL doesn't support secure variables\n");
-+ return -ENODEV;
-+ }
-+
-+ set_secvar_ops(&opal_secvar_ops);
-+
-+ return 0;
-+}
-+
-+static const struct of_device_id opal_secvar_match[] = {
-+ { .compatible = "ibm,secvar-backend",},
-+ {},
-+};
-+
-+static struct platform_driver opal_secvar_driver = {
-+ .driver = {
-+ .name = "secvar",
-+ .of_match_table = opal_secvar_match,
-+ },
-+};
-+
-+static int __init opal_secvar_init(void)
-+{
-+ return platform_driver_probe(&opal_secvar_driver, opal_secvar_probe);
-+}
-+device_initcall(opal_secvar_init);
-diff --git a/arch/powerpc/platforms/powernv/opal.c b/arch/powerpc/platforms/powernv/opal.c
-index 38e90270280b..8355bcd00f93 100644
---- a/arch/powerpc/platforms/powernv/opal.c
-+++ b/arch/powerpc/platforms/powernv/opal.c
-@@ -1002,6 +1002,9 @@ static int __init opal_init(void)
- /* Initialise OPAL Power control interface */
- opal_power_control_init();
-
-+ /* Initialize OPAL secure variables */
-+ opal_pdev_init("ibm,secvar-backend");
-+
- return 0;
- }
- machine_subsys_initcall(powernv, opal_init);
diff --git a/openpower/linux/0011-powerpc-expose-secure-variables-to-userspace-via-sys.patch b/openpower/linux/0011-powerpc-expose-secure-variables-to-userspace-via-sys.patch
deleted file mode 100644
index 518b9c3..0000000
--- a/openpower/linux/0011-powerpc-expose-secure-variables-to-userspace-via-sys.patch
+++ /dev/null
@@ -1,369 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Sun, 10 Nov 2019 21:10:34 -0600
-Subject: [PATCH 11/19] powerpc: expose secure variables to userspace via sysfs
-
-PowerNV secure variables, which store the keys used for OS kernel
-verification, are managed by the firmware. These secure variables need to
-be accessed by the userspace for addition/deletion of the certificates.
-
-This patch adds the sysfs interface to expose secure variables for PowerNV
-secureboot. The users shall use this interface for manipulating
-the keys stored in the secure variables.
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Eric Richter <erichte@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1573441836-3632-3-git-send-email-nayna@linux.ibm.com
-(cherry picked from commit bd5d9c743d38f67d64ea1b512a461f6b5a5f6bec)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- Documentation/ABI/testing/sysfs-secvar | 46 +++++
- arch/powerpc/Kconfig | 11 ++
- arch/powerpc/kernel/Makefile | 1 +
- arch/powerpc/kernel/secvar-sysfs.c | 248 +++++++++++++++++++++++++
- 4 files changed, 306 insertions(+)
- create mode 100644 Documentation/ABI/testing/sysfs-secvar
- create mode 100644 arch/powerpc/kernel/secvar-sysfs.c
-
-diff --git a/Documentation/ABI/testing/sysfs-secvar b/Documentation/ABI/testing/sysfs-secvar
-new file mode 100644
-index 000000000000..feebb8c57294
---- /dev/null
-+++ b/Documentation/ABI/testing/sysfs-secvar
-@@ -0,0 +1,46 @@
-+What: /sys/firmware/secvar
-+Date: August 2019
-+Contact: Nayna Jain <nayna@linux.ibm.com>
-+Description: This directory is created if the POWER firmware supports OS
-+ secureboot, thereby secure variables. It exposes interface
-+ for reading/writing the secure variables
-+
-+What: /sys/firmware/secvar/vars
-+Date: August 2019
-+Contact: Nayna Jain <nayna@linux.ibm.com>
-+Description: This directory lists all the secure variables that are supported
-+ by the firmware.
-+
-+What: /sys/firmware/secvar/format
-+Date: August 2019
-+Contact: Nayna Jain <nayna@linux.ibm.com>
-+Description: A string indicating which backend is in use by the firmware.
-+ This determines the format of the variable and the accepted
-+ format of variable updates.
-+
-+What: /sys/firmware/secvar/vars/<variable name>
-+Date: August 2019
-+Contact: Nayna Jain <nayna@linux.ibm.com>
-+Description: Each secure variable is represented as a directory named as
-+ <variable_name>. The variable name is unique and is in ASCII
-+ representation. The data and size can be determined by reading
-+ their respective attribute files.
-+
-+What: /sys/firmware/secvar/vars/<variable_name>/size
-+Date: August 2019
-+Contact: Nayna Jain <nayna@linux.ibm.com>
-+Description: An integer representation of the size of the content of the
-+ variable. In other words, it represents the size of the data.
-+
-+What: /sys/firmware/secvar/vars/<variable_name>/data
-+Date: August 2019
-+Contact: Nayna Jain h<nayna@linux.ibm.com>
-+Description: A read-only file containing the value of the variable. The size
-+ of the file represents the maximum size of the variable data.
-+
-+What: /sys/firmware/secvar/vars/<variable_name>/update
-+Date: August 2019
-+Contact: Nayna Jain <nayna@linux.ibm.com>
-+Description: A write-only file that is used to submit the new value for the
-+ variable. The size of the file represents the maximum size of
-+ the variable data that can be written.
-diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
-index 32ce6c0b43f1..cc6cdf821604 100644
---- a/arch/powerpc/Kconfig
-+++ b/arch/powerpc/Kconfig
-@@ -946,6 +946,17 @@ config PPC_SECURE_BOOT
- to enable OS secure boot on systems that have firmware support for
- it. If in doubt say N.
-
-+config PPC_SECVAR_SYSFS
-+ bool "Enable sysfs interface for POWER secure variables"
-+ default y
-+ depends on PPC_SECURE_BOOT
-+ depends on SYSFS
-+ help
-+ POWER secure variables are managed and controlled by firmware.
-+ These variables are exposed to userspace via sysfs to enable
-+ read/write operations on these variables. Say Y if you have
-+ secure boot enabled and want to expose variables to userspace.
-+
- endmenu
-
- config ISA_DMA_API
-diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
-index 93b0336090f2..b97c018a2f53 100644
---- a/arch/powerpc/kernel/Makefile
-+++ b/arch/powerpc/kernel/Makefile
-@@ -159,6 +159,7 @@ obj-y += ucall.o
- endif
-
- obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o ima_arch.o secvar-ops.o
-+obj-$(CONFIG_PPC_SECVAR_SYSFS) += secvar-sysfs.o
-
- # Disable GCOV, KCOV & sanitizers in odd or sensitive code
- GCOV_PROFILE_prom_init.o := n
-diff --git a/arch/powerpc/kernel/secvar-sysfs.c b/arch/powerpc/kernel/secvar-sysfs.c
-new file mode 100644
-index 000000000000..a0a78aba2083
---- /dev/null
-+++ b/arch/powerpc/kernel/secvar-sysfs.c
-@@ -0,0 +1,248 @@
-+// SPDX-License-Identifier: GPL-2.0+
-+/*
-+ * Copyright (C) 2019 IBM Corporation <nayna@linux.ibm.com>
-+ *
-+ * This code exposes secure variables to user via sysfs
-+ */
-+
-+#define pr_fmt(fmt) "secvar-sysfs: "fmt
-+
-+#include <linux/slab.h>
-+#include <linux/compat.h>
-+#include <linux/string.h>
-+#include <linux/of.h>
-+#include <asm/secvar.h>
-+
-+#define NAME_MAX_SIZE 1024
-+
-+static struct kobject *secvar_kobj;
-+static struct kset *secvar_kset;
-+
-+static ssize_t format_show(struct kobject *kobj, struct kobj_attribute *attr,
-+ char *buf)
-+{
-+ ssize_t rc = 0;
-+ struct device_node *node;
-+ const char *format;
-+
-+ node = of_find_compatible_node(NULL, NULL, "ibm,secvar-backend");
-+ if (!of_device_is_available(node))
-+ return -ENODEV;
-+
-+ rc = of_property_read_string(node, "format", &format);
-+ if (rc)
-+ return rc;
-+
-+ rc = sprintf(buf, "%s\n", format);
-+
-+ of_node_put(node);
-+
-+ return rc;
-+}
-+
-+
-+static ssize_t size_show(struct kobject *kobj, struct kobj_attribute *attr,
-+ char *buf)
-+{
-+ uint64_t dsize;
-+ int rc;
-+
-+ rc = secvar_ops->get(kobj->name, strlen(kobj->name) + 1, NULL, &dsize);
-+ if (rc) {
-+ pr_err("Error retrieving %s variable size %d\n", kobj->name,
-+ rc);
-+ return rc;
-+ }
-+
-+ return sprintf(buf, "%llu\n", dsize);
-+}
-+
-+static ssize_t data_read(struct file *filep, struct kobject *kobj,
-+ struct bin_attribute *attr, char *buf, loff_t off,
-+ size_t count)
-+{
-+ uint64_t dsize;
-+ char *data;
-+ int rc;
-+
-+ rc = secvar_ops->get(kobj->name, strlen(kobj->name) + 1, NULL, &dsize);
-+ if (rc) {
-+ pr_err("Error getting %s variable size %d\n", kobj->name, rc);
-+ return rc;
-+ }
-+ pr_debug("dsize is %llu\n", dsize);
-+
-+ data = kzalloc(dsize, GFP_KERNEL);
-+ if (!data)
-+ return -ENOMEM;
-+
-+ rc = secvar_ops->get(kobj->name, strlen(kobj->name) + 1, data, &dsize);
-+ if (rc) {
-+ pr_err("Error getting %s variable %d\n", kobj->name, rc);
-+ goto data_fail;
-+ }
-+
-+ rc = memory_read_from_buffer(buf, count, &off, data, dsize);
-+
-+data_fail:
-+ kfree(data);
-+ return rc;
-+}
-+
-+static ssize_t update_write(struct file *filep, struct kobject *kobj,
-+ struct bin_attribute *attr, char *buf, loff_t off,
-+ size_t count)
-+{
-+ int rc;
-+
-+ pr_debug("count is %ld\n", count);
-+ rc = secvar_ops->set(kobj->name, strlen(kobj->name) + 1, buf, count);
-+ if (rc) {
-+ pr_err("Error setting the %s variable %d\n", kobj->name, rc);
-+ return rc;
-+ }
-+
-+ return count;
-+}
-+
-+static struct kobj_attribute format_attr = __ATTR_RO(format);
-+
-+static struct kobj_attribute size_attr = __ATTR_RO(size);
-+
-+static struct bin_attribute data_attr = __BIN_ATTR_RO(data, 0);
-+
-+static struct bin_attribute update_attr = __BIN_ATTR_WO(update, 0);
-+
-+static struct bin_attribute *secvar_bin_attrs[] = {
-+ &data_attr,
-+ &update_attr,
-+ NULL,
-+};
-+
-+static struct attribute *secvar_attrs[] = {
-+ &size_attr.attr,
-+ NULL,
-+};
-+
-+static const struct attribute_group secvar_attr_group = {
-+ .attrs = secvar_attrs,
-+ .bin_attrs = secvar_bin_attrs,
-+};
-+__ATTRIBUTE_GROUPS(secvar_attr);
-+
-+static struct kobj_type secvar_ktype = {
-+ .sysfs_ops = &kobj_sysfs_ops,
-+ .default_groups = secvar_attr_groups,
-+};
-+
-+static int update_kobj_size(void)
-+{
-+
-+ struct device_node *node;
-+ u64 varsize;
-+ int rc = 0;
-+
-+ node = of_find_compatible_node(NULL, NULL, "ibm,secvar-backend");
-+ if (!of_device_is_available(node)) {
-+ rc = -ENODEV;
-+ goto out;
-+ }
-+
-+ rc = of_property_read_u64(node, "max-var-size", &varsize);
-+ if (rc)
-+ goto out;
-+
-+ data_attr.size = varsize;
-+ update_attr.size = varsize;
-+
-+out:
-+ of_node_put(node);
-+
-+ return rc;
-+}
-+
-+static int secvar_sysfs_load(void)
-+{
-+ char *name;
-+ uint64_t namesize = 0;
-+ struct kobject *kobj;
-+ int rc;
-+
-+ name = kzalloc(NAME_MAX_SIZE, GFP_KERNEL);
-+ if (!name)
-+ return -ENOMEM;
-+
-+ do {
-+ rc = secvar_ops->get_next(name, &namesize, NAME_MAX_SIZE);
-+ if (rc) {
-+ if (rc != -ENOENT)
-+ pr_err("error getting secvar from firmware %d\n",
-+ rc);
-+ break;
-+ }
-+
-+ kobj = kzalloc(sizeof(*kobj), GFP_KERNEL);
-+ if (!kobj) {
-+ rc = -ENOMEM;
-+ break;
-+ }
-+
-+ kobject_init(kobj, &secvar_ktype);
-+
-+ rc = kobject_add(kobj, &secvar_kset->kobj, "%s", name);
-+ if (rc) {
-+ pr_warn("kobject_add error %d for attribute: %s\n", rc,
-+ name);
-+ kobject_put(kobj);
-+ kobj = NULL;
-+ }
-+
-+ if (kobj)
-+ kobject_uevent(kobj, KOBJ_ADD);
-+
-+ } while (!rc);
-+
-+ kfree(name);
-+ return rc;
-+}
-+
-+static int secvar_sysfs_init(void)
-+{
-+ int rc;
-+
-+ if (!secvar_ops) {
-+ pr_warn("secvar: failed to retrieve secvar operations.\n");
-+ return -ENODEV;
-+ }
-+
-+ secvar_kobj = kobject_create_and_add("secvar", firmware_kobj);
-+ if (!secvar_kobj) {
-+ pr_err("secvar: Failed to create firmware kobj\n");
-+ return -ENOMEM;
-+ }
-+
-+ rc = sysfs_create_file(secvar_kobj, &format_attr.attr);
-+ if (rc) {
-+ kobject_put(secvar_kobj);
-+ return -ENOMEM;
-+ }
-+
-+ secvar_kset = kset_create_and_add("vars", NULL, secvar_kobj);
-+ if (!secvar_kset) {
-+ pr_err("secvar: sysfs kobject registration failed.\n");
-+ kobject_put(secvar_kobj);
-+ return -ENOMEM;
-+ }
-+
-+ rc = update_kobj_size();
-+ if (rc) {
-+ pr_err("Cannot read the size of the attribute\n");
-+ return rc;
-+ }
-+
-+ secvar_sysfs_load();
-+
-+ return 0;
-+}
-+
-+late_initcall(secvar_sysfs_init);
diff --git a/openpower/linux/0012-x86-efi-move-common-keyring-handler-functions-to-new.patch b/openpower/linux/0012-x86-efi-move-common-keyring-handler-functions-to-new.patch
deleted file mode 100644
index e0b01c9..0000000
--- a/openpower/linux/0012-x86-efi-move-common-keyring-handler-functions-to-new.patch
+++ /dev/null
@@ -1,251 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Sun, 10 Nov 2019 21:10:35 -0600
-Subject: [PATCH 12/19] x86/efi: move common keyring handler functions to new
- file
-
-The handlers to add the keys to the .platform keyring and blacklisted
-hashes to the .blacklist keyring is common for both the uefi and powerpc
-mechanisms of loading the keys/hashes from the firmware.
-
-This patch moves the common code from load_uefi.c to keyring_handler.c
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Acked-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Eric Richter <erichte@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1573441836-3632-4-git-send-email-nayna@linux.ibm.com
-(cherry picked from commit ad723674d6758478829ee766e3f1a2a24d56236f)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- security/integrity/Makefile | 3 +-
- .../platform_certs/keyring_handler.c | 80 +++++++++++++++++++
- .../platform_certs/keyring_handler.h | 32 ++++++++
- security/integrity/platform_certs/load_uefi.c | 67 +---------------
- 4 files changed, 115 insertions(+), 67 deletions(-)
- create mode 100644 security/integrity/platform_certs/keyring_handler.c
- create mode 100644 security/integrity/platform_certs/keyring_handler.h
-
-diff --git a/security/integrity/Makefile b/security/integrity/Makefile
-index 35e6ca773734..351c9662994b 100644
---- a/security/integrity/Makefile
-+++ b/security/integrity/Makefile
-@@ -11,7 +11,8 @@ integrity-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o
- integrity-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o
- integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o
- integrity-$(CONFIG_LOAD_UEFI_KEYS) += platform_certs/efi_parser.o \
-- platform_certs/load_uefi.o
-+ platform_certs/load_uefi.o \
-+ platform_certs/keyring_handler.o
- integrity-$(CONFIG_LOAD_IPL_KEYS) += platform_certs/load_ipl_s390.o
-
- obj-$(CONFIG_IMA) += ima/
-diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c
-new file mode 100644
-index 000000000000..c5ba695c10e3
---- /dev/null
-+++ b/security/integrity/platform_certs/keyring_handler.c
-@@ -0,0 +1,80 @@
-+// SPDX-License-Identifier: GPL-2.0
-+
-+#include <linux/kernel.h>
-+#include <linux/sched.h>
-+#include <linux/cred.h>
-+#include <linux/err.h>
-+#include <linux/efi.h>
-+#include <linux/slab.h>
-+#include <keys/asymmetric-type.h>
-+#include <keys/system_keyring.h>
-+#include "../integrity.h"
-+
-+static efi_guid_t efi_cert_x509_guid __initdata = EFI_CERT_X509_GUID;
-+static efi_guid_t efi_cert_x509_sha256_guid __initdata =
-+ EFI_CERT_X509_SHA256_GUID;
-+static efi_guid_t efi_cert_sha256_guid __initdata = EFI_CERT_SHA256_GUID;
-+
-+/*
-+ * Blacklist a hash.
-+ */
-+static __init void uefi_blacklist_hash(const char *source, const void *data,
-+ size_t len, const char *type,
-+ size_t type_len)
-+{
-+ char *hash, *p;
-+
-+ hash = kmalloc(type_len + len * 2 + 1, GFP_KERNEL);
-+ if (!hash)
-+ return;
-+ p = memcpy(hash, type, type_len);
-+ p += type_len;
-+ bin2hex(p, data, len);
-+ p += len * 2;
-+ *p = 0;
-+
-+ mark_hash_blacklisted(hash);
-+ kfree(hash);
-+}
-+
-+/*
-+ * Blacklist an X509 TBS hash.
-+ */
-+static __init void uefi_blacklist_x509_tbs(const char *source,
-+ const void *data, size_t len)
-+{
-+ uefi_blacklist_hash(source, data, len, "tbs:", 4);
-+}
-+
-+/*
-+ * Blacklist the hash of an executable.
-+ */
-+static __init void uefi_blacklist_binary(const char *source,
-+ const void *data, size_t len)
-+{
-+ uefi_blacklist_hash(source, data, len, "bin:", 4);
-+}
-+
-+/*
-+ * Return the appropriate handler for particular signature list types found in
-+ * the UEFI db and MokListRT tables.
-+ */
-+__init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
-+{
-+ if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
-+ return add_to_platform_keyring;
-+ return 0;
-+}
-+
-+/*
-+ * Return the appropriate handler for particular signature list types found in
-+ * the UEFI dbx and MokListXRT tables.
-+ */
-+__init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type)
-+{
-+ if (efi_guidcmp(*sig_type, efi_cert_x509_sha256_guid) == 0)
-+ return uefi_blacklist_x509_tbs;
-+ if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0)
-+ return uefi_blacklist_binary;
-+ return 0;
-+}
-diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h
-new file mode 100644
-index 000000000000..2462bfa08fe3
---- /dev/null
-+++ b/security/integrity/platform_certs/keyring_handler.h
-@@ -0,0 +1,32 @@
-+/* SPDX-License-Identifier: GPL-2.0 */
-+
-+#ifndef PLATFORM_CERTS_INTERNAL_H
-+#define PLATFORM_CERTS_INTERNAL_H
-+
-+#include <linux/efi.h>
-+
-+void blacklist_hash(const char *source, const void *data,
-+ size_t len, const char *type,
-+ size_t type_len);
-+
-+/*
-+ * Blacklist an X509 TBS hash.
-+ */
-+void blacklist_x509_tbs(const char *source, const void *data, size_t len);
-+
-+/*
-+ * Blacklist the hash of an executable.
-+ */
-+void blacklist_binary(const char *source, const void *data, size_t len);
-+
-+/*
-+ * Return the handler for particular signature list types found in the db.
-+ */
-+efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type);
-+
-+/*
-+ * Return the handler for particular signature list types found in the dbx.
-+ */
-+efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type);
-+
-+#endif
-diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
-index 020fc7a11ef0..aa874d84e413 100644
---- a/security/integrity/platform_certs/load_uefi.c
-+++ b/security/integrity/platform_certs/load_uefi.c
-@@ -9,6 +9,7 @@
- #include <keys/asymmetric-type.h>
- #include <keys/system_keyring.h>
- #include "../integrity.h"
-+#include "keyring_handler.h"
-
- static efi_guid_t efi_cert_x509_guid __initdata = EFI_CERT_X509_GUID;
- static efi_guid_t efi_cert_x509_sha256_guid __initdata =
-@@ -69,72 +70,6 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
- return db;
- }
-
--/*
-- * Blacklist a hash.
-- */
--static __init void uefi_blacklist_hash(const char *source, const void *data,
-- size_t len, const char *type,
-- size_t type_len)
--{
-- char *hash, *p;
--
-- hash = kmalloc(type_len + len * 2 + 1, GFP_KERNEL);
-- if (!hash)
-- return;
-- p = memcpy(hash, type, type_len);
-- p += type_len;
-- bin2hex(p, data, len);
-- p += len * 2;
-- *p = 0;
--
-- mark_hash_blacklisted(hash);
-- kfree(hash);
--}
--
--/*
-- * Blacklist an X509 TBS hash.
-- */
--static __init void uefi_blacklist_x509_tbs(const char *source,
-- const void *data, size_t len)
--{
-- uefi_blacklist_hash(source, data, len, "tbs:", 4);
--}
--
--/*
-- * Blacklist the hash of an executable.
-- */
--static __init void uefi_blacklist_binary(const char *source,
-- const void *data, size_t len)
--{
-- uefi_blacklist_hash(source, data, len, "bin:", 4);
--}
--
--/*
-- * Return the appropriate handler for particular signature list types found in
-- * the UEFI db and MokListRT tables.
-- */
--static __init efi_element_handler_t get_handler_for_db(const efi_guid_t *
-- sig_type)
--{
-- if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
-- return add_to_platform_keyring;
-- return 0;
--}
--
--/*
-- * Return the appropriate handler for particular signature list types found in
-- * the UEFI dbx and MokListXRT tables.
-- */
--static __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *
-- sig_type)
--{
-- if (efi_guidcmp(*sig_type, efi_cert_x509_sha256_guid) == 0)
-- return uefi_blacklist_x509_tbs;
-- if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0)
-- return uefi_blacklist_binary;
-- return 0;
--}
--
- /*
- * Load the certs contained in the UEFI databases into the platform trusted
- * keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist
diff --git a/openpower/linux/0013-powerpc-Load-firmware-trusted-keys-hashes-into-kerne.patch b/openpower/linux/0013-powerpc-Load-firmware-trusted-keys-hashes-into-kerne.patch
deleted file mode 100644
index 83a0346..0000000
--- a/openpower/linux/0013-powerpc-Load-firmware-trusted-keys-hashes-into-kerne.patch
+++ /dev/null
@@ -1,163 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Sun, 10 Nov 2019 21:10:36 -0600
-Subject: [PATCH 13/19] powerpc: Load firmware trusted keys/hashes into kernel
- keyring
-
-The keys used to verify the Host OS kernel are managed by firmware as
-secure variables. This patch loads the verification keys into the
-.platform keyring and revocation hashes into .blacklist keyring. This
-enables verification and loading of the kernels signed by the boot
-time keys which are trusted by firmware.
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Eric Richter <erichte@linux.ibm.com>
-[mpe: Search by compatible in load_powerpc_certs(), not using format]
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1573441836-3632-5-git-send-email-nayna@linux.ibm.com
-(cherry picked from commit 8220e22d11a05049aab9693839ab82e5e177ccde)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- security/integrity/Kconfig | 9 ++
- security/integrity/Makefile | 4 +-
- .../integrity/platform_certs/load_powerpc.c | 96 +++++++++++++++++++
- 3 files changed, 108 insertions(+), 1 deletion(-)
- create mode 100644 security/integrity/platform_certs/load_powerpc.c
-
-diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
-index 0bae6adb63a9..71f0177e8716 100644
---- a/security/integrity/Kconfig
-+++ b/security/integrity/Kconfig
-@@ -72,6 +72,15 @@ config LOAD_IPL_KEYS
- depends on S390
- def_bool y
-
-+config LOAD_PPC_KEYS
-+ bool "Enable loading of platform and blacklisted keys for POWER"
-+ depends on INTEGRITY_PLATFORM_KEYRING
-+ depends on PPC_SECURE_BOOT
-+ default y
-+ help
-+ Enable loading of keys to the .platform keyring and blacklisted
-+ hashes to the .blacklist keyring for powerpc based platforms.
-+
- config INTEGRITY_AUDIT
- bool "Enables integrity auditing support "
- depends on AUDIT
-diff --git a/security/integrity/Makefile b/security/integrity/Makefile
-index 351c9662994b..7ee39d66cf16 100644
---- a/security/integrity/Makefile
-+++ b/security/integrity/Makefile
-@@ -14,6 +14,8 @@ integrity-$(CONFIG_LOAD_UEFI_KEYS) += platform_certs/efi_parser.o \
- platform_certs/load_uefi.o \
- platform_certs/keyring_handler.o
- integrity-$(CONFIG_LOAD_IPL_KEYS) += platform_certs/load_ipl_s390.o
--
-+integrity-$(CONFIG_LOAD_PPC_KEYS) += platform_certs/efi_parser.o \
-+ platform_certs/load_powerpc.o \
-+ platform_certs/keyring_handler.o
- obj-$(CONFIG_IMA) += ima/
- obj-$(CONFIG_EVM) += evm/
-diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c
-new file mode 100644
-index 000000000000..a2900cb85357
---- /dev/null
-+++ b/security/integrity/platform_certs/load_powerpc.c
-@@ -0,0 +1,96 @@
-+// SPDX-License-Identifier: GPL-2.0
-+/*
-+ * Copyright (C) 2019 IBM Corporation
-+ * Author: Nayna Jain
-+ *
-+ * - loads keys and hashes stored and controlled by the firmware.
-+ */
-+#include <linux/kernel.h>
-+#include <linux/sched.h>
-+#include <linux/cred.h>
-+#include <linux/err.h>
-+#include <linux/slab.h>
-+#include <linux/of.h>
-+#include <asm/secure_boot.h>
-+#include <asm/secvar.h>
-+#include "keyring_handler.h"
-+
-+/*
-+ * Get a certificate list blob from the named secure variable.
-+ */
-+static __init void *get_cert_list(u8 *key, unsigned long keylen, uint64_t *size)
-+{
-+ int rc;
-+ void *db;
-+
-+ rc = secvar_ops->get(key, keylen, NULL, size);
-+ if (rc) {
-+ pr_err("Couldn't get size: %d\n", rc);
-+ return NULL;
-+ }
-+
-+ db = kmalloc(*size, GFP_KERNEL);
-+ if (!db)
-+ return NULL;
-+
-+ rc = secvar_ops->get(key, keylen, db, size);
-+ if (rc) {
-+ kfree(db);
-+ pr_err("Error reading %s var: %d\n", key, rc);
-+ return NULL;
-+ }
-+
-+ return db;
-+}
-+
-+/*
-+ * Load the certs contained in the keys databases into the platform trusted
-+ * keyring and the blacklisted X.509 cert SHA256 hashes into the blacklist
-+ * keyring.
-+ */
-+static int __init load_powerpc_certs(void)
-+{
-+ void *db = NULL, *dbx = NULL;
-+ uint64_t dbsize = 0, dbxsize = 0;
-+ int rc = 0;
-+ struct device_node *node;
-+
-+ if (!secvar_ops)
-+ return -ENODEV;
-+
-+ /* The following only applies for the edk2-compat backend. */
-+ node = of_find_compatible_node(NULL, NULL, "ibm,edk2-compat-v1");
-+ if (!node)
-+ return -ENODEV;
-+
-+ /*
-+ * Get db, and dbx. They might not exist, so it isn't an error if we
-+ * can't get them.
-+ */
-+ db = get_cert_list("db", 3, &dbsize);
-+ if (!db) {
-+ pr_err("Couldn't get db list from firmware\n");
-+ } else {
-+ rc = parse_efi_signature_list("powerpc:db", db, dbsize,
-+ get_handler_for_db);
-+ if (rc)
-+ pr_err("Couldn't parse db signatures: %d\n", rc);
-+ kfree(db);
-+ }
-+
-+ dbx = get_cert_list("dbx", 4, &dbxsize);
-+ if (!dbx) {
-+ pr_info("Couldn't get dbx list from firmware\n");
-+ } else {
-+ rc = parse_efi_signature_list("powerpc:dbx", dbx, dbxsize,
-+ get_handler_for_dbx);
-+ if (rc)
-+ pr_err("Couldn't parse dbx signatures: %d\n", rc);
-+ kfree(dbx);
-+ }
-+
-+ of_node_put(node);
-+
-+ return rc;
-+}
-+late_initcall(load_powerpc_certs);
diff --git a/openpower/linux/0014-powerpc-xmon-Allow-listing-and-clearing-breakpoints-.patch b/openpower/linux/0014-powerpc-xmon-Allow-listing-and-clearing-breakpoints-.patch
deleted file mode 100644
index 5559a8a..0000000
--- a/openpower/linux/0014-powerpc-xmon-Allow-listing-and-clearing-breakpoints-.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: "Christopher M. Riedl" <cmr@informatik.wtf>
-Date: Sat, 7 Sep 2019 01:11:23 -0500
-Subject: [PATCH 14/19] powerpc/xmon: Allow listing and clearing breakpoints in
- read-only mode
-
-Read-only mode should not prevent listing and clearing any active
-breakpoints.
-
-Tested-by: Daniel Axtens <dja@axtens.net>
-Reviewed-by: Daniel Axtens <dja@axtens.net>
-Signed-off-by: Christopher M. Riedl <cmr@informatik.wtf>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/20190907061124.1947-2-cmr@informatik.wtf
-(cherry picked from commit 96664dee5cf1815777286227b09884b4f019727f)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/xmon/xmon.c | 16 +++++++++++-----
- 1 file changed, 11 insertions(+), 5 deletions(-)
-
-diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c
-index 6d130c89fbd8..ab6371aedfcb 100644
---- a/arch/powerpc/xmon/xmon.c
-+++ b/arch/powerpc/xmon/xmon.c
-@@ -1096,10 +1096,6 @@ cmds(struct pt_regs *excp)
- set_lpp_cmd();
- break;
- case 'b':
-- if (xmon_is_ro) {
-- printf(xmon_ro_msg);
-- break;
-- }
- bpt_cmds();
- break;
- case 'C':
-@@ -1368,11 +1364,16 @@ bpt_cmds(void)
- struct bpt *bp;
-
- cmd = inchar();
-+
- switch (cmd) {
- #ifndef CONFIG_PPC_8xx
- static const char badaddr[] = "Only kernel addresses are permitted for breakpoints\n";
- int mode;
- case 'd': /* bd - hardware data breakpoint */
-+ if (xmon_is_ro) {
-+ printf(xmon_ro_msg);
-+ break;
-+ }
- if (!ppc_breakpoint_available()) {
- printf("Hardware data breakpoint not supported on this cpu\n");
- break;
-@@ -1400,6 +1401,10 @@ bpt_cmds(void)
- break;
-
- case 'i': /* bi - hardware instr breakpoint */
-+ if (xmon_is_ro) {
-+ printf(xmon_ro_msg);
-+ break;
-+ }
- if (!cpu_has_feature(CPU_FTR_ARCH_207S)) {
- printf("Hardware instruction breakpoint "
- "not supported on this cpu\n");
-@@ -1458,7 +1463,8 @@ bpt_cmds(void)
- break;
- }
- termch = cmd;
-- if (!scanhex(&a)) {
-+
-+ if (xmon_is_ro || !scanhex(&a)) {
- /* print all breakpoints */
- printf(" type address\n");
- if (dabr.enabled) {
diff --git a/openpower/linux/0015-powerpc-ima-Indicate-kernel-modules-appended-signatu.patch b/openpower/linux/0015-powerpc-ima-Indicate-kernel-modules-appended-signatu.patch
deleted file mode 100644
index 69f5314..0000000
--- a/openpower/linux/0015-powerpc-ima-Indicate-kernel-modules-appended-signatu.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Mimi Zohar <zohar@linux.ibm.com>
-Date: Wed, 30 Oct 2019 23:31:34 -0400
-Subject: [PATCH 15/19] powerpc/ima: Indicate kernel modules appended
- signatures are enforced
-
-The arch specific kernel module policy rule requires kernel modules to
-be signed, either as an IMA signature, stored as an xattr, or as an
-appended signature. As a result, kernel modules appended signatures
-could be enforced without "sig_enforce" being set or reflected in
-/sys/module/module/parameters/sig_enforce. This patch sets
-"sig_enforce".
-
-Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1572492694-6520-10-git-send-email-zohar@linux.ibm.com
-(cherry picked from commit d72ea4915c7e6fa5e7b9022a34df66e375bfe46c)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/kernel/ima_arch.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
-index b9de0fb45bb9..e34116255ced 100644
---- a/arch/powerpc/kernel/ima_arch.c
-+++ b/arch/powerpc/kernel/ima_arch.c
-@@ -62,13 +62,17 @@ static const char *const secure_and_trusted_rules[] = {
- */
- const char *const *arch_get_ima_policy(void)
- {
-- if (is_ppc_secureboot_enabled())
-+ if (is_ppc_secureboot_enabled()) {
-+ if (IS_ENABLED(CONFIG_MODULE_SIG))
-+ set_module_sig_enforced();
-+
- if (is_ppc_trustedboot_enabled())
- return secure_and_trusted_rules;
- else
- return secure_rules;
-- else if (is_ppc_trustedboot_enabled())
-+ } else if (is_ppc_trustedboot_enabled()) {
- return trusted_rules;
-+ }
-
- return NULL;
- }
diff --git a/openpower/linux/0016-powerpc-ima-Fix-secure-boot-rules-in-ima-arch-policy.patch b/openpower/linux/0016-powerpc-ima-Fix-secure-boot-rules-in-ima-arch-policy.patch
deleted file mode 100644
index 1ba2c2f..0000000
--- a/openpower/linux/0016-powerpc-ima-Fix-secure-boot-rules-in-ima-arch-policy.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Fri, 1 May 2020 10:16:52 -0400
-Subject: [PATCH 16/19] powerpc/ima: Fix secure boot rules in ima arch policy
-
-To prevent verifying the kernel module appended signature
-twice (finit_module), once by the module_sig_check() and again by IMA,
-powerpc secure boot rules define an IMA architecture specific policy
-rule only if CONFIG_MODULE_SIG_FORCE is not enabled. This,
-unfortunately, does not take into account the ability of enabling
-"sig_enforce" on the boot command line (module.sig_enforce=1).
-
-Including the IMA module appraise rule results in failing the
-finit_module syscall, unless the module signing public key is loaded
-onto the IMA keyring.
-
-This patch fixes secure boot policy rules to be based on
-CONFIG_MODULE_SIG instead.
-
-Fixes: 4238fad366a6 ("powerpc/ima: Add support to initialize ima policy rules")
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
-Link: https://lore.kernel.org/r/1588342612-14532-1-git-send-email-nayna@linux.ibm.com
-(cherry picked from commit fa4f3f56ccd28ac031ab275e673ed4098855fed4)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/kernel/ima_arch.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
-index e34116255ced..957abd592075 100644
---- a/arch/powerpc/kernel/ima_arch.c
-+++ b/arch/powerpc/kernel/ima_arch.c
-@@ -19,12 +19,12 @@ bool arch_ima_get_secureboot(void)
- * to be stored as an xattr or as an appended signature.
- *
- * To avoid duplicate signature verification as much as possible, the IMA
-- * policy rule for module appraisal is added only if CONFIG_MODULE_SIG_FORCE
-+ * policy rule for module appraisal is added only if CONFIG_MODULE_SIG
- * is not enabled.
- */
- static const char *const secure_rules[] = {
- "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
--#ifndef CONFIG_MODULE_SIG_FORCE
-+#ifndef CONFIG_MODULE_SIG
- "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
- #endif
- NULL
-@@ -50,7 +50,7 @@ static const char *const secure_and_trusted_rules[] = {
- "measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
- "measure func=MODULE_CHECK template=ima-modsig",
- "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
--#ifndef CONFIG_MODULE_SIG_FORCE
-+#ifndef CONFIG_MODULE_SIG
- "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
- #endif
- NULL
diff --git a/openpower/linux/0017-powerpc-configs-Update-to-upstream-and-enable-secure.patch b/openpower/linux/0017-powerpc-configs-Update-to-upstream-and-enable-secure.patch
deleted file mode 100644
index 3fbe01a..0000000
--- a/openpower/linux/0017-powerpc-configs-Update-to-upstream-and-enable-secure.patch
+++ /dev/null
@@ -1,222 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Joel Stanley <joel@jms.id.au>
-Date: Tue, 23 Jun 2020 16:22:10 +0930
-Subject: [PATCH 17/19] powerpc/configs: Update to upstream and enable
- secureboot
-
-Pulls in the following updates from upstream:
-
- scsi: sr: remove references to BLK_DEV_SR_VENDOR, leave it enabled
- powerpc/configs/skiroot: Enable some more hardening options
- powerpc/configs/skiroot: Disable xmon default & enable reboot on panic
- powerpc/configs/skiroot: Enable security features
- powerpc/configs/skiroot: Update for symbol movement only
- powerpc/configs/skiroot: Drop default n CONFIG_CRYPTO_ECHAINIV
- powerpc/configs/skiroot: Drop HID_LOGITECH
- powerpc/configs: Drop NET_VENDOR_HP which moved to staging
- powerpc/configs: NET_CADENCE became NET_VENDOR_CADENCE
- powerpc/configs: Drop CONFIG_QLGE which moved to staging
- powerpc/configs: remove obsolete CONFIG_INET_XFRM_MODE_* and CONFIG_INET6_XFRM_MODE_*
- powerpc/configs: add FADump awareness to skiroot_defconfig
-
-In addition, it enables IMA and secureboot options.
-
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/configs/skiroot_defconfig | 83 ++++++++++++++++----------
- 1 file changed, 53 insertions(+), 30 deletions(-)
-
-diff --git a/arch/powerpc/configs/skiroot_defconfig b/arch/powerpc/configs/skiroot_defconfig
-index 2e25b264f70f..44309e12d84a 100644
---- a/arch/powerpc/configs/skiroot_defconfig
-+++ b/arch/powerpc/configs/skiroot_defconfig
-@@ -1,13 +1,9 @@
--CONFIG_PPC64=y
--CONFIG_ALTIVEC=y
--CONFIG_VSX=y
--CONFIG_NR_CPUS=2048
--CONFIG_CPU_LITTLE_ENDIAN=y
- CONFIG_KERNEL_XZ=y
- # CONFIG_SWAP is not set
- CONFIG_SYSVIPC=y
- CONFIG_POSIX_MQUEUE=y
- # CONFIG_CROSS_MEMORY_ATTACH is not set
-+CONFIG_AUDIT=y
- CONFIG_NO_HZ=y
- CONFIG_HIGH_RES_TIMERS=y
- # CONFIG_CPU_ISOLATION is not set
-@@ -28,17 +24,15 @@ CONFIG_EXPERT=y
- # CONFIG_AIO is not set
- CONFIG_PERF_EVENTS=y
- # CONFIG_COMPAT_BRK is not set
-+# CONFIG_SLAB_MERGE_DEFAULT is not set
-+CONFIG_SLAB_FREELIST_RANDOM=y
- CONFIG_SLAB_FREELIST_HARDENED=y
--CONFIG_JUMP_LABEL=y
--CONFIG_STRICT_KERNEL_RWX=y
--CONFIG_MODULES=y
--CONFIG_MODULE_UNLOAD=y
--CONFIG_MODULE_SIG=y
--CONFIG_MODULE_SIG_FORCE=y
--CONFIG_MODULE_SIG_SHA512=y
--CONFIG_PARTITION_ADVANCED=y
--# CONFIG_MQ_IOSCHED_DEADLINE is not set
--# CONFIG_MQ_IOSCHED_KYBER is not set
-+CONFIG_PPC64=y
-+CONFIG_ALTIVEC=y
-+CONFIG_VSX=y
-+CONFIG_NR_CPUS=2048
-+CONFIG_CPU_LITTLE_ENDIAN=y
-+CONFIG_PANIC_TIMEOUT=30
- # CONFIG_PPC_VAS is not set
- # CONFIG_PPC_PSERIES is not set
- # CONFIG_PPC_OF_BOOT_TRAMPOLINE is not set
-@@ -46,16 +40,27 @@ CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y
- CONFIG_CPU_IDLE=y
- CONFIG_HZ_100=y
- CONFIG_KEXEC=y
-+CONFIG_KEXEC_FILE=y
-+CONFIG_PRESERVE_FA_DUMP=y
- CONFIG_IRQ_ALL_CPUS=y
- CONFIG_NUMA=y
--# CONFIG_COMPACTION is not set
--# CONFIG_MIGRATION is not set
- CONFIG_PPC_64K_PAGES=y
- CONFIG_SCHED_SMT=y
- CONFIG_CMDLINE_BOOL=y
- CONFIG_CMDLINE="console=tty0 console=hvc0 ipr.fast_reboot=1 quiet"
- # CONFIG_SECCOMP is not set
- # CONFIG_PPC_MEM_KEYS is not set
-+CONFIG_PPC_SECURE_BOOT=y
-+CONFIG_JUMP_LABEL=y
-+CONFIG_MODULES=y
-+CONFIG_MODULE_UNLOAD=y
-+CONFIG_MODULE_SIG_FORCE=y
-+CONFIG_MODULE_SIG_SHA512=y
-+CONFIG_PARTITION_ADVANCED=y
-+# CONFIG_MQ_IOSCHED_DEADLINE is not set
-+# CONFIG_MQ_IOSCHED_KYBER is not set
-+# CONFIG_COMPACTION is not set
-+# CONFIG_MIGRATION is not set
- CONFIG_NET=y
- CONFIG_PACKET=y
- CONFIG_UNIX=y
-@@ -63,9 +68,6 @@ CONFIG_INET=y
- CONFIG_IP_MULTICAST=y
- CONFIG_NET_IPIP=y
- CONFIG_SYN_COOKIES=y
--# CONFIG_INET_XFRM_MODE_TRANSPORT is not set
--# CONFIG_INET_XFRM_MODE_TUNNEL is not set
--# CONFIG_INET_XFRM_MODE_BEET is not set
- CONFIG_DNS_RESOLVER=y
- # CONFIG_WIRELESS is not set
- CONFIG_DEVTMPFS=y
-@@ -139,7 +141,6 @@ CONFIG_TIGON3=m
- CONFIG_BNX2X=m
- # CONFIG_NET_VENDOR_BROCADE is not set
- # CONFIG_NET_VENDOR_CADENCE is not set
--# CONFIG_NET_CADENCE is not set
- # CONFIG_NET_VENDOR_CAVIUM is not set
- CONFIG_CHELSIO_T1=m
- # CONFIG_NET_VENDOR_CISCO is not set
-@@ -148,7 +149,6 @@ CONFIG_CHELSIO_T1=m
- # CONFIG_NET_VENDOR_DLINK is not set
- CONFIG_BE2NET=m
- # CONFIG_NET_VENDOR_EZCHIP is not set
--# CONFIG_NET_VENDOR_HP is not set
- # CONFIG_NET_VENDOR_HUAWEI is not set
- CONFIG_E1000=m
- CONFIG_E1000E=m
-@@ -156,7 +156,6 @@ CONFIG_IGB=m
- CONFIG_IXGB=m
- CONFIG_IXGBE=m
- CONFIG_I40E=m
--CONFIG_S2IO=m
- # CONFIG_NET_VENDOR_MARVELL is not set
- CONFIG_MLX4_EN=m
- # CONFIG_MLX4_CORE_GEN2 is not set
-@@ -167,12 +166,12 @@ CONFIG_MLX5_CORE_EN=y
- # CONFIG_NET_VENDOR_MICROSEMI is not set
- CONFIG_MYRI10GE=m
- # CONFIG_NET_VENDOR_NATSEMI is not set
-+CONFIG_S2IO=m
- # CONFIG_NET_VENDOR_NETRONOME is not set
- # CONFIG_NET_VENDOR_NI is not set
- # CONFIG_NET_VENDOR_NVIDIA is not set
- # CONFIG_NET_VENDOR_OKI is not set
- # CONFIG_NET_VENDOR_PACKET_ENGINES is not set
--CONFIG_QLGE=m
- CONFIG_NETXEN_NIC=m
- CONFIG_QED=m
- CONFIG_QEDE=m
-@@ -210,7 +209,6 @@ CONFIG_IPMI_DEVICE_INTERFACE=y
- CONFIG_IPMI_POWERNV=y
- CONFIG_IPMI_WATCHDOG=y
- CONFIG_HW_RANDOM=y
--CONFIG_TCG_TPM=y
- CONFIG_TCG_TIS_I2C_NUVOTON=y
- # CONFIG_DEVPORT is not set
- CONFIG_I2C=y
-@@ -239,7 +237,6 @@ CONFIG_HID_CYPRESS=y
- CONFIG_HID_EZKEY=y
- CONFIG_HID_ITE=y
- CONFIG_HID_KENSINGTON=y
--CONFIG_HID_LOGITECH=y
- CONFIG_HID_MICROSOFT=y
- CONFIG_HID_MONTEREY=y
- CONFIG_USB_HIDDEV=y
-@@ -276,6 +273,29 @@ CONFIG_NLS_CODEPAGE_437=y
- CONFIG_NLS_ASCII=y
- CONFIG_NLS_ISO8859_1=y
- CONFIG_NLS_UTF8=y
-+CONFIG_ENCRYPTED_KEYS=y
-+CONFIG_SECURITY=y
-+CONFIG_HARDENED_USERCOPY=y
-+# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
-+CONFIG_HARDENED_USERCOPY_PAGESPAN=y
-+CONFIG_FORTIFY_SOURCE=y
-+CONFIG_SECURITY_LOCKDOWN_LSM=y
-+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
-+CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
-+CONFIG_INTEGRITY_SIGNATURE=y
-+CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
-+CONFIG_INTEGRITY_PLATFORM_KEYRING=y
-+CONFIG_IMA=y
-+CONFIG_IMA_KEXEC=y
-+CONFIG_IMA_SIG_TEMPLATE=y
-+CONFIG_IMA_DEFAULT_HASH_SHA256=y
-+CONFIG_IMA_READ_POLICY=y
-+CONFIG_IMA_APPRAISE=y
-+CONFIG_IMA_ARCH_POLICY=y
-+CONFIG_IMA_APPRAISE_MODSIG=y
-+CONFIG_LSM="yama,loadpin,safesetid,integrity"
-+# CONFIG_CRYPTO_HW is not set
-+CONFIG_SYSTEM_BLACKLIST_KEYRING=y
- CONFIG_CRC16=y
- CONFIG_CRC_ITU_T=y
- CONFIG_LIBCRC32C=y
-@@ -286,17 +306,20 @@ CONFIG_LIBCRC32C=y
- # CONFIG_XZ_DEC_SPARC is not set
- CONFIG_PRINTK_TIME=y
- CONFIG_MAGIC_SYSRQ=y
-+CONFIG_SLUB_DEBUG_ON=y
- CONFIG_DEBUG_STACKOVERFLOW=y
- CONFIG_SOFTLOCKUP_DETECTOR=y
- CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y
- CONFIG_HARDLOCKUP_DETECTOR=y
- CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=y
- CONFIG_WQ_WATCHDOG=y
-+CONFIG_PANIC_ON_OOPS=y
- # CONFIG_SCHED_DEBUG is not set
-+CONFIG_SCHED_STACK_END_CHECK=y
-+CONFIG_DEBUG_SG=y
-+CONFIG_DEBUG_NOTIFIERS=y
-+CONFIG_DEBUG_CREDENTIALS=y
- # CONFIG_FTRACE is not set
- # CONFIG_RUNTIME_TESTING_MENU is not set
-+CONFIG_BUG_ON_DATA_CORRUPTION=y
- CONFIG_XMON=y
--CONFIG_XMON_DEFAULT=y
--CONFIG_ENCRYPTED_KEYS=y
--# CONFIG_CRYPTO_ECHAINIV is not set
--# CONFIG_CRYPTO_HW is not set
diff --git a/openpower/linux/0018-linux-configure-CONFIG_I2C_OPAL-as-in-built.patch b/openpower/linux/0018-linux-configure-CONFIG_I2C_OPAL-as-in-built.patch
deleted file mode 100644
index b679564..0000000
--- a/openpower/linux/0018-linux-configure-CONFIG_I2C_OPAL-as-in-built.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Joel Stanley <joel@jms.id.au>
-Date: Tue, 29 Sep 2020 16:07:53 +0930
-Subject: [PATCH 18/19] linux: configure CONFIG_I2C_OPAL as in-built.
-
-Currently, skiroot_defconfig CONFIG_I2C_OPAL is built as a loadable
-module rather than builtin, even if CONFIG_I2C=y is defined. This
-results in a delay in the TPM initialization, causing IMA to go into
-TPM bypass mode. As a result, the IMA measurements are added to the
-measurement list, but do not extend the TPM. Because of this, it is
-impossible to verify or attest to the system's integrity, either from
-skiroot or the target Host OS.
-
-Mimi Zohar <zohar@linux.ibm.com> explains more:
-
- The concept of trusted boot requires the measurement to be added to the
- measurement list and extend the TPM, prior to allowing access to the
- file. By allowing access to a file before its measurement is included
- in the measurement list and extended into the TPM PCR, a malicious file
- could potentially prevent its own measurement from being added. As the
- PCRs are tamper proof, measuring and extending the TPM prior to giving
- access to the file, guarantees that all file measurements are included
- in the measurement list, including the malicious file.
-
- IMA needs to be enabled before any files are accessed in order to
- verify a file's integrity and extend the TPM with the file
- measurement. Queueing file measurements breaks the measure and extend,
- before usage, trusted boot paradigm.
-
- The ima-evm-utils package includes a test for walking the IMA
- measurement list, calculating the expected TPM PCRs, and comparing the
- calculated PCR values with the physical TPM. Testing is important to
- ensure the TPM is initialized prior to IMA. Failure to validate the
- IMA measurement list may indicate IMA went into TPM bypass mode, like
- in this case.
-
-Reported-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/configs/skiroot_defconfig | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/powerpc/configs/skiroot_defconfig b/arch/powerpc/configs/skiroot_defconfig
-index 44309e12d84a..a555adb23591 100644
---- a/arch/powerpc/configs/skiroot_defconfig
-+++ b/arch/powerpc/configs/skiroot_defconfig
-@@ -216,7 +216,7 @@ CONFIG_I2C=y
- CONFIG_I2C_CHARDEV=y
- # CONFIG_I2C_HELPER_AUTO is not set
- CONFIG_I2C_ALGOBIT=y
--CONFIG_I2C_OPAL=m
-+CONFIG_I2C_OPAL=y
- CONFIG_PPS=y
- CONFIG_SENSORS_IBMPOWERNV=m
- CONFIG_DRM=m
diff --git a/openpower/linux/0019-Release-OpenPower-kernel.patch b/openpower/linux/0019-Release-OpenPower-kernel.patch
deleted file mode 100644
index 46af0ec..0000000
--- a/openpower/linux/0019-Release-OpenPower-kernel.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Joel Stanley <joel@jms.id.au>
-Date: Tue, 29 Sep 2020 15:39:53 +0930
-Subject: [PATCH 19/19] Release OpenPower kernel
-
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Makefile b/Makefile
-index acb2499d9b05..6f2e1028c57b 100644
---- a/Makefile
-+++ b/Makefile
-@@ -2,7 +2,7 @@
- VERSION = 5
- PATCHLEVEL = 4
- SUBLEVEL = 68
--EXTRAVERSION =
-+EXTRAVERSION = -openpower1
- NAME = Kleptomaniac Octopus
-
- # *DOCUMENTATION*