| From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
| From: Joel Stanley <joel@jms.id.au> |
| Date: Tue, 23 Jun 2020 16:22:10 +0930 |
| Subject: [PATCH 17/19] powerpc/configs: Update to upstream and enable |
| secureboot |
| |
| Pulls in the following updates from upstream: |
| |
| scsi: sr: remove references to BLK_DEV_SR_VENDOR, leave it enabled |
| powerpc/configs/skiroot: Enable some more hardening options |
| powerpc/configs/skiroot: Disable xmon default & enable reboot on panic |
| powerpc/configs/skiroot: Enable security features |
| powerpc/configs/skiroot: Update for symbol movement only |
| powerpc/configs/skiroot: Drop default n CONFIG_CRYPTO_ECHAINIV |
| powerpc/configs/skiroot: Drop HID_LOGITECH |
| powerpc/configs: Drop NET_VENDOR_HP which moved to staging |
| powerpc/configs: NET_CADENCE became NET_VENDOR_CADENCE |
| powerpc/configs: Drop CONFIG_QLGE which moved to staging |
| powerpc/configs: remove obsolete CONFIG_INET_XFRM_MODE_* and CONFIG_INET6_XFRM_MODE_* |
| powerpc/configs: add FADump awareness to skiroot_defconfig |
| |
| In addition, it enables IMA and secureboot options. |
| |
| Signed-off-by: Joel Stanley <joel@jms.id.au> |
| --- |
| arch/powerpc/configs/skiroot_defconfig | 83 ++++++++++++++++---------- |
| 1 file changed, 53 insertions(+), 30 deletions(-) |
| |
| diff --git a/arch/powerpc/configs/skiroot_defconfig b/arch/powerpc/configs/skiroot_defconfig |
| index 2e25b264f70f..44309e12d84a 100644 |
| --- a/arch/powerpc/configs/skiroot_defconfig |
| +++ b/arch/powerpc/configs/skiroot_defconfig |
| @@ -1,13 +1,9 @@ |
| -CONFIG_PPC64=y |
| -CONFIG_ALTIVEC=y |
| -CONFIG_VSX=y |
| -CONFIG_NR_CPUS=2048 |
| -CONFIG_CPU_LITTLE_ENDIAN=y |
| CONFIG_KERNEL_XZ=y |
| # CONFIG_SWAP is not set |
| CONFIG_SYSVIPC=y |
| CONFIG_POSIX_MQUEUE=y |
| # CONFIG_CROSS_MEMORY_ATTACH is not set |
| +CONFIG_AUDIT=y |
| CONFIG_NO_HZ=y |
| CONFIG_HIGH_RES_TIMERS=y |
| # CONFIG_CPU_ISOLATION is not set |
| @@ -28,17 +24,15 @@ CONFIG_EXPERT=y |
| # CONFIG_AIO is not set |
| CONFIG_PERF_EVENTS=y |
| # CONFIG_COMPAT_BRK is not set |
| +# CONFIG_SLAB_MERGE_DEFAULT is not set |
| +CONFIG_SLAB_FREELIST_RANDOM=y |
| CONFIG_SLAB_FREELIST_HARDENED=y |
| -CONFIG_JUMP_LABEL=y |
| -CONFIG_STRICT_KERNEL_RWX=y |
| -CONFIG_MODULES=y |
| -CONFIG_MODULE_UNLOAD=y |
| -CONFIG_MODULE_SIG=y |
| -CONFIG_MODULE_SIG_FORCE=y |
| -CONFIG_MODULE_SIG_SHA512=y |
| -CONFIG_PARTITION_ADVANCED=y |
| -# CONFIG_MQ_IOSCHED_DEADLINE is not set |
| -# CONFIG_MQ_IOSCHED_KYBER is not set |
| +CONFIG_PPC64=y |
| +CONFIG_ALTIVEC=y |
| +CONFIG_VSX=y |
| +CONFIG_NR_CPUS=2048 |
| +CONFIG_CPU_LITTLE_ENDIAN=y |
| +CONFIG_PANIC_TIMEOUT=30 |
| # CONFIG_PPC_VAS is not set |
| # CONFIG_PPC_PSERIES is not set |
| # CONFIG_PPC_OF_BOOT_TRAMPOLINE is not set |
| @@ -46,16 +40,27 @@ CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y |
| CONFIG_CPU_IDLE=y |
| CONFIG_HZ_100=y |
| CONFIG_KEXEC=y |
| +CONFIG_KEXEC_FILE=y |
| +CONFIG_PRESERVE_FA_DUMP=y |
| CONFIG_IRQ_ALL_CPUS=y |
| CONFIG_NUMA=y |
| -# CONFIG_COMPACTION is not set |
| -# CONFIG_MIGRATION is not set |
| CONFIG_PPC_64K_PAGES=y |
| CONFIG_SCHED_SMT=y |
| CONFIG_CMDLINE_BOOL=y |
| CONFIG_CMDLINE="console=tty0 console=hvc0 ipr.fast_reboot=1 quiet" |
| # CONFIG_SECCOMP is not set |
| # CONFIG_PPC_MEM_KEYS is not set |
| +CONFIG_PPC_SECURE_BOOT=y |
| +CONFIG_JUMP_LABEL=y |
| +CONFIG_MODULES=y |
| +CONFIG_MODULE_UNLOAD=y |
| +CONFIG_MODULE_SIG_FORCE=y |
| +CONFIG_MODULE_SIG_SHA512=y |
| +CONFIG_PARTITION_ADVANCED=y |
| +# CONFIG_MQ_IOSCHED_DEADLINE is not set |
| +# CONFIG_MQ_IOSCHED_KYBER is not set |
| +# CONFIG_COMPACTION is not set |
| +# CONFIG_MIGRATION is not set |
| CONFIG_NET=y |
| CONFIG_PACKET=y |
| CONFIG_UNIX=y |
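Review bot: `CONFIG_MODULE_SIG=y` is removed (the `-CONFIG_MODULE_SIG=y` line in the previous hunk) while `CONFIG_MODULE_SIG_FORCE=y` and `CONFIG_MODULE_SIG_SHA512=y` are kept here, which is only valid if another enabled symbol selects MODULE_SIG; presumably `CONFIG_SECURITY_LOCKDOWN_LSM=y` does so in this kernel generation, but that should be confirmed on this tree by running `make skiroot_defconfig` and checking that `CONFIG_MODULE_SIG=y` is present in the resulting .config. The same pattern appears in the hunk that drops `CONFIG_TCG_TPM=y` while keeping `CONFIG_TCG_TIS_I2C_NUVOTON=y`, which relies on `CONFIG_IMA=y` selecting TCG_TPM. If either selection does not hold, Kconfig silently drops the dependent options and the module-signature enforcement and TPM support this configuration intends are lost without any build error.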
| @@ -63,9 +68,6 @@ CONFIG_INET=y |
| CONFIG_IP_MULTICAST=y |
| CONFIG_NET_IPIP=y |
| CONFIG_SYN_COOKIES=y |
| -# CONFIG_INET_XFRM_MODE_TRANSPORT is not set |
| -# CONFIG_INET_XFRM_MODE_TUNNEL is not set |
| -# CONFIG_INET_XFRM_MODE_BEET is not set |
| CONFIG_DNS_RESOLVER=y |
| # CONFIG_WIRELESS is not set |
| CONFIG_DEVTMPFS=y |
| @@ -139,7 +141,6 @@ CONFIG_TIGON3=m |
| CONFIG_BNX2X=m |
| # CONFIG_NET_VENDOR_BROCADE is not set |
| # CONFIG_NET_VENDOR_CADENCE is not set |
| -# CONFIG_NET_CADENCE is not set |
| # CONFIG_NET_VENDOR_CAVIUM is not set |
| CONFIG_CHELSIO_T1=m |
| # CONFIG_NET_VENDOR_CISCO is not set |
| @@ -148,7 +149,6 @@ CONFIG_CHELSIO_T1=m |
| # CONFIG_NET_VENDOR_DLINK is not set |
| CONFIG_BE2NET=m |
| # CONFIG_NET_VENDOR_EZCHIP is not set |
| -# CONFIG_NET_VENDOR_HP is not set |
| # CONFIG_NET_VENDOR_HUAWEI is not set |
| CONFIG_E1000=m |
| CONFIG_E1000E=m |
| @@ -156,7 +156,6 @@ CONFIG_IGB=m |
| CONFIG_IXGB=m |
| CONFIG_IXGBE=m |
| CONFIG_I40E=m |
| -CONFIG_S2IO=m |
| # CONFIG_NET_VENDOR_MARVELL is not set |
| CONFIG_MLX4_EN=m |
| # CONFIG_MLX4_CORE_GEN2 is not set |
| @@ -167,12 +166,12 @@ CONFIG_MLX5_CORE_EN=y |
| # CONFIG_NET_VENDOR_MICROSEMI is not set |
| CONFIG_MYRI10GE=m |
| # CONFIG_NET_VENDOR_NATSEMI is not set |
| +CONFIG_S2IO=m |
| # CONFIG_NET_VENDOR_NETRONOME is not set |
| # CONFIG_NET_VENDOR_NI is not set |
| # CONFIG_NET_VENDOR_NVIDIA is not set |
| # CONFIG_NET_VENDOR_OKI is not set |
| # CONFIG_NET_VENDOR_PACKET_ENGINES is not set |
| -CONFIG_QLGE=m |
| CONFIG_NETXEN_NIC=m |
| CONFIG_QED=m |
| CONFIG_QEDE=m |
| @@ -210,7 +209,6 @@ CONFIG_IPMI_DEVICE_INTERFACE=y |
| CONFIG_IPMI_POWERNV=y |
| CONFIG_IPMI_WATCHDOG=y |
| CONFIG_HW_RANDOM=y |
| -CONFIG_TCG_TPM=y |
| CONFIG_TCG_TIS_I2C_NUVOTON=y |
| # CONFIG_DEVPORT is not set |
| CONFIG_I2C=y |
| @@ -239,7 +237,6 @@ CONFIG_HID_CYPRESS=y |
| CONFIG_HID_EZKEY=y |
| CONFIG_HID_ITE=y |
| CONFIG_HID_KENSINGTON=y |
| -CONFIG_HID_LOGITECH=y |
| CONFIG_HID_MICROSOFT=y |
| CONFIG_HID_MONTEREY=y |
| CONFIG_USB_HIDDEV=y |
| @@ -276,6 +273,29 @@ CONFIG_NLS_CODEPAGE_437=y |
| CONFIG_NLS_ASCII=y |
| CONFIG_NLS_ISO8859_1=y |
| CONFIG_NLS_UTF8=y |
| +CONFIG_ENCRYPTED_KEYS=y |
| +CONFIG_SECURITY=y |
| +CONFIG_HARDENED_USERCOPY=y |
| +# CONFIG_HARDENED_USERCOPY_FALLBACK is not set |
| +CONFIG_HARDENED_USERCOPY_PAGESPAN=y |
| +CONFIG_FORTIFY_SOURCE=y |
| +CONFIG_SECURITY_LOCKDOWN_LSM=y |
| +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y |
| +CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y |
| +CONFIG_INTEGRITY_SIGNATURE=y |
| +CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y |
| +CONFIG_INTEGRITY_PLATFORM_KEYRING=y |
| +CONFIG_IMA=y |
| +CONFIG_IMA_KEXEC=y |
| +CONFIG_IMA_SIG_TEMPLATE=y |
| +CONFIG_IMA_DEFAULT_HASH_SHA256=y |
| +CONFIG_IMA_READ_POLICY=y |
| +CONFIG_IMA_APPRAISE=y |
| +CONFIG_IMA_ARCH_POLICY=y |
| +CONFIG_IMA_APPRAISE_MODSIG=y |
| +CONFIG_LSM="yama,loadpin,safesetid,integrity" |
| +# CONFIG_CRYPTO_HW is not set |
| +CONFIG_SYSTEM_BLACKLIST_KEYRING=y |
| CONFIG_CRC16=y |
| CONFIG_CRC_ITU_T=y |
| CONFIG_LIBCRC32C=y |
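Review bot: `CONFIG_HARDENED_USERCOPY_PAGESPAN=y` enables a check whose Kconfig help text, as far as I recall, describes it as intended only while hunting for callers that copy multi-page allocations made without __GFP_COMP, and it is EXPERT-gated for that reason; in a production bootloader kernel it can turn a legitimate copy into a fatal usercopy report, so it deserves a justification in the commit message or should be left off, keeping `CONFIG_HARDENED_USERCOPY=y` together with `# CONFIG_HARDENED_USERCOPY_FALLBACK is not set` as the enforcing pair. Also, `CONFIG_LSM="yama,loadpin,safesetid,integrity"` does not name lockdown; that is presumably fine because `CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y` registers lockdown through the early-LSM path independently of the CONFIG_LSM order, but it is worth confirming from the lockdown messages in the boot log rather than assuming it.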
| @@ -286,17 +306,20 @@ CONFIG_LIBCRC32C=y |
| # CONFIG_XZ_DEC_SPARC is not set |
| CONFIG_PRINTK_TIME=y |
| CONFIG_MAGIC_SYSRQ=y |
| +CONFIG_SLUB_DEBUG_ON=y |
| CONFIG_DEBUG_STACKOVERFLOW=y |
| CONFIG_SOFTLOCKUP_DETECTOR=y |
| CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y |
| CONFIG_HARDLOCKUP_DETECTOR=y |
| CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=y |
| CONFIG_WQ_WATCHDOG=y |
| +CONFIG_PANIC_ON_OOPS=y |
| # CONFIG_SCHED_DEBUG is not set |
| +CONFIG_SCHED_STACK_END_CHECK=y |
| +CONFIG_DEBUG_SG=y |
| +CONFIG_DEBUG_NOTIFIERS=y |
| +CONFIG_DEBUG_CREDENTIALS=y |
| # CONFIG_FTRACE is not set |
| # CONFIG_RUNTIME_TESTING_MENU is not set |
| +CONFIG_BUG_ON_DATA_CORRUPTION=y |
| CONFIG_XMON=y |
| -CONFIG_XMON_DEFAULT=y |
| -CONFIG_ENCRYPTED_KEYS=y |
| -# CONFIG_CRYPTO_ECHAINIV is not set |
| -# CONFIG_CRYPTO_HW is not set |
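Review bot: Dropping `CONFIG_XMON_DEFAULT=y` while keeping `CONFIG_XMON=y` leaves the kernel debugger built in and enableable from the command line, so in a secure-boot configuration this is only acceptable if the tree carries the powerpc change that restricts xmon to read-only under lockdown integrity mode, which `CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y` would then cover; please confirm that restriction is present, since `CONFIG_CMDLINE_FORCE` is not visible here and a firmware-supplied command line can presumably still append to the built-in one. Separately, `CONFIG_SLUB_DEBUG_ON=y` turns on full slab debugging at boot with a measurable memory and CPU cost; a one-line justification in the commit message (bootloader kernel, runtime not performance critical) would help the next reader.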