kernel: Move to v5.10.50-openpower1
This moves the openpower platform to the v5.10 kernel. All of the secure
boot patches are now upstream, allowing them to be dropped.
The only outstanding patch is the long-lived USB kexec patch.
Signed-off-by: Joel Stanley <joel@jms.id.au>
diff --git a/openpower/linux/0001-xhci-Reset-controller-on-xhci-shutdown.patch b/openpower/linux/0001-xhci-Reset-controller-on-xhci-shutdown.patch
index 617d9ba..9380398 100644
--- a/openpower/linux/0001-xhci-Reset-controller-on-xhci-shutdown.patch
+++ b/openpower/linux/0001-xhci-Reset-controller-on-xhci-shutdown.patch
@@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian King <brking@linux.vnet.ibm.com>
Date: Wed, 25 Oct 2017 10:42:59 +1100
-Subject: [PATCH 01/17] xhci: Reset controller on xhci shutdown
+Subject: [PATCH 1/2] xhci: Reset controller on xhci shutdown
Fixes kexec boot. Without a hard reset, some USB chips will fail to
initialize in a kexec booted kernel.
@@ -14,7 +14,7 @@
1 file changed, 3 insertions(+)
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
-index a3813c75a3de..92d0334f8b73 100644
+index a8d97e23f601..308ab396bd88 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -793,6 +793,9 @@ void xhci_shutdown(struct usb_hcd *hcd)
diff --git a/openpower/linux/0017-Release-OpenPower-kernel.patch b/openpower/linux/0002-Release-OpenPower-kernel.patch
similarity index 73%
rename from openpower/linux/0017-Release-OpenPower-kernel.patch
rename to openpower/linux/0002-Release-OpenPower-kernel.patch
index adee575..9199a2d 100644
--- a/openpower/linux/0017-Release-OpenPower-kernel.patch
+++ b/openpower/linux/0002-Release-OpenPower-kernel.patch
@@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Joel Stanley <joel@jms.id.au>
Date: Thu, 15 Jul 2021 17:21:55 +0930
-Subject: [PATCH 17/17] Release OpenPower kernel
+Subject: [PATCH 2/2] Release OpenPower kernel
Signed-off-by: Joel Stanley <joel@jms.id.au>
---
@@ -9,15 +9,15 @@
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
-index 58ea876fa183..acd516ba62d8 100644
+index 695f8e739a91..f2280292b96e 100644
--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,7 @@
VERSION = 5
- PATCHLEVEL = 4
- SUBLEVEL = 132
+ PATCHLEVEL = 10
+ SUBLEVEL = 50
-EXTRAVERSION =
+EXTRAVERSION = -openpower1
- NAME = Kleptomaniac Octopus
+ NAME = Dare mighty things
# *DOCUMENTATION*
diff --git a/openpower/linux/0002-powerpc-Detect-the-secure-boot-mode-of-the-system.patch b/openpower/linux/0002-powerpc-Detect-the-secure-boot-mode-of-the-system.patch
deleted file mode 100644
index 86c59c0..0000000
--- a/openpower/linux/0002-powerpc-Detect-the-secure-boot-mode-of-the-system.patch
+++ /dev/null
@@ -1,131 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Tue, 5 Nov 2019 17:00:22 -0600
-Subject: [PATCH 02/17] powerpc: Detect the secure boot mode of the system
-
-This patch defines a function to detect the secure boot state of a
-PowerNV system.
-
-The PPC_SECURE_BOOT config represents the base enablement of secure
-boot for powerpc.
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Signed-off-by: Eric Richter <erichte@linux.ibm.com>
-[mpe: Fold in change from Nayna to add "ibm,secureboot" to ids]
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/46b003b9-3225-6bf7-9101-ed6580bb748c@linux.ibm.com
-(cherry picked from commit 1a8916ee3ac29054322cdac687d36e1b5894d272)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/Kconfig | 10 ++++++++
- arch/powerpc/include/asm/secure_boot.h | 23 +++++++++++++++++
- arch/powerpc/kernel/Makefile | 2 ++
- arch/powerpc/kernel/secure_boot.c | 35 ++++++++++++++++++++++++++
- 4 files changed, 70 insertions(+)
- create mode 100644 arch/powerpc/include/asm/secure_boot.h
- create mode 100644 arch/powerpc/kernel/secure_boot.c
-
-diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
-index 757175ccf53c..f57f563f4e45 100644
---- a/arch/powerpc/Kconfig
-+++ b/arch/powerpc/Kconfig
-@@ -936,6 +936,16 @@ config PPC_MEM_KEYS
-
- If unsure, say y.
-
-+config PPC_SECURE_BOOT
-+ prompt "Enable secure boot support"
-+ bool
-+ depends on PPC_POWERNV
-+ help
-+ Systems with firmware secure boot enabled need to define security
-+ policies to extend secure boot to the OS. This config allows a user
-+ to enable OS secure boot on systems that have firmware support for
-+ it. If in doubt say N.
-+
- endmenu
-
- config ISA_DMA_API
-diff --git a/arch/powerpc/include/asm/secure_boot.h b/arch/powerpc/include/asm/secure_boot.h
-new file mode 100644
-index 000000000000..07d0fe0ca81f
---- /dev/null
-+++ b/arch/powerpc/include/asm/secure_boot.h
-@@ -0,0 +1,23 @@
-+/* SPDX-License-Identifier: GPL-2.0 */
-+/*
-+ * Secure boot definitions
-+ *
-+ * Copyright (C) 2019 IBM Corporation
-+ * Author: Nayna Jain
-+ */
-+#ifndef _ASM_POWER_SECURE_BOOT_H
-+#define _ASM_POWER_SECURE_BOOT_H
-+
-+#ifdef CONFIG_PPC_SECURE_BOOT
-+
-+bool is_ppc_secureboot_enabled(void);
-+
-+#else
-+
-+static inline bool is_ppc_secureboot_enabled(void)
-+{
-+ return false;
-+}
-+
-+#endif
-+#endif
-diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
-index afbd47b0a75c..36605a7b6ef2 100644
---- a/arch/powerpc/kernel/Makefile
-+++ b/arch/powerpc/kernel/Makefile
-@@ -158,6 +158,8 @@ ifneq ($(CONFIG_PPC_POWERNV)$(CONFIG_PPC_SVM),)
- obj-y += ucall.o
- endif
-
-+obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o
-+
- # Disable GCOV, KCOV & sanitizers in odd or sensitive code
- GCOV_PROFILE_prom_init.o := n
- KCOV_INSTRUMENT_prom_init.o := n
-diff --git a/arch/powerpc/kernel/secure_boot.c b/arch/powerpc/kernel/secure_boot.c
-new file mode 100644
-index 000000000000..583c2c4edaf0
---- /dev/null
-+++ b/arch/powerpc/kernel/secure_boot.c
-@@ -0,0 +1,35 @@
-+// SPDX-License-Identifier: GPL-2.0
-+/*
-+ * Copyright (C) 2019 IBM Corporation
-+ * Author: Nayna Jain
-+ */
-+#include <linux/types.h>
-+#include <linux/of.h>
-+#include <asm/secure_boot.h>
-+
-+static struct device_node *get_ppc_fw_sb_node(void)
-+{
-+ static const struct of_device_id ids[] = {
-+ { .compatible = "ibm,secureboot", },
-+ { .compatible = "ibm,secureboot-v1", },
-+ { .compatible = "ibm,secureboot-v2", },
-+ {},
-+ };
-+
-+ return of_find_matching_node(NULL, ids);
-+}
-+
-+bool is_ppc_secureboot_enabled(void)
-+{
-+ struct device_node *node;
-+ bool enabled = false;
-+
-+ node = get_ppc_fw_sb_node();
-+ enabled = of_property_read_bool(node, "os-secureboot-enforcing");
-+
-+ of_node_put(node);
-+
-+ pr_info("Secure boot mode %s\n", enabled ? "enabled" : "disabled");
-+
-+ return enabled;
-+}
diff --git a/openpower/linux/0003-powerpc-ima-Add-support-to-initialize-ima-policy-rul.patch b/openpower/linux/0003-powerpc-ima-Add-support-to-initialize-ima-policy-rul.patch
deleted file mode 100644
index 1064b6e..0000000
--- a/openpower/linux/0003-powerpc-ima-Add-support-to-initialize-ima-policy-rul.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Wed, 30 Oct 2019 23:31:27 -0400
-Subject: [PATCH 03/17] powerpc/ima: Add support to initialize ima policy rules
-
-PowerNV systems use a Linux-based bootloader, which rely on the IMA
-subsystem to enforce different secure boot modes. Since the
-verification policy may differ based on the secure boot mode of the
-system, the policies must be defined at runtime.
-
-This patch implements arch-specific support to define IMA policy rules
-based on the runtime secure boot mode of the system.
-
-This patch provides arch-specific IMA policies if PPC_SECURE_BOOT
-config is enabled.
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1572492694-6520-3-git-send-email-zohar@linux.ibm.com
-(cherry picked from commit 4238fad366a660cbc6499ca1ea4be42bd4d1ac5b)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/Kconfig | 1 +
- arch/powerpc/kernel/Makefile | 2 +-
- arch/powerpc/kernel/ima_arch.c | 43 ++++++++++++++++++++++++++++++++++
- include/linux/ima.h | 3 ++-
- 4 files changed, 47 insertions(+), 2 deletions(-)
- create mode 100644 arch/powerpc/kernel/ima_arch.c
-
-diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
-index f57f563f4e45..95d3069fc115 100644
---- a/arch/powerpc/Kconfig
-+++ b/arch/powerpc/Kconfig
-@@ -940,6 +940,7 @@ config PPC_SECURE_BOOT
- prompt "Enable secure boot support"
- bool
- depends on PPC_POWERNV
-+ depends on IMA_ARCH_POLICY
- help
- Systems with firmware secure boot enabled need to define security
- policies to extend secure boot to the OS. This config allows a user
-diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
-index 36605a7b6ef2..a23db0cd8473 100644
---- a/arch/powerpc/kernel/Makefile
-+++ b/arch/powerpc/kernel/Makefile
-@@ -158,7 +158,7 @@ ifneq ($(CONFIG_PPC_POWERNV)$(CONFIG_PPC_SVM),)
- obj-y += ucall.o
- endif
-
--obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o
-+obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o ima_arch.o
-
- # Disable GCOV, KCOV & sanitizers in odd or sensitive code
- GCOV_PROFILE_prom_init.o := n
-diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
-new file mode 100644
-index 000000000000..d88913dc0da7
---- /dev/null
-+++ b/arch/powerpc/kernel/ima_arch.c
-@@ -0,0 +1,43 @@
-+// SPDX-License-Identifier: GPL-2.0
-+/*
-+ * Copyright (C) 2019 IBM Corporation
-+ * Author: Nayna Jain
-+ */
-+
-+#include <linux/ima.h>
-+#include <asm/secure_boot.h>
-+
-+bool arch_ima_get_secureboot(void)
-+{
-+ return is_ppc_secureboot_enabled();
-+}
-+
-+/*
-+ * The "secure_rules" are enabled only on "secureboot" enabled systems.
-+ * These rules verify the file signatures against known good values.
-+ * The "appraise_type=imasig|modsig" option allows the known good signature
-+ * to be stored as an xattr or as an appended signature.
-+ *
-+ * To avoid duplicate signature verification as much as possible, the IMA
-+ * policy rule for module appraisal is added only if CONFIG_MODULE_SIG_FORCE
-+ * is not enabled.
-+ */
-+static const char *const secure_rules[] = {
-+ "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
-+#ifndef CONFIG_MODULE_SIG_FORCE
-+ "appraise func=MODULE_CHECK appraise_type=imasig|modsig",
-+#endif
-+ NULL
-+};
-+
-+/*
-+ * Returns the relevant IMA arch-specific policies based on the system secure
-+ * boot state.
-+ */
-+const char *const *arch_get_ima_policy(void)
-+{
-+ if (is_ppc_secureboot_enabled())
-+ return secure_rules;
-+
-+ return NULL;
-+}
-diff --git a/include/linux/ima.h b/include/linux/ima.h
-index 1c37f17f7203..6d904754d858 100644
---- a/include/linux/ima.h
-+++ b/include/linux/ima.h
-@@ -29,7 +29,8 @@ extern void ima_kexec_cmdline(const void *buf, int size);
- extern void ima_add_kexec_buffer(struct kimage *image);
- #endif
-
--#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390)
-+#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390) \
-+ || defined(CONFIG_PPC_SECURE_BOOT)
- extern bool arch_ima_get_secureboot(void);
- extern const char * const *arch_get_ima_policy(void);
- #else
diff --git a/openpower/linux/0004-powerpc-Detect-the-trusted-boot-state-of-the-system.patch b/openpower/linux/0004-powerpc-Detect-the-trusted-boot-state-of-the-system.patch
deleted file mode 100644
index c6de7a9..0000000
--- a/openpower/linux/0004-powerpc-Detect-the-trusted-boot-state-of-the-system.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Tue, 5 Nov 2019 17:02:07 -0600
-Subject: [PATCH 04/17] powerpc: Detect the trusted boot state of the system
-
-While secure boot permits only properly verified signed kernels to be
-booted, trusted boot calculates the file hash of the kernel image and
-stores the measurement prior to boot, that can be subsequently
-compared against good known values via attestation services.
-
-This patch reads the trusted boot state of a PowerNV system. The state
-is used to conditionally enable additional measurement rules in the
-IMA arch-specific policies.
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Signed-off-by: Eric Richter <erichte@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/e9eeee6b-b9bf-1e41-2954-61dbd6fbfbcf@linux.ibm.com
-(cherry picked from commit 2702809a4a1ab414d75c00936cda70ea77c8234e)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/include/asm/secure_boot.h | 6 ++++++
- arch/powerpc/kernel/secure_boot.c | 15 +++++++++++++++
- 2 files changed, 21 insertions(+)
-
-diff --git a/arch/powerpc/include/asm/secure_boot.h b/arch/powerpc/include/asm/secure_boot.h
-index 07d0fe0ca81f..a2ff556916c6 100644
---- a/arch/powerpc/include/asm/secure_boot.h
-+++ b/arch/powerpc/include/asm/secure_boot.h
-@@ -11,6 +11,7 @@
- #ifdef CONFIG_PPC_SECURE_BOOT
-
- bool is_ppc_secureboot_enabled(void);
-+bool is_ppc_trustedboot_enabled(void);
-
- #else
-
-@@ -19,5 +20,10 @@ static inline bool is_ppc_secureboot_enabled(void)
- return false;
- }
-
-+static inline bool is_ppc_trustedboot_enabled(void)
-+{
-+ return false;
-+}
-+
- #endif
- #endif
-diff --git a/arch/powerpc/kernel/secure_boot.c b/arch/powerpc/kernel/secure_boot.c
-index 583c2c4edaf0..4b982324d368 100644
---- a/arch/powerpc/kernel/secure_boot.c
-+++ b/arch/powerpc/kernel/secure_boot.c
-@@ -33,3 +33,18 @@ bool is_ppc_secureboot_enabled(void)
-
- return enabled;
- }
-+
-+bool is_ppc_trustedboot_enabled(void)
-+{
-+ struct device_node *node;
-+ bool enabled = false;
-+
-+ node = get_ppc_fw_sb_node();
-+ enabled = of_property_read_bool(node, "trusted-enabled");
-+
-+ of_node_put(node);
-+
-+ pr_info("Trusted boot mode %s\n", enabled ? "enabled" : "disabled");
-+
-+ return enabled;
-+}
diff --git a/openpower/linux/0005-powerpc-ima-Define-trusted-boot-policy.patch b/openpower/linux/0005-powerpc-ima-Define-trusted-boot-policy.patch
deleted file mode 100644
index c63c7ff..0000000
--- a/openpower/linux/0005-powerpc-ima-Define-trusted-boot-policy.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Wed, 30 Oct 2019 23:31:29 -0400
-Subject: [PATCH 05/17] powerpc/ima: Define trusted boot policy
-
-This patch defines an arch-specific trusted boot only policy and a
-combined secure and trusted boot policy.
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1572492694-6520-5-git-send-email-zohar@linux.ibm.com
-(cherry picked from commit 1917855f4e0658c313e280671ad87774dbfb7b24)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/kernel/ima_arch.c | 33 ++++++++++++++++++++++++++++++++-
- 1 file changed, 32 insertions(+), 1 deletion(-)
-
-diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
-index d88913dc0da7..0ef5956c9753 100644
---- a/arch/powerpc/kernel/ima_arch.c
-+++ b/arch/powerpc/kernel/ima_arch.c
-@@ -30,6 +30,32 @@ static const char *const secure_rules[] = {
- NULL
- };
-
-+/*
-+ * The "trusted_rules" are enabled only on "trustedboot" enabled systems.
-+ * These rules add the kexec kernel image and kernel modules file hashes to
-+ * the IMA measurement list.
-+ */
-+static const char *const trusted_rules[] = {
-+ "measure func=KEXEC_KERNEL_CHECK",
-+ "measure func=MODULE_CHECK",
-+ NULL
-+};
-+
-+/*
-+ * The "secure_and_trusted_rules" contains rules for both the secure boot and
-+ * trusted boot. The "template=ima-modsig" option includes the appended
-+ * signature, when available, in the IMA measurement list.
-+ */
-+static const char *const secure_and_trusted_rules[] = {
-+ "measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
-+ "measure func=MODULE_CHECK template=ima-modsig",
-+ "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
-+#ifndef CONFIG_MODULE_SIG_FORCE
-+ "appraise func=MODULE_CHECK appraise_type=imasig|modsig",
-+#endif
-+ NULL
-+};
-+
- /*
- * Returns the relevant IMA arch-specific policies based on the system secure
- * boot state.
-@@ -37,7 +63,12 @@ static const char *const secure_rules[] = {
- const char *const *arch_get_ima_policy(void)
- {
- if (is_ppc_secureboot_enabled())
-- return secure_rules;
-+ if (is_ppc_trustedboot_enabled())
-+ return secure_and_trusted_rules;
-+ else
-+ return secure_rules;
-+ else if (is_ppc_trustedboot_enabled())
-+ return trusted_rules;
-
- return NULL;
- }
diff --git a/openpower/linux/0006-ima-Make-process_buffer_measurement-generic.patch b/openpower/linux/0006-ima-Make-process_buffer_measurement-generic.patch
deleted file mode 100644
index 43fcbbb..0000000
--- a/openpower/linux/0006-ima-Make-process_buffer_measurement-generic.patch
+++ /dev/null
@@ -1,143 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Wed, 30 Oct 2019 23:31:30 -0400
-Subject: [PATCH 06/17] ima: Make process_buffer_measurement() generic
-
-process_buffer_measurement() is limited to measuring the kexec boot
-command line. This patch makes process_buffer_measurement() more
-generic, allowing it to measure other types of buffer data (e.g.
-blacklisted binary hashes or key hashes).
-
-process_buffer_measurement() may be called directly from an IMA hook
-or as an auxiliary measurement record. In both cases the buffer
-measurement is based on policy. This patch modifies the function to
-conditionally retrieve the policy defined PCR and template for the IMA
-hook case.
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-[zohar@linux.ibm.com: added comment in process_buffer_measurement()]
-Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1572492694-6520-6-git-send-email-zohar@linux.ibm.com
-(cherry picked from commit e14555e3d0e9edfad0a6840c0152f71aba97e793)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- security/integrity/ima/ima.h | 3 ++
- security/integrity/ima/ima_main.c | 58 +++++++++++++++++++++----------
- 2 files changed, 43 insertions(+), 18 deletions(-)
-
-diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
-index 5fae6cfe8d91..b235467b219c 100644
---- a/security/integrity/ima/ima.h
-+++ b/security/integrity/ima/ima.h
-@@ -219,6 +219,9 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
- struct evm_ima_xattr_data *xattr_value,
- int xattr_len, const struct modsig *modsig, int pcr,
- struct ima_template_desc *template_desc);
-+void process_buffer_measurement(const void *buf, int size,
-+ const char *eventname, enum ima_hooks func,
-+ int pcr);
- void ima_audit_measurement(struct integrity_iint_cache *iint,
- const unsigned char *filename);
- int ima_alloc_init_template(struct ima_event_data *event_data,
-diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
-index a768f37a0a4d..bc730e553053 100644
---- a/security/integrity/ima/ima_main.c
-+++ b/security/integrity/ima/ima_main.c
-@@ -626,14 +626,14 @@ int ima_load_data(enum kernel_load_data_id id)
- * @buf: pointer to the buffer that needs to be added to the log.
- * @size: size of buffer(in bytes).
- * @eventname: event name to be used for the buffer entry.
-- * @cred: a pointer to a credentials structure for user validation.
-- * @secid: the secid of the task to be validated.
-+ * @func: IMA hook
-+ * @pcr: pcr to extend the measurement
- *
- * Based on policy, the buffer is measured into the ima log.
- */
--static void process_buffer_measurement(const void *buf, int size,
-- const char *eventname,
-- const struct cred *cred, u32 secid)
-+void process_buffer_measurement(const void *buf, int size,
-+ const char *eventname, enum ima_hooks func,
-+ int pcr)
- {
- int ret = 0;
- struct ima_template_entry *entry = NULL;
-@@ -642,19 +642,45 @@ static void process_buffer_measurement(const void *buf, int size,
- .filename = eventname,
- .buf = buf,
- .buf_len = size};
-- struct ima_template_desc *template_desc = NULL;
-+ struct ima_template_desc *template = NULL;
- struct {
- struct ima_digest_data hdr;
- char digest[IMA_MAX_DIGEST_SIZE];
- } hash = {};
- int violation = 0;
-- int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
- int action = 0;
-+ u32 secid;
-
-- action = ima_get_action(NULL, cred, secid, 0, KEXEC_CMDLINE, &pcr,
-- &template_desc);
-- if (!(action & IMA_MEASURE))
-- return;
-+ /*
-+ * Both LSM hooks and auxilary based buffer measurements are
-+ * based on policy. To avoid code duplication, differentiate
-+ * between the LSM hooks and auxilary buffer measurements,
-+ * retrieving the policy rule information only for the LSM hook
-+ * buffer measurements.
-+ */
-+ if (func) {
-+ security_task_getsecid(current, &secid);
-+ action = ima_get_action(NULL, current_cred(), secid, 0, func,
-+ &pcr, &template);
-+ if (!(action & IMA_MEASURE))
-+ return;
-+ }
-+
-+ if (!pcr)
-+ pcr = CONFIG_IMA_MEASURE_PCR_IDX;
-+
-+ if (!template) {
-+ template = lookup_template_desc("ima-buf");
-+ ret = template_desc_init_fields(template->fmt,
-+ &(template->fields),
-+ &(template->num_fields));
-+ if (ret < 0) {
-+ pr_err("template %s init failed, result: %d\n",
-+ (strlen(template->name) ?
-+ template->name : template->fmt), ret);
-+ return;
-+ }
-+ }
-
- iint.ima_hash = &hash.hdr;
- iint.ima_hash->algo = ima_hash_algo;
-@@ -664,7 +690,7 @@ static void process_buffer_measurement(const void *buf, int size,
- if (ret < 0)
- goto out;
-
-- ret = ima_alloc_init_template(&event_data, &entry, template_desc);
-+ ret = ima_alloc_init_template(&event_data, &entry, template);
- if (ret < 0)
- goto out;
-
-@@ -686,13 +712,9 @@ static void process_buffer_measurement(const void *buf, int size,
- */
- void ima_kexec_cmdline(const void *buf, int size)
- {
-- u32 secid;
--
-- if (buf && size != 0) {
-- security_task_getsecid(current, &secid);
-+ if (buf && size != 0)
- process_buffer_measurement(buf, size, "kexec-cmdline",
-- current_cred(), secid);
-- }
-+ KEXEC_CMDLINE, 0);
- }
-
- static int __init init_ima(void)
diff --git a/openpower/linux/0007-ima-Check-against-blacklisted-hashes-for-files-with-.patch b/openpower/linux/0007-ima-Check-against-blacklisted-hashes-for-files-with-.patch
deleted file mode 100644
index 7a5f24c..0000000
--- a/openpower/linux/0007-ima-Check-against-blacklisted-hashes-for-files-with-.patch
+++ /dev/null
@@ -1,261 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Wed, 30 Oct 2019 23:31:32 -0400
-Subject: [PATCH 07/17] ima: Check against blacklisted hashes for files with
- modsig
-
-Asymmetric private keys are used to sign multiple files. The kernel
-currently supports checking against blacklisted keys. However, if the
-public key is blacklisted, any file signed by the blacklisted key will
-automatically fail signature verification. Blacklisting the public key
-is not fine enough granularity, as we might want to only blacklist a
-particular file.
-
-This patch adds support for checking against the blacklisted hash of
-the file, without the appended signature, based on the IMA policy. It
-defines a new policy option "appraise_flag=check_blacklist".
-
-In addition to the blacklisted binary hashes stored in the firmware
-"dbx" variable, the Linux kernel may be configured to load blacklisted
-binary hashes onto the .blacklist keyring as well. The following
-example shows how to blacklist a specific kernel module hash.
-
- $ sha256sum kernel/kheaders.ko
- 77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
- kernel/kheaders.ko
-
- $ grep BLACKLIST .config
- CONFIG_SYSTEM_BLACKLIST_KEYRING=y
- CONFIG_SYSTEM_BLACKLIST_HASH_LIST="blacklist-hash-list"
-
- $ cat certs/blacklist-hash-list
- "bin:77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3"
-
-Update the IMA custom measurement and appraisal policy
-rules (/etc/ima-policy):
-
- measure func=MODULE_CHECK template=ima-modsig
- appraise func=MODULE_CHECK appraise_flag=check_blacklist
- appraise_type=imasig|modsig
-
-After building, installing, and rebooting the kernel:
-
- 545660333 ---lswrv 0 0 \_ blacklist:
- bin:77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
-
- measure func=MODULE_CHECK template=ima-modsig
- appraise func=MODULE_CHECK appraise_flag=check_blacklist
- appraise_type=imasig|modsig
-
- modprobe: ERROR: could not insert 'kheaders': Permission denied
-
- 10 0c9834db5a0182c1fb0cdc5d3adcf11a11fd83dd ima-sig
- sha256:3bc6ed4f0b4d6e31bc1dbc9ef844605abc7afdc6d81a57d77a1ec9407997c40
- 2 /usr/lib/modules/5.4.0-rc3+/kernel/kernel/kheaders.ko
-
- 10 82aad2bcc3fa8ed94762356b5c14838f3bcfa6a0 ima-modsig
- sha256:3bc6ed4f0b4d6e31bc1dbc9ef844605abc7afdc6d81a57d77a1ec9407997c40
- 2 /usr/lib/modules/5.4.0rc3+/kernel/kernel/kheaders.ko sha256:77fa889b3
- 5a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
- 3082029a06092a864886f70d010702a082028b30820287020101310d300b0609608648
- 016503040201300b06092a864886f70d01070131820264....
-
- 10 25b72217cc1152b44b134ce2cd68f12dfb71acb3 ima-buf
- sha256:8b58427fedcf8f4b20bc8dc007f2e232bf7285d7b93a66476321f9c2a3aa132
- b blacklisted-hash
- 77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-[zohar@linux.ibm.com: updated patch description]
-Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1572492694-6520-8-git-send-email-zohar@linux.ibm.com
-(cherry picked from commit 273df864cf7466fb170b8dcc1abd672cd08ad8d3)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- Documentation/ABI/testing/ima_policy | 4 ++++
- security/integrity/ima/ima.h | 8 +++++++
- security/integrity/ima/ima_appraise.c | 33 +++++++++++++++++++++++++++
- security/integrity/ima/ima_main.c | 12 ++++++----
- security/integrity/ima/ima_policy.c | 12 ++++++++--
- security/integrity/integrity.h | 1 +
- 6 files changed, 64 insertions(+), 6 deletions(-)
-
-diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
-index 29ebe9afdac4..29aaedf33246 100644
---- a/Documentation/ABI/testing/ima_policy
-+++ b/Documentation/ABI/testing/ima_policy
-@@ -25,6 +25,7 @@ Description:
- lsm: [[subj_user=] [subj_role=] [subj_type=]
- [obj_user=] [obj_role=] [obj_type=]]
- option: [[appraise_type=]] [template=] [permit_directio]
-+ [appraise_flag=]
- base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
- [FIRMWARE_CHECK]
- [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
-@@ -38,6 +39,9 @@ Description:
- fowner:= decimal value
- lsm: are LSM specific
- option: appraise_type:= [imasig] [imasig|modsig]
-+ appraise_flag:= [check_blacklist]
-+ Currently, blacklist check is only for files signed with appended
-+ signature.
- template:= name of a defined IMA template type
- (eg, ima-ng). Only valid when action is "measure".
- pcr:= decimal value
-diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
-index b235467b219c..e5597a02f74f 100644
---- a/security/integrity/ima/ima.h
-+++ b/security/integrity/ima/ima.h
-@@ -258,6 +258,8 @@ int ima_policy_show(struct seq_file *m, void *v);
- #define IMA_APPRAISE_KEXEC 0x40
-
- #ifdef CONFIG_IMA_APPRAISE
-+int ima_check_blacklist(struct integrity_iint_cache *iint,
-+ const struct modsig *modsig, int pcr);
- int ima_appraise_measurement(enum ima_hooks func,
- struct integrity_iint_cache *iint,
- struct file *file, const unsigned char *filename,
-@@ -273,6 +275,12 @@ int ima_read_xattr(struct dentry *dentry,
- struct evm_ima_xattr_data **xattr_value);
-
- #else
-+static inline int ima_check_blacklist(struct integrity_iint_cache *iint,
-+ const struct modsig *modsig, int pcr)
-+{
-+ return 0;
-+}
-+
- static inline int ima_appraise_measurement(enum ima_hooks func,
- struct integrity_iint_cache *iint,
- struct file *file,
-diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
-index 23b04c6521b2..176249e4a7ac 100644
---- a/security/integrity/ima/ima_appraise.c
-+++ b/security/integrity/ima/ima_appraise.c
-@@ -12,6 +12,7 @@
- #include <linux/magic.h>
- #include <linux/ima.h>
- #include <linux/evm.h>
-+#include <keys/system_keyring.h>
-
- #include "ima.h"
-
-@@ -309,6 +310,38 @@ static int modsig_verify(enum ima_hooks func, const struct modsig *modsig,
- return rc;
- }
-
-+/*
-+ * ima_check_blacklist - determine if the binary is blacklisted.
-+ *
-+ * Add the hash of the blacklisted binary to the measurement list, based
-+ * on policy.
-+ *
-+ * Returns -EPERM if the hash is blacklisted.
-+ */
-+int ima_check_blacklist(struct integrity_iint_cache *iint,
-+ const struct modsig *modsig, int pcr)
-+{
-+ enum hash_algo hash_algo;
-+ const u8 *digest = NULL;
-+ u32 digestsize = 0;
-+ int rc = 0;
-+
-+ if (!(iint->flags & IMA_CHECK_BLACKLIST))
-+ return 0;
-+
-+ if (iint->flags & IMA_MODSIG_ALLOWED && modsig) {
-+ ima_get_modsig_digest(modsig, &hash_algo, &digest, &digestsize);
-+
-+ rc = is_binary_blacklisted(digest, digestsize);
-+ if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
-+ process_buffer_measurement(digest, digestsize,
-+ "blacklisted-hash", NONE,
-+ pcr);
-+ }
-+
-+ return rc;
-+}
-+
- /*
- * ima_appraise_measurement - appraise file measurement
- *
-diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
-index bc730e553053..a16c148ed90d 100644
---- a/security/integrity/ima/ima_main.c
-+++ b/security/integrity/ima/ima_main.c
-@@ -335,10 +335,14 @@ static int process_measurement(struct file *file, const struct cred *cred,
- xattr_value, xattr_len, modsig, pcr,
- template_desc);
- if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) {
-- inode_lock(inode);
-- rc = ima_appraise_measurement(func, iint, file, pathname,
-- xattr_value, xattr_len, modsig);
-- inode_unlock(inode);
-+ rc = ima_check_blacklist(iint, modsig, pcr);
-+ if (rc != -EPERM) {
-+ inode_lock(inode);
-+ rc = ima_appraise_measurement(func, iint, file,
-+ pathname, xattr_value,
-+ xattr_len, modsig);
-+ inode_unlock(inode);
-+ }
- if (!rc)
- rc = mmap_violation_check(func, file, &pathbuf,
- &pathname, filename);
-diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
-index e725d4187271..42f0970b3054 100644
---- a/security/integrity/ima/ima_policy.c
-+++ b/security/integrity/ima/ima_policy.c
-@@ -769,8 +769,8 @@ enum {
- Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq,
- Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt,
- Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
-- Opt_appraise_type, Opt_permit_directio,
-- Opt_pcr, Opt_template, Opt_err
-+ Opt_appraise_type, Opt_appraise_flag,
-+ Opt_permit_directio, Opt_pcr, Opt_template, Opt_err
- };
-
- static const match_table_t policy_tokens = {
-@@ -802,6 +802,7 @@ static const match_table_t policy_tokens = {
- {Opt_euid_lt, "euid<%s"},
- {Opt_fowner_lt, "fowner<%s"},
- {Opt_appraise_type, "appraise_type=%s"},
-+ {Opt_appraise_flag, "appraise_flag=%s"},
- {Opt_permit_directio, "permit_directio"},
- {Opt_pcr, "pcr=%s"},
- {Opt_template, "template=%s"},
-@@ -1182,6 +1183,11 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
- else
- result = -EINVAL;
- break;
-+ case Opt_appraise_flag:
-+ ima_log_string(ab, "appraise_flag", args[0].from);
-+ if (strstr(args[0].from, "blacklist"))
-+ entry->flags |= IMA_CHECK_BLACKLIST;
-+ break;
- case Opt_permit_directio:
- entry->flags |= IMA_PERMIT_DIRECTIO;
- break;
-@@ -1510,6 +1516,8 @@ int ima_policy_show(struct seq_file *m, void *v)
- else
- seq_puts(m, "appraise_type=imasig ");
- }
-+ if (entry->flags & IMA_CHECK_BLACKLIST)
-+ seq_puts(m, "appraise_flag=check_blacklist ");
- if (entry->flags & IMA_PERMIT_DIRECTIO)
- seq_puts(m, "permit_directio ");
- rcu_read_unlock();
-diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
-index d9323d31a3a8..73fc286834d7 100644
---- a/security/integrity/integrity.h
-+++ b/security/integrity/integrity.h
-@@ -32,6 +32,7 @@
- #define EVM_IMMUTABLE_DIGSIG 0x08000000
- #define IMA_FAIL_UNVERIFIABLE_SIGS 0x10000000
- #define IMA_MODSIG_ALLOWED 0x20000000
-+#define IMA_CHECK_BLACKLIST 0x40000000
-
- #define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \
- IMA_HASH | IMA_APPRAISE_SUBMASK)
diff --git a/openpower/linux/0008-powerpc-ima-Update-ima-arch-policy-to-check-for-blac.patch b/openpower/linux/0008-powerpc-ima-Update-ima-arch-policy-to-check-for-blac.patch
deleted file mode 100644
index 3610e6e..0000000
--- a/openpower/linux/0008-powerpc-ima-Update-ima-arch-policy-to-check-for-blac.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Wed, 30 Oct 2019 23:31:33 -0400
-Subject: [PATCH 08/17] powerpc/ima: Update ima arch policy to check for
- blacklist
-
-This patch updates the arch-specific policies for PowerNV system to
-make sure that the binary hash is not blacklisted.
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1572492694-6520-9-git-send-email-zohar@linux.ibm.com
-(cherry picked from commit dc87f18615db9dc74a75cfb4a57ed33b07a3903a)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/kernel/ima_arch.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
-index 0ef5956c9753..b9de0fb45bb9 100644
---- a/arch/powerpc/kernel/ima_arch.c
-+++ b/arch/powerpc/kernel/ima_arch.c
-@@ -23,9 +23,9 @@ bool arch_ima_get_secureboot(void)
- * is not enabled.
- */
- static const char *const secure_rules[] = {
-- "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
-+ "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
- #ifndef CONFIG_MODULE_SIG_FORCE
-- "appraise func=MODULE_CHECK appraise_type=imasig|modsig",
-+ "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
- #endif
- NULL
- };
-@@ -49,9 +49,9 @@ static const char *const trusted_rules[] = {
- static const char *const secure_and_trusted_rules[] = {
- "measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
- "measure func=MODULE_CHECK template=ima-modsig",
-- "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
-+ "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
- #ifndef CONFIG_MODULE_SIG_FORCE
-- "appraise func=MODULE_CHECK appraise_type=imasig|modsig",
-+ "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
- #endif
- NULL
- };
diff --git a/openpower/linux/0009-powerpc-powernv-Add-OPAL-API-interface-to-access-sec.patch b/openpower/linux/0009-powerpc-powernv-Add-OPAL-API-interface-to-access-sec.patch
deleted file mode 100644
index 014d09f..0000000
--- a/openpower/linux/0009-powerpc-powernv-Add-OPAL-API-interface-to-access-sec.patch
+++ /dev/null
@@ -1,329 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Sun, 10 Nov 2019 21:10:33 -0600
-Subject: [PATCH 09/17] powerpc/powernv: Add OPAL API interface to access
- secure variable
-
-The X.509 certificates trusted by the platform and required to secure
-boot the OS kernel are wrapped in secure variables, which are
-controlled by OPAL.
-
-This patch adds firmware/kernel interface to read and write OPAL
-secure variables based on the unique key.
-
-This support can be enabled using CONFIG_OPAL_SECVAR.
-
-Signed-off-by: Claudio Carvalho <cclaudio@linux.ibm.com>
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Signed-off-by: Eric Richter <erichte@linux.ibm.com>
-[mpe: Make secvar_ops __ro_after_init, only build opal-secvar.c if PPC_SECURE_BOOT=y]
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1573441836-3632-2-git-send-email-nayna@linux.ibm.com
-(cherry picked from commit 9155e2341aa8b5df057dc1c77633b33d1a4f17d2)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/include/asm/opal-api.h | 5 +-
- arch/powerpc/include/asm/opal.h | 7 +
- arch/powerpc/include/asm/secvar.h | 35 +++++
- arch/powerpc/kernel/Makefile | 2 +-
- arch/powerpc/kernel/secvar-ops.c | 17 +++
- arch/powerpc/platforms/powernv/Makefile | 1 +
- arch/powerpc/platforms/powernv/opal-call.c | 3 +
- arch/powerpc/platforms/powernv/opal-secvar.c | 140 +++++++++++++++++++
- arch/powerpc/platforms/powernv/opal.c | 3 +
- 9 files changed, 211 insertions(+), 2 deletions(-)
- create mode 100644 arch/powerpc/include/asm/secvar.h
- create mode 100644 arch/powerpc/kernel/secvar-ops.c
- create mode 100644 arch/powerpc/platforms/powernv/opal-secvar.c
-
-diff --git a/arch/powerpc/include/asm/opal-api.h b/arch/powerpc/include/asm/opal-api.h
-index 378e3997845a..c1f25a760eb1 100644
---- a/arch/powerpc/include/asm/opal-api.h
-+++ b/arch/powerpc/include/asm/opal-api.h
-@@ -211,7 +211,10 @@
- #define OPAL_MPIPL_UPDATE 173
- #define OPAL_MPIPL_REGISTER_TAG 174
- #define OPAL_MPIPL_QUERY_TAG 175
--#define OPAL_LAST 175
-+#define OPAL_SECVAR_GET 176
-+#define OPAL_SECVAR_GET_NEXT 177
-+#define OPAL_SECVAR_ENQUEUE_UPDATE 178
-+#define OPAL_LAST 178
-
- #define QUIESCE_HOLD 1 /* Spin all calls at entry */
- #define QUIESCE_REJECT 2 /* Fail all calls with OPAL_BUSY */
-diff --git a/arch/powerpc/include/asm/opal.h b/arch/powerpc/include/asm/opal.h
-index a0cf8fba4d12..9986ac34b8e2 100644
---- a/arch/powerpc/include/asm/opal.h
-+++ b/arch/powerpc/include/asm/opal.h
-@@ -298,6 +298,13 @@ int opal_sensor_group_clear(u32 group_hndl, int token);
- int opal_sensor_group_enable(u32 group_hndl, int token, bool enable);
- int opal_nx_coproc_init(uint32_t chip_id, uint32_t ct);
-
-+int opal_secvar_get(const char *key, uint64_t key_len, u8 *data,
-+ uint64_t *data_size);
-+int opal_secvar_get_next(const char *key, uint64_t *key_len,
-+ uint64_t key_buf_size);
-+int opal_secvar_enqueue_update(const char *key, uint64_t key_len, u8 *data,
-+ uint64_t data_size);
-+
- s64 opal_mpipl_update(enum opal_mpipl_ops op, u64 src, u64 dest, u64 size);
- s64 opal_mpipl_register_tag(enum opal_mpipl_tags tag, u64 addr);
- s64 opal_mpipl_query_tag(enum opal_mpipl_tags tag, u64 *addr);
-diff --git a/arch/powerpc/include/asm/secvar.h b/arch/powerpc/include/asm/secvar.h
-new file mode 100644
-index 000000000000..4cc35b58b986
---- /dev/null
-+++ b/arch/powerpc/include/asm/secvar.h
-@@ -0,0 +1,35 @@
-+/* SPDX-License-Identifier: GPL-2.0 */
-+/*
-+ * Copyright (C) 2019 IBM Corporation
-+ * Author: Nayna Jain
-+ *
-+ * PowerPC secure variable operations.
-+ */
-+#ifndef SECVAR_OPS_H
-+#define SECVAR_OPS_H
-+
-+#include <linux/types.h>
-+#include <linux/errno.h>
-+
-+extern const struct secvar_operations *secvar_ops;
-+
-+struct secvar_operations {
-+ int (*get)(const char *key, uint64_t key_len, u8 *data,
-+ uint64_t *data_size);
-+ int (*get_next)(const char *key, uint64_t *key_len,
-+ uint64_t keybufsize);
-+ int (*set)(const char *key, uint64_t key_len, u8 *data,
-+ uint64_t data_size);
-+};
-+
-+#ifdef CONFIG_PPC_SECURE_BOOT
-+
-+extern void set_secvar_ops(const struct secvar_operations *ops);
-+
-+#else
-+
-+static inline void set_secvar_ops(const struct secvar_operations *ops) { }
-+
-+#endif
-+
-+#endif
-diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
-index a23db0cd8473..e60d3ce046de 100644
---- a/arch/powerpc/kernel/Makefile
-+++ b/arch/powerpc/kernel/Makefile
-@@ -158,7 +158,7 @@ ifneq ($(CONFIG_PPC_POWERNV)$(CONFIG_PPC_SVM),)
- obj-y += ucall.o
- endif
-
--obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o ima_arch.o
-+obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o ima_arch.o secvar-ops.o
-
- # Disable GCOV, KCOV & sanitizers in odd or sensitive code
- GCOV_PROFILE_prom_init.o := n
-diff --git a/arch/powerpc/kernel/secvar-ops.c b/arch/powerpc/kernel/secvar-ops.c
-new file mode 100644
-index 000000000000..6a29777d6a2d
---- /dev/null
-+++ b/arch/powerpc/kernel/secvar-ops.c
-@@ -0,0 +1,17 @@
-+// SPDX-License-Identifier: GPL-2.0
-+/*
-+ * Copyright (C) 2019 IBM Corporation
-+ * Author: Nayna Jain
-+ *
-+ * This file initializes secvar operations for PowerPC Secureboot
-+ */
-+
-+#include <linux/cache.h>
-+#include <asm/secvar.h>
-+
-+const struct secvar_operations *secvar_ops __ro_after_init;
-+
-+void set_secvar_ops(const struct secvar_operations *ops)
-+{
-+ secvar_ops = ops;
-+}
-diff --git a/arch/powerpc/platforms/powernv/Makefile b/arch/powerpc/platforms/powernv/Makefile
-index a3ac9646119d..c0f8120045c3 100644
---- a/arch/powerpc/platforms/powernv/Makefile
-+++ b/arch/powerpc/platforms/powernv/Makefile
-@@ -20,3 +20,4 @@ obj-$(CONFIG_PPC_MEMTRACE) += memtrace.o
- obj-$(CONFIG_PPC_VAS) += vas.o vas-window.o vas-debug.o
- obj-$(CONFIG_OCXL_BASE) += ocxl.o
- obj-$(CONFIG_SCOM_DEBUGFS) += opal-xscom.o
-+obj-$(CONFIG_PPC_SECURE_BOOT) += opal-secvar.o
-diff --git a/arch/powerpc/platforms/powernv/opal-call.c b/arch/powerpc/platforms/powernv/opal-call.c
-index a2aa5e433ac8..5cd0f52d258f 100644
---- a/arch/powerpc/platforms/powernv/opal-call.c
-+++ b/arch/powerpc/platforms/powernv/opal-call.c
-@@ -290,3 +290,6 @@ OPAL_CALL(opal_nx_coproc_init, OPAL_NX_COPROC_INIT);
- OPAL_CALL(opal_mpipl_update, OPAL_MPIPL_UPDATE);
- OPAL_CALL(opal_mpipl_register_tag, OPAL_MPIPL_REGISTER_TAG);
- OPAL_CALL(opal_mpipl_query_tag, OPAL_MPIPL_QUERY_TAG);
-+OPAL_CALL(opal_secvar_get, OPAL_SECVAR_GET);
-+OPAL_CALL(opal_secvar_get_next, OPAL_SECVAR_GET_NEXT);
-+OPAL_CALL(opal_secvar_enqueue_update, OPAL_SECVAR_ENQUEUE_UPDATE);
-diff --git a/arch/powerpc/platforms/powernv/opal-secvar.c b/arch/powerpc/platforms/powernv/opal-secvar.c
-new file mode 100644
-index 000000000000..14133e120bdd
---- /dev/null
-+++ b/arch/powerpc/platforms/powernv/opal-secvar.c
-@@ -0,0 +1,140 @@
-+// SPDX-License-Identifier: GPL-2.0
-+/*
-+ * PowerNV code for secure variables
-+ *
-+ * Copyright (C) 2019 IBM Corporation
-+ * Author: Claudio Carvalho
-+ * Nayna Jain
-+ *
-+ * APIs to access secure variables managed by OPAL.
-+ */
-+
-+#define pr_fmt(fmt) "secvar: "fmt
-+
-+#include <linux/types.h>
-+#include <linux/platform_device.h>
-+#include <linux/of_platform.h>
-+#include <asm/opal.h>
-+#include <asm/secvar.h>
-+#include <asm/secure_boot.h>
-+
-+static int opal_status_to_err(int rc)
-+{
-+ int err;
-+
-+ switch (rc) {
-+ case OPAL_SUCCESS:
-+ err = 0;
-+ break;
-+ case OPAL_UNSUPPORTED:
-+ err = -ENXIO;
-+ break;
-+ case OPAL_PARAMETER:
-+ err = -EINVAL;
-+ break;
-+ case OPAL_RESOURCE:
-+ err = -ENOSPC;
-+ break;
-+ case OPAL_HARDWARE:
-+ err = -EIO;
-+ break;
-+ case OPAL_NO_MEM:
-+ err = -ENOMEM;
-+ break;
-+ case OPAL_EMPTY:
-+ err = -ENOENT;
-+ break;
-+ case OPAL_PARTIAL:
-+ err = -EFBIG;
-+ break;
-+ default:
-+ err = -EINVAL;
-+ }
-+
-+ return err;
-+}
-+
-+static int opal_get_variable(const char *key, uint64_t ksize,
-+ u8 *data, uint64_t *dsize)
-+{
-+ int rc;
-+
-+ if (!key || !dsize)
-+ return -EINVAL;
-+
-+ *dsize = cpu_to_be64(*dsize);
-+
-+ rc = opal_secvar_get(key, ksize, data, dsize);
-+
-+ *dsize = be64_to_cpu(*dsize);
-+
-+ return opal_status_to_err(rc);
-+}
-+
-+static int opal_get_next_variable(const char *key, uint64_t *keylen,
-+ uint64_t keybufsize)
-+{
-+ int rc;
-+
-+ if (!key || !keylen)
-+ return -EINVAL;
-+
-+ *keylen = cpu_to_be64(*keylen);
-+
-+ rc = opal_secvar_get_next(key, keylen, keybufsize);
-+
-+ *keylen = be64_to_cpu(*keylen);
-+
-+ return opal_status_to_err(rc);
-+}
-+
-+static int opal_set_variable(const char *key, uint64_t ksize, u8 *data,
-+ uint64_t dsize)
-+{
-+ int rc;
-+
-+ if (!key || !data)
-+ return -EINVAL;
-+
-+ rc = opal_secvar_enqueue_update(key, ksize, data, dsize);
-+
-+ return opal_status_to_err(rc);
-+}
-+
-+static const struct secvar_operations opal_secvar_ops = {
-+ .get = opal_get_variable,
-+ .get_next = opal_get_next_variable,
-+ .set = opal_set_variable,
-+};
-+
-+static int opal_secvar_probe(struct platform_device *pdev)
-+{
-+ if (!opal_check_token(OPAL_SECVAR_GET)
-+ || !opal_check_token(OPAL_SECVAR_GET_NEXT)
-+ || !opal_check_token(OPAL_SECVAR_ENQUEUE_UPDATE)) {
-+ pr_err("OPAL doesn't support secure variables\n");
-+ return -ENODEV;
-+ }
-+
-+ set_secvar_ops(&opal_secvar_ops);
-+
-+ return 0;
-+}
-+
-+static const struct of_device_id opal_secvar_match[] = {
-+ { .compatible = "ibm,secvar-backend",},
-+ {},
-+};
-+
-+static struct platform_driver opal_secvar_driver = {
-+ .driver = {
-+ .name = "secvar",
-+ .of_match_table = opal_secvar_match,
-+ },
-+};
-+
-+static int __init opal_secvar_init(void)
-+{
-+ return platform_driver_probe(&opal_secvar_driver, opal_secvar_probe);
-+}
-+device_initcall(opal_secvar_init);
-diff --git a/arch/powerpc/platforms/powernv/opal.c b/arch/powerpc/platforms/powernv/opal.c
-index 38e90270280b..8355bcd00f93 100644
---- a/arch/powerpc/platforms/powernv/opal.c
-+++ b/arch/powerpc/platforms/powernv/opal.c
-@@ -1002,6 +1002,9 @@ static int __init opal_init(void)
- /* Initialise OPAL Power control interface */
- opal_power_control_init();
-
-+ /* Initialize OPAL secure variables */
-+ opal_pdev_init("ibm,secvar-backend");
-+
- return 0;
- }
- machine_subsys_initcall(powernv, opal_init);
diff --git a/openpower/linux/0010-powerpc-expose-secure-variables-to-userspace-via-sys.patch b/openpower/linux/0010-powerpc-expose-secure-variables-to-userspace-via-sys.patch
deleted file mode 100644
index ea98464..0000000
--- a/openpower/linux/0010-powerpc-expose-secure-variables-to-userspace-via-sys.patch
+++ /dev/null
@@ -1,369 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Sun, 10 Nov 2019 21:10:34 -0600
-Subject: [PATCH 10/17] powerpc: expose secure variables to userspace via sysfs
-
-PowerNV secure variables, which store the keys used for OS kernel
-verification, are managed by the firmware. These secure variables need to
-be accessed by the userspace for addition/deletion of the certificates.
-
-This patch adds the sysfs interface to expose secure variables for PowerNV
-secureboot. The users shall use this interface for manipulating
-the keys stored in the secure variables.
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Eric Richter <erichte@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1573441836-3632-3-git-send-email-nayna@linux.ibm.com
-(cherry picked from commit bd5d9c743d38f67d64ea1b512a461f6b5a5f6bec)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- Documentation/ABI/testing/sysfs-secvar | 46 +++++
- arch/powerpc/Kconfig | 11 ++
- arch/powerpc/kernel/Makefile | 1 +
- arch/powerpc/kernel/secvar-sysfs.c | 248 +++++++++++++++++++++++++
- 4 files changed, 306 insertions(+)
- create mode 100644 Documentation/ABI/testing/sysfs-secvar
- create mode 100644 arch/powerpc/kernel/secvar-sysfs.c
-
-diff --git a/Documentation/ABI/testing/sysfs-secvar b/Documentation/ABI/testing/sysfs-secvar
-new file mode 100644
-index 000000000000..feebb8c57294
---- /dev/null
-+++ b/Documentation/ABI/testing/sysfs-secvar
-@@ -0,0 +1,46 @@
-+What: /sys/firmware/secvar
-+Date: August 2019
-+Contact: Nayna Jain <nayna@linux.ibm.com>
-+Description: This directory is created if the POWER firmware supports OS
-+ secureboot, thereby secure variables. It exposes interface
-+ for reading/writing the secure variables
-+
-+What: /sys/firmware/secvar/vars
-+Date: August 2019
-+Contact: Nayna Jain <nayna@linux.ibm.com>
-+Description: This directory lists all the secure variables that are supported
-+ by the firmware.
-+
-+What: /sys/firmware/secvar/format
-+Date: August 2019
-+Contact: Nayna Jain <nayna@linux.ibm.com>
-+Description: A string indicating which backend is in use by the firmware.
-+ This determines the format of the variable and the accepted
-+ format of variable updates.
-+
-+What: /sys/firmware/secvar/vars/<variable name>
-+Date: August 2019
-+Contact: Nayna Jain <nayna@linux.ibm.com>
-+Description: Each secure variable is represented as a directory named as
-+ <variable_name>. The variable name is unique and is in ASCII
-+ representation. The data and size can be determined by reading
-+ their respective attribute files.
-+
-+What: /sys/firmware/secvar/vars/<variable_name>/size
-+Date: August 2019
-+Contact: Nayna Jain <nayna@linux.ibm.com>
-+Description: An integer representation of the size of the content of the
-+ variable. In other words, it represents the size of the data.
-+
-+What: /sys/firmware/secvar/vars/<variable_name>/data
-+Date: August 2019
-+Contact: Nayna Jain h<nayna@linux.ibm.com>
-+Description: A read-only file containing the value of the variable. The size
-+ of the file represents the maximum size of the variable data.
-+
-+What: /sys/firmware/secvar/vars/<variable_name>/update
-+Date: August 2019
-+Contact: Nayna Jain <nayna@linux.ibm.com>
-+Description: A write-only file that is used to submit the new value for the
-+ variable. The size of the file represents the maximum size of
-+ the variable data that can be written.
-diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
-index 95d3069fc115..20212908dd67 100644
---- a/arch/powerpc/Kconfig
-+++ b/arch/powerpc/Kconfig
-@@ -947,6 +947,17 @@ config PPC_SECURE_BOOT
- to enable OS secure boot on systems that have firmware support for
- it. If in doubt say N.
-
-+config PPC_SECVAR_SYSFS
-+ bool "Enable sysfs interface for POWER secure variables"
-+ default y
-+ depends on PPC_SECURE_BOOT
-+ depends on SYSFS
-+ help
-+ POWER secure variables are managed and controlled by firmware.
-+ These variables are exposed to userspace via sysfs to enable
-+ read/write operations on these variables. Say Y if you have
-+ secure boot enabled and want to expose variables to userspace.
-+
- endmenu
-
- config ISA_DMA_API
-diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
-index e60d3ce046de..01eafcb86a37 100644
---- a/arch/powerpc/kernel/Makefile
-+++ b/arch/powerpc/kernel/Makefile
-@@ -159,6 +159,7 @@ obj-y += ucall.o
- endif
-
- obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o ima_arch.o secvar-ops.o
-+obj-$(CONFIG_PPC_SECVAR_SYSFS) += secvar-sysfs.o
-
- # Disable GCOV, KCOV & sanitizers in odd or sensitive code
- GCOV_PROFILE_prom_init.o := n
-diff --git a/arch/powerpc/kernel/secvar-sysfs.c b/arch/powerpc/kernel/secvar-sysfs.c
-new file mode 100644
-index 000000000000..a0a78aba2083
---- /dev/null
-+++ b/arch/powerpc/kernel/secvar-sysfs.c
-@@ -0,0 +1,248 @@
-+// SPDX-License-Identifier: GPL-2.0+
-+/*
-+ * Copyright (C) 2019 IBM Corporation <nayna@linux.ibm.com>
-+ *
-+ * This code exposes secure variables to user via sysfs
-+ */
-+
-+#define pr_fmt(fmt) "secvar-sysfs: "fmt
-+
-+#include <linux/slab.h>
-+#include <linux/compat.h>
-+#include <linux/string.h>
-+#include <linux/of.h>
-+#include <asm/secvar.h>
-+
-+#define NAME_MAX_SIZE 1024
-+
-+static struct kobject *secvar_kobj;
-+static struct kset *secvar_kset;
-+
-+static ssize_t format_show(struct kobject *kobj, struct kobj_attribute *attr,
-+ char *buf)
-+{
-+ ssize_t rc = 0;
-+ struct device_node *node;
-+ const char *format;
-+
-+ node = of_find_compatible_node(NULL, NULL, "ibm,secvar-backend");
-+ if (!of_device_is_available(node))
-+ return -ENODEV;
-+
-+ rc = of_property_read_string(node, "format", &format);
-+ if (rc)
-+ return rc;
-+
-+ rc = sprintf(buf, "%s\n", format);
-+
-+ of_node_put(node);
-+
-+ return rc;
-+}
-+
-+
-+static ssize_t size_show(struct kobject *kobj, struct kobj_attribute *attr,
-+ char *buf)
-+{
-+ uint64_t dsize;
-+ int rc;
-+
-+ rc = secvar_ops->get(kobj->name, strlen(kobj->name) + 1, NULL, &dsize);
-+ if (rc) {
-+ pr_err("Error retrieving %s variable size %d\n", kobj->name,
-+ rc);
-+ return rc;
-+ }
-+
-+ return sprintf(buf, "%llu\n", dsize);
-+}
-+
-+static ssize_t data_read(struct file *filep, struct kobject *kobj,
-+ struct bin_attribute *attr, char *buf, loff_t off,
-+ size_t count)
-+{
-+ uint64_t dsize;
-+ char *data;
-+ int rc;
-+
-+ rc = secvar_ops->get(kobj->name, strlen(kobj->name) + 1, NULL, &dsize);
-+ if (rc) {
-+ pr_err("Error getting %s variable size %d\n", kobj->name, rc);
-+ return rc;
-+ }
-+ pr_debug("dsize is %llu\n", dsize);
-+
-+ data = kzalloc(dsize, GFP_KERNEL);
-+ if (!data)
-+ return -ENOMEM;
-+
-+ rc = secvar_ops->get(kobj->name, strlen(kobj->name) + 1, data, &dsize);
-+ if (rc) {
-+ pr_err("Error getting %s variable %d\n", kobj->name, rc);
-+ goto data_fail;
-+ }
-+
-+ rc = memory_read_from_buffer(buf, count, &off, data, dsize);
-+
-+data_fail:
-+ kfree(data);
-+ return rc;
-+}
-+
-+static ssize_t update_write(struct file *filep, struct kobject *kobj,
-+ struct bin_attribute *attr, char *buf, loff_t off,
-+ size_t count)
-+{
-+ int rc;
-+
-+ pr_debug("count is %ld\n", count);
-+ rc = secvar_ops->set(kobj->name, strlen(kobj->name) + 1, buf, count);
-+ if (rc) {
-+ pr_err("Error setting the %s variable %d\n", kobj->name, rc);
-+ return rc;
-+ }
-+
-+ return count;
-+}
-+
-+static struct kobj_attribute format_attr = __ATTR_RO(format);
-+
-+static struct kobj_attribute size_attr = __ATTR_RO(size);
-+
-+static struct bin_attribute data_attr = __BIN_ATTR_RO(data, 0);
-+
-+static struct bin_attribute update_attr = __BIN_ATTR_WO(update, 0);
-+
-+static struct bin_attribute *secvar_bin_attrs[] = {
-+ &data_attr,
-+ &update_attr,
-+ NULL,
-+};
-+
-+static struct attribute *secvar_attrs[] = {
-+ &size_attr.attr,
-+ NULL,
-+};
-+
-+static const struct attribute_group secvar_attr_group = {
-+ .attrs = secvar_attrs,
-+ .bin_attrs = secvar_bin_attrs,
-+};
-+__ATTRIBUTE_GROUPS(secvar_attr);
-+
-+static struct kobj_type secvar_ktype = {
-+ .sysfs_ops = &kobj_sysfs_ops,
-+ .default_groups = secvar_attr_groups,
-+};
-+
-+static int update_kobj_size(void)
-+{
-+
-+ struct device_node *node;
-+ u64 varsize;
-+ int rc = 0;
-+
-+ node = of_find_compatible_node(NULL, NULL, "ibm,secvar-backend");
-+ if (!of_device_is_available(node)) {
-+ rc = -ENODEV;
-+ goto out;
-+ }
-+
-+ rc = of_property_read_u64(node, "max-var-size", &varsize);
-+ if (rc)
-+ goto out;
-+
-+ data_attr.size = varsize;
-+ update_attr.size = varsize;
-+
-+out:
-+ of_node_put(node);
-+
-+ return rc;
-+}
-+
-+static int secvar_sysfs_load(void)
-+{
-+ char *name;
-+ uint64_t namesize = 0;
-+ struct kobject *kobj;
-+ int rc;
-+
-+ name = kzalloc(NAME_MAX_SIZE, GFP_KERNEL);
-+ if (!name)
-+ return -ENOMEM;
-+
-+ do {
-+ rc = secvar_ops->get_next(name, &namesize, NAME_MAX_SIZE);
-+ if (rc) {
-+ if (rc != -ENOENT)
-+ pr_err("error getting secvar from firmware %d\n",
-+ rc);
-+ break;
-+ }
-+
-+ kobj = kzalloc(sizeof(*kobj), GFP_KERNEL);
-+ if (!kobj) {
-+ rc = -ENOMEM;
-+ break;
-+ }
-+
-+ kobject_init(kobj, &secvar_ktype);
-+
-+ rc = kobject_add(kobj, &secvar_kset->kobj, "%s", name);
-+ if (rc) {
-+ pr_warn("kobject_add error %d for attribute: %s\n", rc,
-+ name);
-+ kobject_put(kobj);
-+ kobj = NULL;
-+ }
-+
-+ if (kobj)
-+ kobject_uevent(kobj, KOBJ_ADD);
-+
-+ } while (!rc);
-+
-+ kfree(name);
-+ return rc;
-+}
-+
-+static int secvar_sysfs_init(void)
-+{
-+ int rc;
-+
-+ if (!secvar_ops) {
-+ pr_warn("secvar: failed to retrieve secvar operations.\n");
-+ return -ENODEV;
-+ }
-+
-+ secvar_kobj = kobject_create_and_add("secvar", firmware_kobj);
-+ if (!secvar_kobj) {
-+ pr_err("secvar: Failed to create firmware kobj\n");
-+ return -ENOMEM;
-+ }
-+
-+ rc = sysfs_create_file(secvar_kobj, &format_attr.attr);
-+ if (rc) {
-+ kobject_put(secvar_kobj);
-+ return -ENOMEM;
-+ }
-+
-+ secvar_kset = kset_create_and_add("vars", NULL, secvar_kobj);
-+ if (!secvar_kset) {
-+ pr_err("secvar: sysfs kobject registration failed.\n");
-+ kobject_put(secvar_kobj);
-+ return -ENOMEM;
-+ }
-+
-+ rc = update_kobj_size();
-+ if (rc) {
-+ pr_err("Cannot read the size of the attribute\n");
-+ return rc;
-+ }
-+
-+ secvar_sysfs_load();
-+
-+ return 0;
-+}
-+
-+late_initcall(secvar_sysfs_init);
diff --git a/openpower/linux/0011-powerpc-Load-firmware-trusted-keys-hashes-into-kerne.patch b/openpower/linux/0011-powerpc-Load-firmware-trusted-keys-hashes-into-kerne.patch
deleted file mode 100644
index dcde22e..0000000
--- a/openpower/linux/0011-powerpc-Load-firmware-trusted-keys-hashes-into-kerne.patch
+++ /dev/null
@@ -1,163 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Sun, 10 Nov 2019 21:10:36 -0600
-Subject: [PATCH 11/17] powerpc: Load firmware trusted keys/hashes into kernel
- keyring
-
-The keys used to verify the Host OS kernel are managed by firmware as
-secure variables. This patch loads the verification keys into the
-.platform keyring and revocation hashes into .blacklist keyring. This
-enables verification and loading of the kernels signed by the boot
-time keys which are trusted by firmware.
-
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Eric Richter <erichte@linux.ibm.com>
-[mpe: Search by compatible in load_powerpc_certs(), not using format]
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1573441836-3632-5-git-send-email-nayna@linux.ibm.com
-(cherry picked from commit 8220e22d11a05049aab9693839ab82e5e177ccde)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- security/integrity/Kconfig | 9 ++
- security/integrity/Makefile | 4 +-
- .../integrity/platform_certs/load_powerpc.c | 96 +++++++++++++++++++
- 3 files changed, 108 insertions(+), 1 deletion(-)
- create mode 100644 security/integrity/platform_certs/load_powerpc.c
-
-diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
-index 0bae6adb63a9..71f0177e8716 100644
---- a/security/integrity/Kconfig
-+++ b/security/integrity/Kconfig
-@@ -72,6 +72,15 @@ config LOAD_IPL_KEYS
- depends on S390
- def_bool y
-
-+config LOAD_PPC_KEYS
-+ bool "Enable loading of platform and blacklisted keys for POWER"
-+ depends on INTEGRITY_PLATFORM_KEYRING
-+ depends on PPC_SECURE_BOOT
-+ default y
-+ help
-+ Enable loading of keys to the .platform keyring and blacklisted
-+ hashes to the .blacklist keyring for powerpc based platforms.
-+
- config INTEGRITY_AUDIT
- bool "Enables integrity auditing support "
- depends on AUDIT
-diff --git a/security/integrity/Makefile b/security/integrity/Makefile
-index 351c9662994b..7ee39d66cf16 100644
---- a/security/integrity/Makefile
-+++ b/security/integrity/Makefile
-@@ -14,6 +14,8 @@ integrity-$(CONFIG_LOAD_UEFI_KEYS) += platform_certs/efi_parser.o \
- platform_certs/load_uefi.o \
- platform_certs/keyring_handler.o
- integrity-$(CONFIG_LOAD_IPL_KEYS) += platform_certs/load_ipl_s390.o
--
-+integrity-$(CONFIG_LOAD_PPC_KEYS) += platform_certs/efi_parser.o \
-+ platform_certs/load_powerpc.o \
-+ platform_certs/keyring_handler.o
- obj-$(CONFIG_IMA) += ima/
- obj-$(CONFIG_EVM) += evm/
-diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c
-new file mode 100644
-index 000000000000..a2900cb85357
---- /dev/null
-+++ b/security/integrity/platform_certs/load_powerpc.c
-@@ -0,0 +1,96 @@
-+// SPDX-License-Identifier: GPL-2.0
-+/*
-+ * Copyright (C) 2019 IBM Corporation
-+ * Author: Nayna Jain
-+ *
-+ * - loads keys and hashes stored and controlled by the firmware.
-+ */
-+#include <linux/kernel.h>
-+#include <linux/sched.h>
-+#include <linux/cred.h>
-+#include <linux/err.h>
-+#include <linux/slab.h>
-+#include <linux/of.h>
-+#include <asm/secure_boot.h>
-+#include <asm/secvar.h>
-+#include "keyring_handler.h"
-+
-+/*
-+ * Get a certificate list blob from the named secure variable.
-+ */
-+static __init void *get_cert_list(u8 *key, unsigned long keylen, uint64_t *size)
-+{
-+ int rc;
-+ void *db;
-+
-+ rc = secvar_ops->get(key, keylen, NULL, size);
-+ if (rc) {
-+ pr_err("Couldn't get size: %d\n", rc);
-+ return NULL;
-+ }
-+
-+ db = kmalloc(*size, GFP_KERNEL);
-+ if (!db)
-+ return NULL;
-+
-+ rc = secvar_ops->get(key, keylen, db, size);
-+ if (rc) {
-+ kfree(db);
-+ pr_err("Error reading %s var: %d\n", key, rc);
-+ return NULL;
-+ }
-+
-+ return db;
-+}
-+
-+/*
-+ * Load the certs contained in the keys databases into the platform trusted
-+ * keyring and the blacklisted X.509 cert SHA256 hashes into the blacklist
-+ * keyring.
-+ */
-+static int __init load_powerpc_certs(void)
-+{
-+ void *db = NULL, *dbx = NULL;
-+ uint64_t dbsize = 0, dbxsize = 0;
-+ int rc = 0;
-+ struct device_node *node;
-+
-+ if (!secvar_ops)
-+ return -ENODEV;
-+
-+ /* The following only applies for the edk2-compat backend. */
-+ node = of_find_compatible_node(NULL, NULL, "ibm,edk2-compat-v1");
-+ if (!node)
-+ return -ENODEV;
-+
-+ /*
-+ * Get db, and dbx. They might not exist, so it isn't an error if we
-+ * can't get them.
-+ */
-+ db = get_cert_list("db", 3, &dbsize);
-+ if (!db) {
-+ pr_err("Couldn't get db list from firmware\n");
-+ } else {
-+ rc = parse_efi_signature_list("powerpc:db", db, dbsize,
-+ get_handler_for_db);
-+ if (rc)
-+ pr_err("Couldn't parse db signatures: %d\n", rc);
-+ kfree(db);
-+ }
-+
-+ dbx = get_cert_list("dbx", 4, &dbxsize);
-+ if (!dbx) {
-+ pr_info("Couldn't get dbx list from firmware\n");
-+ } else {
-+ rc = parse_efi_signature_list("powerpc:dbx", dbx, dbxsize,
-+ get_handler_for_dbx);
-+ if (rc)
-+ pr_err("Couldn't parse dbx signatures: %d\n", rc);
-+ kfree(dbx);
-+ }
-+
-+ of_node_put(node);
-+
-+ return rc;
-+}
-+late_initcall(load_powerpc_certs);
diff --git a/openpower/linux/0012-powerpc-xmon-Allow-listing-and-clearing-breakpoints-.patch b/openpower/linux/0012-powerpc-xmon-Allow-listing-and-clearing-breakpoints-.patch
deleted file mode 100644
index 744447a..0000000
--- a/openpower/linux/0012-powerpc-xmon-Allow-listing-and-clearing-breakpoints-.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: "Christopher M. Riedl" <cmr@informatik.wtf>
-Date: Sat, 7 Sep 2019 01:11:23 -0500
-Subject: [PATCH 12/17] powerpc/xmon: Allow listing and clearing breakpoints in
- read-only mode
-
-Read-only mode should not prevent listing and clearing any active
-breakpoints.
-
-Tested-by: Daniel Axtens <dja@axtens.net>
-Reviewed-by: Daniel Axtens <dja@axtens.net>
-Signed-off-by: Christopher M. Riedl <cmr@informatik.wtf>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/20190907061124.1947-2-cmr@informatik.wtf
-(cherry picked from commit 96664dee5cf1815777286227b09884b4f019727f)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/xmon/xmon.c | 16 +++++++++++-----
- 1 file changed, 11 insertions(+), 5 deletions(-)
-
-diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c
-index 6d130c89fbd8..ab6371aedfcb 100644
---- a/arch/powerpc/xmon/xmon.c
-+++ b/arch/powerpc/xmon/xmon.c
-@@ -1096,10 +1096,6 @@ cmds(struct pt_regs *excp)
- set_lpp_cmd();
- break;
- case 'b':
-- if (xmon_is_ro) {
-- printf(xmon_ro_msg);
-- break;
-- }
- bpt_cmds();
- break;
- case 'C':
-@@ -1368,11 +1364,16 @@ bpt_cmds(void)
- struct bpt *bp;
-
- cmd = inchar();
-+
- switch (cmd) {
- #ifndef CONFIG_PPC_8xx
- static const char badaddr[] = "Only kernel addresses are permitted for breakpoints\n";
- int mode;
- case 'd': /* bd - hardware data breakpoint */
-+ if (xmon_is_ro) {
-+ printf(xmon_ro_msg);
-+ break;
-+ }
- if (!ppc_breakpoint_available()) {
- printf("Hardware data breakpoint not supported on this cpu\n");
- break;
-@@ -1400,6 +1401,10 @@ bpt_cmds(void)
- break;
-
- case 'i': /* bi - hardware instr breakpoint */
-+ if (xmon_is_ro) {
-+ printf(xmon_ro_msg);
-+ break;
-+ }
- if (!cpu_has_feature(CPU_FTR_ARCH_207S)) {
- printf("Hardware instruction breakpoint "
- "not supported on this cpu\n");
-@@ -1458,7 +1463,8 @@ bpt_cmds(void)
- break;
- }
- termch = cmd;
-- if (!scanhex(&a)) {
-+
-+ if (xmon_is_ro || !scanhex(&a)) {
- /* print all breakpoints */
- printf(" type address\n");
- if (dabr.enabled) {
diff --git a/openpower/linux/0013-powerpc-ima-Indicate-kernel-modules-appended-signatu.patch b/openpower/linux/0013-powerpc-ima-Indicate-kernel-modules-appended-signatu.patch
deleted file mode 100644
index 14dde39..0000000
--- a/openpower/linux/0013-powerpc-ima-Indicate-kernel-modules-appended-signatu.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Mimi Zohar <zohar@linux.ibm.com>
-Date: Wed, 30 Oct 2019 23:31:34 -0400
-Subject: [PATCH 13/17] powerpc/ima: Indicate kernel modules appended
- signatures are enforced
-
-The arch specific kernel module policy rule requires kernel modules to
-be signed, either as an IMA signature, stored as an xattr, or as an
-appended signature. As a result, kernel modules appended signatures
-could be enforced without "sig_enforce" being set or reflected in
-/sys/module/module/parameters/sig_enforce. This patch sets
-"sig_enforce".
-
-Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://lore.kernel.org/r/1572492694-6520-10-git-send-email-zohar@linux.ibm.com
-(cherry picked from commit d72ea4915c7e6fa5e7b9022a34df66e375bfe46c)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/kernel/ima_arch.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
-index b9de0fb45bb9..e34116255ced 100644
---- a/arch/powerpc/kernel/ima_arch.c
-+++ b/arch/powerpc/kernel/ima_arch.c
-@@ -62,13 +62,17 @@ static const char *const secure_and_trusted_rules[] = {
- */
- const char *const *arch_get_ima_policy(void)
- {
-- if (is_ppc_secureboot_enabled())
-+ if (is_ppc_secureboot_enabled()) {
-+ if (IS_ENABLED(CONFIG_MODULE_SIG))
-+ set_module_sig_enforced();
-+
- if (is_ppc_trustedboot_enabled())
- return secure_and_trusted_rules;
- else
- return secure_rules;
-- else if (is_ppc_trustedboot_enabled())
-+ } else if (is_ppc_trustedboot_enabled()) {
- return trusted_rules;
-+ }
-
- return NULL;
- }
diff --git a/openpower/linux/0014-powerpc-ima-Fix-secure-boot-rules-in-ima-arch-policy.patch b/openpower/linux/0014-powerpc-ima-Fix-secure-boot-rules-in-ima-arch-policy.patch
deleted file mode 100644
index fc8ccc6..0000000
--- a/openpower/linux/0014-powerpc-ima-Fix-secure-boot-rules-in-ima-arch-policy.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Nayna Jain <nayna@linux.ibm.com>
-Date: Fri, 1 May 2020 10:16:52 -0400
-Subject: [PATCH 14/17] powerpc/ima: Fix secure boot rules in ima arch policy
-
-To prevent verifying the kernel module appended signature
-twice (finit_module), once by the module_sig_check() and again by IMA,
-powerpc secure boot rules define an IMA architecture specific policy
-rule only if CONFIG_MODULE_SIG_FORCE is not enabled. This,
-unfortunately, does not take into account the ability of enabling
-"sig_enforce" on the boot command line (module.sig_enforce=1).
-
-Including the IMA module appraise rule results in failing the
-finit_module syscall, unless the module signing public key is loaded
-onto the IMA keyring.
-
-This patch fixes secure boot policy rules to be based on
-CONFIG_MODULE_SIG instead.
-
-Fixes: 4238fad366a6 ("powerpc/ima: Add support to initialize ima policy rules")
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
-Link: https://lore.kernel.org/r/1588342612-14532-1-git-send-email-nayna@linux.ibm.com
-(cherry picked from commit fa4f3f56ccd28ac031ab275e673ed4098855fed4)
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/kernel/ima_arch.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
-index e34116255ced..957abd592075 100644
---- a/arch/powerpc/kernel/ima_arch.c
-+++ b/arch/powerpc/kernel/ima_arch.c
-@@ -19,12 +19,12 @@ bool arch_ima_get_secureboot(void)
- * to be stored as an xattr or as an appended signature.
- *
- * To avoid duplicate signature verification as much as possible, the IMA
-- * policy rule for module appraisal is added only if CONFIG_MODULE_SIG_FORCE
-+ * policy rule for module appraisal is added only if CONFIG_MODULE_SIG
- * is not enabled.
- */
- static const char *const secure_rules[] = {
- "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
--#ifndef CONFIG_MODULE_SIG_FORCE
-+#ifndef CONFIG_MODULE_SIG
- "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
- #endif
- NULL
-@@ -50,7 +50,7 @@ static const char *const secure_and_trusted_rules[] = {
- "measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
- "measure func=MODULE_CHECK template=ima-modsig",
- "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
--#ifndef CONFIG_MODULE_SIG_FORCE
-+#ifndef CONFIG_MODULE_SIG
- "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
- #endif
- NULL
diff --git a/openpower/linux/0015-powerpc-configs-Update-to-upstream-and-enable-secure.patch b/openpower/linux/0015-powerpc-configs-Update-to-upstream-and-enable-secure.patch
deleted file mode 100644
index c6d622f..0000000
--- a/openpower/linux/0015-powerpc-configs-Update-to-upstream-and-enable-secure.patch
+++ /dev/null
@@ -1,222 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Joel Stanley <joel@jms.id.au>
-Date: Tue, 23 Jun 2020 16:22:10 +0930
-Subject: [PATCH 15/17] powerpc/configs: Update to upstream and enable
- secureboot
-
-Pulls in the following updates from upstream:
-
- scsi: sr: remove references to BLK_DEV_SR_VENDOR, leave it enabled
- powerpc/configs/skiroot: Enable some more hardening options
- powerpc/configs/skiroot: Disable xmon default & enable reboot on panic
- powerpc/configs/skiroot: Enable security features
- powerpc/configs/skiroot: Update for symbol movement only
- powerpc/configs/skiroot: Drop default n CONFIG_CRYPTO_ECHAINIV
- powerpc/configs/skiroot: Drop HID_LOGITECH
- powerpc/configs: Drop NET_VENDOR_HP which moved to staging
- powerpc/configs: NET_CADENCE became NET_VENDOR_CADENCE
- powerpc/configs: Drop CONFIG_QLGE which moved to staging
- powerpc/configs: remove obsolete CONFIG_INET_XFRM_MODE_* and CONFIG_INET6_XFRM_MODE_*
- powerpc/configs: add FADump awareness to skiroot_defconfig
-
-In addition, it enables IMA and secureboot options.
-
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/configs/skiroot_defconfig | 83 ++++++++++++++++----------
- 1 file changed, 53 insertions(+), 30 deletions(-)
-
-diff --git a/arch/powerpc/configs/skiroot_defconfig b/arch/powerpc/configs/skiroot_defconfig
-index 2e25b264f70f..44309e12d84a 100644
---- a/arch/powerpc/configs/skiroot_defconfig
-+++ b/arch/powerpc/configs/skiroot_defconfig
-@@ -1,13 +1,9 @@
--CONFIG_PPC64=y
--CONFIG_ALTIVEC=y
--CONFIG_VSX=y
--CONFIG_NR_CPUS=2048
--CONFIG_CPU_LITTLE_ENDIAN=y
- CONFIG_KERNEL_XZ=y
- # CONFIG_SWAP is not set
- CONFIG_SYSVIPC=y
- CONFIG_POSIX_MQUEUE=y
- # CONFIG_CROSS_MEMORY_ATTACH is not set
-+CONFIG_AUDIT=y
- CONFIG_NO_HZ=y
- CONFIG_HIGH_RES_TIMERS=y
- # CONFIG_CPU_ISOLATION is not set
-@@ -28,17 +24,15 @@ CONFIG_EXPERT=y
- # CONFIG_AIO is not set
- CONFIG_PERF_EVENTS=y
- # CONFIG_COMPAT_BRK is not set
-+# CONFIG_SLAB_MERGE_DEFAULT is not set
-+CONFIG_SLAB_FREELIST_RANDOM=y
- CONFIG_SLAB_FREELIST_HARDENED=y
--CONFIG_JUMP_LABEL=y
--CONFIG_STRICT_KERNEL_RWX=y
--CONFIG_MODULES=y
--CONFIG_MODULE_UNLOAD=y
--CONFIG_MODULE_SIG=y
--CONFIG_MODULE_SIG_FORCE=y
--CONFIG_MODULE_SIG_SHA512=y
--CONFIG_PARTITION_ADVANCED=y
--# CONFIG_MQ_IOSCHED_DEADLINE is not set
--# CONFIG_MQ_IOSCHED_KYBER is not set
-+CONFIG_PPC64=y
-+CONFIG_ALTIVEC=y
-+CONFIG_VSX=y
-+CONFIG_NR_CPUS=2048
-+CONFIG_CPU_LITTLE_ENDIAN=y
-+CONFIG_PANIC_TIMEOUT=30
- # CONFIG_PPC_VAS is not set
- # CONFIG_PPC_PSERIES is not set
- # CONFIG_PPC_OF_BOOT_TRAMPOLINE is not set
-@@ -46,16 +40,27 @@ CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y
- CONFIG_CPU_IDLE=y
- CONFIG_HZ_100=y
- CONFIG_KEXEC=y
-+CONFIG_KEXEC_FILE=y
-+CONFIG_PRESERVE_FA_DUMP=y
- CONFIG_IRQ_ALL_CPUS=y
- CONFIG_NUMA=y
--# CONFIG_COMPACTION is not set
--# CONFIG_MIGRATION is not set
- CONFIG_PPC_64K_PAGES=y
- CONFIG_SCHED_SMT=y
- CONFIG_CMDLINE_BOOL=y
- CONFIG_CMDLINE="console=tty0 console=hvc0 ipr.fast_reboot=1 quiet"
- # CONFIG_SECCOMP is not set
- # CONFIG_PPC_MEM_KEYS is not set
-+CONFIG_PPC_SECURE_BOOT=y
-+CONFIG_JUMP_LABEL=y
-+CONFIG_MODULES=y
-+CONFIG_MODULE_UNLOAD=y
-+CONFIG_MODULE_SIG_FORCE=y
-+CONFIG_MODULE_SIG_SHA512=y
-+CONFIG_PARTITION_ADVANCED=y
-+# CONFIG_MQ_IOSCHED_DEADLINE is not set
-+# CONFIG_MQ_IOSCHED_KYBER is not set
-+# CONFIG_COMPACTION is not set
-+# CONFIG_MIGRATION is not set
- CONFIG_NET=y
- CONFIG_PACKET=y
- CONFIG_UNIX=y
-@@ -63,9 +68,6 @@ CONFIG_INET=y
- CONFIG_IP_MULTICAST=y
- CONFIG_NET_IPIP=y
- CONFIG_SYN_COOKIES=y
--# CONFIG_INET_XFRM_MODE_TRANSPORT is not set
--# CONFIG_INET_XFRM_MODE_TUNNEL is not set
--# CONFIG_INET_XFRM_MODE_BEET is not set
- CONFIG_DNS_RESOLVER=y
- # CONFIG_WIRELESS is not set
- CONFIG_DEVTMPFS=y
-@@ -139,7 +141,6 @@ CONFIG_TIGON3=m
- CONFIG_BNX2X=m
- # CONFIG_NET_VENDOR_BROCADE is not set
- # CONFIG_NET_VENDOR_CADENCE is not set
--# CONFIG_NET_CADENCE is not set
- # CONFIG_NET_VENDOR_CAVIUM is not set
- CONFIG_CHELSIO_T1=m
- # CONFIG_NET_VENDOR_CISCO is not set
-@@ -148,7 +149,6 @@ CONFIG_CHELSIO_T1=m
- # CONFIG_NET_VENDOR_DLINK is not set
- CONFIG_BE2NET=m
- # CONFIG_NET_VENDOR_EZCHIP is not set
--# CONFIG_NET_VENDOR_HP is not set
- # CONFIG_NET_VENDOR_HUAWEI is not set
- CONFIG_E1000=m
- CONFIG_E1000E=m
-@@ -156,7 +156,6 @@ CONFIG_IGB=m
- CONFIG_IXGB=m
- CONFIG_IXGBE=m
- CONFIG_I40E=m
--CONFIG_S2IO=m
- # CONFIG_NET_VENDOR_MARVELL is not set
- CONFIG_MLX4_EN=m
- # CONFIG_MLX4_CORE_GEN2 is not set
-@@ -167,12 +166,12 @@ CONFIG_MLX5_CORE_EN=y
- # CONFIG_NET_VENDOR_MICROSEMI is not set
- CONFIG_MYRI10GE=m
- # CONFIG_NET_VENDOR_NATSEMI is not set
-+CONFIG_S2IO=m
- # CONFIG_NET_VENDOR_NETRONOME is not set
- # CONFIG_NET_VENDOR_NI is not set
- # CONFIG_NET_VENDOR_NVIDIA is not set
- # CONFIG_NET_VENDOR_OKI is not set
- # CONFIG_NET_VENDOR_PACKET_ENGINES is not set
--CONFIG_QLGE=m
- CONFIG_NETXEN_NIC=m
- CONFIG_QED=m
- CONFIG_QEDE=m
-@@ -210,7 +209,6 @@ CONFIG_IPMI_DEVICE_INTERFACE=y
- CONFIG_IPMI_POWERNV=y
- CONFIG_IPMI_WATCHDOG=y
- CONFIG_HW_RANDOM=y
--CONFIG_TCG_TPM=y
- CONFIG_TCG_TIS_I2C_NUVOTON=y
- # CONFIG_DEVPORT is not set
- CONFIG_I2C=y
-@@ -239,7 +237,6 @@ CONFIG_HID_CYPRESS=y
- CONFIG_HID_EZKEY=y
- CONFIG_HID_ITE=y
- CONFIG_HID_KENSINGTON=y
--CONFIG_HID_LOGITECH=y
- CONFIG_HID_MICROSOFT=y
- CONFIG_HID_MONTEREY=y
- CONFIG_USB_HIDDEV=y
-@@ -276,6 +273,29 @@ CONFIG_NLS_CODEPAGE_437=y
- CONFIG_NLS_ASCII=y
- CONFIG_NLS_ISO8859_1=y
- CONFIG_NLS_UTF8=y
-+CONFIG_ENCRYPTED_KEYS=y
-+CONFIG_SECURITY=y
-+CONFIG_HARDENED_USERCOPY=y
-+# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
-+CONFIG_HARDENED_USERCOPY_PAGESPAN=y
-+CONFIG_FORTIFY_SOURCE=y
-+CONFIG_SECURITY_LOCKDOWN_LSM=y
-+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
-+CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
-+CONFIG_INTEGRITY_SIGNATURE=y
-+CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
-+CONFIG_INTEGRITY_PLATFORM_KEYRING=y
-+CONFIG_IMA=y
-+CONFIG_IMA_KEXEC=y
-+CONFIG_IMA_SIG_TEMPLATE=y
-+CONFIG_IMA_DEFAULT_HASH_SHA256=y
-+CONFIG_IMA_READ_POLICY=y
-+CONFIG_IMA_APPRAISE=y
-+CONFIG_IMA_ARCH_POLICY=y
-+CONFIG_IMA_APPRAISE_MODSIG=y
-+CONFIG_LSM="yama,loadpin,safesetid,integrity"
-+# CONFIG_CRYPTO_HW is not set
-+CONFIG_SYSTEM_BLACKLIST_KEYRING=y
- CONFIG_CRC16=y
- CONFIG_CRC_ITU_T=y
- CONFIG_LIBCRC32C=y
-@@ -286,17 +306,20 @@ CONFIG_LIBCRC32C=y
- # CONFIG_XZ_DEC_SPARC is not set
- CONFIG_PRINTK_TIME=y
- CONFIG_MAGIC_SYSRQ=y
-+CONFIG_SLUB_DEBUG_ON=y
- CONFIG_DEBUG_STACKOVERFLOW=y
- CONFIG_SOFTLOCKUP_DETECTOR=y
- CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y
- CONFIG_HARDLOCKUP_DETECTOR=y
- CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=y
- CONFIG_WQ_WATCHDOG=y
-+CONFIG_PANIC_ON_OOPS=y
- # CONFIG_SCHED_DEBUG is not set
-+CONFIG_SCHED_STACK_END_CHECK=y
-+CONFIG_DEBUG_SG=y
-+CONFIG_DEBUG_NOTIFIERS=y
-+CONFIG_DEBUG_CREDENTIALS=y
- # CONFIG_FTRACE is not set
- # CONFIG_RUNTIME_TESTING_MENU is not set
-+CONFIG_BUG_ON_DATA_CORRUPTION=y
- CONFIG_XMON=y
--CONFIG_XMON_DEFAULT=y
--CONFIG_ENCRYPTED_KEYS=y
--# CONFIG_CRYPTO_ECHAINIV is not set
--# CONFIG_CRYPTO_HW is not set
diff --git a/openpower/linux/0016-linux-configure-CONFIG_I2C_OPAL-as-in-built.patch b/openpower/linux/0016-linux-configure-CONFIG_I2C_OPAL-as-in-built.patch
deleted file mode 100644
index cea9ebb..0000000
--- a/openpower/linux/0016-linux-configure-CONFIG_I2C_OPAL-as-in-built.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Joel Stanley <joel@jms.id.au>
-Date: Tue, 29 Sep 2020 16:07:53 +0930
-Subject: [PATCH 16/17] linux: configure CONFIG_I2C_OPAL as in-built.
-
-Currently, skiroot_defconfig CONFIG_I2C_OPAL is built as a loadable
-module rather than builtin, even if CONFIG_I2C=y is defined. This
-results in a delay in the TPM initialization, causing IMA to go into
-TPM bypass mode. As a result, the IMA measurements are added to the
-measurement list, but do not extend the TPM. Because of this, it is
-impossible to verify or attest to the system's integrity, either from
-skiroot or the target Host OS.
-
-Mimi Zohar <zohar@linux.ibm.com> explains more:
-
- The concept of trusted boot requires the measurement to be added to the
- measurement list and extend the TPM, prior to allowing access to the
- file. By allowing access to a file before its measurement is included
- in the measurement list and extended into the TPM PCR, a malicious file
- could potentially prevent its own measurement from being added. As the
- PCRs are tamper proof, measuring and extending the TPM prior to giving
- access to the file, guarantees that all file measurements are included
- in the measurement list, including the malicious file.
-
- IMA needs to be enabled before any files are accessed in order to
- verify a file's integrity and extend the TPM with the file
- measurement. Queueing file measurements breaks the measure and extend,
- before usage, trusted boot paradigm.
-
- The ima-evm-utils package includes a test for walking the IMA
- measurement list, calculating the expected TPM PCRs, and comparing the
- calculated PCR values with the physical TPM. Testing is important to
- ensure the TPM is initialized prior to IMA. Failure to validate the
- IMA measurement list may indicate IMA went into TPM bypass mode, like
- in this case.
-
-Reported-by: Mimi Zohar <zohar@linux.ibm.com>
-Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
-Signed-off-by: Joel Stanley <joel@jms.id.au>
----
- arch/powerpc/configs/skiroot_defconfig | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/powerpc/configs/skiroot_defconfig b/arch/powerpc/configs/skiroot_defconfig
-index 44309e12d84a..a555adb23591 100644
---- a/arch/powerpc/configs/skiroot_defconfig
-+++ b/arch/powerpc/configs/skiroot_defconfig
-@@ -216,7 +216,7 @@ CONFIG_I2C=y
- CONFIG_I2C_CHARDEV=y
- # CONFIG_I2C_HELPER_AUTO is not set
- CONFIG_I2C_ALGOBIT=y
--CONFIG_I2C_OPAL=m
-+CONFIG_I2C_OPAL=y
- CONFIG_PPS=y
- CONFIG_SENSORS_IBMPOWERNV=m
- CONFIG_DRM=m