Merge pull request #3723 from op-jenkins/op-build-update_043_6-25-2020
op-build update 6-25-2020
diff --git a/openpower/configs/barreleye_defconfig b/openpower/configs/barreleye_defconfig
index 8e74664..d9adaf6 100644
--- a/openpower/configs/barreleye_defconfig
+++ b/openpower/configs/barreleye_defconfig
@@ -17,7 +17,7 @@
BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.33"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.48"
BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/blackbird_defconfig b/openpower/configs/blackbird_defconfig
index d2fb5cd..39657bd 100644
--- a/openpower/configs/blackbird_defconfig
+++ b/openpower/configs/blackbird_defconfig
@@ -18,7 +18,7 @@
BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.33"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.48"
BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/firenze_defconfig b/openpower/configs/firenze_defconfig
index 7223ce2..33e12db 100644
--- a/openpower/configs/firenze_defconfig
+++ b/openpower/configs/firenze_defconfig
@@ -15,7 +15,7 @@
BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.33"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.48"
BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/firestone_defconfig b/openpower/configs/firestone_defconfig
index dd4f1fd..2505040 100644
--- a/openpower/configs/firestone_defconfig
+++ b/openpower/configs/firestone_defconfig
@@ -17,7 +17,7 @@
BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.33"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.48"
BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/garrison_defconfig b/openpower/configs/garrison_defconfig
index a0b66d4..29e3591 100644
--- a/openpower/configs/garrison_defconfig
+++ b/openpower/configs/garrison_defconfig
@@ -17,7 +17,7 @@
BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.33"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.48"
BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/habanero_defconfig b/openpower/configs/habanero_defconfig
index e5c2694..305f7c7 100644
--- a/openpower/configs/habanero_defconfig
+++ b/openpower/configs/habanero_defconfig
@@ -17,7 +17,7 @@
BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.33"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.48"
BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/linux/skiroot_defconfig b/openpower/configs/linux/skiroot_defconfig
index d0cda0e..44309e1 100644
--- a/openpower/configs/linux/skiroot_defconfig
+++ b/openpower/configs/linux/skiroot_defconfig
@@ -3,6 +3,7 @@
CONFIG_SYSVIPC=y
CONFIG_POSIX_MQUEUE=y
# CONFIG_CROSS_MEMORY_ATTACH is not set
+CONFIG_AUDIT=y
CONFIG_NO_HZ=y
CONFIG_HIGH_RES_TIMERS=y
# CONFIG_CPU_ISOLATION is not set
@@ -49,8 +50,8 @@
CONFIG_CMDLINE="console=tty0 console=hvc0 ipr.fast_reboot=1 quiet"
# CONFIG_SECCOMP is not set
# CONFIG_PPC_MEM_KEYS is not set
+CONFIG_PPC_SECURE_BOOT=y
CONFIG_JUMP_LABEL=y
-CONFIG_STRICT_KERNEL_RWX=y
CONFIG_MODULES=y
CONFIG_MODULE_UNLOAD=y
CONFIG_MODULE_SIG_FORCE=y
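Review bot: CONFIG_STRICT_KERNEL_RWX=y is dropped in the same hunk that turns on CONFIG_PPC_SECURE_BOOT, and nothing in the PR says why; if that is a savedefconfig artefact because the option is now selected or defaulted on for the 5.4.48 tree, the generated .config will still carry it, but if it was disabled deliberately the skiroot kernel loses write-protection of its text and rodata, which is a regression for a bootloader kernel that the later hunk in this file is otherwise locking down with CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y. Please confirm with `grep STRICT_KERNEL_RWX` on the built .config, and if it really has to go, say so in the commit message; otherwise keep the line `CONFIG_STRICT_KERNEL_RWX=y` explicit so a future defconfig refresh cannot silently drop it.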
@@ -84,7 +85,6 @@
# CONFIG_OCXL is not set
CONFIG_BLK_DEV_SD=m
CONFIG_BLK_DEV_SR=m
-CONFIG_BLK_DEV_SR_VENDOR=y
CONFIG_CHR_DEV_SG=m
CONFIG_SCSI_CONSTANTS=y
CONFIG_SCSI_SCAN_ASYNC=y
@@ -209,7 +209,6 @@
CONFIG_IPMI_POWERNV=y
CONFIG_IPMI_WATCHDOG=y
CONFIG_HW_RANDOM=y
-CONFIG_TCG_TPM=y
CONFIG_TCG_TIS_I2C_NUVOTON=y
# CONFIG_DEVPORT is not set
CONFIG_I2C=y
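Review bot: CONFIG_TCG_TPM=y is removed while CONFIG_TCG_TIS_I2C_NUVOTON=y stays, and the trusted-boot measurement rules added by the IMA patches in this PR only do anything if a TPM driver is actually built; as far as I recall CONFIG_IMA selects TCG_TPM when IOMEM is available, which would explain savedefconfig dropping the explicit line, but it makes TPM support an indirect consequence of IMA rather than a stated choice. Please check the generated .config still has TCG_TPM=y, and consider keeping `CONFIG_TCG_TPM=y` explicit so a later IMA change cannot silently remove the TPM driver the Nuvoton TIS option depends on.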
@@ -282,9 +281,21 @@
CONFIG_FORTIFY_SOURCE=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
-# CONFIG_INTEGRITY is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+CONFIG_INTEGRITY_PLATFORM_KEYRING=y
+CONFIG_IMA=y
+CONFIG_IMA_KEXEC=y
+CONFIG_IMA_SIG_TEMPLATE=y
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_APPRAISE=y
+CONFIG_IMA_ARCH_POLICY=y
+CONFIG_IMA_APPRAISE_MODSIG=y
CONFIG_LSM="yama,loadpin,safesetid,integrity"
# CONFIG_CRYPTO_HW is not set
+CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_CRC16=y
CONFIG_CRC_ITU_T=y
CONFIG_LIBCRC32C=y
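Review bot: CONFIG_IMA_APPRAISE=y is enabled without pinning CONFIG_IMA_APPRAISE_BOOTPARAM, which in the kernel trees I know defaults to y; with that option the `ima_appraise=off` boot parameter can put appraisal into log-only mode, and whether this tree ignores it when firmware reports secure boot depends on arch-policy code I cannot see in this diff. Unless that has been confirmed, add `# CONFIG_IMA_APPRAISE_BOOTPARAM is not set` next to CONFIG_IMA_APPRAISE=y so the bootloader kernel's appraisal cannot be switched off from the command line. It is also worth stating in the commit message that CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y applies regardless of the firmware secure-boot state, so unsigned kexec images are refused even on machines that do not report secure boot; that looks intended for skiroot, but it is a behaviour change operators should hear about. CONFIG_INTEGRITY_PLATFORM_KEYRING=y is only useful if something loads firmware keys into that keyring, which none of the patches visible here does, so presumably a later patch in the 18-patch series covers it.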
diff --git a/openpower/configs/mihawk_defconfig b/openpower/configs/mihawk_defconfig
index b405a13..d0963f3 100644
--- a/openpower/configs/mihawk_defconfig
+++ b/openpower/configs/mihawk_defconfig
@@ -18,7 +18,7 @@
BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.33"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.48"
BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/nicole_defconfig b/openpower/configs/nicole_defconfig
index b2d1f39..250f5e6 100644
--- a/openpower/configs/nicole_defconfig
+++ b/openpower/configs/nicole_defconfig
@@ -16,7 +16,7 @@
BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.33"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.48"
BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/opal_defconfig b/openpower/configs/opal_defconfig
index 804e47c..1319aa9 100644
--- a/openpower/configs/opal_defconfig
+++ b/openpower/configs/opal_defconfig
@@ -13,7 +13,7 @@
BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.33"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.48"
BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/p8dtu_defconfig b/openpower/configs/p8dtu_defconfig
index efe1fa0..50f8065 100644
--- a/openpower/configs/p8dtu_defconfig
+++ b/openpower/configs/p8dtu_defconfig
@@ -18,7 +18,7 @@
BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.33"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.48"
BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/p9dsu_defconfig b/openpower/configs/p9dsu_defconfig
index c213172..370c3f5 100644
--- a/openpower/configs/p9dsu_defconfig
+++ b/openpower/configs/p9dsu_defconfig
@@ -17,7 +17,7 @@
BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.33"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.48"
BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/palmetto_defconfig b/openpower/configs/palmetto_defconfig
index a7434ac..d458249 100644
--- a/openpower/configs/palmetto_defconfig
+++ b/openpower/configs/palmetto_defconfig
@@ -15,7 +15,7 @@
BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.33"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.48"
BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/pseries_defconfig b/openpower/configs/pseries_defconfig
index 5a3b39f..74794d9 100644
--- a/openpower/configs/pseries_defconfig
+++ b/openpower/configs/pseries_defconfig
@@ -16,7 +16,7 @@
BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.33"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.48"
BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/pseries_skiroot_defconfig"
diff --git a/openpower/configs/romulus_defconfig b/openpower/configs/romulus_defconfig
index fc4ddd2..7fca1b9 100644
--- a/openpower/configs/romulus_defconfig
+++ b/openpower/configs/romulus_defconfig
@@ -17,7 +17,7 @@
BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.33"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.48"
BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/swift_defconfig b/openpower/configs/swift_defconfig
index de3b9bb..415f487 100644
--- a/openpower/configs/swift_defconfig
+++ b/openpower/configs/swift_defconfig
@@ -17,7 +17,7 @@
BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.33"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.48"
BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/vesnin_defconfig b/openpower/configs/vesnin_defconfig
index 252634b..7293fab 100644
--- a/openpower/configs/vesnin_defconfig
+++ b/openpower/configs/vesnin_defconfig
@@ -16,7 +16,7 @@
BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.33"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.48"
BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/witherspoon_defconfig b/openpower/configs/witherspoon_defconfig
index 0587162..e31bdc2 100644
--- a/openpower/configs/witherspoon_defconfig
+++ b/openpower/configs/witherspoon_defconfig
@@ -17,7 +17,7 @@
BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.33"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.48"
BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/zaius_defconfig b/openpower/configs/zaius_defconfig
index 2e088af..ce22163 100644
--- a/openpower/configs/zaius_defconfig
+++ b/openpower/configs/zaius_defconfig
@@ -17,7 +17,7 @@
BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.33"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.48"
BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/zz_defconfig b/openpower/configs/zz_defconfig
index 9e52abd..53e399d 100644
--- a/openpower/configs/zz_defconfig
+++ b/openpower/configs/zz_defconfig
@@ -15,7 +15,7 @@
BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.33"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.48"
BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/linux/0001-xhci-Reset-controller-on-xhci-shutdown.patch b/openpower/linux/0001-xhci-Reset-controller-on-xhci-shutdown.patch
index 5879598..dc4afac 100644
--- a/openpower/linux/0001-xhci-Reset-controller-on-xhci-shutdown.patch
+++ b/openpower/linux/0001-xhci-Reset-controller-on-xhci-shutdown.patch
@@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian King <brking@linux.vnet.ibm.com>
Date: Wed, 25 Oct 2017 10:42:59 +1100
-Subject: [PATCH 1/2] xhci: Reset controller on xhci shutdown
+Subject: [PATCH 01/18] xhci: Reset controller on xhci shutdown
Fixes kexec boot. Without a hard reset, some USB chips will fail to
initialize in a kexec booted kernel.
@@ -14,7 +14,7 @@
1 file changed, 3 insertions(+)
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
-index 2f49a7b3ce85..b7e17c62396e 100644
+index 81b54a3d2910..b0f66b42a16a 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -789,6 +789,9 @@ void xhci_shutdown(struct usb_hcd *hcd)
diff --git a/openpower/linux/0002-powerpc-Detect-the-secure-boot-mode-of-the-system.patch b/openpower/linux/0002-powerpc-Detect-the-secure-boot-mode-of-the-system.patch
new file mode 100644
index 0000000..2cdc87a
--- /dev/null
+++ b/openpower/linux/0002-powerpc-Detect-the-secure-boot-mode-of-the-system.patch
@@ -0,0 +1,131 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nayna Jain <nayna@linux.ibm.com>
+Date: Tue, 5 Nov 2019 17:00:22 -0600
+Subject: [PATCH 02/18] powerpc: Detect the secure boot mode of the system
+
+This patch defines a function to detect the secure boot state of a
+PowerNV system.
+
+The PPC_SECURE_BOOT config represents the base enablement of secure
+boot for powerpc.
+
+Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
+Signed-off-by: Eric Richter <erichte@linux.ibm.com>
+[mpe: Fold in change from Nayna to add "ibm,secureboot" to ids]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/46b003b9-3225-6bf7-9101-ed6580bb748c@linux.ibm.com
+(cherry picked from commit 1a8916ee3ac29054322cdac687d36e1b5894d272)
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+---
+ arch/powerpc/Kconfig | 10 ++++++++
+ arch/powerpc/include/asm/secure_boot.h | 23 +++++++++++++++++
+ arch/powerpc/kernel/Makefile | 2 ++
+ arch/powerpc/kernel/secure_boot.c | 35 ++++++++++++++++++++++++++
+ 4 files changed, 70 insertions(+)
+ create mode 100644 arch/powerpc/include/asm/secure_boot.h
+ create mode 100644 arch/powerpc/kernel/secure_boot.c
+
+diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
+index 44431dc06982..bdf584b85199 100644
+--- a/arch/powerpc/Kconfig
++++ b/arch/powerpc/Kconfig
+@@ -934,6 +934,16 @@ config PPC_MEM_KEYS
+
+ If unsure, say y.
+
++config PPC_SECURE_BOOT
++ prompt "Enable secure boot support"
++ bool
++ depends on PPC_POWERNV
++ help
++ Systems with firmware secure boot enabled need to define security
++ policies to extend secure boot to the OS. This config allows a user
++ to enable OS secure boot on systems that have firmware support for
++ it. If in doubt say N.
++
+ endmenu
+
+ config ISA_DMA_API
+diff --git a/arch/powerpc/include/asm/secure_boot.h b/arch/powerpc/include/asm/secure_boot.h
+new file mode 100644
+index 000000000000..07d0fe0ca81f
+--- /dev/null
++++ b/arch/powerpc/include/asm/secure_boot.h
+@@ -0,0 +1,23 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++/*
++ * Secure boot definitions
++ *
++ * Copyright (C) 2019 IBM Corporation
++ * Author: Nayna Jain
++ */
++#ifndef _ASM_POWER_SECURE_BOOT_H
++#define _ASM_POWER_SECURE_BOOT_H
++
++#ifdef CONFIG_PPC_SECURE_BOOT
++
++bool is_ppc_secureboot_enabled(void);
++
++#else
++
++static inline bool is_ppc_secureboot_enabled(void)
++{
++ return false;
++}
++
++#endif
++#endif
+diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
+index dc0780f930d5..40170ee52178 100644
+--- a/arch/powerpc/kernel/Makefile
++++ b/arch/powerpc/kernel/Makefile
+@@ -158,6 +158,8 @@ ifneq ($(CONFIG_PPC_POWERNV)$(CONFIG_PPC_SVM),)
+ obj-y += ucall.o
+ endif
+
++obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o
++
+ # Disable GCOV, KCOV & sanitizers in odd or sensitive code
+ GCOV_PROFILE_prom_init.o := n
+ KCOV_INSTRUMENT_prom_init.o := n
+diff --git a/arch/powerpc/kernel/secure_boot.c b/arch/powerpc/kernel/secure_boot.c
+new file mode 100644
+index 000000000000..583c2c4edaf0
+--- /dev/null
++++ b/arch/powerpc/kernel/secure_boot.c
+@@ -0,0 +1,35 @@
++// SPDX-License-Identifier: GPL-2.0
++/*
++ * Copyright (C) 2019 IBM Corporation
++ * Author: Nayna Jain
++ */
++#include <linux/types.h>
++#include <linux/of.h>
++#include <asm/secure_boot.h>
++
++static struct device_node *get_ppc_fw_sb_node(void)
++{
++ static const struct of_device_id ids[] = {
++ { .compatible = "ibm,secureboot", },
++ { .compatible = "ibm,secureboot-v1", },
++ { .compatible = "ibm,secureboot-v2", },
++ {},
++ };
++
++ return of_find_matching_node(NULL, ids);
++}
++
++bool is_ppc_secureboot_enabled(void)
++{
++ struct device_node *node;
++ bool enabled = false;
++
++ node = get_ppc_fw_sb_node();
++ enabled = of_property_read_bool(node, "os-secureboot-enforcing");
++
++ of_node_put(node);
++
++ pr_info("Secure boot mode %s\n", enabled ? "enabled" : "disabled");
++
++ return enabled;
++}
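Review bot: is_ppc_secureboot_enabled() treats a missing firmware secureboot node exactly like an explicit "not enforcing" — `enabled` starts false and, as far as I recall, of_property_read_bool() on a NULL node also yields false — so a firmware that fails to expose the node silently leaves the OS in non-enforcing mode and nothing in the function distinguishes the two cases. That is the upstream design and this is a verbatim cherry-pick, so I would not change the logic here, but a one-line comment above the lookup, `/* No ibm,secureboot node or property means OS secure boot is not enforced. */`, would stop the next reader from assuming the function fails closed. The pr_info() also runs on every call, and the IMA hooks added later in this series call the function more than once during boot, so expect the line to be printed repeatedly.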
diff --git a/openpower/linux/0003-powerpc-ima-Add-support-to-initialize-ima-policy-rul.patch b/openpower/linux/0003-powerpc-ima-Add-support-to-initialize-ima-policy-rul.patch
new file mode 100644
index 0000000..859a596
--- /dev/null
+++ b/openpower/linux/0003-powerpc-ima-Add-support-to-initialize-ima-policy-rul.patch
@@ -0,0 +1,118 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nayna Jain <nayna@linux.ibm.com>
+Date: Wed, 30 Oct 2019 23:31:27 -0400
+Subject: [PATCH 03/18] powerpc/ima: Add support to initialize ima policy rules
+
+PowerNV systems use a Linux-based bootloader, which rely on the IMA
+subsystem to enforce different secure boot modes. Since the
+verification policy may differ based on the secure boot mode of the
+system, the policies must be defined at runtime.
+
+This patch implements arch-specific support to define IMA policy rules
+based on the runtime secure boot mode of the system.
+
+This patch provides arch-specific IMA policies if PPC_SECURE_BOOT
+config is enabled.
+
+Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1572492694-6520-3-git-send-email-zohar@linux.ibm.com
+(cherry picked from commit 4238fad366a660cbc6499ca1ea4be42bd4d1ac5b)
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+---
+ arch/powerpc/Kconfig | 1 +
+ arch/powerpc/kernel/Makefile | 2 +-
+ arch/powerpc/kernel/ima_arch.c | 43 ++++++++++++++++++++++++++++++++++
+ include/linux/ima.h | 3 ++-
+ 4 files changed, 47 insertions(+), 2 deletions(-)
+ create mode 100644 arch/powerpc/kernel/ima_arch.c
+
+diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
+index bdf584b85199..eea6c358b86c 100644
+--- a/arch/powerpc/Kconfig
++++ b/arch/powerpc/Kconfig
+@@ -938,6 +938,7 @@ config PPC_SECURE_BOOT
+ prompt "Enable secure boot support"
+ bool
+ depends on PPC_POWERNV
++ depends on IMA_ARCH_POLICY
+ help
+ Systems with firmware secure boot enabled need to define security
+ policies to extend secure boot to the OS. This config allows a user
+diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
+index 40170ee52178..b82f7f5e5121 100644
+--- a/arch/powerpc/kernel/Makefile
++++ b/arch/powerpc/kernel/Makefile
+@@ -158,7 +158,7 @@ ifneq ($(CONFIG_PPC_POWERNV)$(CONFIG_PPC_SVM),)
+ obj-y += ucall.o
+ endif
+
+-obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o
++obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o ima_arch.o
+
+ # Disable GCOV, KCOV & sanitizers in odd or sensitive code
+ GCOV_PROFILE_prom_init.o := n
+diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
+new file mode 100644
+index 000000000000..d88913dc0da7
+--- /dev/null
++++ b/arch/powerpc/kernel/ima_arch.c
+@@ -0,0 +1,43 @@
++// SPDX-License-Identifier: GPL-2.0
++/*
++ * Copyright (C) 2019 IBM Corporation
++ * Author: Nayna Jain
++ */
++
++#include <linux/ima.h>
++#include <asm/secure_boot.h>
++
++bool arch_ima_get_secureboot(void)
++{
++ return is_ppc_secureboot_enabled();
++}
++
++/*
++ * The "secure_rules" are enabled only on "secureboot" enabled systems.
++ * These rules verify the file signatures against known good values.
++ * The "appraise_type=imasig|modsig" option allows the known good signature
++ * to be stored as an xattr or as an appended signature.
++ *
++ * To avoid duplicate signature verification as much as possible, the IMA
++ * policy rule for module appraisal is added only if CONFIG_MODULE_SIG_FORCE
++ * is not enabled.
++ */
++static const char *const secure_rules[] = {
++ "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
++#ifndef CONFIG_MODULE_SIG_FORCE
++ "appraise func=MODULE_CHECK appraise_type=imasig|modsig",
++#endif
++ NULL
++};
++
++/*
++ * Returns the relevant IMA arch-specific policies based on the system secure
++ * boot state.
++ */
++const char *const *arch_get_ima_policy(void)
++{
++ if (is_ppc_secureboot_enabled())
++ return secure_rules;
++
++ return NULL;
++}
+diff --git a/include/linux/ima.h b/include/linux/ima.h
+index 1c37f17f7203..6d904754d858 100644
+--- a/include/linux/ima.h
++++ b/include/linux/ima.h
+@@ -29,7 +29,8 @@ extern void ima_kexec_cmdline(const void *buf, int size);
+ extern void ima_add_kexec_buffer(struct kimage *image);
+ #endif
+
+-#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390)
++#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390) \
++ || defined(CONFIG_PPC_SECURE_BOOT)
+ extern bool arch_ima_get_secureboot(void);
+ extern const char * const *arch_get_ima_policy(void);
+ #else
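Review bot: arch_get_ima_policy() returns NULL whenever firmware does not report secure boot, so on those systems no kexec image is appraised unless an explicit policy is loaded later; that is the intended split, but the comment above secure_rules only explains the CONFIG_MODULE_SIG_FORCE conditional, and with CONFIG_MODULE_SIG_FORCE=y in the skiroot defconfig in this same PR the module rule is compiled out, leaving KEXEC_KERNEL_CHECK as the only arch rule. A comment on the function, e.g. `/* NULL (no arch rules) when firmware does not report secure boot; a policy may still be loaded via securityfs. */`, would make that explicit. The `appraise_type=imasig|modsig` rule also presumes verification keys are present on the IMA or platform keyring, which this patch does not set up — presumably a later patch in the series does, but the dependency is worth a sentence in the op-build commit message.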
diff --git a/openpower/linux/0004-powerpc-Detect-the-trusted-boot-state-of-the-system.patch b/openpower/linux/0004-powerpc-Detect-the-trusted-boot-state-of-the-system.patch
new file mode 100644
index 0000000..844371d
--- /dev/null
+++ b/openpower/linux/0004-powerpc-Detect-the-trusted-boot-state-of-the-system.patch
@@ -0,0 +1,71 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nayna Jain <nayna@linux.ibm.com>
+Date: Tue, 5 Nov 2019 17:02:07 -0600
+Subject: [PATCH 04/18] powerpc: Detect the trusted boot state of the system
+
+While secure boot permits only properly verified signed kernels to be
+booted, trusted boot calculates the file hash of the kernel image and
+stores the measurement prior to boot, that can be subsequently
+compared against good known values via attestation services.
+
+This patch reads the trusted boot state of a PowerNV system. The state
+is used to conditionally enable additional measurement rules in the
+IMA arch-specific policies.
+
+Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
+Signed-off-by: Eric Richter <erichte@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/e9eeee6b-b9bf-1e41-2954-61dbd6fbfbcf@linux.ibm.com
+(cherry picked from commit 2702809a4a1ab414d75c00936cda70ea77c8234e)
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+---
+ arch/powerpc/include/asm/secure_boot.h | 6 ++++++
+ arch/powerpc/kernel/secure_boot.c | 15 +++++++++++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/arch/powerpc/include/asm/secure_boot.h b/arch/powerpc/include/asm/secure_boot.h
+index 07d0fe0ca81f..a2ff556916c6 100644
+--- a/arch/powerpc/include/asm/secure_boot.h
++++ b/arch/powerpc/include/asm/secure_boot.h
+@@ -11,6 +11,7 @@
+ #ifdef CONFIG_PPC_SECURE_BOOT
+
+ bool is_ppc_secureboot_enabled(void);
++bool is_ppc_trustedboot_enabled(void);
+
+ #else
+
+@@ -19,5 +20,10 @@ static inline bool is_ppc_secureboot_enabled(void)
+ return false;
+ }
+
++static inline bool is_ppc_trustedboot_enabled(void)
++{
++ return false;
++}
++
+ #endif
+ #endif
+diff --git a/arch/powerpc/kernel/secure_boot.c b/arch/powerpc/kernel/secure_boot.c
+index 583c2c4edaf0..4b982324d368 100644
+--- a/arch/powerpc/kernel/secure_boot.c
++++ b/arch/powerpc/kernel/secure_boot.c
+@@ -33,3 +33,18 @@ bool is_ppc_secureboot_enabled(void)
+
+ return enabled;
+ }
++
++bool is_ppc_trustedboot_enabled(void)
++{
++ struct device_node *node;
++ bool enabled = false;
++
++ node = get_ppc_fw_sb_node();
++ enabled = of_property_read_bool(node, "trusted-enabled");
++
++ of_node_put(node);
++
++ pr_info("Trusted boot mode %s\n", enabled ? "enabled" : "disabled");
++
++ return enabled;
++}
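Review bot: is_ppc_trustedboot_enabled() is a line-for-line copy of is_ppc_secureboot_enabled() from patch 0002 with only the property name and log prefix changed, so the two will drift apart on the next fix; a small static helper taking the property name keeps them in step and is a pure refactor with identical log output. Since this is a cherry-pick of an upstream commit it may be preferable to keep the file identical to upstream and raise the cleanup there, so I leave that call to the maintainer. As with the secure-boot variant, the pr_info() fires on every call and the IMA hook paths call these more than once, so the "boot mode enabled/disabled" lines will appear repeatedly during boot.
```c
/* Read one boolean property of the firmware secureboot node; a missing node or property reads as false. */
static bool get_ppc_fw_sb_bool(const char *prop, const char *mode)
{
	struct device_node *node;
	bool enabled;

	node = get_ppc_fw_sb_node();
	enabled = of_property_read_bool(node, prop);
	of_node_put(node);

	pr_info("%s boot mode %s\n", mode, enabled ? "enabled" : "disabled");

	return enabled;
}

bool is_ppc_trustedboot_enabled(void)
{
	return get_ppc_fw_sb_bool("trusted-enabled", "Trusted");
}
```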
diff --git a/openpower/linux/0005-powerpc-ima-Define-trusted-boot-policy.patch b/openpower/linux/0005-powerpc-ima-Define-trusted-boot-policy.patch
new file mode 100644
index 0000000..76b1212
--- /dev/null
+++ b/openpower/linux/0005-powerpc-ima-Define-trusted-boot-policy.patch
@@ -0,0 +1,69 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nayna Jain <nayna@linux.ibm.com>
+Date: Wed, 30 Oct 2019 23:31:29 -0400
+Subject: [PATCH 05/18] powerpc/ima: Define trusted boot policy
+
+This patch defines an arch-specific trusted boot only policy and a
+combined secure and trusted boot policy.
+
+Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1572492694-6520-5-git-send-email-zohar@linux.ibm.com
+(cherry picked from commit 1917855f4e0658c313e280671ad87774dbfb7b24)
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+---
+ arch/powerpc/kernel/ima_arch.c | 33 ++++++++++++++++++++++++++++++++-
+ 1 file changed, 32 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
+index d88913dc0da7..0ef5956c9753 100644
+--- a/arch/powerpc/kernel/ima_arch.c
++++ b/arch/powerpc/kernel/ima_arch.c
+@@ -30,6 +30,32 @@ static const char *const secure_rules[] = {
+ NULL
+ };
+
++/*
++ * The "trusted_rules" are enabled only on "trustedboot" enabled systems.
++ * These rules add the kexec kernel image and kernel modules file hashes to
++ * the IMA measurement list.
++ */
++static const char *const trusted_rules[] = {
++ "measure func=KEXEC_KERNEL_CHECK",
++ "measure func=MODULE_CHECK",
++ NULL
++};
++
++/*
++ * The "secure_and_trusted_rules" contains rules for both the secure boot and
++ * trusted boot. The "template=ima-modsig" option includes the appended
++ * signature, when available, in the IMA measurement list.
++ */
++static const char *const secure_and_trusted_rules[] = {
++ "measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
++ "measure func=MODULE_CHECK template=ima-modsig",
++ "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
++#ifndef CONFIG_MODULE_SIG_FORCE
++ "appraise func=MODULE_CHECK appraise_type=imasig|modsig",
++#endif
++ NULL
++};
++
+ /*
+ * Returns the relevant IMA arch-specific policies based on the system secure
+ * boot state.
+@@ -37,7 +63,12 @@ static const char *const secure_rules[] = {
+ const char *const *arch_get_ima_policy(void)
+ {
+ if (is_ppc_secureboot_enabled())
+- return secure_rules;
++ if (is_ppc_trustedboot_enabled())
++ return secure_and_trusted_rules;
++ else
++ return secure_rules;
++ else if (is_ppc_trustedboot_enabled())
++ return trusted_rules;
+
+ return NULL;
+ }
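Review bot: the nested if/else in arch_get_ima_policy() is written without braces, so the trailing `else if` binds by the dangling-else rule and a reader has to count indentation to see which `if` it belongs to; kernel coding style asks for braces on all arms once any arm holds more than a single statement. A braced form is behaviourally identical and makes the three-way split (secure+trusted, secure only, trusted only) obvious. As with the other cherry-picks in this series, if the file is meant to stay byte-identical to upstream this is better raised there than patched here.
```c
const char *const *arch_get_ima_policy(void)
{
	if (is_ppc_secureboot_enabled()) {
		if (is_ppc_trustedboot_enabled())
			return secure_and_trusted_rules;
		else
			return secure_rules;
	} else if (is_ppc_trustedboot_enabled()) {
		return trusted_rules;
	}

	return NULL;
}
```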
diff --git a/openpower/linux/0006-ima-Make-process_buffer_measurement-generic.patch b/openpower/linux/0006-ima-Make-process_buffer_measurement-generic.patch
new file mode 100644
index 0000000..3d9ccc4
--- /dev/null
+++ b/openpower/linux/0006-ima-Make-process_buffer_measurement-generic.patch
@@ -0,0 +1,143 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nayna Jain <nayna@linux.ibm.com>
+Date: Wed, 30 Oct 2019 23:31:30 -0400
+Subject: [PATCH 06/18] ima: Make process_buffer_measurement() generic
+
+process_buffer_measurement() is limited to measuring the kexec boot
+command line. This patch makes process_buffer_measurement() more
+generic, allowing it to measure other types of buffer data (e.g.
+blacklisted binary hashes or key hashes).
+
+process_buffer_measurement() may be called directly from an IMA hook
+or as an auxiliary measurement record. In both cases the buffer
+measurement is based on policy. This patch modifies the function to
+conditionally retrieve the policy defined PCR and template for the IMA
+hook case.
+
+Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
+[zohar@linux.ibm.com: added comment in process_buffer_measurement()]
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1572492694-6520-6-git-send-email-zohar@linux.ibm.com
+(cherry picked from commit e14555e3d0e9edfad0a6840c0152f71aba97e793)
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+---
+ security/integrity/ima/ima.h | 3 ++
+ security/integrity/ima/ima_main.c | 58 +++++++++++++++++++++----------
+ 2 files changed, 43 insertions(+), 18 deletions(-)
+
+diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
+index be469fce19e1..ae124d3a4a4a 100644
+--- a/security/integrity/ima/ima.h
++++ b/security/integrity/ima/ima.h
+@@ -219,6 +219,9 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
+ struct evm_ima_xattr_data *xattr_value,
+ int xattr_len, const struct modsig *modsig, int pcr,
+ struct ima_template_desc *template_desc);
++void process_buffer_measurement(const void *buf, int size,
++ const char *eventname, enum ima_hooks func,
++ int pcr);
+ void ima_audit_measurement(struct integrity_iint_cache *iint,
+ const unsigned char *filename);
+ int ima_alloc_init_template(struct ima_event_data *event_data,
+diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
+index a768f37a0a4d..bc730e553053 100644
+--- a/security/integrity/ima/ima_main.c
++++ b/security/integrity/ima/ima_main.c
+@@ -626,14 +626,14 @@ int ima_load_data(enum kernel_load_data_id id)
+ * @buf: pointer to the buffer that needs to be added to the log.
+ * @size: size of buffer(in bytes).
+ * @eventname: event name to be used for the buffer entry.
+- * @cred: a pointer to a credentials structure for user validation.
+- * @secid: the secid of the task to be validated.
++ * @func: IMA hook
++ * @pcr: pcr to extend the measurement
+ *
+ * Based on policy, the buffer is measured into the ima log.
+ */
+-static void process_buffer_measurement(const void *buf, int size,
+- const char *eventname,
+- const struct cred *cred, u32 secid)
++void process_buffer_measurement(const void *buf, int size,
++ const char *eventname, enum ima_hooks func,
++ int pcr)
+ {
+ int ret = 0;
+ struct ima_template_entry *entry = NULL;
+@@ -642,19 +642,45 @@ static void process_buffer_measurement(const void *buf, int size,
+ .filename = eventname,
+ .buf = buf,
+ .buf_len = size};
+- struct ima_template_desc *template_desc = NULL;
++ struct ima_template_desc *template = NULL;
+ struct {
+ struct ima_digest_data hdr;
+ char digest[IMA_MAX_DIGEST_SIZE];
+ } hash = {};
+ int violation = 0;
+- int pcr = CONFIG_IMA_MEASURE_PCR_IDX;
+ int action = 0;
++ u32 secid;
+
+- action = ima_get_action(NULL, cred, secid, 0, KEXEC_CMDLINE, &pcr,
+- &template_desc);
+- if (!(action & IMA_MEASURE))
+- return;
++ /*
++ * Both LSM hooks and auxilary based buffer measurements are
++ * based on policy. To avoid code duplication, differentiate
++ * between the LSM hooks and auxilary buffer measurements,
++ * retrieving the policy rule information only for the LSM hook
++ * buffer measurements.
++ */
++ if (func) {
++ security_task_getsecid(current, &secid);
++ action = ima_get_action(NULL, current_cred(), secid, 0, func,
++ &pcr, &template);
++ if (!(action & IMA_MEASURE))
++ return;
++ }
++
++ if (!pcr)
++ pcr = CONFIG_IMA_MEASURE_PCR_IDX;
++
++ if (!template) {
++ template = lookup_template_desc("ima-buf");
++ ret = template_desc_init_fields(template->fmt,
++ &(template->fields),
++ &(template->num_fields));
++ if (ret < 0) {
++ pr_err("template %s init failed, result: %d\n",
++ (strlen(template->name) ?
++ template->name : template->fmt), ret);
++ return;
++ }
++ }
+
+ iint.ima_hash = &hash.hdr;
+ iint.ima_hash->algo = ima_hash_algo;
+@@ -664,7 +690,7 @@ static void process_buffer_measurement(const void *buf, int size,
+ if (ret < 0)
+ goto out;
+
+- ret = ima_alloc_init_template(&event_data, &entry, template_desc);
++ ret = ima_alloc_init_template(&event_data, &entry, template);
+ if (ret < 0)
+ goto out;
+
+@@ -686,13 +712,9 @@ static void process_buffer_measurement(const void *buf, int size,
+ */
+ void ima_kexec_cmdline(const void *buf, int size)
+ {
+- u32 secid;
+-
+- if (buf && size != 0) {
+- security_task_getsecid(current, &secid);
++ if (buf && size != 0)
+ process_buffer_measurement(buf, size, "kexec-cmdline",
+- current_cred(), secid);
+- }
++ KEXEC_CMDLINE, 0);
+ }
+
+ static int __init init_ima(void)
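Review bot: The fallback `template = lookup_template_desc("ima-buf");` dereferences the result (`template->fmt`, `template->fields`) with no NULL check; "ima-buf" is a builtin template so the lookup presumably cannot fail today, but a one-line guard `if (!template) return;` before `template_desc_init_fields()` keeps a future change to the template table from turning an auxiliary measurement into a NULL dereference in a security hook. The `if (!pcr)` test also turns 0 into a sentinel for "not specified", so a caller can never target PCR 0 through this API; that is acceptable but should be stated in the kernel-doc, e.g. `@pcr: PCR to extend; 0 selects CONFIG_IMA_MEASURE_PCR_IDX (PCR 0 itself cannot be requested)`. The rest of process_buffer_measurement's body lies outside the inner hunks shown here.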
diff --git a/openpower/linux/0007-certs-Add-wrapper-function-to-check-blacklisted-bina.patch b/openpower/linux/0007-certs-Add-wrapper-function-to-check-blacklisted-bina.patch
new file mode 100644
index 0000000..c42014f
--- /dev/null
+++ b/openpower/linux/0007-certs-Add-wrapper-function-to-check-blacklisted-bina.patch
@@ -0,0 +1,67 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nayna Jain <nayna@linux.ibm.com>
+Date: Wed, 30 Oct 2019 23:31:31 -0400
+Subject: [PATCH 07/18] certs: Add wrapper function to check blacklisted binary
+ hash
+
+The -EKEYREJECTED error returned by existing is_hash_blacklisted() is
+misleading when called for checking against blacklisted hash of a
+binary.
+
+This patch adds a wrapper function is_binary_blacklisted() to return
+-EPERM error if binary is blacklisted.
+
+Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
+Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1572492694-6520-7-git-send-email-zohar@linux.ibm.com
+(cherry picked from commit 2434f7d2d488c3301ae81f1031e1c66c6f076fb7)
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+---
+ certs/blacklist.c | 9 +++++++++
+ include/keys/system_keyring.h | 6 ++++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/certs/blacklist.c b/certs/blacklist.c
+index ec00bf337eb6..6514f9ebc943 100644
+--- a/certs/blacklist.c
++++ b/certs/blacklist.c
+@@ -135,6 +135,15 @@ int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type)
+ }
+ EXPORT_SYMBOL_GPL(is_hash_blacklisted);
+
++int is_binary_blacklisted(const u8 *hash, size_t hash_len)
++{
++ if (is_hash_blacklisted(hash, hash_len, "bin") == -EKEYREJECTED)
++ return -EPERM;
++
++ return 0;
++}
++EXPORT_SYMBOL_GPL(is_binary_blacklisted);
++
+ /*
+ * Initialise the blacklist
+ */
+diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
+index c1a96fdf598b..fb8b07daa9d1 100644
+--- a/include/keys/system_keyring.h
++++ b/include/keys/system_keyring.h
+@@ -35,12 +35,18 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
+ extern int mark_hash_blacklisted(const char *hash);
+ extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
+ const char *type);
++extern int is_binary_blacklisted(const u8 *hash, size_t hash_len);
+ #else
+ static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
+ const char *type)
+ {
+ return 0;
+ }
++
++static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
++{
++ return 0;
++}
+ #endif
+
+ #ifdef CONFIG_IMA_BLACKLIST_KEYRING
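Review bot: `is_binary_blacklisted()` collapses every return value of `is_hash_blacklisted()` other than -EKEYREJECTED to 0, so if the underlying lookup can fail for an unrelated reason (an allocation failure, for example — its body is not in this patch) the wrapper reports "not blacklisted" and the caller proceeds, which is a fail-open path in an integrity check. Propagating the error costs two lines: `rc = is_hash_blacklisted(hash, hash_len, "bin"); if (rc == -EKEYREJECTED) return -EPERM; return rc;`. Callers that test only for -EPERM would then also need to treat any other negative value as a denial rather than overwrite it.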
diff --git a/openpower/linux/0008-ima-Check-against-blacklisted-hashes-for-files-with-.patch b/openpower/linux/0008-ima-Check-against-blacklisted-hashes-for-files-with-.patch
new file mode 100644
index 0000000..1281b84
--- /dev/null
+++ b/openpower/linux/0008-ima-Check-against-blacklisted-hashes-for-files-with-.patch
@@ -0,0 +1,261 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nayna Jain <nayna@linux.ibm.com>
+Date: Wed, 30 Oct 2019 23:31:32 -0400
+Subject: [PATCH 08/18] ima: Check against blacklisted hashes for files with
+ modsig
+
+Asymmetric private keys are used to sign multiple files. The kernel
+currently supports checking against blacklisted keys. However, if the
+public key is blacklisted, any file signed by the blacklisted key will
+automatically fail signature verification. Blacklisting the public key
+is not fine enough granularity, as we might want to only blacklist a
+particular file.
+
+This patch adds support for checking against the blacklisted hash of
+the file, without the appended signature, based on the IMA policy. It
+defines a new policy option "appraise_flag=check_blacklist".
+
+In addition to the blacklisted binary hashes stored in the firmware
+"dbx" variable, the Linux kernel may be configured to load blacklisted
+binary hashes onto the .blacklist keyring as well. The following
+example shows how to blacklist a specific kernel module hash.
+
+ $ sha256sum kernel/kheaders.ko
+ 77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
+ kernel/kheaders.ko
+
+ $ grep BLACKLIST .config
+ CONFIG_SYSTEM_BLACKLIST_KEYRING=y
+ CONFIG_SYSTEM_BLACKLIST_HASH_LIST="blacklist-hash-list"
+
+ $ cat certs/blacklist-hash-list
+ "bin:77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3"
+
+Update the IMA custom measurement and appraisal policy
+rules (/etc/ima-policy):
+
+ measure func=MODULE_CHECK template=ima-modsig
+ appraise func=MODULE_CHECK appraise_flag=check_blacklist
+ appraise_type=imasig|modsig
+
+After building, installing, and rebooting the kernel:
+
+ 545660333 ---lswrv 0 0 \_ blacklist:
+ bin:77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
+
+ measure func=MODULE_CHECK template=ima-modsig
+ appraise func=MODULE_CHECK appraise_flag=check_blacklist
+ appraise_type=imasig|modsig
+
+ modprobe: ERROR: could not insert 'kheaders': Permission denied
+
+ 10 0c9834db5a0182c1fb0cdc5d3adcf11a11fd83dd ima-sig
+ sha256:3bc6ed4f0b4d6e31bc1dbc9ef844605abc7afdc6d81a57d77a1ec9407997c40
+ 2 /usr/lib/modules/5.4.0-rc3+/kernel/kernel/kheaders.ko
+
+ 10 82aad2bcc3fa8ed94762356b5c14838f3bcfa6a0 ima-modsig
+ sha256:3bc6ed4f0b4d6e31bc1dbc9ef844605abc7afdc6d81a57d77a1ec9407997c40
+ 2 /usr/lib/modules/5.4.0rc3+/kernel/kernel/kheaders.ko sha256:77fa889b3
+ 5a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
+ 3082029a06092a864886f70d010702a082028b30820287020101310d300b0609608648
+ 016503040201300b06092a864886f70d01070131820264....
+
+ 10 25b72217cc1152b44b134ce2cd68f12dfb71acb3 ima-buf
+ sha256:8b58427fedcf8f4b20bc8dc007f2e232bf7285d7b93a66476321f9c2a3aa132
+ b blacklisted-hash
+ 77fa889b35a05338ec52e51591c1b89d4c8d1c99a21251d7c22b1a8642a6bad3
+
+Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
+[zohar@linux.ibm.com: updated patch description]
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1572492694-6520-8-git-send-email-zohar@linux.ibm.com
+(cherry picked from commit 273df864cf7466fb170b8dcc1abd672cd08ad8d3)
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+---
+ Documentation/ABI/testing/ima_policy | 4 ++++
+ security/integrity/ima/ima.h | 8 +++++++
+ security/integrity/ima/ima_appraise.c | 33 +++++++++++++++++++++++++++
+ security/integrity/ima/ima_main.c | 12 ++++++----
+ security/integrity/ima/ima_policy.c | 12 ++++++++--
+ security/integrity/integrity.h | 1 +
+ 6 files changed, 64 insertions(+), 6 deletions(-)
+
+diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
+index 29ebe9afdac4..29aaedf33246 100644
+--- a/Documentation/ABI/testing/ima_policy
++++ b/Documentation/ABI/testing/ima_policy
+@@ -25,6 +25,7 @@ Description:
+ lsm: [[subj_user=] [subj_role=] [subj_type=]
+ [obj_user=] [obj_role=] [obj_type=]]
+ option: [[appraise_type=]] [template=] [permit_directio]
++ [appraise_flag=]
+ base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
+ [FIRMWARE_CHECK]
+ [KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
+@@ -38,6 +39,9 @@ Description:
+ fowner:= decimal value
+ lsm: are LSM specific
+ option: appraise_type:= [imasig] [imasig|modsig]
++ appraise_flag:= [check_blacklist]
++ Currently, blacklist check is only for files signed with appended
++ signature.
+ template:= name of a defined IMA template type
+ (eg, ima-ng). Only valid when action is "measure".
+ pcr:= decimal value
+diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
+index ae124d3a4a4a..c508a65c3fdd 100644
+--- a/security/integrity/ima/ima.h
++++ b/security/integrity/ima/ima.h
+@@ -258,6 +258,8 @@ int ima_policy_show(struct seq_file *m, void *v);
+ #define IMA_APPRAISE_KEXEC 0x40
+
+ #ifdef CONFIG_IMA_APPRAISE
++int ima_check_blacklist(struct integrity_iint_cache *iint,
++ const struct modsig *modsig, int pcr);
+ int ima_appraise_measurement(enum ima_hooks func,
+ struct integrity_iint_cache *iint,
+ struct file *file, const unsigned char *filename,
+@@ -273,6 +275,12 @@ int ima_read_xattr(struct dentry *dentry,
+ struct evm_ima_xattr_data **xattr_value);
+
+ #else
++static inline int ima_check_blacklist(struct integrity_iint_cache *iint,
++ const struct modsig *modsig, int pcr)
++{
++ return 0;
++}
++
+ static inline int ima_appraise_measurement(enum ima_hooks func,
+ struct integrity_iint_cache *iint,
+ struct file *file,
+diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
+index 136ae4e0ee92..300c8d2943c5 100644
+--- a/security/integrity/ima/ima_appraise.c
++++ b/security/integrity/ima/ima_appraise.c
+@@ -12,6 +12,7 @@
+ #include <linux/magic.h>
+ #include <linux/ima.h>
+ #include <linux/evm.h>
++#include <keys/system_keyring.h>
+
+ #include "ima.h"
+
+@@ -303,6 +304,38 @@ static int modsig_verify(enum ima_hooks func, const struct modsig *modsig,
+ return rc;
+ }
+
++/*
++ * ima_check_blacklist - determine if the binary is blacklisted.
++ *
++ * Add the hash of the blacklisted binary to the measurement list, based
++ * on policy.
++ *
++ * Returns -EPERM if the hash is blacklisted.
++ */
++int ima_check_blacklist(struct integrity_iint_cache *iint,
++ const struct modsig *modsig, int pcr)
++{
++ enum hash_algo hash_algo;
++ const u8 *digest = NULL;
++ u32 digestsize = 0;
++ int rc = 0;
++
++ if (!(iint->flags & IMA_CHECK_BLACKLIST))
++ return 0;
++
++ if (iint->flags & IMA_MODSIG_ALLOWED && modsig) {
++ ima_get_modsig_digest(modsig, &hash_algo, &digest, &digestsize);
++
++ rc = is_binary_blacklisted(digest, digestsize);
++ if ((rc == -EPERM) && (iint->flags & IMA_MEASURE))
++ process_buffer_measurement(digest, digestsize,
++ "blacklisted-hash", NONE,
++ pcr);
++ }
++
++ return rc;
++}
++
+ /*
+ * ima_appraise_measurement - appraise file measurement
+ *
+diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
+index bc730e553053..a16c148ed90d 100644
+--- a/security/integrity/ima/ima_main.c
++++ b/security/integrity/ima/ima_main.c
+@@ -335,10 +335,14 @@ static int process_measurement(struct file *file, const struct cred *cred,
+ xattr_value, xattr_len, modsig, pcr,
+ template_desc);
+ if (rc == 0 && (action & IMA_APPRAISE_SUBMASK)) {
+- inode_lock(inode);
+- rc = ima_appraise_measurement(func, iint, file, pathname,
+- xattr_value, xattr_len, modsig);
+- inode_unlock(inode);
++ rc = ima_check_blacklist(iint, modsig, pcr);
++ if (rc != -EPERM) {
++ inode_lock(inode);
++ rc = ima_appraise_measurement(func, iint, file,
++ pathname, xattr_value,
++ xattr_len, modsig);
++ inode_unlock(inode);
++ }
+ if (!rc)
+ rc = mmap_violation_check(func, file, &pathbuf,
+ &pathname, filename);
+diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
+index 558a7607bf93..24d8aa2cc8ed 100644
+--- a/security/integrity/ima/ima_policy.c
++++ b/security/integrity/ima/ima_policy.c
+@@ -769,8 +769,8 @@ enum {
+ Opt_fsuuid, Opt_uid_eq, Opt_euid_eq, Opt_fowner_eq,
+ Opt_uid_gt, Opt_euid_gt, Opt_fowner_gt,
+ Opt_uid_lt, Opt_euid_lt, Opt_fowner_lt,
+- Opt_appraise_type, Opt_permit_directio,
+- Opt_pcr, Opt_template, Opt_err
++ Opt_appraise_type, Opt_appraise_flag,
++ Opt_permit_directio, Opt_pcr, Opt_template, Opt_err
+ };
+
+ static const match_table_t policy_tokens = {
+@@ -802,6 +802,7 @@ static const match_table_t policy_tokens = {
+ {Opt_euid_lt, "euid<%s"},
+ {Opt_fowner_lt, "fowner<%s"},
+ {Opt_appraise_type, "appraise_type=%s"},
++ {Opt_appraise_flag, "appraise_flag=%s"},
+ {Opt_permit_directio, "permit_directio"},
+ {Opt_pcr, "pcr=%s"},
+ {Opt_template, "template=%s"},
+@@ -1182,6 +1183,11 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
+ else
+ result = -EINVAL;
+ break;
++ case Opt_appraise_flag:
++ ima_log_string(ab, "appraise_flag", args[0].from);
++ if (strstr(args[0].from, "blacklist"))
++ entry->flags |= IMA_CHECK_BLACKLIST;
++ break;
+ case Opt_permit_directio:
+ entry->flags |= IMA_PERMIT_DIRECTIO;
+ break;
+@@ -1510,6 +1516,8 @@ int ima_policy_show(struct seq_file *m, void *v)
+ else
+ seq_puts(m, "appraise_type=imasig ");
+ }
++ if (entry->flags & IMA_CHECK_BLACKLIST)
++ seq_puts(m, "appraise_flag=check_blacklist ");
+ if (entry->flags & IMA_PERMIT_DIRECTIO)
+ seq_puts(m, "permit_directio ");
+ rcu_read_unlock();
+diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
+index d9323d31a3a8..73fc286834d7 100644
+--- a/security/integrity/integrity.h
++++ b/security/integrity/integrity.h
+@@ -32,6 +32,7 @@
+ #define EVM_IMMUTABLE_DIGSIG 0x08000000
+ #define IMA_FAIL_UNVERIFIABLE_SIGS 0x10000000
+ #define IMA_MODSIG_ALLOWED 0x20000000
++#define IMA_CHECK_BLACKLIST 0x40000000
+
+ #define IMA_DO_MASK (IMA_MEASURE | IMA_APPRAISE | IMA_AUDIT | \
+ IMA_HASH | IMA_APPRAISE_SUBMASK)
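Review bot: The policy parser at `if (strstr(args[0].from, "blacklist"))` accepts any value that merely contains that substring (so `appraise_flag=no_blacklist` enables the check) and silently ignores everything else, meaning a misspelled flag disables the blacklist lookup without a parse error — the opposite of how `appraise_type=` is handled a few lines above, where an unknown value yields -EINVAL. An exact match with rejection is safer: `if (!strcmp(args[0].from, "check_blacklist")) entry->flags |= IMA_CHECK_BLACKLIST; else result = -EINVAL;`. Separately, `ima_check_blacklist()` consults the digest only when `modsig` is present, so a file carrying only an xattr `imasig` is never blacklist-checked; the ABI text says so, but a comment at the `IMA_MODSIG_ALLOWED && modsig` test would make it visible at the code, e.g. `/* Only appended-signature digests are checked; an xattr-only imasig skips the blacklist. */`.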
diff --git a/openpower/linux/0009-powerpc-ima-Update-ima-arch-policy-to-check-for-blac.patch b/openpower/linux/0009-powerpc-ima-Update-ima-arch-policy-to-check-for-blac.patch
new file mode 100644
index 0000000..9dddd30
--- /dev/null
+++ b/openpower/linux/0009-powerpc-ima-Update-ima-arch-policy-to-check-for-blac.patch
@@ -0,0 +1,47 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nayna Jain <nayna@linux.ibm.com>
+Date: Wed, 30 Oct 2019 23:31:33 -0400
+Subject: [PATCH 09/18] powerpc/ima: Update ima arch policy to check for
+ blacklist
+
+This patch updates the arch-specific policies for PowerNV system to
+make sure that the binary hash is not blacklisted.
+
+Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1572492694-6520-9-git-send-email-zohar@linux.ibm.com
+(cherry picked from commit dc87f18615db9dc74a75cfb4a57ed33b07a3903a)
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+---
+ arch/powerpc/kernel/ima_arch.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
+index 0ef5956c9753..b9de0fb45bb9 100644
+--- a/arch/powerpc/kernel/ima_arch.c
++++ b/arch/powerpc/kernel/ima_arch.c
+@@ -23,9 +23,9 @@ bool arch_ima_get_secureboot(void)
+ * is not enabled.
+ */
+ static const char *const secure_rules[] = {
+- "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
++ "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
+ #ifndef CONFIG_MODULE_SIG_FORCE
+- "appraise func=MODULE_CHECK appraise_type=imasig|modsig",
++ "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
+ #endif
+ NULL
+ };
+@@ -49,9 +49,9 @@ static const char *const trusted_rules[] = {
+ static const char *const secure_and_trusted_rules[] = {
+ "measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
+ "measure func=MODULE_CHECK template=ima-modsig",
+- "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
++ "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
+ #ifndef CONFIG_MODULE_SIG_FORCE
+- "appraise func=MODULE_CHECK appraise_type=imasig|modsig",
++ "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
+ #endif
+ NULL
+ };
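Review bot: Adding `appraise_flag=check_blacklist` only to the appraise rules is correct, but since the check applies only to appended-signature digests (the ABI text introduced with it states "blacklist check is only for files signed with appended signature"), a kexec kernel or module that carries only an xattr `imasig` is still accepted by these arch rules without any blacklist lookup. A short comment above `secure_rules` stating that limitation would keep a reader from assuming the arch policy blocks every blacklisted hash, e.g. `/* check_blacklist only covers modsig-signed files; xattr-only signatures skip the lookup. */`.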
diff --git a/openpower/linux/0010-powerpc-powernv-Add-OPAL-API-interface-to-access-sec.patch b/openpower/linux/0010-powerpc-powernv-Add-OPAL-API-interface-to-access-sec.patch
new file mode 100644
index 0000000..b718d9f
--- /dev/null
+++ b/openpower/linux/0010-powerpc-powernv-Add-OPAL-API-interface-to-access-sec.patch
@@ -0,0 +1,329 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nayna Jain <nayna@linux.ibm.com>
+Date: Sun, 10 Nov 2019 21:10:33 -0600
+Subject: [PATCH 10/18] powerpc/powernv: Add OPAL API interface to access
+ secure variable
+
+The X.509 certificates trusted by the platform and required to secure
+boot the OS kernel are wrapped in secure variables, which are
+controlled by OPAL.
+
+This patch adds firmware/kernel interface to read and write OPAL
+secure variables based on the unique key.
+
+This support can be enabled using CONFIG_OPAL_SECVAR.
+
+Signed-off-by: Claudio Carvalho <cclaudio@linux.ibm.com>
+Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
+Signed-off-by: Eric Richter <erichte@linux.ibm.com>
+[mpe: Make secvar_ops __ro_after_init, only build opal-secvar.c if PPC_SECURE_BOOT=y]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1573441836-3632-2-git-send-email-nayna@linux.ibm.com
+(cherry picked from commit 9155e2341aa8b5df057dc1c77633b33d1a4f17d2)
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+---
+ arch/powerpc/include/asm/opal-api.h | 5 +-
+ arch/powerpc/include/asm/opal.h | 7 +
+ arch/powerpc/include/asm/secvar.h | 35 +++++
+ arch/powerpc/kernel/Makefile | 2 +-
+ arch/powerpc/kernel/secvar-ops.c | 17 +++
+ arch/powerpc/platforms/powernv/Makefile | 1 +
+ arch/powerpc/platforms/powernv/opal-call.c | 3 +
+ arch/powerpc/platforms/powernv/opal-secvar.c | 140 +++++++++++++++++++
+ arch/powerpc/platforms/powernv/opal.c | 3 +
+ 9 files changed, 211 insertions(+), 2 deletions(-)
+ create mode 100644 arch/powerpc/include/asm/secvar.h
+ create mode 100644 arch/powerpc/kernel/secvar-ops.c
+ create mode 100644 arch/powerpc/platforms/powernv/opal-secvar.c
+
+diff --git a/arch/powerpc/include/asm/opal-api.h b/arch/powerpc/include/asm/opal-api.h
+index 378e3997845a..c1f25a760eb1 100644
+--- a/arch/powerpc/include/asm/opal-api.h
++++ b/arch/powerpc/include/asm/opal-api.h
+@@ -211,7 +211,10 @@
+ #define OPAL_MPIPL_UPDATE 173
+ #define OPAL_MPIPL_REGISTER_TAG 174
+ #define OPAL_MPIPL_QUERY_TAG 175
+-#define OPAL_LAST 175
++#define OPAL_SECVAR_GET 176
++#define OPAL_SECVAR_GET_NEXT 177
++#define OPAL_SECVAR_ENQUEUE_UPDATE 178
++#define OPAL_LAST 178
+
+ #define QUIESCE_HOLD 1 /* Spin all calls at entry */
+ #define QUIESCE_REJECT 2 /* Fail all calls with OPAL_BUSY */
+diff --git a/arch/powerpc/include/asm/opal.h b/arch/powerpc/include/asm/opal.h
+index a0cf8fba4d12..9986ac34b8e2 100644
+--- a/arch/powerpc/include/asm/opal.h
++++ b/arch/powerpc/include/asm/opal.h
+@@ -298,6 +298,13 @@ int opal_sensor_group_clear(u32 group_hndl, int token);
+ int opal_sensor_group_enable(u32 group_hndl, int token, bool enable);
+ int opal_nx_coproc_init(uint32_t chip_id, uint32_t ct);
+
++int opal_secvar_get(const char *key, uint64_t key_len, u8 *data,
++ uint64_t *data_size);
++int opal_secvar_get_next(const char *key, uint64_t *key_len,
++ uint64_t key_buf_size);
++int opal_secvar_enqueue_update(const char *key, uint64_t key_len, u8 *data,
++ uint64_t data_size);
++
+ s64 opal_mpipl_update(enum opal_mpipl_ops op, u64 src, u64 dest, u64 size);
+ s64 opal_mpipl_register_tag(enum opal_mpipl_tags tag, u64 addr);
+ s64 opal_mpipl_query_tag(enum opal_mpipl_tags tag, u64 *addr);
+diff --git a/arch/powerpc/include/asm/secvar.h b/arch/powerpc/include/asm/secvar.h
+new file mode 100644
+index 000000000000..4cc35b58b986
+--- /dev/null
++++ b/arch/powerpc/include/asm/secvar.h
+@@ -0,0 +1,35 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++/*
++ * Copyright (C) 2019 IBM Corporation
++ * Author: Nayna Jain
++ *
++ * PowerPC secure variable operations.
++ */
++#ifndef SECVAR_OPS_H
++#define SECVAR_OPS_H
++
++#include <linux/types.h>
++#include <linux/errno.h>
++
++extern const struct secvar_operations *secvar_ops;
++
++struct secvar_operations {
++ int (*get)(const char *key, uint64_t key_len, u8 *data,
++ uint64_t *data_size);
++ int (*get_next)(const char *key, uint64_t *key_len,
++ uint64_t keybufsize);
++ int (*set)(const char *key, uint64_t key_len, u8 *data,
++ uint64_t data_size);
++};
++
++#ifdef CONFIG_PPC_SECURE_BOOT
++
++extern void set_secvar_ops(const struct secvar_operations *ops);
++
++#else
++
++static inline void set_secvar_ops(const struct secvar_operations *ops) { }
++
++#endif
++
++#endif
+diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
+index b82f7f5e5121..93b0336090f2 100644
+--- a/arch/powerpc/kernel/Makefile
++++ b/arch/powerpc/kernel/Makefile
+@@ -158,7 +158,7 @@ ifneq ($(CONFIG_PPC_POWERNV)$(CONFIG_PPC_SVM),)
+ obj-y += ucall.o
+ endif
+
+-obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o ima_arch.o
++obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o ima_arch.o secvar-ops.o
+
+ # Disable GCOV, KCOV & sanitizers in odd or sensitive code
+ GCOV_PROFILE_prom_init.o := n
+diff --git a/arch/powerpc/kernel/secvar-ops.c b/arch/powerpc/kernel/secvar-ops.c
+new file mode 100644
+index 000000000000..6a29777d6a2d
+--- /dev/null
++++ b/arch/powerpc/kernel/secvar-ops.c
+@@ -0,0 +1,17 @@
++// SPDX-License-Identifier: GPL-2.0
++/*
++ * Copyright (C) 2019 IBM Corporation
++ * Author: Nayna Jain
++ *
++ * This file initializes secvar operations for PowerPC Secureboot
++ */
++
++#include <linux/cache.h>
++#include <asm/secvar.h>
++
++const struct secvar_operations *secvar_ops __ro_after_init;
++
++void set_secvar_ops(const struct secvar_operations *ops)
++{
++ secvar_ops = ops;
++}
+diff --git a/arch/powerpc/platforms/powernv/Makefile b/arch/powerpc/platforms/powernv/Makefile
+index a3ac9646119d..c0f8120045c3 100644
+--- a/arch/powerpc/platforms/powernv/Makefile
++++ b/arch/powerpc/platforms/powernv/Makefile
+@@ -20,3 +20,4 @@ obj-$(CONFIG_PPC_MEMTRACE) += memtrace.o
+ obj-$(CONFIG_PPC_VAS) += vas.o vas-window.o vas-debug.o
+ obj-$(CONFIG_OCXL_BASE) += ocxl.o
+ obj-$(CONFIG_SCOM_DEBUGFS) += opal-xscom.o
++obj-$(CONFIG_PPC_SECURE_BOOT) += opal-secvar.o
+diff --git a/arch/powerpc/platforms/powernv/opal-call.c b/arch/powerpc/platforms/powernv/opal-call.c
+index a2aa5e433ac8..5cd0f52d258f 100644
+--- a/arch/powerpc/platforms/powernv/opal-call.c
++++ b/arch/powerpc/platforms/powernv/opal-call.c
+@@ -290,3 +290,6 @@ OPAL_CALL(opal_nx_coproc_init, OPAL_NX_COPROC_INIT);
+ OPAL_CALL(opal_mpipl_update, OPAL_MPIPL_UPDATE);
+ OPAL_CALL(opal_mpipl_register_tag, OPAL_MPIPL_REGISTER_TAG);
+ OPAL_CALL(opal_mpipl_query_tag, OPAL_MPIPL_QUERY_TAG);
++OPAL_CALL(opal_secvar_get, OPAL_SECVAR_GET);
++OPAL_CALL(opal_secvar_get_next, OPAL_SECVAR_GET_NEXT);
++OPAL_CALL(opal_secvar_enqueue_update, OPAL_SECVAR_ENQUEUE_UPDATE);
+diff --git a/arch/powerpc/platforms/powernv/opal-secvar.c b/arch/powerpc/platforms/powernv/opal-secvar.c
+new file mode 100644
+index 000000000000..14133e120bdd
+--- /dev/null
++++ b/arch/powerpc/platforms/powernv/opal-secvar.c
+@@ -0,0 +1,140 @@
++// SPDX-License-Identifier: GPL-2.0
++/*
++ * PowerNV code for secure variables
++ *
++ * Copyright (C) 2019 IBM Corporation
++ * Author: Claudio Carvalho
++ * Nayna Jain
++ *
++ * APIs to access secure variables managed by OPAL.
++ */
++
++#define pr_fmt(fmt) "secvar: "fmt
++
++#include <linux/types.h>
++#include <linux/platform_device.h>
++#include <linux/of_platform.h>
++#include <asm/opal.h>
++#include <asm/secvar.h>
++#include <asm/secure_boot.h>
++
++static int opal_status_to_err(int rc)
++{
++ int err;
++
++ switch (rc) {
++ case OPAL_SUCCESS:
++ err = 0;
++ break;
++ case OPAL_UNSUPPORTED:
++ err = -ENXIO;
++ break;
++ case OPAL_PARAMETER:
++ err = -EINVAL;
++ break;
++ case OPAL_RESOURCE:
++ err = -ENOSPC;
++ break;
++ case OPAL_HARDWARE:
++ err = -EIO;
++ break;
++ case OPAL_NO_MEM:
++ err = -ENOMEM;
++ break;
++ case OPAL_EMPTY:
++ err = -ENOENT;
++ break;
++ case OPAL_PARTIAL:
++ err = -EFBIG;
++ break;
++ default:
++ err = -EINVAL;
++ }
++
++ return err;
++}
++
++static int opal_get_variable(const char *key, uint64_t ksize,
++ u8 *data, uint64_t *dsize)
++{
++ int rc;
++
++ if (!key || !dsize)
++ return -EINVAL;
++
++ *dsize = cpu_to_be64(*dsize);
++
++ rc = opal_secvar_get(key, ksize, data, dsize);
++
++ *dsize = be64_to_cpu(*dsize);
++
++ return opal_status_to_err(rc);
++}
++
++static int opal_get_next_variable(const char *key, uint64_t *keylen,
++ uint64_t keybufsize)
++{
++ int rc;
++
++ if (!key || !keylen)
++ return -EINVAL;
++
++ *keylen = cpu_to_be64(*keylen);
++
++ rc = opal_secvar_get_next(key, keylen, keybufsize);
++
++ *keylen = be64_to_cpu(*keylen);
++
++ return opal_status_to_err(rc);
++}
++
++static int opal_set_variable(const char *key, uint64_t ksize, u8 *data,
++ uint64_t dsize)
++{
++ int rc;
++
++ if (!key || !data)
++ return -EINVAL;
++
++ rc = opal_secvar_enqueue_update(key, ksize, data, dsize);
++
++ return opal_status_to_err(rc);
++}
++
++static const struct secvar_operations opal_secvar_ops = {
++ .get = opal_get_variable,
++ .get_next = opal_get_next_variable,
++ .set = opal_set_variable,
++};
++
++static int opal_secvar_probe(struct platform_device *pdev)
++{
++ if (!opal_check_token(OPAL_SECVAR_GET)
++ || !opal_check_token(OPAL_SECVAR_GET_NEXT)
++ || !opal_check_token(OPAL_SECVAR_ENQUEUE_UPDATE)) {
++ pr_err("OPAL doesn't support secure variables\n");
++ return -ENODEV;
++ }
++
++ set_secvar_ops(&opal_secvar_ops);
++
++ return 0;
++}
++
++static const struct of_device_id opal_secvar_match[] = {
++ { .compatible = "ibm,secvar-backend",},
++ {},
++};
++
++static struct platform_driver opal_secvar_driver = {
++ .driver = {
++ .name = "secvar",
++ .of_match_table = opal_secvar_match,
++ },
++};
++
++static int __init opal_secvar_init(void)
++{
++ return platform_driver_probe(&opal_secvar_driver, opal_secvar_probe);
++}
++device_initcall(opal_secvar_init);
+diff --git a/arch/powerpc/platforms/powernv/opal.c b/arch/powerpc/platforms/powernv/opal.c
+index 38e90270280b..8355bcd00f93 100644
+--- a/arch/powerpc/platforms/powernv/opal.c
++++ b/arch/powerpc/platforms/powernv/opal.c
+@@ -1002,6 +1002,9 @@ static int __init opal_init(void)
+ /* Initialise OPAL Power control interface */
+ opal_power_control_init();
+
++ /* Initialize OPAL secure variables */
++ opal_pdev_init("ibm,secvar-backend");
++
+ return 0;
+ }
+ machine_subsys_initcall(powernv, opal_init);
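Review bot: `set_secvar_ops()` writes `secvar_ops`, which is declared `__ro_after_init`, yet neither it nor `opal_secvar_probe()` is marked `__init`, so a caller that runs after the read-only marking would take a write fault at runtime instead of being rejected at build time. Since `platform_driver_probe()` is the one-shot probe path, marking both — `void __init set_secvar_ops(const struct secvar_operations *ops)` and `static int __init opal_secvar_probe(struct platform_device *pdev)` — lets the section-mismatch check catch any late caller of the setter. The intent behind `__ro_after_init` (a single boot-time selection of the backend that cannot be swapped later) is also worth a one-line comment at the declaration in secvar-ops.c, e.g. `/* Set once during boot by the firmware backend; read-only thereafter. */`.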
diff --git a/openpower/linux/0011-powerpc-expose-secure-variables-to-userspace-via-sys.patch b/openpower/linux/0011-powerpc-expose-secure-variables-to-userspace-via-sys.patch
new file mode 100644
index 0000000..96f77a7
--- /dev/null
+++ b/openpower/linux/0011-powerpc-expose-secure-variables-to-userspace-via-sys.patch
@@ -0,0 +1,369 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nayna Jain <nayna@linux.ibm.com>
+Date: Sun, 10 Nov 2019 21:10:34 -0600
+Subject: [PATCH 11/18] powerpc: expose secure variables to userspace via sysfs
+
+PowerNV secure variables, which store the keys used for OS kernel
+verification, are managed by the firmware. These secure variables need to
+be accessed by the userspace for addition/deletion of the certificates.
+
+This patch adds the sysfs interface to expose secure variables for PowerNV
+secureboot. The users shall use this interface for manipulating
+the keys stored in the secure variables.
+
+Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Eric Richter <erichte@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1573441836-3632-3-git-send-email-nayna@linux.ibm.com
+(cherry picked from commit bd5d9c743d38f67d64ea1b512a461f6b5a5f6bec)
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+---
+ Documentation/ABI/testing/sysfs-secvar | 46 +++++
+ arch/powerpc/Kconfig | 11 ++
+ arch/powerpc/kernel/Makefile | 1 +
+ arch/powerpc/kernel/secvar-sysfs.c | 248 +++++++++++++++++++++++++
+ 4 files changed, 306 insertions(+)
+ create mode 100644 Documentation/ABI/testing/sysfs-secvar
+ create mode 100644 arch/powerpc/kernel/secvar-sysfs.c
+
+diff --git a/Documentation/ABI/testing/sysfs-secvar b/Documentation/ABI/testing/sysfs-secvar
+new file mode 100644
+index 000000000000..feebb8c57294
+--- /dev/null
++++ b/Documentation/ABI/testing/sysfs-secvar
+@@ -0,0 +1,46 @@
++What: /sys/firmware/secvar
++Date: August 2019
++Contact: Nayna Jain <nayna@linux.ibm.com>
++Description: This directory is created if the POWER firmware supports OS
++ secureboot, thereby secure variables. It exposes interface
++ for reading/writing the secure variables
++
++What: /sys/firmware/secvar/vars
++Date: August 2019
++Contact: Nayna Jain <nayna@linux.ibm.com>
++Description: This directory lists all the secure variables that are supported
++ by the firmware.
++
++What: /sys/firmware/secvar/format
++Date: August 2019
++Contact: Nayna Jain <nayna@linux.ibm.com>
++Description: A string indicating which backend is in use by the firmware.
++ This determines the format of the variable and the accepted
++ format of variable updates.
++
++What: /sys/firmware/secvar/vars/<variable name>
++Date: August 2019
++Contact: Nayna Jain <nayna@linux.ibm.com>
++Description: Each secure variable is represented as a directory named as
++ <variable_name>. The variable name is unique and is in ASCII
++ representation. The data and size can be determined by reading
++ their respective attribute files.
++
++What: /sys/firmware/secvar/vars/<variable_name>/size
++Date: August 2019
++Contact: Nayna Jain <nayna@linux.ibm.com>
++Description: An integer representation of the size of the content of the
++ variable. In other words, it represents the size of the data.
++
++What: /sys/firmware/secvar/vars/<variable_name>/data
++Date: August 2019
++Contact: Nayna Jain h<nayna@linux.ibm.com>
++Description: A read-only file containing the value of the variable. The size
++ of the file represents the maximum size of the variable data.
++
++What: /sys/firmware/secvar/vars/<variable_name>/update
++Date: August 2019
++Contact: Nayna Jain <nayna@linux.ibm.com>
++Description: A write-only file that is used to submit the new value for the
++ variable. The size of the file represents the maximum size of
++ the variable data that can be written.
+diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
+index eea6c358b86c..785019462953 100644
+--- a/arch/powerpc/Kconfig
++++ b/arch/powerpc/Kconfig
+@@ -945,6 +945,17 @@ config PPC_SECURE_BOOT
+ to enable OS secure boot on systems that have firmware support for
+ it. If in doubt say N.
+
++config PPC_SECVAR_SYSFS
++ bool "Enable sysfs interface for POWER secure variables"
++ default y
++ depends on PPC_SECURE_BOOT
++ depends on SYSFS
++ help
++ POWER secure variables are managed and controlled by firmware.
++ These variables are exposed to userspace via sysfs to enable
++ read/write operations on these variables. Say Y if you have
++ secure boot enabled and want to expose variables to userspace.
++
+ endmenu
+
+ config ISA_DMA_API
+diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
+index 93b0336090f2..b97c018a2f53 100644
+--- a/arch/powerpc/kernel/Makefile
++++ b/arch/powerpc/kernel/Makefile
+@@ -159,6 +159,7 @@ obj-y += ucall.o
+ endif
+
+ obj-$(CONFIG_PPC_SECURE_BOOT) += secure_boot.o ima_arch.o secvar-ops.o
++obj-$(CONFIG_PPC_SECVAR_SYSFS) += secvar-sysfs.o
+
+ # Disable GCOV, KCOV & sanitizers in odd or sensitive code
+ GCOV_PROFILE_prom_init.o := n
+diff --git a/arch/powerpc/kernel/secvar-sysfs.c b/arch/powerpc/kernel/secvar-sysfs.c
+new file mode 100644
+index 000000000000..a0a78aba2083
+--- /dev/null
++++ b/arch/powerpc/kernel/secvar-sysfs.c
+@@ -0,0 +1,248 @@
++// SPDX-License-Identifier: GPL-2.0+
++/*
++ * Copyright (C) 2019 IBM Corporation <nayna@linux.ibm.com>
++ *
++ * This code exposes secure variables to user via sysfs
++ */
++
++#define pr_fmt(fmt) "secvar-sysfs: "fmt
++
++#include <linux/slab.h>
++#include <linux/compat.h>
++#include <linux/string.h>
++#include <linux/of.h>
++#include <asm/secvar.h>
++
++#define NAME_MAX_SIZE 1024
++
++static struct kobject *secvar_kobj;
++static struct kset *secvar_kset;
++
++static ssize_t format_show(struct kobject *kobj, struct kobj_attribute *attr,
++ char *buf)
++{
++ ssize_t rc = 0;
++ struct device_node *node;
++ const char *format;
++
++ node = of_find_compatible_node(NULL, NULL, "ibm,secvar-backend");
++ if (!of_device_is_available(node))
++ return -ENODEV;
++
++ rc = of_property_read_string(node, "format", &format);
++ if (rc)
++ return rc;
++
++ rc = sprintf(buf, "%s\n", format);
++
++ of_node_put(node);
++
++ return rc;
++}
++
++
++static ssize_t size_show(struct kobject *kobj, struct kobj_attribute *attr,
++ char *buf)
++{
++ uint64_t dsize;
++ int rc;
++
++ rc = secvar_ops->get(kobj->name, strlen(kobj->name) + 1, NULL, &dsize);
++ if (rc) {
++ pr_err("Error retrieving %s variable size %d\n", kobj->name,
++ rc);
++ return rc;
++ }
++
++ return sprintf(buf, "%llu\n", dsize);
++}
++
++static ssize_t data_read(struct file *filep, struct kobject *kobj,
++ struct bin_attribute *attr, char *buf, loff_t off,
++ size_t count)
++{
++ uint64_t dsize;
++ char *data;
++ int rc;
++
++ rc = secvar_ops->get(kobj->name, strlen(kobj->name) + 1, NULL, &dsize);
++ if (rc) {
++ pr_err("Error getting %s variable size %d\n", kobj->name, rc);
++ return rc;
++ }
++ pr_debug("dsize is %llu\n", dsize);
++
++ data = kzalloc(dsize, GFP_KERNEL);
++ if (!data)
++ return -ENOMEM;
++
++ rc = secvar_ops->get(kobj->name, strlen(kobj->name) + 1, data, &dsize);
++ if (rc) {
++ pr_err("Error getting %s variable %d\n", kobj->name, rc);
++ goto data_fail;
++ }
++
++ rc = memory_read_from_buffer(buf, count, &off, data, dsize);
++
++data_fail:
++ kfree(data);
++ return rc;
++}
++
++static ssize_t update_write(struct file *filep, struct kobject *kobj,
++ struct bin_attribute *attr, char *buf, loff_t off,
++ size_t count)
++{
++ int rc;
++
++ pr_debug("count is %ld\n", count);
++ rc = secvar_ops->set(kobj->name, strlen(kobj->name) + 1, buf, count);
++ if (rc) {
++ pr_err("Error setting the %s variable %d\n", kobj->name, rc);
++ return rc;
++ }
++
++ return count;
++}
++
++static struct kobj_attribute format_attr = __ATTR_RO(format);
++
++static struct kobj_attribute size_attr = __ATTR_RO(size);
++
++static struct bin_attribute data_attr = __BIN_ATTR_RO(data, 0);
++
++static struct bin_attribute update_attr = __BIN_ATTR_WO(update, 0);
++
++static struct bin_attribute *secvar_bin_attrs[] = {
++ &data_attr,
++ &update_attr,
++ NULL,
++};
++
++static struct attribute *secvar_attrs[] = {
++ &size_attr.attr,
++ NULL,
++};
++
++static const struct attribute_group secvar_attr_group = {
++ .attrs = secvar_attrs,
++ .bin_attrs = secvar_bin_attrs,
++};
++__ATTRIBUTE_GROUPS(secvar_attr);
++
++static struct kobj_type secvar_ktype = {
++ .sysfs_ops = &kobj_sysfs_ops,
++ .default_groups = secvar_attr_groups,
++};
++
++static int update_kobj_size(void)
++{
++
++ struct device_node *node;
++ u64 varsize;
++ int rc = 0;
++
++ node = of_find_compatible_node(NULL, NULL, "ibm,secvar-backend");
++ if (!of_device_is_available(node)) {
++ rc = -ENODEV;
++ goto out;
++ }
++
++ rc = of_property_read_u64(node, "max-var-size", &varsize);
++ if (rc)
++ goto out;
++
++ data_attr.size = varsize;
++ update_attr.size = varsize;
++
++out:
++ of_node_put(node);
++
++ return rc;
++}
++
++static int secvar_sysfs_load(void)
++{
++ char *name;
++ uint64_t namesize = 0;
++ struct kobject *kobj;
++ int rc;
++
++ name = kzalloc(NAME_MAX_SIZE, GFP_KERNEL);
++ if (!name)
++ return -ENOMEM;
++
++ do {
++ rc = secvar_ops->get_next(name, &namesize, NAME_MAX_SIZE);
++ if (rc) {
++ if (rc != -ENOENT)
++ pr_err("error getting secvar from firmware %d\n",
++ rc);
++ break;
++ }
++
++ kobj = kzalloc(sizeof(*kobj), GFP_KERNEL);
++ if (!kobj) {
++ rc = -ENOMEM;
++ break;
++ }
++
++ kobject_init(kobj, &secvar_ktype);
++
++ rc = kobject_add(kobj, &secvar_kset->kobj, "%s", name);
++ if (rc) {
++ pr_warn("kobject_add error %d for attribute: %s\n", rc,
++ name);
++ kobject_put(kobj);
++ kobj = NULL;
++ }
++
++ if (kobj)
++ kobject_uevent(kobj, KOBJ_ADD);
++
++ } while (!rc);
++
++ kfree(name);
++ return rc;
++}
++
++static int secvar_sysfs_init(void)
++{
++ int rc;
++
++ if (!secvar_ops) {
++ pr_warn("secvar: failed to retrieve secvar operations.\n");
++ return -ENODEV;
++ }
++
++ secvar_kobj = kobject_create_and_add("secvar", firmware_kobj);
++ if (!secvar_kobj) {
++ pr_err("secvar: Failed to create firmware kobj\n");
++ return -ENOMEM;
++ }
++
++ rc = sysfs_create_file(secvar_kobj, &format_attr.attr);
++ if (rc) {
++ kobject_put(secvar_kobj);
++ return -ENOMEM;
++ }
++
++ secvar_kset = kset_create_and_add("vars", NULL, secvar_kobj);
++ if (!secvar_kset) {
++ pr_err("secvar: sysfs kobject registration failed.\n");
++ kobject_put(secvar_kobj);
++ return -ENOMEM;
++ }
++
++ rc = update_kobj_size();
++ if (rc) {
++ pr_err("Cannot read the size of the attribute\n");
++ return rc;
++ }
++
++ secvar_sysfs_load();
++
++ return 0;
++}
++
++late_initcall(secvar_sysfs_init);
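Review bot: format_show leaks the device_node reference on its error path: after `rc = of_property_read_string(node, "format", &format);` the `if (rc) return rc;` skips the `of_node_put(node)` that only runs on the success path, whereas update_kobj_size in the same file already funnels every exit through an `out:` label. The fix is to replace that `return rc;` with `goto out;` and move `of_node_put(node);` under an `out:` label immediately before the final `return rc;`. secvar_sysfs_init has the same unbalanced cleanup: when `update_kobj_size()` fails it returns without releasing `secvar_kset` and `secvar_kobj`, and the return value of `secvar_sysfs_load()` is discarded, so a failed enumeration still reports success. update_write ignores `off`, so a write at a non-zero offset is submitted to firmware as a complete variable update; if partial writes are not meant to be supported, rejecting `off != 0` with `-EINVAL` would make that explicit. The ABI document also carries a stray `h` in the Contact line of the `data` attribute entry.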
diff --git a/openpower/linux/0012-x86-efi-move-common-keyring-handler-functions-to-new.patch b/openpower/linux/0012-x86-efi-move-common-keyring-handler-functions-to-new.patch
new file mode 100644
index 0000000..e92a6e3
--- /dev/null
+++ b/openpower/linux/0012-x86-efi-move-common-keyring-handler-functions-to-new.patch
@@ -0,0 +1,251 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nayna Jain <nayna@linux.ibm.com>
+Date: Sun, 10 Nov 2019 21:10:35 -0600
+Subject: [PATCH 12/18] x86/efi: move common keyring handler functions to new
+ file
+
+The handlers to add the keys to the .platform keyring and blacklisted
+hashes to the .blacklist keyring is common for both the uefi and powerpc
+mechanisms of loading the keys/hashes from the firmware.
+
+This patch moves the common code from load_uefi.c to keyring_handler.c
+
+Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
+Acked-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Eric Richter <erichte@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1573441836-3632-4-git-send-email-nayna@linux.ibm.com
+(cherry picked from commit ad723674d6758478829ee766e3f1a2a24d56236f)
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+---
+ security/integrity/Makefile | 3 +-
+ .../platform_certs/keyring_handler.c | 80 +++++++++++++++++++
+ .../platform_certs/keyring_handler.h | 32 ++++++++
+ security/integrity/platform_certs/load_uefi.c | 67 +---------------
+ 4 files changed, 115 insertions(+), 67 deletions(-)
+ create mode 100644 security/integrity/platform_certs/keyring_handler.c
+ create mode 100644 security/integrity/platform_certs/keyring_handler.h
+
+diff --git a/security/integrity/Makefile b/security/integrity/Makefile
+index 35e6ca773734..351c9662994b 100644
+--- a/security/integrity/Makefile
++++ b/security/integrity/Makefile
+@@ -11,7 +11,8 @@ integrity-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o
+ integrity-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o
+ integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o
+ integrity-$(CONFIG_LOAD_UEFI_KEYS) += platform_certs/efi_parser.o \
+- platform_certs/load_uefi.o
++ platform_certs/load_uefi.o \
++ platform_certs/keyring_handler.o
+ integrity-$(CONFIG_LOAD_IPL_KEYS) += platform_certs/load_ipl_s390.o
+
+ obj-$(CONFIG_IMA) += ima/
+diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c
+new file mode 100644
+index 000000000000..c5ba695c10e3
+--- /dev/null
++++ b/security/integrity/platform_certs/keyring_handler.c
+@@ -0,0 +1,80 @@
++// SPDX-License-Identifier: GPL-2.0
++
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/cred.h>
++#include <linux/err.h>
++#include <linux/efi.h>
++#include <linux/slab.h>
++#include <keys/asymmetric-type.h>
++#include <keys/system_keyring.h>
++#include "../integrity.h"
++
++static efi_guid_t efi_cert_x509_guid __initdata = EFI_CERT_X509_GUID;
++static efi_guid_t efi_cert_x509_sha256_guid __initdata =
++ EFI_CERT_X509_SHA256_GUID;
++static efi_guid_t efi_cert_sha256_guid __initdata = EFI_CERT_SHA256_GUID;
++
++/*
++ * Blacklist a hash.
++ */
++static __init void uefi_blacklist_hash(const char *source, const void *data,
++ size_t len, const char *type,
++ size_t type_len)
++{
++ char *hash, *p;
++
++ hash = kmalloc(type_len + len * 2 + 1, GFP_KERNEL);
++ if (!hash)
++ return;
++ p = memcpy(hash, type, type_len);
++ p += type_len;
++ bin2hex(p, data, len);
++ p += len * 2;
++ *p = 0;
++
++ mark_hash_blacklisted(hash);
++ kfree(hash);
++}
++
++/*
++ * Blacklist an X509 TBS hash.
++ */
++static __init void uefi_blacklist_x509_tbs(const char *source,
++ const void *data, size_t len)
++{
++ uefi_blacklist_hash(source, data, len, "tbs:", 4);
++}
++
++/*
++ * Blacklist the hash of an executable.
++ */
++static __init void uefi_blacklist_binary(const char *source,
++ const void *data, size_t len)
++{
++ uefi_blacklist_hash(source, data, len, "bin:", 4);
++}
++
++/*
++ * Return the appropriate handler for particular signature list types found in
++ * the UEFI db and MokListRT tables.
++ */
++__init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
++{
++ if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
++ return add_to_platform_keyring;
++ return 0;
++}
++
++/*
++ * Return the appropriate handler for particular signature list types found in
++ * the UEFI dbx and MokListXRT tables.
++ */
++__init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type)
++{
++ if (efi_guidcmp(*sig_type, efi_cert_x509_sha256_guid) == 0)
++ return uefi_blacklist_x509_tbs;
++ if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0)
++ return uefi_blacklist_binary;
++ return 0;
++}
+diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h
+new file mode 100644
+index 000000000000..2462bfa08fe3
+--- /dev/null
++++ b/security/integrity/platform_certs/keyring_handler.h
+@@ -0,0 +1,32 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++
++#ifndef PLATFORM_CERTS_INTERNAL_H
++#define PLATFORM_CERTS_INTERNAL_H
++
++#include <linux/efi.h>
++
++void blacklist_hash(const char *source, const void *data,
++ size_t len, const char *type,
++ size_t type_len);
++
++/*
++ * Blacklist an X509 TBS hash.
++ */
++void blacklist_x509_tbs(const char *source, const void *data, size_t len);
++
++/*
++ * Blacklist the hash of an executable.
++ */
++void blacklist_binary(const char *source, const void *data, size_t len);
++
++/*
++ * Return the handler for particular signature list types found in the db.
++ */
++efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type);
++
++/*
++ * Return the handler for particular signature list types found in the dbx.
++ */
++efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type);
++
++#endif
+diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
+index 020fc7a11ef0..aa874d84e413 100644
+--- a/security/integrity/platform_certs/load_uefi.c
++++ b/security/integrity/platform_certs/load_uefi.c
+@@ -9,6 +9,7 @@
+ #include <keys/asymmetric-type.h>
+ #include <keys/system_keyring.h>
+ #include "../integrity.h"
++#include "keyring_handler.h"
+
+ static efi_guid_t efi_cert_x509_guid __initdata = EFI_CERT_X509_GUID;
+ static efi_guid_t efi_cert_x509_sha256_guid __initdata =
+@@ -69,72 +70,6 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
+ return db;
+ }
+
+-/*
+- * Blacklist a hash.
+- */
+-static __init void uefi_blacklist_hash(const char *source, const void *data,
+- size_t len, const char *type,
+- size_t type_len)
+-{
+- char *hash, *p;
+-
+- hash = kmalloc(type_len + len * 2 + 1, GFP_KERNEL);
+- if (!hash)
+- return;
+- p = memcpy(hash, type, type_len);
+- p += type_len;
+- bin2hex(p, data, len);
+- p += len * 2;
+- *p = 0;
+-
+- mark_hash_blacklisted(hash);
+- kfree(hash);
+-}
+-
+-/*
+- * Blacklist an X509 TBS hash.
+- */
+-static __init void uefi_blacklist_x509_tbs(const char *source,
+- const void *data, size_t len)
+-{
+- uefi_blacklist_hash(source, data, len, "tbs:", 4);
+-}
+-
+-/*
+- * Blacklist the hash of an executable.
+- */
+-static __init void uefi_blacklist_binary(const char *source,
+- const void *data, size_t len)
+-{
+- uefi_blacklist_hash(source, data, len, "bin:", 4);
+-}
+-
+-/*
+- * Return the appropriate handler for particular signature list types found in
+- * the UEFI db and MokListRT tables.
+- */
+-static __init efi_element_handler_t get_handler_for_db(const efi_guid_t *
+- sig_type)
+-{
+- if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
+- return add_to_platform_keyring;
+- return 0;
+-}
+-
+-/*
+- * Return the appropriate handler for particular signature list types found in
+- * the UEFI dbx and MokListXRT tables.
+- */
+-static __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *
+- sig_type)
+-{
+- if (efi_guidcmp(*sig_type, efi_cert_x509_sha256_guid) == 0)
+- return uefi_blacklist_x509_tbs;
+- if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0)
+- return uefi_blacklist_binary;
+- return 0;
+-}
+-
+ /*
+ * Load the certs contained in the UEFI databases into the platform trusted
+ * keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist
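Review bot: keyring_handler.h declares `blacklist_hash`, `blacklist_x509_tbs` and `blacklist_binary` as external functions, but keyring_handler.c defines them as `static __init void uefi_blacklist_hash(...)` and friends, so the three prototypes match nothing and would mislead a caller into expecting exported symbols; either drop them from the header or make the names and linkage agree. The include guard `PLATFORM_CERTS_INTERNAL_H` does not follow the file name and invites a collision with a future `internal.h` in the same directory; `KEYRING_HANDLER_H` would be the conventional choice. In load_uefi.c the context lines show the `efi_cert_*_guid __initdata` definitions staying behind while their only users move to the new file, so they now look unused there — worth checking the build for an unused-variable warning rather than assuming.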
diff --git a/openpower/linux/0013-powerpc-Load-firmware-trusted-keys-hashes-into-kerne.patch b/openpower/linux/0013-powerpc-Load-firmware-trusted-keys-hashes-into-kerne.patch
new file mode 100644
index 0000000..9b6b06e
--- /dev/null
+++ b/openpower/linux/0013-powerpc-Load-firmware-trusted-keys-hashes-into-kerne.patch
@@ -0,0 +1,163 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nayna Jain <nayna@linux.ibm.com>
+Date: Sun, 10 Nov 2019 21:10:36 -0600
+Subject: [PATCH 13/18] powerpc: Load firmware trusted keys/hashes into kernel
+ keyring
+
+The keys used to verify the Host OS kernel are managed by firmware as
+secure variables. This patch loads the verification keys into the
+.platform keyring and revocation hashes into .blacklist keyring. This
+enables verification and loading of the kernels signed by the boot
+time keys which are trusted by firmware.
+
+Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
+Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Eric Richter <erichte@linux.ibm.com>
+[mpe: Search by compatible in load_powerpc_certs(), not using format]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1573441836-3632-5-git-send-email-nayna@linux.ibm.com
+(cherry picked from commit 8220e22d11a05049aab9693839ab82e5e177ccde)
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+---
+ security/integrity/Kconfig | 9 ++
+ security/integrity/Makefile | 4 +-
+ .../integrity/platform_certs/load_powerpc.c | 96 +++++++++++++++++++
+ 3 files changed, 108 insertions(+), 1 deletion(-)
+ create mode 100644 security/integrity/platform_certs/load_powerpc.c
+
+diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
+index 0bae6adb63a9..71f0177e8716 100644
+--- a/security/integrity/Kconfig
++++ b/security/integrity/Kconfig
+@@ -72,6 +72,15 @@ config LOAD_IPL_KEYS
+ depends on S390
+ def_bool y
+
++config LOAD_PPC_KEYS
++ bool "Enable loading of platform and blacklisted keys for POWER"
++ depends on INTEGRITY_PLATFORM_KEYRING
++ depends on PPC_SECURE_BOOT
++ default y
++ help
++ Enable loading of keys to the .platform keyring and blacklisted
++ hashes to the .blacklist keyring for powerpc based platforms.
++
+ config INTEGRITY_AUDIT
+ bool "Enables integrity auditing support "
+ depends on AUDIT
+diff --git a/security/integrity/Makefile b/security/integrity/Makefile
+index 351c9662994b..7ee39d66cf16 100644
+--- a/security/integrity/Makefile
++++ b/security/integrity/Makefile
+@@ -14,6 +14,8 @@ integrity-$(CONFIG_LOAD_UEFI_KEYS) += platform_certs/efi_parser.o \
+ platform_certs/load_uefi.o \
+ platform_certs/keyring_handler.o
+ integrity-$(CONFIG_LOAD_IPL_KEYS) += platform_certs/load_ipl_s390.o
+-
++integrity-$(CONFIG_LOAD_PPC_KEYS) += platform_certs/efi_parser.o \
++ platform_certs/load_powerpc.o \
++ platform_certs/keyring_handler.o
+ obj-$(CONFIG_IMA) += ima/
+ obj-$(CONFIG_EVM) += evm/
+diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c
+new file mode 100644
+index 000000000000..a2900cb85357
+--- /dev/null
++++ b/security/integrity/platform_certs/load_powerpc.c
+@@ -0,0 +1,96 @@
++// SPDX-License-Identifier: GPL-2.0
++/*
++ * Copyright (C) 2019 IBM Corporation
++ * Author: Nayna Jain
++ *
++ * - loads keys and hashes stored and controlled by the firmware.
++ */
++#include <linux/kernel.h>
++#include <linux/sched.h>
++#include <linux/cred.h>
++#include <linux/err.h>
++#include <linux/slab.h>
++#include <linux/of.h>
++#include <asm/secure_boot.h>
++#include <asm/secvar.h>
++#include "keyring_handler.h"
++
++/*
++ * Get a certificate list blob from the named secure variable.
++ */
++static __init void *get_cert_list(u8 *key, unsigned long keylen, uint64_t *size)
++{
++ int rc;
++ void *db;
++
++ rc = secvar_ops->get(key, keylen, NULL, size);
++ if (rc) {
++ pr_err("Couldn't get size: %d\n", rc);
++ return NULL;
++ }
++
++ db = kmalloc(*size, GFP_KERNEL);
++ if (!db)
++ return NULL;
++
++ rc = secvar_ops->get(key, keylen, db, size);
++ if (rc) {
++ kfree(db);
++ pr_err("Error reading %s var: %d\n", key, rc);
++ return NULL;
++ }
++
++ return db;
++}
++
++/*
++ * Load the certs contained in the keys databases into the platform trusted
++ * keyring and the blacklisted X.509 cert SHA256 hashes into the blacklist
++ * keyring.
++ */
++static int __init load_powerpc_certs(void)
++{
++ void *db = NULL, *dbx = NULL;
++ uint64_t dbsize = 0, dbxsize = 0;
++ int rc = 0;
++ struct device_node *node;
++
++ if (!secvar_ops)
++ return -ENODEV;
++
++ /* The following only applies for the edk2-compat backend. */
++ node = of_find_compatible_node(NULL, NULL, "ibm,edk2-compat-v1");
++ if (!node)
++ return -ENODEV;
++
++ /*
++ * Get db, and dbx. They might not exist, so it isn't an error if we
++ * can't get them.
++ */
++ db = get_cert_list("db", 3, &dbsize);
++ if (!db) {
++ pr_err("Couldn't get db list from firmware\n");
++ } else {
++ rc = parse_efi_signature_list("powerpc:db", db, dbsize,
++ get_handler_for_db);
++ if (rc)
++ pr_err("Couldn't parse db signatures: %d\n", rc);
++ kfree(db);
++ }
++
++ dbx = get_cert_list("dbx", 4, &dbxsize);
++ if (!dbx) {
++ pr_info("Couldn't get dbx list from firmware\n");
++ } else {
++ rc = parse_efi_signature_list("powerpc:dbx", dbx, dbxsize,
++ get_handler_for_dbx);
++ if (rc)
++ pr_err("Couldn't parse dbx signatures: %d\n", rc);
++ kfree(dbx);
++ }
++
++ of_node_put(node);
++
++ return rc;
++}
++late_initcall(load_powerpc_certs);
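Review bot: In load_powerpc_certs the `rc` from the db parse is overwritten by the dbx parse (`rc = parse_efi_signature_list("powerpc:dbx", ...)`), so a db signature-list parse error followed by a successful dbx parse makes the initcall return 0 and the failure survives only as a log line; keep the first non-zero status in a separate local and return that instead. get_cert_list cannot distinguish an absent variable from a firmware read failure, and the dbx branch logs at `pr_info` while db uses `pr_err`; since a missing dbx means no revocation hashes reach the .blacklist keyring, a genuine read error on dbx deserves the same severity as one on db. get_cert_list also calls `kmalloc(*size, GFP_KERNEL)` with a size supplied by firmware and does not reject `*size == 0`, where a zero-size request does not return NULL and the resulting pointer is handed straight back to `secvar_ops->get` — hedging here, since how the backend treats a zero-length read is not visible in this hunk.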
diff --git a/openpower/linux/0014-powerpc-xmon-Allow-listing-and-clearing-breakpoints-.patch b/openpower/linux/0014-powerpc-xmon-Allow-listing-and-clearing-breakpoints-.patch
new file mode 100644
index 0000000..c04e5fb
--- /dev/null
+++ b/openpower/linux/0014-powerpc-xmon-Allow-listing-and-clearing-breakpoints-.patch
@@ -0,0 +1,73 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: "Christopher M. Riedl" <cmr@informatik.wtf>
+Date: Sat, 7 Sep 2019 01:11:23 -0500
+Subject: [PATCH 14/18] powerpc/xmon: Allow listing and clearing breakpoints in
+ read-only mode
+
+Read-only mode should not prevent listing and clearing any active
+breakpoints.
+
+Tested-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Christopher M. Riedl <cmr@informatik.wtf>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20190907061124.1947-2-cmr@informatik.wtf
+(cherry picked from commit 96664dee5cf1815777286227b09884b4f019727f)
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+---
+ arch/powerpc/xmon/xmon.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c
+index 6d130c89fbd8..ab6371aedfcb 100644
+--- a/arch/powerpc/xmon/xmon.c
++++ b/arch/powerpc/xmon/xmon.c
+@@ -1096,10 +1096,6 @@ cmds(struct pt_regs *excp)
+ set_lpp_cmd();
+ break;
+ case 'b':
+- if (xmon_is_ro) {
+- printf(xmon_ro_msg);
+- break;
+- }
+ bpt_cmds();
+ break;
+ case 'C':
+@@ -1368,11 +1364,16 @@ bpt_cmds(void)
+ struct bpt *bp;
+
+ cmd = inchar();
++
+ switch (cmd) {
+ #ifndef CONFIG_PPC_8xx
+ static const char badaddr[] = "Only kernel addresses are permitted for breakpoints\n";
+ int mode;
+ case 'd': /* bd - hardware data breakpoint */
++ if (xmon_is_ro) {
++ printf(xmon_ro_msg);
++ break;
++ }
+ if (!ppc_breakpoint_available()) {
+ printf("Hardware data breakpoint not supported on this cpu\n");
+ break;
+@@ -1400,6 +1401,10 @@ bpt_cmds(void)
+ break;
+
+ case 'i': /* bi - hardware instr breakpoint */
++ if (xmon_is_ro) {
++ printf(xmon_ro_msg);
++ break;
++ }
+ if (!cpu_has_feature(CPU_FTR_ARCH_207S)) {
+ printf("Hardware instruction breakpoint "
+ "not supported on this cpu\n");
+@@ -1458,7 +1463,8 @@ bpt_cmds(void)
+ break;
+ }
+ termch = cmd;
+- if (!scanhex(&a)) {
++
++ if (xmon_is_ro || !scanhex(&a)) {
+ /* print all breakpoints */
+ printf(" type address\n");
+ if (dabr.enabled) {
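Review bot: In the `default` path of bpt_cmds the new `if (xmon_is_ro || !scanhex(&a))` short-circuits before `scanhex`, so in read-only mode the character pushed back via `termch = cmd` and the rest of the typed address are never consumed; unless cmds() flushes the remainder of the line (that code is outside this hunk), the leftover text may be read as the next command. Printing `xmon_ro_msg` when an address follows would also tell the operator why `b <addr>` produced a listing instead of a breakpoint, as the `'d'` and `'i'` cases now do. The blank lines added after `cmd = inchar();` and after `termch = cmd;` are unrelated whitespace churn in an otherwise functional change and would be better left out. bpt_cmds begins and ends outside the hunk.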
diff --git a/openpower/linux/0015-powerpc-ima-Indicate-kernel-modules-appended-signatu.patch b/openpower/linux/0015-powerpc-ima-Indicate-kernel-modules-appended-signatu.patch
new file mode 100644
index 0000000..b2ffe5c
--- /dev/null
+++ b/openpower/linux/0015-powerpc-ima-Indicate-kernel-modules-appended-signatu.patch
@@ -0,0 +1,46 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Mimi Zohar <zohar@linux.ibm.com>
+Date: Wed, 30 Oct 2019 23:31:34 -0400
+Subject: [PATCH 15/18] powerpc/ima: Indicate kernel modules appended
+ signatures are enforced
+
+The arch specific kernel module policy rule requires kernel modules to
+be signed, either as an IMA signature, stored as an xattr, or as an
+appended signature. As a result, kernel modules appended signatures
+could be enforced without "sig_enforce" being set or reflected in
+/sys/module/module/parameters/sig_enforce. This patch sets
+"sig_enforce".
+
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1572492694-6520-10-git-send-email-zohar@linux.ibm.com
+(cherry picked from commit d72ea4915c7e6fa5e7b9022a34df66e375bfe46c)
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+---
+ arch/powerpc/kernel/ima_arch.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
+index b9de0fb45bb9..e34116255ced 100644
+--- a/arch/powerpc/kernel/ima_arch.c
++++ b/arch/powerpc/kernel/ima_arch.c
+@@ -62,13 +62,17 @@ static const char *const secure_and_trusted_rules[] = {
+ */
+ const char *const *arch_get_ima_policy(void)
+ {
+- if (is_ppc_secureboot_enabled())
++ if (is_ppc_secureboot_enabled()) {
++ if (IS_ENABLED(CONFIG_MODULE_SIG))
++ set_module_sig_enforced();
++
+ if (is_ppc_trustedboot_enabled())
+ return secure_and_trusted_rules;
+ else
+ return secure_rules;
+- else if (is_ppc_trustedboot_enabled())
++ } else if (is_ppc_trustedboot_enabled()) {
+ return trusted_rules;
++ }
+
+ return NULL;
+ }
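Review bot: `arch_get_ima_policy()` is a getter whose body now has a side effect, calling `set_module_sig_enforced()` when secure boot is enabled, and nothing in the hunk records why; the function's header comment ends just above the hunk and presumably still describes only the returned rule table. A one-line why-comment above the call would help, e.g. `/* Secure boot requires signed modules: make module_sig_check() enforce so the sig_enforce parameter reflects the arch policy. */`. Because the call is guarded by `IS_ENABLED(CONFIG_MODULE_SIG)` at runtime rather than by `#ifdef`, a declaration of `set_module_sig_enforced()` must be visible in both configurations — worth confirming against the header rather than assuming.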
diff --git a/openpower/linux/0016-powerpc-ima-Fix-secure-boot-rules-in-ima-arch-policy.patch b/openpower/linux/0016-powerpc-ima-Fix-secure-boot-rules-in-ima-arch-policy.patch
new file mode 100644
index 0000000..6875b14
--- /dev/null
+++ b/openpower/linux/0016-powerpc-ima-Fix-secure-boot-rules-in-ima-arch-policy.patch
@@ -0,0 +1,58 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nayna Jain <nayna@linux.ibm.com>
+Date: Fri, 1 May 2020 10:16:52 -0400
+Subject: [PATCH 16/18] powerpc/ima: Fix secure boot rules in ima arch policy
+
+To prevent verifying the kernel module appended signature
+twice (finit_module), once by the module_sig_check() and again by IMA,
+powerpc secure boot rules define an IMA architecture specific policy
+rule only if CONFIG_MODULE_SIG_FORCE is not enabled. This,
+unfortunately, does not take into account the ability of enabling
+"sig_enforce" on the boot command line (module.sig_enforce=1).
+
+Including the IMA module appraise rule results in failing the
+finit_module syscall, unless the module signing public key is loaded
+onto the IMA keyring.
+
+This patch fixes secure boot policy rules to be based on
+CONFIG_MODULE_SIG instead.
+
+Fixes: 4238fad366a6 ("powerpc/ima: Add support to initialize ima policy rules")
+Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Link: https://lore.kernel.org/r/1588342612-14532-1-git-send-email-nayna@linux.ibm.com
+(cherry picked from commit fa4f3f56ccd28ac031ab275e673ed4098855fed4)
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+---
+ arch/powerpc/kernel/ima_arch.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
+index e34116255ced..957abd592075 100644
+--- a/arch/powerpc/kernel/ima_arch.c
++++ b/arch/powerpc/kernel/ima_arch.c
+@@ -19,12 +19,12 @@ bool arch_ima_get_secureboot(void)
+ * to be stored as an xattr or as an appended signature.
+ *
+ * To avoid duplicate signature verification as much as possible, the IMA
+- * policy rule for module appraisal is added only if CONFIG_MODULE_SIG_FORCE
++ * policy rule for module appraisal is added only if CONFIG_MODULE_SIG
+ * is not enabled.
+ */
+ static const char *const secure_rules[] = {
+ "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
+-#ifndef CONFIG_MODULE_SIG_FORCE
++#ifndef CONFIG_MODULE_SIG
+ "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
+ #endif
+ NULL
+@@ -50,7 +50,7 @@ static const char *const secure_and_trusted_rules[] = {
+ "measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
+ "measure func=MODULE_CHECK template=ima-modsig",
+ "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
+-#ifndef CONFIG_MODULE_SIG_FORCE
++#ifndef CONFIG_MODULE_SIG
+ "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
+ #endif
+ NULL
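Review bot: Dropping the IMA `MODULE_CHECK` appraise rule whenever `CONFIG_MODULE_SIG` is set is only safe because patch 0015 in this same series makes `arch_get_ima_policy()` call `set_module_sig_enforced()` under secure boot; with `CONFIG_MODULE_SIG=y` but `sig_enforce` off and that call absent, a secure-boot system would verify modules in neither place. That coupling is not stated anywhere in ima_arch.c; a comment on the `#ifndef CONFIG_MODULE_SIG` such as `/* module_sig_check() enforces signatures here: see set_module_sig_enforced() in arch_get_ima_policy() */` would record it. The conditional rule is also repeated verbatim in both `secure_rules` and `secure_and_trusted_rules`; a single macro for it would keep the two tables from drifting apart again.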
diff --git a/openpower/linux/0017-powerpc-configs-Update-to-upstream-and-enable-secure.patch b/openpower/linux/0017-powerpc-configs-Update-to-upstream-and-enable-secure.patch
new file mode 100644
index 0000000..881253c
--- /dev/null
+++ b/openpower/linux/0017-powerpc-configs-Update-to-upstream-and-enable-secure.patch
@@ -0,0 +1,230 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Joel Stanley <joel@jms.id.au>
+Date: Tue, 23 Jun 2020 16:22:10 +0930
+Subject: [PATCH 17/18] powerpc/configs: Update to upstream and enable
+ secureboot
+
+Pulls in the following updates from upstream:
+
+ scsi: sr: remove references to BLK_DEV_SR_VENDOR, leave it enabled
+ powerpc/configs/skiroot: Enable some more hardening options
+ powerpc/configs/skiroot: Disable xmon default & enable reboot on panic
+ powerpc/configs/skiroot: Enable security features
+ powerpc/configs/skiroot: Update for symbol movement only
+ powerpc/configs/skiroot: Drop default n CONFIG_CRYPTO_ECHAINIV
+ powerpc/configs/skiroot: Drop HID_LOGITECH
+ powerpc/configs: Drop NET_VENDOR_HP which moved to staging
+ powerpc/configs: NET_CADENCE became NET_VENDOR_CADENCE
+ powerpc/configs: Drop CONFIG_QLGE which moved to staging
+ powerpc/configs: remove obsolete CONFIG_INET_XFRM_MODE_* and CONFIG_INET6_XFRM_MODE_*
+ powerpc/configs: add FADump awareness to skiroot_defconfig
+
+In addition, it enables IMA and secureboot options.
+
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+---
+ arch/powerpc/configs/skiroot_defconfig | 84 ++++++++++++++++----------
+ 1 file changed, 53 insertions(+), 31 deletions(-)
+
+diff --git a/arch/powerpc/configs/skiroot_defconfig b/arch/powerpc/configs/skiroot_defconfig
+index 1253482a67c0..44309e12d84a 100644
+--- a/arch/powerpc/configs/skiroot_defconfig
++++ b/arch/powerpc/configs/skiroot_defconfig
+@@ -1,13 +1,9 @@
+-CONFIG_PPC64=y
+-CONFIG_ALTIVEC=y
+-CONFIG_VSX=y
+-CONFIG_NR_CPUS=2048
+-CONFIG_CPU_LITTLE_ENDIAN=y
+ CONFIG_KERNEL_XZ=y
+ # CONFIG_SWAP is not set
+ CONFIG_SYSVIPC=y
+ CONFIG_POSIX_MQUEUE=y
+ # CONFIG_CROSS_MEMORY_ATTACH is not set
++CONFIG_AUDIT=y
+ CONFIG_NO_HZ=y
+ CONFIG_HIGH_RES_TIMERS=y
+ # CONFIG_CPU_ISOLATION is not set
+@@ -28,17 +24,15 @@ CONFIG_EXPERT=y
+ # CONFIG_AIO is not set
+ CONFIG_PERF_EVENTS=y
+ # CONFIG_COMPAT_BRK is not set
++# CONFIG_SLAB_MERGE_DEFAULT is not set
++CONFIG_SLAB_FREELIST_RANDOM=y
+ CONFIG_SLAB_FREELIST_HARDENED=y
+-CONFIG_JUMP_LABEL=y
+-CONFIG_STRICT_KERNEL_RWX=y
+-CONFIG_MODULES=y
+-CONFIG_MODULE_UNLOAD=y
+-CONFIG_MODULE_SIG=y
+-CONFIG_MODULE_SIG_FORCE=y
+-CONFIG_MODULE_SIG_SHA512=y
+-CONFIG_PARTITION_ADVANCED=y
+-# CONFIG_MQ_IOSCHED_DEADLINE is not set
+-# CONFIG_MQ_IOSCHED_KYBER is not set
++CONFIG_PPC64=y
++CONFIG_ALTIVEC=y
++CONFIG_VSX=y
++CONFIG_NR_CPUS=2048
++CONFIG_CPU_LITTLE_ENDIAN=y
++CONFIG_PANIC_TIMEOUT=30
+ # CONFIG_PPC_VAS is not set
+ # CONFIG_PPC_PSERIES is not set
+ # CONFIG_PPC_OF_BOOT_TRAMPOLINE is not set
+@@ -46,16 +40,27 @@ CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y
+ CONFIG_CPU_IDLE=y
+ CONFIG_HZ_100=y
+ CONFIG_KEXEC=y
++CONFIG_KEXEC_FILE=y
++CONFIG_PRESERVE_FA_DUMP=y
+ CONFIG_IRQ_ALL_CPUS=y
+ CONFIG_NUMA=y
+-# CONFIG_COMPACTION is not set
+-# CONFIG_MIGRATION is not set
+ CONFIG_PPC_64K_PAGES=y
+ CONFIG_SCHED_SMT=y
+ CONFIG_CMDLINE_BOOL=y
+ CONFIG_CMDLINE="console=tty0 console=hvc0 ipr.fast_reboot=1 quiet"
+ # CONFIG_SECCOMP is not set
+ # CONFIG_PPC_MEM_KEYS is not set
++CONFIG_PPC_SECURE_BOOT=y
++CONFIG_JUMP_LABEL=y
++CONFIG_MODULES=y
++CONFIG_MODULE_UNLOAD=y
++CONFIG_MODULE_SIG_FORCE=y
++CONFIG_MODULE_SIG_SHA512=y
++CONFIG_PARTITION_ADVANCED=y
++# CONFIG_MQ_IOSCHED_DEADLINE is not set
++# CONFIG_MQ_IOSCHED_KYBER is not set
++# CONFIG_COMPACTION is not set
++# CONFIG_MIGRATION is not set
+ CONFIG_NET=y
+ CONFIG_PACKET=y
+ CONFIG_UNIX=y
+@@ -63,9 +68,6 @@ CONFIG_INET=y
+ CONFIG_IP_MULTICAST=y
+ CONFIG_NET_IPIP=y
+ CONFIG_SYN_COOKIES=y
+-# CONFIG_INET_XFRM_MODE_TRANSPORT is not set
+-# CONFIG_INET_XFRM_MODE_TUNNEL is not set
+-# CONFIG_INET_XFRM_MODE_BEET is not set
+ CONFIG_DNS_RESOLVER=y
+ # CONFIG_WIRELESS is not set
+ CONFIG_DEVTMPFS=y
+@@ -83,7 +85,6 @@ CONFIG_EEPROM_AT24=m
+ # CONFIG_OCXL is not set
+ CONFIG_BLK_DEV_SD=m
+ CONFIG_BLK_DEV_SR=m
+-CONFIG_BLK_DEV_SR_VENDOR=y
+ CONFIG_CHR_DEV_SG=m
+ CONFIG_SCSI_CONSTANTS=y
+ CONFIG_SCSI_SCAN_ASYNC=y
+@@ -140,7 +141,6 @@ CONFIG_TIGON3=m
+ CONFIG_BNX2X=m
+ # CONFIG_NET_VENDOR_BROCADE is not set
+ # CONFIG_NET_VENDOR_CADENCE is not set
+-# CONFIG_NET_CADENCE is not set
+ # CONFIG_NET_VENDOR_CAVIUM is not set
+ CONFIG_CHELSIO_T1=m
+ # CONFIG_NET_VENDOR_CISCO is not set
+@@ -149,7 +149,6 @@ CONFIG_CHELSIO_T1=m
+ # CONFIG_NET_VENDOR_DLINK is not set
+ CONFIG_BE2NET=m
+ # CONFIG_NET_VENDOR_EZCHIP is not set
+-# CONFIG_NET_VENDOR_HP is not set
+ # CONFIG_NET_VENDOR_HUAWEI is not set
+ CONFIG_E1000=m
+ CONFIG_E1000E=m
+@@ -157,7 +156,6 @@ CONFIG_IGB=m
+ CONFIG_IXGB=m
+ CONFIG_IXGBE=m
+ CONFIG_I40E=m
+-CONFIG_S2IO=m
+ # CONFIG_NET_VENDOR_MARVELL is not set
+ CONFIG_MLX4_EN=m
+ # CONFIG_MLX4_CORE_GEN2 is not set
+@@ -168,12 +166,12 @@ CONFIG_MLX5_CORE_EN=y
+ # CONFIG_NET_VENDOR_MICROSEMI is not set
+ CONFIG_MYRI10GE=m
+ # CONFIG_NET_VENDOR_NATSEMI is not set
++CONFIG_S2IO=m
+ # CONFIG_NET_VENDOR_NETRONOME is not set
+ # CONFIG_NET_VENDOR_NI is not set
+ # CONFIG_NET_VENDOR_NVIDIA is not set
+ # CONFIG_NET_VENDOR_OKI is not set
+ # CONFIG_NET_VENDOR_PACKET_ENGINES is not set
+-CONFIG_QLGE=m
+ CONFIG_NETXEN_NIC=m
+ CONFIG_QED=m
+ CONFIG_QEDE=m
+@@ -211,7 +209,6 @@ CONFIG_IPMI_DEVICE_INTERFACE=y
+ CONFIG_IPMI_POWERNV=y
+ CONFIG_IPMI_WATCHDOG=y
+ CONFIG_HW_RANDOM=y
+-CONFIG_TCG_TPM=y
+ CONFIG_TCG_TIS_I2C_NUVOTON=y
+ # CONFIG_DEVPORT is not set
+ CONFIG_I2C=y
+@@ -240,7 +237,6 @@ CONFIG_HID_CYPRESS=y
+ CONFIG_HID_EZKEY=y
+ CONFIG_HID_ITE=y
+ CONFIG_HID_KENSINGTON=y
+-CONFIG_HID_LOGITECH=y
+ CONFIG_HID_MICROSOFT=y
+ CONFIG_HID_MONTEREY=y
+ CONFIG_USB_HIDDEV=y
+@@ -277,6 +273,29 @@ CONFIG_NLS_CODEPAGE_437=y
+ CONFIG_NLS_ASCII=y
+ CONFIG_NLS_ISO8859_1=y
+ CONFIG_NLS_UTF8=y
++CONFIG_ENCRYPTED_KEYS=y
++CONFIG_SECURITY=y
++CONFIG_HARDENED_USERCOPY=y
++# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
++CONFIG_HARDENED_USERCOPY_PAGESPAN=y
++CONFIG_FORTIFY_SOURCE=y
++CONFIG_SECURITY_LOCKDOWN_LSM=y
++CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
++CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
++CONFIG_INTEGRITY_SIGNATURE=y
++CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
++CONFIG_INTEGRITY_PLATFORM_KEYRING=y
++CONFIG_IMA=y
++CONFIG_IMA_KEXEC=y
++CONFIG_IMA_SIG_TEMPLATE=y
++CONFIG_IMA_DEFAULT_HASH_SHA256=y
++CONFIG_IMA_READ_POLICY=y
++CONFIG_IMA_APPRAISE=y
++CONFIG_IMA_ARCH_POLICY=y
++CONFIG_IMA_APPRAISE_MODSIG=y
++CONFIG_LSM="yama,loadpin,safesetid,integrity"
++# CONFIG_CRYPTO_HW is not set
++CONFIG_SYSTEM_BLACKLIST_KEYRING=y
+ CONFIG_CRC16=y
+ CONFIG_CRC_ITU_T=y
+ CONFIG_LIBCRC32C=y
+@@ -287,17 +306,20 @@ CONFIG_LIBCRC32C=y
+ # CONFIG_XZ_DEC_SPARC is not set
+ CONFIG_PRINTK_TIME=y
+ CONFIG_MAGIC_SYSRQ=y
++CONFIG_SLUB_DEBUG_ON=y
+ CONFIG_DEBUG_STACKOVERFLOW=y
+ CONFIG_SOFTLOCKUP_DETECTOR=y
+ CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y
+ CONFIG_HARDLOCKUP_DETECTOR=y
+ CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=y
+ CONFIG_WQ_WATCHDOG=y
++CONFIG_PANIC_ON_OOPS=y
+ # CONFIG_SCHED_DEBUG is not set
++CONFIG_SCHED_STACK_END_CHECK=y
++CONFIG_DEBUG_SG=y
++CONFIG_DEBUG_NOTIFIERS=y
++CONFIG_DEBUG_CREDENTIALS=y
+ # CONFIG_FTRACE is not set
+ # CONFIG_RUNTIME_TESTING_MENU is not set
++CONFIG_BUG_ON_DATA_CORRUPTION=y
+ CONFIG_XMON=y
+-CONFIG_XMON_DEFAULT=y
+-CONFIG_ENCRYPTED_KEYS=y
+-# CONFIG_CRYPTO_ECHAINIV is not set
+-# CONFIG_CRYPTO_HW is not set
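Review bot: The removal of `CONFIG_MODULE_SIG=y` at the old line for `-CONFIG_MODULE_SIG=y` while `+CONFIG_MODULE_SIG_FORCE=y` is kept further down is the change I would want confirmed, since MODULE_SIG_FORCE depends on MODULE_SIG and a defconfig line whose dependency is unmet is silently dropped when the .config is generated. That only works if MODULE_SIG is now selected by one of the lockdown/IMA options added in the `CONFIG_ENCRYPTED_KEYS=y` … `CONFIG_SYSTEM_BLACKLIST_KEYRING=y` block, which I cannot verify from the hunk; the preceding 0016 patch makes the outcome matter, because its ima_arch.c guard now keys on `CONFIG_MODULE_SIG` rather than `CONFIG_MODULE_SIG_FORCE`, so whether modules are enforced by the module loader or appraised by IMA depends on that symbol's final value. The patch description says only "it enables IMA and secureboot options"; I would add one sentence such as `CONFIG_MODULE_SIG=y is dropped from the defconfig because it is selected by <selecting option, confirm against the generated .config>; CONFIG_MODULE_SIG_FORCE=y is retained.` so the next person rebasing the config does not read the removal as loosening module signing. Similarly, `CONFIG_LSM="yama,loadpin,safesetid,integrity"` omits lockdown, which is only picked up because `CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y` registers it as an early LSM; a short note on that in the description would save the same confusion.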
diff --git a/openpower/linux/0002-Release-OpenPower-kernel.patch b/openpower/linux/0018-Release-OpenPower-kernel.patch
similarity index 81%
rename from openpower/linux/0002-Release-OpenPower-kernel.patch
rename to openpower/linux/0018-Release-OpenPower-kernel.patch
index 87ff292..f738c01 100644
--- a/openpower/linux/0002-Release-OpenPower-kernel.patch
+++ b/openpower/linux/0018-Release-OpenPower-kernel.patch
@@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Joel Stanley <joel@jms.id.au>
Date: Tue, 16 Jul 2019 11:40:02 +0930
-Subject: [PATCH 2/2] Release OpenPower kernel
+Subject: [PATCH 18/18] Release OpenPower kernel
Signed-off-by: Joel Stanley <joel@jms.id.au>
---
@@ -9,13 +9,13 @@
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
-index c09d5a4d2e7a..6a59ef669154 100644
+index fee4101b5d22..a7fb637de10c 100644
--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,7 @@
VERSION = 5
PATCHLEVEL = 4
- SUBLEVEL = 33
+ SUBLEVEL = 48
-EXTRAVERSION =
+EXTRAVERSION = -openpower1
NAME = Kleptomaniac Octopus