Gitiles
Code Review Sign In
gerrit.openbmc.org / premsjha / op-build / a1fccbfd4663468c3428568a67cff8a42a21f53e
commita1fccbfd4663468c3428568a67cff8a42a21f53e[log] [tgz]
authorJoel Stanley <joel@jms.id.au>Tue Jun 23 17:25:56 2020 +0930
committerKlaus Heinrich Kiwi <klausk@br.ibm.com>Thu Jun 25 09:31:07 2020 -0300
tree5adf25692893c1f0b81d5bf9d447951f643327ff
parent725ca63b9702cb0c51caf2185ce379e8f0fcbe1a [diff]
kernel: Move to Linux v5.4.48-openpower1

This adds secure boot support backported from upstream and enables it
in the configuration.

Appearing in the backports is a patch to disable STRICT_KERNEL_RWX so
it drops out of the configuration.

Backported patches to support secureboot:

 powerpc/ima: Fix secure boot rules in ima arch policy
 powerpc/ima: Indicate kernel modules appended signatures are enforced
 powerpc/xmon: Allow listing and clearing breakpoints in read-only mode
 powerpc: Load firmware trusted keys/hashes into kernel keyring
 x86/efi: move common keyring handler functions to new file
 powerpc: expose secure variables to userspace via sysfs
 powerpc/powernv: Add OPAL API interface to access secure variable
 powerpc/ima: Update ima arch policy to check for blacklist
 ima: Check against blacklisted hashes for files with modsig
 certs: Add wrapper function to check blacklisted binary hash
 ima: Make process_buffer_measurement() generic
 powerpc/ima: Define trusted boot policy
 powerpc: Detect the trusted boot state of the system
 powerpc/ima: Add support to initialize ima policy rules
 powerpc: Detect the secure boot mode of the system

PowerPC related fixes:

 powerpc/64s: Save FSCR to init_task.thread.fscr after feature init
 powerpc/64s: Don't let DT CPU features set FSCR_DSCR
 powerpc/kasan: Fix shadow pages allocation failure
 powerpc/kasan: Fix issues by lowering KASAN_SHADOW_END
 powerpc/fadump: Account for memory_limit while reserving memory
 powerpc/fadump: consider reserved ranges while reserving memory
 powerpc/fadump: use static allocation for reserved memory ranges
 powerpc/mm: Fix conditions to perform MMU specific management by blocks on PPC32.
 powerpc/spufs: fix copy_to_user while atomic
 sched/core: Fix illegal RCU from offline CPUs
 powerpc/ptdump: Properly handle non standard page size
 powerpc/xive: Clear the page tables for the ESB IO mapping
 bpf: Support llvm-objcopy for vmlinux BTF
 powerpc/xmon: Restrict when kernel is locked down
 powerpc/powernv: Avoid re-registration of imc debugfs directory
 powerpc/64s: Disable STRICT_KERNEL_RWX
 powerpc: Remove STRICT_KERNEL_RWX incompatibility with RELOCATABLE
 powerpc/mm: Fix CONFIG_PPC_KUAP_DEBUG on PPC32
 powerpc/kuap: PPC_KUAP_DEBUG should depend on PPC_KUAP
 powerpc/setup_64: Set cache-line-size based on cache-block-size
 Revert "powerpc/64: irq_work avoid interrupt when called with hardware irqs enabled"

Signed-off-by: Joel Stanley <joel@jms.id.au>
38 files changed
tree: 5adf25692893c1f0b81d5bf9d447951f643327ff
  1. ci/
  2. dl/
  3. doc/
  4. openpower/
  5. output/
  6. buildroot
  7. .gitignore
  8. .gitmodules
  9. .travis.yml
  10. CONTRIBUTING.md
  11. LICENSE
  12. NOTICE
  13. op-build
  14. op-build-env
  15. README.md
README.md

OpenPOWER Firmware Build Environment

The OpenPOWER firmware build process uses Buildroot to create a toolchain and build the various components of the PNOR firmware, including Hostboot, Skiboot, OCC, Petitboot etc.

Documentation

https://open-power.github.io/op-build/

See the doc/ directory for documentation source. Contributions are VERY welcome!

Development

Issues, Milestones, pull requests and code hosting is on GitHub: https://github.com/open-power/op-build

See CONTRIBUTING.md for howto contribute code.

Building an image

To build an image for a Palmetto system:

git clone --recursive https://github.com/open-power/op-build.git
cd op-build
./op-build palmetto_defconfig && ./op-build

There are also default configurations for other platforms in openpower/configs/. Current POWER8 platforms include Habanero, Firestone, and Garrison. Current POWER9 platforms include Witherspoon, Boston (p9dsu), Romulus, and Zaius.

Buildroot/op-build supports both native and cross-compilation - it will automatically download and build an appropriate toolchain as part of the build process, so you don't need to worry about setting up a cross-compiler. Cross-compiling from a x86-64 host is officially supported.

The machine your building on will need Python 2.7, GCC 6.2 (or later), and a handful of other packages (see below).

Dependencies for 64-bit Ubuntu/Debian systems

  1. Install Ubuntu (>= 18.04) or Debian (>= 9) 64-bit.

  2. Enable Universe (Ubuntu only):

     sudo apt-get install software-properties-common
 sudo add-apt-repository universe

  3. Install the packages necessary for the build:

     sudo apt-get install cscope ctags libz-dev libexpat-dev \
   python language-pack-en texinfo gawk cpio xxd \
   build-essential g++ git bison flex unzip \
   libssl-dev libxml-simple-perl libxml-sax-perl libxml-parser-perl libxml2-dev libxml2-utils xsltproc \
   wget bc rsync

Dependencies for 64-bit Fedora systems

  1. Install Fedora (>= 25) 64-bit.

  2. Install the packages necessary for the build:

     sudo dnf install gcc-c++ flex bison git ctags cscope expat-devel patch \
   zlib-devel zlib-static texinfo "perl(bigint)" "perl(XML::Simple)" \
   "perl(YAML)" "perl(XML::SAX)" "perl(Fatal)" "perl(Thread::Queue)" \
   "perl(Env)" "perl(XML::LibXML)" "perl(Digest::SHA1)" "perl(ExtUtils::MakeMaker)" \
   libxml2-devel which wget unzip tar cpio python bzip2 bc findutils ncurses-devel \
   openssl-devel make libxslt vim-common lzo-devel python2 rsync hostname