kernel: Move to Linux v5.4.48-openpower1
This adds secure boot support backported from upstream and enables it
in the configuration.
Appearing in the backports is a patch to disable STRICT_KERNEL_RWX so
it drops out of the configuration.
Backported patches to support secureboot:
powerpc/ima: Fix secure boot rules in ima arch policy
powerpc/ima: Indicate kernel modules appended signatures are enforced
powerpc/xmon: Allow listing and clearing breakpoints in read-only mode
powerpc: Load firmware trusted keys/hashes into kernel keyring
x86/efi: move common keyring handler functions to new file
powerpc: expose secure variables to userspace via sysfs
powerpc/powernv: Add OPAL API interface to access secure variable
powerpc/ima: Update ima arch policy to check for blacklist
ima: Check against blacklisted hashes for files with modsig
certs: Add wrapper function to check blacklisted binary hash
ima: Make process_buffer_measurement() generic
powerpc/ima: Define trusted boot policy
powerpc: Detect the trusted boot state of the system
powerpc/ima: Add support to initialize ima policy rules
powerpc: Detect the secure boot mode of the system
PowerPC related fixes:
powerpc/64s: Save FSCR to init_task.thread.fscr after feature init
powerpc/64s: Don't let DT CPU features set FSCR_DSCR
powerpc/kasan: Fix shadow pages allocation failure
powerpc/kasan: Fix issues by lowering KASAN_SHADOW_END
powerpc/fadump: Account for memory_limit while reserving memory
powerpc/fadump: consider reserved ranges while reserving memory
powerpc/fadump: use static allocation for reserved memory ranges
powerpc/mm: Fix conditions to perform MMU specific management by blocks on PPC32.
powerpc/spufs: fix copy_to_user while atomic
sched/core: Fix illegal RCU from offline CPUs
powerpc/ptdump: Properly handle non standard page size
powerpc/xive: Clear the page tables for the ESB IO mapping
bpf: Support llvm-objcopy for vmlinux BTF
powerpc/xmon: Restrict when kernel is locked down
powerpc/powernv: Avoid re-registration of imc debugfs directory
powerpc/64s: Disable STRICT_KERNEL_RWX
powerpc: Remove STRICT_KERNEL_RWX incompatibility with RELOCATABLE
powerpc/mm: Fix CONFIG_PPC_KUAP_DEBUG on PPC32
powerpc/kuap: PPC_KUAP_DEBUG should depend on PPC_KUAP
powerpc/setup_64: Set cache-line-size based on cache-block-size
Revert "powerpc/64: irq_work avoid interrupt when called with hardware irqs enabled"
Signed-off-by: Joel Stanley <joel@jms.id.au>
diff --git a/openpower/linux/0005-powerpc-ima-Define-trusted-boot-policy.patch b/openpower/linux/0005-powerpc-ima-Define-trusted-boot-policy.patch
new file mode 100644
index 0000000..76b1212
--- /dev/null
+++ b/openpower/linux/0005-powerpc-ima-Define-trusted-boot-policy.patch
@@ -0,0 +1,69 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nayna Jain <nayna@linux.ibm.com>
+Date: Wed, 30 Oct 2019 23:31:29 -0400
+Subject: [PATCH 05/18] powerpc/ima: Define trusted boot policy
+
+This patch defines an arch-specific trusted boot only policy and a
+combined secure and trusted boot policy.
+
+Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1572492694-6520-5-git-send-email-zohar@linux.ibm.com
+(cherry picked from commit 1917855f4e0658c313e280671ad87774dbfb7b24)
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+---
+ arch/powerpc/kernel/ima_arch.c | 33 ++++++++++++++++++++++++++++++++-
+ 1 file changed, 32 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
+index d88913dc0da7..0ef5956c9753 100644
+--- a/arch/powerpc/kernel/ima_arch.c
++++ b/arch/powerpc/kernel/ima_arch.c
+@@ -30,6 +30,32 @@ static const char *const secure_rules[] = {
+ NULL
+ };
+
++/*
++ * The "trusted_rules" are enabled only on "trustedboot" enabled systems.
++ * These rules add the kexec kernel image and kernel modules file hashes to
++ * the IMA measurement list.
++ */
++static const char *const trusted_rules[] = {
++ "measure func=KEXEC_KERNEL_CHECK",
++ "measure func=MODULE_CHECK",
++ NULL
++};
++
++/*
++ * The "secure_and_trusted_rules" contains rules for both the secure boot and
++ * trusted boot. The "template=ima-modsig" option includes the appended
++ * signature, when available, in the IMA measurement list.
++ */
++static const char *const secure_and_trusted_rules[] = {
++ "measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
++ "measure func=MODULE_CHECK template=ima-modsig",
++ "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig",
++#ifndef CONFIG_MODULE_SIG_FORCE
++ "appraise func=MODULE_CHECK appraise_type=imasig|modsig",
++#endif
++ NULL
++};
++
+ /*
+ * Returns the relevant IMA arch-specific policies based on the system secure
+ * boot state.
+@@ -37,7 +63,12 @@ static const char *const secure_rules[] = {
+ const char *const *arch_get_ima_policy(void)
+ {
+ if (is_ppc_secureboot_enabled())
+- return secure_rules;
++ if (is_ppc_trustedboot_enabled())
++ return secure_and_trusted_rules;
++ else
++ return secure_rules;
++ else if (is_ppc_trustedboot_enabled())
++ return trusted_rules;
+
+ return NULL;
+ }