Gitiles
Code Review Sign In
gerrit.openbmc.org / premsjha / op-build / a1fccbfd4663468c3428568a67cff8a42a21f53e^! / . / openpower / linux / 0015-powerpc-ima-Indicate-kernel-modules-appended-signatu.patch
commita1fccbfd4663468c3428568a67cff8a42a21f53e[log] [tgz]
authorJoel Stanley <joel@jms.id.au>Tue Jun 23 17:25:56 2020 +0930
committerKlaus Heinrich Kiwi <klausk@br.ibm.com>Thu Jun 25 09:31:07 2020 -0300
tree5adf25692893c1f0b81d5bf9d447951f643327ff
parent725ca63b9702cb0c51caf2185ce379e8f0fcbe1a [diff] [blame]
kernel: Move to Linux v5.4.48-openpower1

This adds secure boot support backported from upstream and enables it
in the configuration.

Appearing in the backports is a patch to disable STRICT_KERNEL_RWX so
it drops out of the configuration.

Backported patches to support secureboot:

 powerpc/ima: Fix secure boot rules in ima arch policy
 powerpc/ima: Indicate kernel modules appended signatures are enforced
 powerpc/xmon: Allow listing and clearing breakpoints in read-only mode
 powerpc: Load firmware trusted keys/hashes into kernel keyring
 x86/efi: move common keyring handler functions to new file
 powerpc: expose secure variables to userspace via sysfs
 powerpc/powernv: Add OPAL API interface to access secure variable
 powerpc/ima: Update ima arch policy to check for blacklist
 ima: Check against blacklisted hashes for files with modsig
 certs: Add wrapper function to check blacklisted binary hash
 ima: Make process_buffer_measurement() generic
 powerpc/ima: Define trusted boot policy
 powerpc: Detect the trusted boot state of the system
 powerpc/ima: Add support to initialize ima policy rules
 powerpc: Detect the secure boot mode of the system

PowerPC related fixes:

 powerpc/64s: Save FSCR to init_task.thread.fscr after feature init
 powerpc/64s: Don't let DT CPU features set FSCR_DSCR
 powerpc/kasan: Fix shadow pages allocation failure
 powerpc/kasan: Fix issues by lowering KASAN_SHADOW_END
 powerpc/fadump: Account for memory_limit while reserving memory
 powerpc/fadump: consider reserved ranges while reserving memory
 powerpc/fadump: use static allocation for reserved memory ranges
 powerpc/mm: Fix conditions to perform MMU specific management by blocks on PPC32.
 powerpc/spufs: fix copy_to_user while atomic
 sched/core: Fix illegal RCU from offline CPUs
 powerpc/ptdump: Properly handle non standard page size
 powerpc/xive: Clear the page tables for the ESB IO mapping
 bpf: Support llvm-objcopy for vmlinux BTF
 powerpc/xmon: Restrict when kernel is locked down
 powerpc/powernv: Avoid re-registration of imc debugfs directory
 powerpc/64s: Disable STRICT_KERNEL_RWX
 powerpc: Remove STRICT_KERNEL_RWX incompatibility with RELOCATABLE
 powerpc/mm: Fix CONFIG_PPC_KUAP_DEBUG on PPC32
 powerpc/kuap: PPC_KUAP_DEBUG should depend on PPC_KUAP
 powerpc/setup_64: Set cache-line-size based on cache-block-size
 Revert "powerpc/64: irq_work avoid interrupt when called with hardware irqs enabled"

Signed-off-by: Joel Stanley <joel@jms.id.au>

diff --git a/openpower/linux/0015-powerpc-ima-Indicate-kernel-modules-appended-signatu.patch b/openpower/linux/0015-powerpc-ima-Indicate-kernel-modules-appended-signatu.patch
new file mode 100644
index 0000000..b2ffe5c
--- /dev/null
+++ b/openpower/linux/0015-powerpc-ima-Indicate-kernel-modules-appended-signatu.patch

@@ -0,0 +1,46 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Mimi Zohar <zohar@linux.ibm.com>
+Date: Wed, 30 Oct 2019 23:31:34 -0400
+Subject: [PATCH 15/18] powerpc/ima: Indicate kernel modules appended
+ signatures are enforced
+
+The arch specific kernel module policy rule requires kernel modules to
+be signed, either as an IMA signature, stored as an xattr, or as an
+appended signature. As a result, kernel modules appended signatures
+could be enforced without "sig_enforce" being set or reflected in
+/sys/module/module/parameters/sig_enforce. This patch sets
+"sig_enforce".
+
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1572492694-6520-10-git-send-email-zohar@linux.ibm.com
+(cherry picked from commit d72ea4915c7e6fa5e7b9022a34df66e375bfe46c)
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+---
+ arch/powerpc/kernel/ima_arch.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
+index b9de0fb45bb9..e34116255ced 100644
+--- a/arch/powerpc/kernel/ima_arch.c
++++ b/arch/powerpc/kernel/ima_arch.c
+@@ -62,13 +62,17 @@ static const char *const secure_and_trusted_rules[] = {
+  */
+ const char *const *arch_get_ima_policy(void)
+ {
+-	if (is_ppc_secureboot_enabled())
++	if (is_ppc_secureboot_enabled()) {
++		if (IS_ENABLED(CONFIG_MODULE_SIG))
++			set_module_sig_enforced();
++
+ 		if (is_ppc_trustedboot_enabled())
+ 			return secure_and_trusted_rules;
+ 		else
+ 			return secure_rules;
+-	else if (is_ppc_trustedboot_enabled())
++	} else if (is_ppc_trustedboot_enabled()) {
+ 		return trusted_rules;
++	}
+ 
+ 	return NULL;
+ }