kernel: Move to Linux v5.4.48-openpower1
This adds secure boot support backported from upstream and enables it
in the configuration.
Appearing in the backports is a patch to disable STRICT_KERNEL_RWX so
it drops out of the configuration.
Backported patches to support secureboot:
powerpc/ima: Fix secure boot rules in ima arch policy
powerpc/ima: Indicate kernel modules appended signatures are enforced
powerpc/xmon: Allow listing and clearing breakpoints in read-only mode
powerpc: Load firmware trusted keys/hashes into kernel keyring
x86/efi: move common keyring handler functions to new file
powerpc: expose secure variables to userspace via sysfs
powerpc/powernv: Add OPAL API interface to access secure variable
powerpc/ima: Update ima arch policy to check for blacklist
ima: Check against blacklisted hashes for files with modsig
certs: Add wrapper function to check blacklisted binary hash
ima: Make process_buffer_measurement() generic
powerpc/ima: Define trusted boot policy
powerpc: Detect the trusted boot state of the system
powerpc/ima: Add support to initialize ima policy rules
powerpc: Detect the secure boot mode of the system
PowerPC related fixes:
powerpc/64s: Save FSCR to init_task.thread.fscr after feature init
powerpc/64s: Don't let DT CPU features set FSCR_DSCR
powerpc/kasan: Fix shadow pages allocation failure
powerpc/kasan: Fix issues by lowering KASAN_SHADOW_END
powerpc/fadump: Account for memory_limit while reserving memory
powerpc/fadump: consider reserved ranges while reserving memory
powerpc/fadump: use static allocation for reserved memory ranges
powerpc/mm: Fix conditions to perform MMU specific management by blocks on PPC32.
powerpc/spufs: fix copy_to_user while atomic
sched/core: Fix illegal RCU from offline CPUs
powerpc/ptdump: Properly handle non standard page size
powerpc/xive: Clear the page tables for the ESB IO mapping
bpf: Support llvm-objcopy for vmlinux BTF
powerpc/xmon: Restrict when kernel is locked down
powerpc/powernv: Avoid re-registration of imc debugfs directory
powerpc/64s: Disable STRICT_KERNEL_RWX
powerpc: Remove STRICT_KERNEL_RWX incompatibility with RELOCATABLE
powerpc/mm: Fix CONFIG_PPC_KUAP_DEBUG on PPC32
powerpc/kuap: PPC_KUAP_DEBUG should depend on PPC_KUAP
powerpc/setup_64: Set cache-line-size based on cache-block-size
Revert "powerpc/64: irq_work avoid interrupt when called with hardware irqs enabled"
Signed-off-by: Joel Stanley <joel@jms.id.au>
diff --git a/openpower/linux/0016-powerpc-ima-Fix-secure-boot-rules-in-ima-arch-policy.patch b/openpower/linux/0016-powerpc-ima-Fix-secure-boot-rules-in-ima-arch-policy.patch
new file mode 100644
index 0000000..6875b14
--- /dev/null
+++ b/openpower/linux/0016-powerpc-ima-Fix-secure-boot-rules-in-ima-arch-policy.patch
@@ -0,0 +1,58 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Nayna Jain <nayna@linux.ibm.com>
+Date: Fri, 1 May 2020 10:16:52 -0400
+Subject: [PATCH 16/18] powerpc/ima: Fix secure boot rules in ima arch policy
+
+To prevent verifying the kernel module appended signature
+twice (finit_module), once by the module_sig_check() and again by IMA,
+powerpc secure boot rules define an IMA architecture specific policy
+rule only if CONFIG_MODULE_SIG_FORCE is not enabled. This,
+unfortunately, does not take into account the ability of enabling
+"sig_enforce" on the boot command line (module.sig_enforce=1).
+
+Including the IMA module appraise rule results in failing the
+finit_module syscall, unless the module signing public key is loaded
+onto the IMA keyring.
+
+This patch fixes secure boot policy rules to be based on
+CONFIG_MODULE_SIG instead.
+
+Fixes: 4238fad366a6 ("powerpc/ima: Add support to initialize ima policy rules")
+Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Link: https://lore.kernel.org/r/1588342612-14532-1-git-send-email-nayna@linux.ibm.com
+(cherry picked from commit fa4f3f56ccd28ac031ab275e673ed4098855fed4)
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+---
+ arch/powerpc/kernel/ima_arch.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/kernel/ima_arch.c b/arch/powerpc/kernel/ima_arch.c
+index e34116255ced..957abd592075 100644
+--- a/arch/powerpc/kernel/ima_arch.c
++++ b/arch/powerpc/kernel/ima_arch.c
+@@ -19,12 +19,12 @@ bool arch_ima_get_secureboot(void)
+ * to be stored as an xattr or as an appended signature.
+ *
+ * To avoid duplicate signature verification as much as possible, the IMA
+- * policy rule for module appraisal is added only if CONFIG_MODULE_SIG_FORCE
++ * policy rule for module appraisal is added only if CONFIG_MODULE_SIG
+ * is not enabled.
+ */
+ static const char *const secure_rules[] = {
+ "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
+-#ifndef CONFIG_MODULE_SIG_FORCE
++#ifndef CONFIG_MODULE_SIG
+ "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
+ #endif
+ NULL
+@@ -50,7 +50,7 @@ static const char *const secure_and_trusted_rules[] = {
+ "measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
+ "measure func=MODULE_CHECK template=ima-modsig",
+ "appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
+-#ifndef CONFIG_MODULE_SIG_FORCE
++#ifndef CONFIG_MODULE_SIG
+ "appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
+ #endif
+ NULL