kernel: Move to Linux v5.4.48-openpower1

This adds secure boot support backported from upstream and enables it
in the configuration.

Appearing in the backports is a patch to disable STRICT_KERNEL_RWX so
it drops out of the configuration.

Backported patches to support secureboot:

 powerpc/ima: Fix secure boot rules in ima arch policy
 powerpc/ima: Indicate kernel modules appended signatures are enforced
 powerpc/xmon: Allow listing and clearing breakpoints in read-only mode
 powerpc: Load firmware trusted keys/hashes into kernel keyring
 x86/efi: move common keyring handler functions to new file
 powerpc: expose secure variables to userspace via sysfs
 powerpc/powernv: Add OPAL API interface to access secure variable
 powerpc/ima: Update ima arch policy to check for blacklist
 ima: Check against blacklisted hashes for files with modsig
 certs: Add wrapper function to check blacklisted binary hash
 ima: Make process_buffer_measurement() generic
 powerpc/ima: Define trusted boot policy
 powerpc: Detect the trusted boot state of the system
 powerpc/ima: Add support to initialize ima policy rules
 powerpc: Detect the secure boot mode of the system

PowerPC related fixes:

 powerpc/64s: Save FSCR to init_task.thread.fscr after feature init
 powerpc/64s: Don't let DT CPU features set FSCR_DSCR
 powerpc/kasan: Fix shadow pages allocation failure
 powerpc/kasan: Fix issues by lowering KASAN_SHADOW_END
 powerpc/fadump: Account for memory_limit while reserving memory
 powerpc/fadump: consider reserved ranges while reserving memory
 powerpc/fadump: use static allocation for reserved memory ranges
 powerpc/mm: Fix conditions to perform MMU specific management by blocks on PPC32.
 powerpc/spufs: fix copy_to_user while atomic
 sched/core: Fix illegal RCU from offline CPUs
 powerpc/ptdump: Properly handle non standard page size
 powerpc/xive: Clear the page tables for the ESB IO mapping
 bpf: Support llvm-objcopy for vmlinux BTF
 powerpc/xmon: Restrict when kernel is locked down
 powerpc/powernv: Avoid re-registration of imc debugfs directory
 powerpc/64s: Disable STRICT_KERNEL_RWX
 powerpc: Remove STRICT_KERNEL_RWX incompatibility with RELOCATABLE
 powerpc/mm: Fix CONFIG_PPC_KUAP_DEBUG on PPC32
 powerpc/kuap: PPC_KUAP_DEBUG should depend on PPC_KUAP
 powerpc/setup_64: Set cache-line-size based on cache-block-size
 Revert "powerpc/64: irq_work avoid interrupt when called with hardware irqs enabled"

Signed-off-by: Joel Stanley <joel@jms.id.au>
diff --git a/openpower/linux/0017-powerpc-configs-Update-to-upstream-and-enable-secure.patch b/openpower/linux/0017-powerpc-configs-Update-to-upstream-and-enable-secure.patch
new file mode 100644
index 0000000..881253c
--- /dev/null
+++ b/openpower/linux/0017-powerpc-configs-Update-to-upstream-and-enable-secure.patch
@@ -0,0 +1,230 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Joel Stanley <joel@jms.id.au>
+Date: Tue, 23 Jun 2020 16:22:10 +0930
+Subject: [PATCH 17/18] powerpc/configs: Update to upstream and enable
+ secureboot
+
+Pulls in the following updates from upstream:
+
+ scsi: sr: remove references to BLK_DEV_SR_VENDOR, leave it enabled
+ powerpc/configs/skiroot: Enable some more hardening options
+ powerpc/configs/skiroot: Disable xmon default & enable reboot on panic
+ powerpc/configs/skiroot: Enable security features
+ powerpc/configs/skiroot: Update for symbol movement only
+ powerpc/configs/skiroot: Drop default n CONFIG_CRYPTO_ECHAINIV
+ powerpc/configs/skiroot: Drop HID_LOGITECH
+ powerpc/configs: Drop NET_VENDOR_HP which moved to staging
+ powerpc/configs: NET_CADENCE became NET_VENDOR_CADENCE
+ powerpc/configs: Drop CONFIG_QLGE which moved to staging
+ powerpc/configs: remove obsolete CONFIG_INET_XFRM_MODE_* and CONFIG_INET6_XFRM_MODE_*
+ powerpc/configs: add FADump awareness to skiroot_defconfig
+
+In addition, it enables IMA and secureboot options.
+
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+---
+ arch/powerpc/configs/skiroot_defconfig | 84 ++++++++++++++++----------
+ 1 file changed, 53 insertions(+), 31 deletions(-)
+
+diff --git a/arch/powerpc/configs/skiroot_defconfig b/arch/powerpc/configs/skiroot_defconfig
+index 1253482a67c0..44309e12d84a 100644
+--- a/arch/powerpc/configs/skiroot_defconfig
++++ b/arch/powerpc/configs/skiroot_defconfig
+@@ -1,13 +1,9 @@
+-CONFIG_PPC64=y
+-CONFIG_ALTIVEC=y
+-CONFIG_VSX=y
+-CONFIG_NR_CPUS=2048
+-CONFIG_CPU_LITTLE_ENDIAN=y
+ CONFIG_KERNEL_XZ=y
+ # CONFIG_SWAP is not set
+ CONFIG_SYSVIPC=y
+ CONFIG_POSIX_MQUEUE=y
+ # CONFIG_CROSS_MEMORY_ATTACH is not set
++CONFIG_AUDIT=y
+ CONFIG_NO_HZ=y
+ CONFIG_HIGH_RES_TIMERS=y
+ # CONFIG_CPU_ISOLATION is not set
+@@ -28,17 +24,15 @@ CONFIG_EXPERT=y
+ # CONFIG_AIO is not set
+ CONFIG_PERF_EVENTS=y
+ # CONFIG_COMPAT_BRK is not set
++# CONFIG_SLAB_MERGE_DEFAULT is not set
++CONFIG_SLAB_FREELIST_RANDOM=y
+ CONFIG_SLAB_FREELIST_HARDENED=y
+-CONFIG_JUMP_LABEL=y
+-CONFIG_STRICT_KERNEL_RWX=y
+-CONFIG_MODULES=y
+-CONFIG_MODULE_UNLOAD=y
+-CONFIG_MODULE_SIG=y
+-CONFIG_MODULE_SIG_FORCE=y
+-CONFIG_MODULE_SIG_SHA512=y
+-CONFIG_PARTITION_ADVANCED=y
+-# CONFIG_MQ_IOSCHED_DEADLINE is not set
+-# CONFIG_MQ_IOSCHED_KYBER is not set
++CONFIG_PPC64=y
++CONFIG_ALTIVEC=y
++CONFIG_VSX=y
++CONFIG_NR_CPUS=2048
++CONFIG_CPU_LITTLE_ENDIAN=y
++CONFIG_PANIC_TIMEOUT=30
+ # CONFIG_PPC_VAS is not set
+ # CONFIG_PPC_PSERIES is not set
+ # CONFIG_PPC_OF_BOOT_TRAMPOLINE is not set
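Review bot: CONFIG_STRICT_KERNEL_RWX=y is removed in this hunk, but the commit message of this defconfig patch lists only the upstream skiroot updates and "IMA and secureboot options", so a reader of the patch alone cannot tell that the drop is intentional. Add a line to the message stating that the option goes away because of the backported "powerpc/64s: Disable STRICT_KERNEL_RWX" change. Losing read-only and non-executable enforcement on kernel mappings is a hardening regression and should be recorded next to the hardening options added here.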
+@@ -46,16 +40,27 @@ CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y
+ CONFIG_CPU_IDLE=y
+ CONFIG_HZ_100=y
+ CONFIG_KEXEC=y
++CONFIG_KEXEC_FILE=y
++CONFIG_PRESERVE_FA_DUMP=y
+ CONFIG_IRQ_ALL_CPUS=y
+ CONFIG_NUMA=y
+-# CONFIG_COMPACTION is not set
+-# CONFIG_MIGRATION is not set
+ CONFIG_PPC_64K_PAGES=y
+ CONFIG_SCHED_SMT=y
+ CONFIG_CMDLINE_BOOL=y
+ CONFIG_CMDLINE="console=tty0 console=hvc0 ipr.fast_reboot=1 quiet"
+ # CONFIG_SECCOMP is not set
+ # CONFIG_PPC_MEM_KEYS is not set
++CONFIG_PPC_SECURE_BOOT=y
++CONFIG_JUMP_LABEL=y
++CONFIG_MODULES=y
++CONFIG_MODULE_UNLOAD=y
++CONFIG_MODULE_SIG_FORCE=y
++CONFIG_MODULE_SIG_SHA512=y
++CONFIG_PARTITION_ADVANCED=y
++# CONFIG_MQ_IOSCHED_DEADLINE is not set
++# CONFIG_MQ_IOSCHED_KYBER is not set
++# CONFIG_COMPACTION is not set
++# CONFIG_MIGRATION is not set
+ CONFIG_NET=y
+ CONFIG_PACKET=y
+ CONFIG_UNIX=y
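Review bot: CONFIG_MODULE_SIG=y was removed in the previous hunk and is not re-added here alongside CONFIG_MODULE_SIG_FORCE=y and CONFIG_MODULE_SIG_SHA512=y. Both of those depend on MODULE_SIG, so signature enforcement holds only if another enabled option selects it. Please confirm that CONFIG_MODULE_SIG=y appears in the generated .config and name the selecting option in the commit message.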
+@@ -63,9 +68,6 @@ CONFIG_INET=y
+ CONFIG_IP_MULTICAST=y
+ CONFIG_NET_IPIP=y
+ CONFIG_SYN_COOKIES=y
+-# CONFIG_INET_XFRM_MODE_TRANSPORT is not set
+-# CONFIG_INET_XFRM_MODE_TUNNEL is not set
+-# CONFIG_INET_XFRM_MODE_BEET is not set
+ CONFIG_DNS_RESOLVER=y
+ # CONFIG_WIRELESS is not set
+ CONFIG_DEVTMPFS=y
+@@ -83,7 +85,6 @@ CONFIG_EEPROM_AT24=m
+ # CONFIG_OCXL is not set
+ CONFIG_BLK_DEV_SD=m
+ CONFIG_BLK_DEV_SR=m
+-CONFIG_BLK_DEV_SR_VENDOR=y
+ CONFIG_CHR_DEV_SG=m
+ CONFIG_SCSI_CONSTANTS=y
+ CONFIG_SCSI_SCAN_ASYNC=y
+@@ -140,7 +141,6 @@ CONFIG_TIGON3=m
+ CONFIG_BNX2X=m
+ # CONFIG_NET_VENDOR_BROCADE is not set
+ # CONFIG_NET_VENDOR_CADENCE is not set
+-# CONFIG_NET_CADENCE is not set
+ # CONFIG_NET_VENDOR_CAVIUM is not set
+ CONFIG_CHELSIO_T1=m
+ # CONFIG_NET_VENDOR_CISCO is not set
+@@ -149,7 +149,6 @@ CONFIG_CHELSIO_T1=m
+ # CONFIG_NET_VENDOR_DLINK is not set
+ CONFIG_BE2NET=m
+ # CONFIG_NET_VENDOR_EZCHIP is not set
+-# CONFIG_NET_VENDOR_HP is not set
+ # CONFIG_NET_VENDOR_HUAWEI is not set
+ CONFIG_E1000=m
+ CONFIG_E1000E=m
+@@ -157,7 +156,6 @@ CONFIG_IGB=m
+ CONFIG_IXGB=m
+ CONFIG_IXGBE=m
+ CONFIG_I40E=m
+-CONFIG_S2IO=m
+ # CONFIG_NET_VENDOR_MARVELL is not set
+ CONFIG_MLX4_EN=m
+ # CONFIG_MLX4_CORE_GEN2 is not set
+@@ -168,12 +166,12 @@ CONFIG_MLX5_CORE_EN=y
+ # CONFIG_NET_VENDOR_MICROSEMI is not set
+ CONFIG_MYRI10GE=m
+ # CONFIG_NET_VENDOR_NATSEMI is not set
++CONFIG_S2IO=m
+ # CONFIG_NET_VENDOR_NETRONOME is not set
+ # CONFIG_NET_VENDOR_NI is not set
+ # CONFIG_NET_VENDOR_NVIDIA is not set
+ # CONFIG_NET_VENDOR_OKI is not set
+ # CONFIG_NET_VENDOR_PACKET_ENGINES is not set
+-CONFIG_QLGE=m
+ CONFIG_NETXEN_NIC=m
+ CONFIG_QED=m
+ CONFIG_QEDE=m
+@@ -211,7 +209,6 @@ CONFIG_IPMI_DEVICE_INTERFACE=y
+ CONFIG_IPMI_POWERNV=y
+ CONFIG_IPMI_WATCHDOG=y
+ CONFIG_HW_RANDOM=y
+-CONFIG_TCG_TPM=y
+ CONFIG_TCG_TIS_I2C_NUVOTON=y
+ # CONFIG_DEVPORT is not set
+ CONFIG_I2C=y
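Review bot: CONFIG_TCG_TPM=y is dropped while CONFIG_TCG_TIS_I2C_NUVOTON=y stays, and the removal is not among the changes listed in the commit message. Since this patch enables IMA, which extends its measurements into the TPM, confirm that the TPM core is still built in (selected by another option) in the resulting .config and say so in the message.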
+@@ -240,7 +237,6 @@ CONFIG_HID_CYPRESS=y
+ CONFIG_HID_EZKEY=y
+ CONFIG_HID_ITE=y
+ CONFIG_HID_KENSINGTON=y
+-CONFIG_HID_LOGITECH=y
+ CONFIG_HID_MICROSOFT=y
+ CONFIG_HID_MONTEREY=y
+ CONFIG_USB_HIDDEV=y
+@@ -277,6 +273,29 @@ CONFIG_NLS_CODEPAGE_437=y
+ CONFIG_NLS_ASCII=y
+ CONFIG_NLS_ISO8859_1=y
+ CONFIG_NLS_UTF8=y
++CONFIG_ENCRYPTED_KEYS=y
++CONFIG_SECURITY=y
++CONFIG_HARDENED_USERCOPY=y
++# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
++CONFIG_HARDENED_USERCOPY_PAGESPAN=y
++CONFIG_FORTIFY_SOURCE=y
++CONFIG_SECURITY_LOCKDOWN_LSM=y
++CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
++CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
++CONFIG_INTEGRITY_SIGNATURE=y
++CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
++CONFIG_INTEGRITY_PLATFORM_KEYRING=y
++CONFIG_IMA=y
++CONFIG_IMA_KEXEC=y
++CONFIG_IMA_SIG_TEMPLATE=y
++CONFIG_IMA_DEFAULT_HASH_SHA256=y
++CONFIG_IMA_READ_POLICY=y
++CONFIG_IMA_APPRAISE=y
++CONFIG_IMA_ARCH_POLICY=y
++CONFIG_IMA_APPRAISE_MODSIG=y
++CONFIG_LSM="yama,loadpin,safesetid,integrity"
++# CONFIG_CRYPTO_HW is not set
++CONFIG_SYSTEM_BLACKLIST_KEYRING=y
+ CONFIG_CRC16=y
+ CONFIG_CRC_ITU_T=y
+ CONFIG_LIBCRC32C=y
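Review bot: CONFIG_LSM="yama,loadpin,safesetid,integrity" names three LSMs for which this hunk adds no enable option, and it omits lockdown even though CONFIG_SECURITY_LOCKDOWN_LSM=y is set. If lockdown is meant to come up only through CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y, note that in the commit message, and either enable yama, loadpin and safesetid or drop them from the list so the string reflects what actually runs.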
+@@ -287,17 +306,20 @@ CONFIG_LIBCRC32C=y
+ # CONFIG_XZ_DEC_SPARC is not set
+ CONFIG_PRINTK_TIME=y
+ CONFIG_MAGIC_SYSRQ=y
++CONFIG_SLUB_DEBUG_ON=y
+ CONFIG_DEBUG_STACKOVERFLOW=y
+ CONFIG_SOFTLOCKUP_DETECTOR=y
+ CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y
+ CONFIG_HARDLOCKUP_DETECTOR=y
+ CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=y
+ CONFIG_WQ_WATCHDOG=y
++CONFIG_PANIC_ON_OOPS=y
+ # CONFIG_SCHED_DEBUG is not set
++CONFIG_SCHED_STACK_END_CHECK=y
++CONFIG_DEBUG_SG=y
++CONFIG_DEBUG_NOTIFIERS=y
++CONFIG_DEBUG_CREDENTIALS=y
+ # CONFIG_FTRACE is not set
+ # CONFIG_RUNTIME_TESTING_MENU is not set
++CONFIG_BUG_ON_DATA_CORRUPTION=y
+ CONFIG_XMON=y
+-CONFIG_XMON_DEFAULT=y
+-CONFIG_ENCRYPTED_KEYS=y
+-# CONFIG_CRYPTO_ECHAINIV is not set
+-# CONFIG_CRYPTO_HW is not set
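Review bot: CONFIG_SLUB_DEBUG_ON=y turns on full SLUB debugging for every cache from boot, which adds memory and run-time overhead, and it arrives together with CONFIG_DEBUG_SG, CONFIG_DEBUG_NOTIFIERS and CONFIG_DEBUG_CREDENTIALS plus CONFIG_PANIC_ON_OOPS=y and CONFIG_BUG_ON_DATA_CORRUPTION=y. With CONFIG_PANIC_TIMEOUT=30 set earlier in the file, any of these checks tripping now ends in a reboot. Please state the measured boot-time impact in the commit message and confirm the reboot-on-failure behaviour is the intended policy for this image. Also note that CONFIG_XMON=y remains built in after CONFIG_XMON_DEFAULT is dropped; a sentence on why the debugger is kept would help reviewers.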