kernel: Move to Linux v5.4.68-openpower1

This changes the defconfig to make OPAL_I2C=y, so IMA can work
correctly. See the mailing list[1] or the commit message for the
details.

PowerPC related fixes since 5.4.48:

powerpc/dma: Fix dma_map_ops::get_required_mask
powerpc/book3s64/radix: Fix boot failure with large amount of guest memory
vgacon: remove software scrollback support
powerpc/perf: Fix crashes with generic_compat_pmu & BHRB
powerpc/perf: Fix soft lockups due to missed interrupt accounting
powerpc/spufs: add CONFIG_COREDUMP dependency
powerpc/xive: Ignore kmemleak false positives
powerpc/64s: Don't init FSCR_DSCR in __init_FSCR()
powerpc: Fix circular dependency between percpu.h and mmu.h
powerpc: Allow 4224 bytes of stack expansion for the signal frame
powerpc/ptdump: Fix build failure in hashpagetable.c
powerpc/boot: Fix CONFIG_PPC_MPC52XX references
powerpc/perf: Fix missing is_sier_aviable() during build
powerpc/book3s64/pkeys: Use PVR check instead of cpu feature
powerpc/vdso: Fix vdso cpu truncation
powerpc/rtas: don't online CPUs for partition suspend
Revert "powerpc/kasan: Fix shadow pages allocation failure"
powerpc/pseries/svm: Fix incorrect check for shared_lppaca_size
powerpc/book3s64/pkeys: Fix pkey_access_permitted() for execute disable pkey
scsi: sr: remove references to BLK_DEV_SR_VENDOR, leave it enabled
powerpc: Fix kernel crash in show_instructions() w/DEBUG_VIRTUAL
powerpc/64s/pgtable: fix an undefined behaviour
powerpc/64s/exception: Fix machine check no-loss idle wakeup
powerpc/64: Don't initialise init_task->thread.regs
powerpc/crashkernel: Take "mem=" option into account
powerpc/perf/hv-24x7: Fix inconsistent output values incase multiple hv-24x7 events run
powerpc/ptdump: Add _PAGE_COHERENT flag
powerpc/kasan: Fix stack overflow by increasing THREAD_SHIFT

[1] https://lists.ozlabs.org/pipermail/openpower-firmware/2020-September/000547.html

Signed-off-by: Joel Stanley <joel@jms.id.au>
diff --git a/openpower/configs/blackbird_defconfig b/openpower/configs/blackbird_defconfig
index 39657bd..aeb9130 100644
--- a/openpower/configs/blackbird_defconfig
+++ b/openpower/configs/blackbird_defconfig
@@ -18,7 +18,7 @@
BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.48"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.68"
BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
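Review bot: the 5.4.48 to 5.4.68 bump in this hunk is repeated verbatim in nine more board defconfigs below (mihawk, nicole, opal, p9dsu, romulus, swift, witherspoon, zaius, zz) and must also agree with `SUBLEVEL = 68` in the regenerated 0019-Release-OpenPower-kernel.patch at the end of this diff; all of them match here. Because every board points at the same BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE, a board missed in a future bump would build an older kernel against the same skiroot_defconfig without any build error, so a check that `BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE` is identical across openpower/configs/*_defconfig belongs on the release checklist.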
diff --git a/openpower/configs/linux/skiroot_defconfig b/openpower/configs/linux/skiroot_defconfig
index 44309e1..a555adb 100644
--- a/openpower/configs/linux/skiroot_defconfig
+++ b/openpower/configs/linux/skiroot_defconfig
@@ -216,7 +216,7 @@
CONFIG_I2C_CHARDEV=y
# CONFIG_I2C_HELPER_AUTO is not set
CONFIG_I2C_ALGOBIT=y
-CONFIG_I2C_OPAL=m
+CONFIG_I2C_OPAL=y
CONFIG_PPS=y
CONFIG_SENSORS_IBMPOWERNV=m
CONFIG_DRM=m
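Review bot: this is the change that actually affects the kernel op-build compiles, since BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE points at this op-build copy of skiroot_defconfig rather than at the in-tree copy touched by the new 0018 patch; the two copies must therefore stay identical, and the commit message should say so. The switch from `CONFIG_I2C_OPAL=m` to `CONFIG_I2C_OPAL=y` is an integrity fix rather than a convenience: with the driver as a module the TPM comes up after IMA has started, IMA enters TPM bypass mode, and measurements land in the measurement list without extending any PCR, so the list can no longer be attested from skiroot or the host OS. The ima-evm-utils test cited in the 0018 patch (walk the measurement list, recompute the expected PCRs, compare against the physical TPM) is the right acceptance check for this hunk and should be recorded as the test plan.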
diff --git a/openpower/configs/mihawk_defconfig b/openpower/configs/mihawk_defconfig
index 1c162b4..f32047c 100644
--- a/openpower/configs/mihawk_defconfig
+++ b/openpower/configs/mihawk_defconfig
@@ -18,7 +18,7 @@
BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.48"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.68"
BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/nicole_defconfig b/openpower/configs/nicole_defconfig
index 250f5e6..df35e23 100644
--- a/openpower/configs/nicole_defconfig
+++ b/openpower/configs/nicole_defconfig
@@ -16,7 +16,7 @@
BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.48"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.68"
BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/opal_defconfig b/openpower/configs/opal_defconfig
index 9a74eb4..3fa62fb 100644
--- a/openpower/configs/opal_defconfig
+++ b/openpower/configs/opal_defconfig
@@ -13,7 +13,7 @@
BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.48"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.68"
BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/p9dsu_defconfig b/openpower/configs/p9dsu_defconfig
index 370c3f5..019e478 100644
--- a/openpower/configs/p9dsu_defconfig
+++ b/openpower/configs/p9dsu_defconfig
@@ -17,7 +17,7 @@
BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.48"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.68"
BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/romulus_defconfig b/openpower/configs/romulus_defconfig
index 7fca1b9..5813901 100644
--- a/openpower/configs/romulus_defconfig
+++ b/openpower/configs/romulus_defconfig
@@ -17,7 +17,7 @@
BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.48"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.68"
BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/swift_defconfig b/openpower/configs/swift_defconfig
index 415f487..9f42a7f 100644
--- a/openpower/configs/swift_defconfig
+++ b/openpower/configs/swift_defconfig
@@ -17,7 +17,7 @@
BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.48"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.68"
BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/witherspoon_defconfig b/openpower/configs/witherspoon_defconfig
index 94b215b..55f9e94 100644
--- a/openpower/configs/witherspoon_defconfig
+++ b/openpower/configs/witherspoon_defconfig
@@ -17,7 +17,7 @@
BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.48"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.68"
BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/zaius_defconfig b/openpower/configs/zaius_defconfig
index ce22163..2d9170c 100644
--- a/openpower/configs/zaius_defconfig
+++ b/openpower/configs/zaius_defconfig
@@ -17,7 +17,7 @@
BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.48"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.68"
BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/configs/zz_defconfig b/openpower/configs/zz_defconfig
index 53e399d..3195c7e 100644
--- a/openpower/configs/zz_defconfig
+++ b/openpower/configs/zz_defconfig
@@ -15,7 +15,7 @@
BR2_ROOTFS_POST_BUILD_SCRIPT="../openpower/scripts/fixup-target-var ../openpower/scripts/firmware-whitelist"
BR2_LINUX_KERNEL=y
BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.48"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.4.68"
BR2_LINUX_KERNEL_PATCH="$(BR2_EXTERNAL_OP_BUILD_PATH)/linux"
BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_OP_BUILD_PATH)/configs/linux/skiroot_defconfig"
diff --git a/openpower/linux/0001-xhci-Reset-controller-on-xhci-shutdown.patch b/openpower/linux/0001-xhci-Reset-controller-on-xhci-shutdown.patch
index dc4afac..bb1f1b4 100644
--- a/openpower/linux/0001-xhci-Reset-controller-on-xhci-shutdown.patch
+++ b/openpower/linux/0001-xhci-Reset-controller-on-xhci-shutdown.patch
@@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Brian King <brking@linux.vnet.ibm.com>
Date: Wed, 25 Oct 2017 10:42:59 +1100
-Subject: [PATCH 01/18] xhci: Reset controller on xhci shutdown
+Subject: [PATCH 01/19] xhci: Reset controller on xhci shutdown
Fixes kexec boot. Without a hard reset, some USB chips will fail to
initialize in a kexec booted kernel.
@@ -14,7 +14,7 @@
1 file changed, 3 insertions(+)
diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
-index 81b54a3d2910..b0f66b42a16a 100644
+index bad154f446f8..19a9bde309a6 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -789,6 +789,9 @@ void xhci_shutdown(struct usb_hcd *hcd)
diff --git a/openpower/linux/0002-powerpc-Detect-the-secure-boot-mode-of-the-system.patch b/openpower/linux/0002-powerpc-Detect-the-secure-boot-mode-of-the-system.patch
index 2cdc87a..2d6f5a5 100644
--- a/openpower/linux/0002-powerpc-Detect-the-secure-boot-mode-of-the-system.patch
+++ b/openpower/linux/0002-powerpc-Detect-the-secure-boot-mode-of-the-system.patch
@@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nayna Jain <nayna@linux.ibm.com>
Date: Tue, 5 Nov 2019 17:00:22 -0600
-Subject: [PATCH 02/18] powerpc: Detect the secure boot mode of the system
+Subject: [PATCH 02/19] powerpc: Detect the secure boot mode of the system
This patch defines a function to detect the secure boot state of a
PowerNV system.
@@ -26,10 +26,10 @@
create mode 100644 arch/powerpc/kernel/secure_boot.c
diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
-index 44431dc06982..bdf584b85199 100644
+index ad620637cbd1..d654bdc9e4dc 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
-@@ -934,6 +934,16 @@ config PPC_MEM_KEYS
+@@ -935,6 +935,16 @@ config PPC_MEM_KEYS
If unsure, say y.
diff --git a/openpower/linux/0003-powerpc-ima-Add-support-to-initialize-ima-policy-rul.patch b/openpower/linux/0003-powerpc-ima-Add-support-to-initialize-ima-policy-rul.patch
index 859a596..eef8e16 100644
--- a/openpower/linux/0003-powerpc-ima-Add-support-to-initialize-ima-policy-rul.patch
+++ b/openpower/linux/0003-powerpc-ima-Add-support-to-initialize-ima-policy-rul.patch
@@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nayna Jain <nayna@linux.ibm.com>
Date: Wed, 30 Oct 2019 23:31:27 -0400
-Subject: [PATCH 03/18] powerpc/ima: Add support to initialize ima policy rules
+Subject: [PATCH 03/19] powerpc/ima: Add support to initialize ima policy rules
PowerNV systems use a Linux-based bootloader, which rely on the IMA
subsystem to enforce different secure boot modes. Since the
@@ -29,10 +29,10 @@
create mode 100644 arch/powerpc/kernel/ima_arch.c
diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
-index bdf584b85199..eea6c358b86c 100644
+index d654bdc9e4dc..32ce6c0b43f1 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
-@@ -938,6 +938,7 @@ config PPC_SECURE_BOOT
+@@ -939,6 +939,7 @@ config PPC_SECURE_BOOT
prompt "Enable secure boot support"
bool
depends on PPC_POWERNV
diff --git a/openpower/linux/0004-powerpc-Detect-the-trusted-boot-state-of-the-system.patch b/openpower/linux/0004-powerpc-Detect-the-trusted-boot-state-of-the-system.patch
index 844371d..e2c2c78 100644
--- a/openpower/linux/0004-powerpc-Detect-the-trusted-boot-state-of-the-system.patch
+++ b/openpower/linux/0004-powerpc-Detect-the-trusted-boot-state-of-the-system.patch
@@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nayna Jain <nayna@linux.ibm.com>
Date: Tue, 5 Nov 2019 17:02:07 -0600
-Subject: [PATCH 04/18] powerpc: Detect the trusted boot state of the system
+Subject: [PATCH 04/19] powerpc: Detect the trusted boot state of the system
While secure boot permits only properly verified signed kernels to be
booted, trusted boot calculates the file hash of the kernel image and
diff --git a/openpower/linux/0005-powerpc-ima-Define-trusted-boot-policy.patch b/openpower/linux/0005-powerpc-ima-Define-trusted-boot-policy.patch
index 76b1212..fcd871c 100644
--- a/openpower/linux/0005-powerpc-ima-Define-trusted-boot-policy.patch
+++ b/openpower/linux/0005-powerpc-ima-Define-trusted-boot-policy.patch
@@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nayna Jain <nayna@linux.ibm.com>
Date: Wed, 30 Oct 2019 23:31:29 -0400
-Subject: [PATCH 05/18] powerpc/ima: Define trusted boot policy
+Subject: [PATCH 05/19] powerpc/ima: Define trusted boot policy
This patch defines an arch-specific trusted boot only policy and a
combined secure and trusted boot policy.
diff --git a/openpower/linux/0006-ima-Make-process_buffer_measurement-generic.patch b/openpower/linux/0006-ima-Make-process_buffer_measurement-generic.patch
index 3d9ccc4..7fd748f 100644
--- a/openpower/linux/0006-ima-Make-process_buffer_measurement-generic.patch
+++ b/openpower/linux/0006-ima-Make-process_buffer_measurement-generic.patch
@@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nayna Jain <nayna@linux.ibm.com>
Date: Wed, 30 Oct 2019 23:31:30 -0400
-Subject: [PATCH 06/18] ima: Make process_buffer_measurement() generic
+Subject: [PATCH 06/19] ima: Make process_buffer_measurement() generic
process_buffer_measurement() is limited to measuring the kexec boot
command line. This patch makes process_buffer_measurement() more
@@ -27,7 +27,7 @@
2 files changed, 43 insertions(+), 18 deletions(-)
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
-index be469fce19e1..ae124d3a4a4a 100644
+index 8173982e00ab..04800f7f2351 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -219,6 +219,9 @@ void ima_store_measurement(struct integrity_iint_cache *iint, struct file *file,
diff --git a/openpower/linux/0007-certs-Add-wrapper-function-to-check-blacklisted-bina.patch b/openpower/linux/0007-certs-Add-wrapper-function-to-check-blacklisted-bina.patch
index c42014f..e33fc06 100644
--- a/openpower/linux/0007-certs-Add-wrapper-function-to-check-blacklisted-bina.patch
+++ b/openpower/linux/0007-certs-Add-wrapper-function-to-check-blacklisted-bina.patch
@@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nayna Jain <nayna@linux.ibm.com>
Date: Wed, 30 Oct 2019 23:31:31 -0400
-Subject: [PATCH 07/18] certs: Add wrapper function to check blacklisted binary
+Subject: [PATCH 07/19] certs: Add wrapper function to check blacklisted binary
hash
The -EKEYREJECTED error returned by existing is_hash_blacklisted() is
diff --git a/openpower/linux/0008-ima-Check-against-blacklisted-hashes-for-files-with-.patch b/openpower/linux/0008-ima-Check-against-blacklisted-hashes-for-files-with-.patch
index 1281b84..7d18cc7 100644
--- a/openpower/linux/0008-ima-Check-against-blacklisted-hashes-for-files-with-.patch
+++ b/openpower/linux/0008-ima-Check-against-blacklisted-hashes-for-files-with-.patch
@@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nayna Jain <nayna@linux.ibm.com>
Date: Wed, 30 Oct 2019 23:31:32 -0400
-Subject: [PATCH 08/18] ima: Check against blacklisted hashes for files with
+Subject: [PATCH 08/19] ima: Check against blacklisted hashes for files with
modsig
Asymmetric private keys are used to sign multiple files. The kernel
@@ -104,7 +104,7 @@
(eg, ima-ng). Only valid when action is "measure".
pcr:= decimal value
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
-index ae124d3a4a4a..c508a65c3fdd 100644
+index 04800f7f2351..7d855f2c80fa 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -258,6 +258,8 @@ int ima_policy_show(struct seq_file *m, void *v);
@@ -130,7 +130,7 @@
struct integrity_iint_cache *iint,
struct file *file,
diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c
-index 136ae4e0ee92..300c8d2943c5 100644
+index 23b04c6521b2..176249e4a7ac 100644
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -12,6 +12,7 @@
@@ -141,7 +141,7 @@
#include "ima.h"
-@@ -303,6 +304,38 @@ static int modsig_verify(enum ima_hooks func, const struct modsig *modsig,
+@@ -309,6 +310,38 @@ static int modsig_verify(enum ima_hooks func, const struct modsig *modsig,
return rc;
}
@@ -204,7 +204,7 @@
rc = mmap_violation_check(func, file, &pathbuf,
&pathname, filename);
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
-index 558a7607bf93..24d8aa2cc8ed 100644
+index e725d4187271..42f0970b3054 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -769,8 +769,8 @@ enum {
diff --git a/openpower/linux/0009-powerpc-ima-Update-ima-arch-policy-to-check-for-blac.patch b/openpower/linux/0009-powerpc-ima-Update-ima-arch-policy-to-check-for-blac.patch
index 9dddd30..921a675 100644
--- a/openpower/linux/0009-powerpc-ima-Update-ima-arch-policy-to-check-for-blac.patch
+++ b/openpower/linux/0009-powerpc-ima-Update-ima-arch-policy-to-check-for-blac.patch
@@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nayna Jain <nayna@linux.ibm.com>
Date: Wed, 30 Oct 2019 23:31:33 -0400
-Subject: [PATCH 09/18] powerpc/ima: Update ima arch policy to check for
+Subject: [PATCH 09/19] powerpc/ima: Update ima arch policy to check for
blacklist
This patch updates the arch-specific policies for PowerNV system to
diff --git a/openpower/linux/0010-powerpc-powernv-Add-OPAL-API-interface-to-access-sec.patch b/openpower/linux/0010-powerpc-powernv-Add-OPAL-API-interface-to-access-sec.patch
index b718d9f..8875930 100644
--- a/openpower/linux/0010-powerpc-powernv-Add-OPAL-API-interface-to-access-sec.patch
+++ b/openpower/linux/0010-powerpc-powernv-Add-OPAL-API-interface-to-access-sec.patch
@@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nayna Jain <nayna@linux.ibm.com>
Date: Sun, 10 Nov 2019 21:10:33 -0600
-Subject: [PATCH 10/18] powerpc/powernv: Add OPAL API interface to access
+Subject: [PATCH 10/19] powerpc/powernv: Add OPAL API interface to access
secure variable
The X.509 certificates trusted by the platform and required to secure
diff --git a/openpower/linux/0011-powerpc-expose-secure-variables-to-userspace-via-sys.patch b/openpower/linux/0011-powerpc-expose-secure-variables-to-userspace-via-sys.patch
index 96f77a7..518b9c3 100644
--- a/openpower/linux/0011-powerpc-expose-secure-variables-to-userspace-via-sys.patch
+++ b/openpower/linux/0011-powerpc-expose-secure-variables-to-userspace-via-sys.patch
@@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nayna Jain <nayna@linux.ibm.com>
Date: Sun, 10 Nov 2019 21:10:34 -0600
-Subject: [PATCH 11/18] powerpc: expose secure variables to userspace via sysfs
+Subject: [PATCH 11/19] powerpc: expose secure variables to userspace via sysfs
PowerNV secure variables, which store the keys used for OS kernel
verification, are managed by the firmware. These secure variables need to
@@ -80,10 +80,10 @@
+ variable. The size of the file represents the maximum size of
+ the variable data that can be written.
diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
-index eea6c358b86c..785019462953 100644
+index 32ce6c0b43f1..cc6cdf821604 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
-@@ -945,6 +945,17 @@ config PPC_SECURE_BOOT
+@@ -946,6 +946,17 @@ config PPC_SECURE_BOOT
to enable OS secure boot on systems that have firmware support for
it. If in doubt say N.
diff --git a/openpower/linux/0012-x86-efi-move-common-keyring-handler-functions-to-new.patch b/openpower/linux/0012-x86-efi-move-common-keyring-handler-functions-to-new.patch
index e92a6e3..e0b01c9 100644
--- a/openpower/linux/0012-x86-efi-move-common-keyring-handler-functions-to-new.patch
+++ b/openpower/linux/0012-x86-efi-move-common-keyring-handler-functions-to-new.patch
@@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nayna Jain <nayna@linux.ibm.com>
Date: Sun, 10 Nov 2019 21:10:35 -0600
-Subject: [PATCH 12/18] x86/efi: move common keyring handler functions to new
+Subject: [PATCH 12/19] x86/efi: move common keyring handler functions to new
file
The handlers to add the keys to the .platform keyring and blacklisted
diff --git a/openpower/linux/0013-powerpc-Load-firmware-trusted-keys-hashes-into-kerne.patch b/openpower/linux/0013-powerpc-Load-firmware-trusted-keys-hashes-into-kerne.patch
index 9b6b06e..83a0346 100644
--- a/openpower/linux/0013-powerpc-Load-firmware-trusted-keys-hashes-into-kerne.patch
+++ b/openpower/linux/0013-powerpc-Load-firmware-trusted-keys-hashes-into-kerne.patch
@@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nayna Jain <nayna@linux.ibm.com>
Date: Sun, 10 Nov 2019 21:10:36 -0600
-Subject: [PATCH 13/18] powerpc: Load firmware trusted keys/hashes into kernel
+Subject: [PATCH 13/19] powerpc: Load firmware trusted keys/hashes into kernel
keyring
The keys used to verify the Host OS kernel are managed by firmware as
diff --git a/openpower/linux/0014-powerpc-xmon-Allow-listing-and-clearing-breakpoints-.patch b/openpower/linux/0014-powerpc-xmon-Allow-listing-and-clearing-breakpoints-.patch
index c04e5fb..5559a8a 100644
--- a/openpower/linux/0014-powerpc-xmon-Allow-listing-and-clearing-breakpoints-.patch
+++ b/openpower/linux/0014-powerpc-xmon-Allow-listing-and-clearing-breakpoints-.patch
@@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: "Christopher M. Riedl" <cmr@informatik.wtf>
Date: Sat, 7 Sep 2019 01:11:23 -0500
-Subject: [PATCH 14/18] powerpc/xmon: Allow listing and clearing breakpoints in
+Subject: [PATCH 14/19] powerpc/xmon: Allow listing and clearing breakpoints in
read-only mode
Read-only mode should not prevent listing and clearing any active
diff --git a/openpower/linux/0015-powerpc-ima-Indicate-kernel-modules-appended-signatu.patch b/openpower/linux/0015-powerpc-ima-Indicate-kernel-modules-appended-signatu.patch
index b2ffe5c..69f5314 100644
--- a/openpower/linux/0015-powerpc-ima-Indicate-kernel-modules-appended-signatu.patch
+++ b/openpower/linux/0015-powerpc-ima-Indicate-kernel-modules-appended-signatu.patch
@@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Mimi Zohar <zohar@linux.ibm.com>
Date: Wed, 30 Oct 2019 23:31:34 -0400
-Subject: [PATCH 15/18] powerpc/ima: Indicate kernel modules appended
+Subject: [PATCH 15/19] powerpc/ima: Indicate kernel modules appended
signatures are enforced
The arch specific kernel module policy rule requires kernel modules to
diff --git a/openpower/linux/0016-powerpc-ima-Fix-secure-boot-rules-in-ima-arch-policy.patch b/openpower/linux/0016-powerpc-ima-Fix-secure-boot-rules-in-ima-arch-policy.patch
index 6875b14..1ba2c2f 100644
--- a/openpower/linux/0016-powerpc-ima-Fix-secure-boot-rules-in-ima-arch-policy.patch
+++ b/openpower/linux/0016-powerpc-ima-Fix-secure-boot-rules-in-ima-arch-policy.patch
@@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Nayna Jain <nayna@linux.ibm.com>
Date: Fri, 1 May 2020 10:16:52 -0400
-Subject: [PATCH 16/18] powerpc/ima: Fix secure boot rules in ima arch policy
+Subject: [PATCH 16/19] powerpc/ima: Fix secure boot rules in ima arch policy
To prevent verifying the kernel module appended signature
twice (finit_module), once by the module_sig_check() and again by IMA,
diff --git a/openpower/linux/0017-powerpc-configs-Update-to-upstream-and-enable-secure.patch b/openpower/linux/0017-powerpc-configs-Update-to-upstream-and-enable-secure.patch
index 881253c..3fbe01a 100644
--- a/openpower/linux/0017-powerpc-configs-Update-to-upstream-and-enable-secure.patch
+++ b/openpower/linux/0017-powerpc-configs-Update-to-upstream-and-enable-secure.patch
@@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Joel Stanley <joel@jms.id.au>
Date: Tue, 23 Jun 2020 16:22:10 +0930
-Subject: [PATCH 17/18] powerpc/configs: Update to upstream and enable
+Subject: [PATCH 17/19] powerpc/configs: Update to upstream and enable
secureboot
Pulls in the following updates from upstream:
@@ -23,11 +23,11 @@
Signed-off-by: Joel Stanley <joel@jms.id.au>
---
- arch/powerpc/configs/skiroot_defconfig | 84 ++++++++++++++++----------
- 1 file changed, 53 insertions(+), 31 deletions(-)
+ arch/powerpc/configs/skiroot_defconfig | 83 ++++++++++++++++----------
+ 1 file changed, 53 insertions(+), 30 deletions(-)
diff --git a/arch/powerpc/configs/skiroot_defconfig b/arch/powerpc/configs/skiroot_defconfig
-index 1253482a67c0..44309e12d84a 100644
+index 2e25b264f70f..44309e12d84a 100644
--- a/arch/powerpc/configs/skiroot_defconfig
+++ b/arch/powerpc/configs/skiroot_defconfig
@@ -1,13 +1,9 @@
@@ -111,15 +111,7 @@
CONFIG_DNS_RESOLVER=y
# CONFIG_WIRELESS is not set
CONFIG_DEVTMPFS=y
-@@ -83,7 +85,6 @@ CONFIG_EEPROM_AT24=m
- # CONFIG_OCXL is not set
- CONFIG_BLK_DEV_SD=m
- CONFIG_BLK_DEV_SR=m
--CONFIG_BLK_DEV_SR_VENDOR=y
- CONFIG_CHR_DEV_SG=m
- CONFIG_SCSI_CONSTANTS=y
- CONFIG_SCSI_SCAN_ASYNC=y
-@@ -140,7 +141,6 @@ CONFIG_TIGON3=m
+@@ -139,7 +141,6 @@ CONFIG_TIGON3=m
CONFIG_BNX2X=m
# CONFIG_NET_VENDOR_BROCADE is not set
# CONFIG_NET_VENDOR_CADENCE is not set
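Review bot: dropping the `-CONFIG_BLK_DEV_SR_VENDOR=y` removal from the carried 0017 patch is correct and deserves a sentence in the commit message: the 5.4.68 base has already removed that symbol ("scsi: sr: remove references to BLK_DEV_SR_VENDOR, leave it enabled" in the fix list above), which is also why the diffstat in the previous hunk moved from 84 lines / 31 deletions to 83 lines / 30 deletions; the remaining hunks in this file are line-number shifts only. A hunk that vanishes during a rebase because upstream absorbed it is the case worth double-checking by hand, so that the resulting defconfig no longer references a Kconfig symbol that does not exist in the new base.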
@@ -127,7 +119,7 @@
# CONFIG_NET_VENDOR_CAVIUM is not set
CONFIG_CHELSIO_T1=m
# CONFIG_NET_VENDOR_CISCO is not set
-@@ -149,7 +149,6 @@ CONFIG_CHELSIO_T1=m
+@@ -148,7 +149,6 @@ CONFIG_CHELSIO_T1=m
# CONFIG_NET_VENDOR_DLINK is not set
CONFIG_BE2NET=m
# CONFIG_NET_VENDOR_EZCHIP is not set
@@ -135,7 +127,7 @@
# CONFIG_NET_VENDOR_HUAWEI is not set
CONFIG_E1000=m
CONFIG_E1000E=m
-@@ -157,7 +156,6 @@ CONFIG_IGB=m
+@@ -156,7 +156,6 @@ CONFIG_IGB=m
CONFIG_IXGB=m
CONFIG_IXGBE=m
CONFIG_I40E=m
@@ -143,7 +135,7 @@
# CONFIG_NET_VENDOR_MARVELL is not set
CONFIG_MLX4_EN=m
# CONFIG_MLX4_CORE_GEN2 is not set
-@@ -168,12 +166,12 @@ CONFIG_MLX5_CORE_EN=y
+@@ -167,12 +166,12 @@ CONFIG_MLX5_CORE_EN=y
# CONFIG_NET_VENDOR_MICROSEMI is not set
CONFIG_MYRI10GE=m
# CONFIG_NET_VENDOR_NATSEMI is not set
@@ -157,7 +149,7 @@
CONFIG_NETXEN_NIC=m
CONFIG_QED=m
CONFIG_QEDE=m
-@@ -211,7 +209,6 @@ CONFIG_IPMI_DEVICE_INTERFACE=y
+@@ -210,7 +209,6 @@ CONFIG_IPMI_DEVICE_INTERFACE=y
CONFIG_IPMI_POWERNV=y
CONFIG_IPMI_WATCHDOG=y
CONFIG_HW_RANDOM=y
@@ -165,7 +157,7 @@
CONFIG_TCG_TIS_I2C_NUVOTON=y
# CONFIG_DEVPORT is not set
CONFIG_I2C=y
-@@ -240,7 +237,6 @@ CONFIG_HID_CYPRESS=y
+@@ -239,7 +237,6 @@ CONFIG_HID_CYPRESS=y
CONFIG_HID_EZKEY=y
CONFIG_HID_ITE=y
CONFIG_HID_KENSINGTON=y
@@ -173,7 +165,7 @@
CONFIG_HID_MICROSOFT=y
CONFIG_HID_MONTEREY=y
CONFIG_USB_HIDDEV=y
-@@ -277,6 +273,29 @@ CONFIG_NLS_CODEPAGE_437=y
+@@ -276,6 +273,29 @@ CONFIG_NLS_CODEPAGE_437=y
CONFIG_NLS_ASCII=y
CONFIG_NLS_ISO8859_1=y
CONFIG_NLS_UTF8=y
@@ -203,7 +195,7 @@
CONFIG_CRC16=y
CONFIG_CRC_ITU_T=y
CONFIG_LIBCRC32C=y
-@@ -287,17 +306,20 @@ CONFIG_LIBCRC32C=y
+@@ -286,17 +306,20 @@ CONFIG_LIBCRC32C=y
# CONFIG_XZ_DEC_SPARC is not set
CONFIG_PRINTK_TIME=y
CONFIG_MAGIC_SYSRQ=y
diff --git a/openpower/linux/0018-linux-configure-CONFIG_I2C_OPAL-as-in-built.patch b/openpower/linux/0018-linux-configure-CONFIG_I2C_OPAL-as-in-built.patch
new file mode 100644
index 0000000..b679564
--- /dev/null
+++ b/openpower/linux/0018-linux-configure-CONFIG_I2C_OPAL-as-in-built.patch
@@ -0,0 +1,56 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Joel Stanley <joel@jms.id.au>
+Date: Tue, 29 Sep 2020 16:07:53 +0930
+Subject: [PATCH 18/19] linux: configure CONFIG_I2C_OPAL as in-built.
+
+Currently, skiroot_defconfig CONFIG_I2C_OPAL is built as a loadable
+module rather than builtin, even if CONFIG_I2C=y is defined. This
+results in a delay in the TPM initialization, causing IMA to go into
+TPM bypass mode. As a result, the IMA measurements are added to the
+measurement list, but do not extend the TPM. Because of this, it is
+impossible to verify or attest to the system's integrity, either from
+skiroot or the target Host OS.
+
+Mimi Zohar <zohar@linux.ibm.com> explains more:
+
+ The concept of trusted boot requires the measurement to be added to the
+ measurement list and extend the TPM, prior to allowing access to the
+ file. By allowing access to a file before its measurement is included
+ in the measurement list and extended into the TPM PCR, a malicious file
+ could potentially prevent its own measurement from being added. As the
+ PCRs are tamper proof, measuring and extending the TPM prior to giving
+ access to the file, guarantees that all file measurements are included
+ in the measurement list, including the malicious file.
+
+ IMA needs to be enabled before any files are accessed in order to
+ verify a file's integrity and extend the TPM with the file
+ measurement. Queueing file measurements breaks the measure and extend,
+ before usage, trusted boot paradigm.
+
+ The ima-evm-utils package includes a test for walking the IMA
+ measurement list, calculating the expected TPM PCRs, and comparing the
+ calculated PCR values with the physical TPM. Testing is important to
+ ensure the TPM is initialized prior to IMA. Failure to validate the
+ IMA measurement list may indicate IMA went into TPM bypass mode, like
+ in this case.
+
+Reported-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+---
+ arch/powerpc/configs/skiroot_defconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/configs/skiroot_defconfig b/arch/powerpc/configs/skiroot_defconfig
+index 44309e12d84a..a555adb23591 100644
+--- a/arch/powerpc/configs/skiroot_defconfig
++++ b/arch/powerpc/configs/skiroot_defconfig
+@@ -216,7 +216,7 @@ CONFIG_I2C=y
+ CONFIG_I2C_CHARDEV=y
+ # CONFIG_I2C_HELPER_AUTO is not set
+ CONFIG_I2C_ALGOBIT=y
+-CONFIG_I2C_OPAL=m
++CONFIG_I2C_OPAL=y
+ CONFIG_PPS=y
+ CONFIG_SENSORS_IBMPOWERNV=m
+ CONFIG_DRM=m
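Review bot: on its own this patch does not change the kernel that op-build builds, because the build is configured from the op-build copy at openpower/configs/linux/skiroot_defconfig (BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE) rather than from the in-tree arch/powerpc/configs/skiroot_defconfig modified here; this commit does make the matching change to the op-build copy, but the dependency should be noted in the patch description so that the next sync of skiroot_defconfig from upstream does not quietly turn the driver back into a module. Minor: the Subject line ends with a trailing period, which none of the other carried patches use. The rationale itself is the important part and is well stated: a TPM that probes after IMA leaves a measurement list that no PCR backs, which defeats the measure-then-extend-then-access property trusted boot exists to provide, so the ima-evm-utils PCR validation described in the body is worth running in skiroot CI to catch a regression of this kind.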
diff --git a/openpower/linux/0018-Release-OpenPower-kernel.patch b/openpower/linux/0019-Release-OpenPower-kernel.patch
similarity index 75%
rename from openpower/linux/0018-Release-OpenPower-kernel.patch
rename to openpower/linux/0019-Release-OpenPower-kernel.patch
index f738c01..46af0ec 100644
--- a/openpower/linux/0018-Release-OpenPower-kernel.patch
+++ b/openpower/linux/0019-Release-OpenPower-kernel.patch
@@ -1,7 +1,7 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Joel Stanley <joel@jms.id.au>
-Date: Tue, 16 Jul 2019 11:40:02 +0930
-Subject: [PATCH 18/18] Release OpenPower kernel
+Date: Tue, 29 Sep 2020 15:39:53 +0930
+Subject: [PATCH 19/19] Release OpenPower kernel
Signed-off-by: Joel Stanley <joel@jms.id.au>
---
@@ -9,13 +9,13 @@
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
-index fee4101b5d22..a7fb637de10c 100644
+index acb2499d9b05..6f2e1028c57b 100644
--- a/Makefile
+++ b/Makefile
@@ -2,7 +2,7 @@
VERSION = 5
PATCHLEVEL = 4
- SUBLEVEL = 48
+ SUBLEVEL = 68
-EXTRAVERSION =
+EXTRAVERSION = -openpower1
NAME = Kleptomaniac Octopus