kernel: Move to Linux v5.4.68-openpower1

This changes the defconfig to make OPAL_I2C=y, so IMA can work
correctly. See the mailing list[1] or the commit message for the
details.

PowerPC related fixes since 5.4.48:
powerpc/dma: Fix dma_map_ops::get_required_mask
powerpc/book3s64/radix: Fix boot failure with large amount of guest memory
vgacon: remove software scrollback support
powerpc/perf: Fix crashes with generic_compat_pmu & BHRB
powerpc/perf: Fix soft lockups due to missed interrupt accounting
powerpc/spufs: add CONFIG_COREDUMP dependency
powerpc/xive: Ignore kmemleak false positives
powerpc/64s: Don't init FSCR_DSCR in __init_FSCR()
powerpc: Fix circular dependency between percpu.h and mmu.h
powerpc: Allow 4224 bytes of stack expansion for the signal frame
powerpc/ptdump: Fix build failure in hashpagetable.c
powerpc/boot: Fix CONFIG_PPC_MPC52XX references
powerpc/perf: Fix missing is_sier_aviable() during build
powerpc/book3s64/pkeys: Use PVR check instead of cpu feature
powerpc/vdso: Fix vdso cpu truncation
powerpc/rtas: don't online CPUs for partition suspend
Revert "powerpc/kasan: Fix shadow pages allocation failure"
powerpc/pseries/svm: Fix incorrect check for shared_lppaca_size
powerpc/book3s64/pkeys: Fix pkey_access_permitted() for execute disable pkey
scsi: sr: remove references to BLK_DEV_SR_VENDOR, leave it enabled
powerpc: Fix kernel crash in show_instructions() w/DEBUG_VIRTUAL
powerpc/64s/pgtable: fix an undefined behaviour
powerpc/64s/exception: Fix machine check no-loss idle wakeup
powerpc/64: Don't initialise init_task->thread.regs
powerpc/crashkernel: Take "mem=" option into account
powerpc/perf/hv-24x7: Fix inconsistent output values incase multiple hv-24x7 events run
powerpc/ptdump: Add _PAGE_COHERENT flag
powerpc/kasan: Fix stack overflow by increasing THREAD_SHIFT

[1] https://lists.ozlabs.org/pipermail/openpower-firmware/2020-September/000547.html

Signed-off-by: Joel Stanley <joel@jms.id.au>
diff --git a/openpower/linux/0018-linux-configure-CONFIG_I2C_OPAL-as-in-built.patch b/openpower/linux/0018-linux-configure-CONFIG_I2C_OPAL-as-in-built.patch
new file mode 100644
index 0000000..b679564
--- /dev/null
+++ b/openpower/linux/0018-linux-configure-CONFIG_I2C_OPAL-as-in-built.patch
@@ -0,0 +1,56 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Joel Stanley <joel@jms.id.au>
+Date: Tue, 29 Sep 2020 16:07:53 +0930
+Subject: [PATCH 18/19] linux: configure CONFIG_I2C_OPAL as in-built.
+
+Currently, skiroot_defconfig CONFIG_I2C_OPAL is built as a loadable
+module rather than builtin, even if CONFIG_I2C=y is defined. This
+results in a delay in the TPM initialization, causing IMA to go into
+TPM bypass mode. As a result, the IMA measurements are added to the
+measurement list, but do not extend the TPM. Because of this, it is
+impossible to verify or attest to the system's integrity, either from
+skiroot or the target Host OS.
+
+Mimi Zohar <zohar@linux.ibm.com> explains more:
+
+ The concept of trusted boot requires the measurement to be added to the
+ measurement list and extend the TPM, prior to allowing access to the
+ file. By allowing access to a file before its measurement is included
+ in the measurement list and extended into the TPM PCR, a malicious file
+ could potentially prevent its own measurement from being added. As the
+ PCRs are tamper proof, measuring and extending the TPM prior to giving
+ access to the file, guarantees that all file measurements are included
+ in the measurement list, including the malicious file.
+
+ IMA needs to be enabled before any files are accessed in order to
+ verify a file's integrity and extend the TPM with the file
+ measurement. Queueing file measurements breaks the measure and extend,
+ before usage, trusted boot paradigm.
+
+ The ima-evm-utils package includes a test for walking the IMA
+ measurement list, calculating the expected TPM PCRs, and comparing the
+ calculated PCR values with the physical TPM. Testing is important to
+ ensure the TPM is initialized prior to IMA. Failure to validate the
+ IMA measurement list may indicate IMA went into TPM bypass mode, like
+ in this case.
+
+Reported-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+---
+ arch/powerpc/configs/skiroot_defconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/configs/skiroot_defconfig b/arch/powerpc/configs/skiroot_defconfig
+index 44309e12d84a..a555adb23591 100644
+--- a/arch/powerpc/configs/skiroot_defconfig
++++ b/arch/powerpc/configs/skiroot_defconfig
+@@ -216,7 +216,7 @@ CONFIG_I2C=y
+ CONFIG_I2C_CHARDEV=y
+ # CONFIG_I2C_HELPER_AUTO is not set
+ CONFIG_I2C_ALGOBIT=y
+-CONFIG_I2C_OPAL=m
++CONFIG_I2C_OPAL=y
+ CONFIG_PPS=y
+ CONFIG_SENSORS_IBMPOWERNV=m
+ CONFIG_DRM=m
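Review bot: At `+CONFIG_I2C_OPAL=y` in the embedded skiroot_defconfig hunk, nothing guards against this regressing, and the failure it fixes is silent: per the patch description, IMA in TPM bypass mode still appends to the measurement list and only skips the PCR extend, so a later defconfig refresh that flips the option back to `=m` would boot normally and go unnoticed. Consider adding a build-time check that fails when `CONFIG_I2C_OPAL` is not `=y` in the generated skiroot config, or wiring the ima-evm-utils measurement-list versus PCR comparison mentioned in the description into boot testing. The context lines shown here also do not include the TPM driver options, so it would help to state in the description that the TPM driver itself is already built in; otherwise making only the I2C bus driver built-in does not guarantee the TPM is ready before IMA initializes.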