Joel Stanleya1fccbf2020-06-23 17:25:56 +09301From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2From: Joel Stanley <joel@jms.id.au>
3Date: Tue, 23 Jun 2020 16:22:10 +0930
4Subject: [PATCH 17/18] powerpc/configs: Update to upstream and enable
5 secureboot
6
7Pulls in the following updates from upstream:
8
9 scsi: sr: remove references to BLK_DEV_SR_VENDOR, leave it enabled
10 powerpc/configs/skiroot: Enable some more hardening options
11 powerpc/configs/skiroot: Disable xmon default & enable reboot on panic
12 powerpc/configs/skiroot: Enable security features
13 powerpc/configs/skiroot: Update for symbol movement only
14 powerpc/configs/skiroot: Drop default n CONFIG_CRYPTO_ECHAINIV
15 powerpc/configs/skiroot: Drop HID_LOGITECH
16 powerpc/configs: Drop NET_VENDOR_HP which moved to staging
17 powerpc/configs: NET_CADENCE became NET_VENDOR_CADENCE
18 powerpc/configs: Drop CONFIG_QLGE which moved to staging
19 powerpc/configs: remove obsolete CONFIG_INET_XFRM_MODE_* and CONFIG_INET6_XFRM_MODE_*
20 powerpc/configs: add FADump awareness to skiroot_defconfig
21
22In addition, it enables IMA and secureboot options.
23
24Signed-off-by: Joel Stanley <joel@jms.id.au>
25---
26 arch/powerpc/configs/skiroot_defconfig | 84 ++++++++++++++++----------
27 1 file changed, 53 insertions(+), 31 deletions(-)
28
29diff --git a/arch/powerpc/configs/skiroot_defconfig b/arch/powerpc/configs/skiroot_defconfig
30index 1253482a67c0..44309e12d84a 100644
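--- a/arch/powerpc/configs/skiroot_defconfig
+++ b/arch/powerpc/configs/skiroot_defconfig
@@ -1,13 +1,9 @@
-CONFIG_PPC64=y
-CONFIG_ALTIVEC=y
-CONFIG_VSX=y
-CONFIG_NR_CPUS=2048
-CONFIG_CPU_LITTLE_ENDIAN=y
 CONFIG_KERNEL_XZ=y
 # CONFIG_SWAP is not set
 CONFIG_SYSVIPC=y
 CONFIG_POSIX_MQUEUE=y
 # CONFIG_CROSS_MEMORY_ATTACH is not set
+CONFIG_AUDIT=y
 CONFIG_NO_HZ=y
 CONFIG_HIGH_RES_TIMERS=y
 # CONFIG_CPU_ISOLATION is not set
@@ -28,17 +24,15 @@ CONFIG_EXPERT=y
 # CONFIG_AIO is not set
 CONFIG_PERF_EVENTS=y
 # CONFIG_COMPAT_BRK is not set
+# CONFIG_SLAB_MERGE_DEFAULT is not set
+CONFIG_SLAB_FREELIST_RANDOM=y
 CONFIG_SLAB_FREELIST_HARDENED=y
-CONFIG_JUMP_LABEL=y
-CONFIG_STRICT_KERNEL_RWX=y
-CONFIG_MODULES=y
-CONFIG_MODULE_UNLOAD=y
-CONFIG_MODULE_SIG=y
-CONFIG_MODULE_SIG_FORCE=y
-CONFIG_MODULE_SIG_SHA512=y
-CONFIG_PARTITION_ADVANCED=y
-# CONFIG_MQ_IOSCHED_DEADLINE is not set
-# CONFIG_MQ_IOSCHED_KYBER is not set
+CONFIG_PPC64=y
+CONFIG_ALTIVEC=y
+CONFIG_VSX=y
+CONFIG_NR_CPUS=2048
+CONFIG_CPU_LITTLE_ENDIAN=y
+CONFIG_PANIC_TIMEOUT=30
 # CONFIG_PPC_VAS is not set
 # CONFIG_PPC_PSERIES is not set
 # CONFIG_PPC_OF_BOOT_TRAMPOLINE is not set
@@ -46,16 +40,27 @@ CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y
 CONFIG_CPU_IDLE=y
 CONFIG_HZ_100=y
 CONFIG_KEXEC=y
+CONFIG_KEXEC_FILE=y
+CONFIG_PRESERVE_FA_DUMP=y
 CONFIG_IRQ_ALL_CPUS=y
 CONFIG_NUMA=y
-# CONFIG_COMPACTION is not set
-# CONFIG_MIGRATION is not set
 CONFIG_PPC_64K_PAGES=y
 CONFIG_SCHED_SMT=y
 CONFIG_CMDLINE_BOOL=y
 CONFIG_CMDLINE="console=tty0 console=hvc0 ipr.fast_reboot=1 quiet"
 # CONFIG_SECCOMP is not set
 # CONFIG_PPC_MEM_KEYS is not set
+CONFIG_PPC_SECURE_BOOT=y
+CONFIG_JUMP_LABEL=y
+CONFIG_MODULES=y
+CONFIG_MODULE_UNLOAD=y
+CONFIG_MODULE_SIG_FORCE=y
+CONFIG_MODULE_SIG_SHA512=y
+CONFIG_PARTITION_ADVANCED=y
+# CONFIG_MQ_IOSCHED_DEADLINE is not set
+# CONFIG_MQ_IOSCHED_KYBER is not set
+# CONFIG_COMPACTION is not set
+# CONFIG_MIGRATION is not set
 CONFIG_NET=y
 CONFIG_PACKET=y
 CONFIG_UNIX=y
@@ -63,9 +68,6 @@ CONFIG_INET=y
 CONFIG_IP_MULTICAST=y
 CONFIG_NET_IPIP=y
 CONFIG_SYN_COOKIES=y
-# CONFIG_INET_XFRM_MODE_TRANSPORT is not set
-# CONFIG_INET_XFRM_MODE_TUNNEL is not set
-# CONFIG_INET_XFRM_MODE_BEET is not set
 CONFIG_DNS_RESOLVER=y
 # CONFIG_WIRELESS is not set
 CONFIG_DEVTMPFS=y
@@ -83,7 +85,6 @@ CONFIG_EEPROM_AT24=m
 # CONFIG_OCXL is not set
 CONFIG_BLK_DEV_SD=m
 CONFIG_BLK_DEV_SR=m
-CONFIG_BLK_DEV_SR_VENDOR=y
 CONFIG_CHR_DEV_SG=m
 CONFIG_SCSI_CONSTANTS=y
 CONFIG_SCSI_SCAN_ASYNC=y
@@ -140,7 +141,6 @@ CONFIG_TIGON3=m
 CONFIG_BNX2X=m
 # CONFIG_NET_VENDOR_BROCADE is not set
 # CONFIG_NET_VENDOR_CADENCE is not set
-# CONFIG_NET_CADENCE is not set
 # CONFIG_NET_VENDOR_CAVIUM is not set
 CONFIG_CHELSIO_T1=m
 # CONFIG_NET_VENDOR_CISCO is not set
@@ -149,7 +149,6 @@ CONFIG_CHELSIO_T1=m
 # CONFIG_NET_VENDOR_DLINK is not set
 CONFIG_BE2NET=m
 # CONFIG_NET_VENDOR_EZCHIP is not set
-# CONFIG_NET_VENDOR_HP is not set
 # CONFIG_NET_VENDOR_HUAWEI is not set
 CONFIG_E1000=m
 CONFIG_E1000E=m
@@ -157,7 +156,6 @@ CONFIG_IGB=m
 CONFIG_IXGB=m
 CONFIG_IXGBE=m
 CONFIG_I40E=m
-CONFIG_S2IO=m
 # CONFIG_NET_VENDOR_MARVELL is not set
 CONFIG_MLX4_EN=m
 # CONFIG_MLX4_CORE_GEN2 is not set
@@ -168,12 +166,12 @@ CONFIG_MLX5_CORE_EN=y
 # CONFIG_NET_VENDOR_MICROSEMI is not set
 CONFIG_MYRI10GE=m
 # CONFIG_NET_VENDOR_NATSEMI is not set
+CONFIG_S2IO=m
 # CONFIG_NET_VENDOR_NETRONOME is not set
 # CONFIG_NET_VENDOR_NI is not set
 # CONFIG_NET_VENDOR_NVIDIA is not set
 # CONFIG_NET_VENDOR_OKI is not set
 # CONFIG_NET_VENDOR_PACKET_ENGINES is not set
-CONFIG_QLGE=m
 CONFIG_NETXEN_NIC=m
 CONFIG_QED=m
 CONFIG_QEDE=m
@@ -211,7 +209,6 @@ CONFIG_IPMI_DEVICE_INTERFACE=y
 CONFIG_IPMI_POWERNV=y
 CONFIG_IPMI_WATCHDOG=y
 CONFIG_HW_RANDOM=y
-CONFIG_TCG_TPM=y
 CONFIG_TCG_TIS_I2C_NUVOTON=y
 # CONFIG_DEVPORT is not set
 CONFIG_I2C=y
@@ -240,7 +237,6 @@ CONFIG_HID_CYPRESS=y
 CONFIG_HID_EZKEY=y
 CONFIG_HID_ITE=y
 CONFIG_HID_KENSINGTON=y
-CONFIG_HID_LOGITECH=y
 CONFIG_HID_MICROSOFT=y
 CONFIG_HID_MONTEREY=y
 CONFIG_USB_HIDDEV=y
@@ -277,6 +273,29 @@ CONFIG_NLS_CODEPAGE_437=y
 CONFIG_NLS_ASCII=y
 CONFIG_NLS_ISO8859_1=y
 CONFIG_NLS_UTF8=y
+CONFIG_ENCRYPTED_KEYS=y
+CONFIG_SECURITY=y
+CONFIG_HARDENED_USERCOPY=y
+# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
+CONFIG_HARDENED_USERCOPY_PAGESPAN=y
+CONFIG_FORTIFY_SOURCE=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+CONFIG_INTEGRITY_PLATFORM_KEYRING=y
+CONFIG_IMA=y
+CONFIG_IMA_KEXEC=y
+CONFIG_IMA_SIG_TEMPLATE=y
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_APPRAISE=y
+CONFIG_IMA_ARCH_POLICY=y
+CONFIG_IMA_APPRAISE_MODSIG=y
+CONFIG_LSM="yama,loadpin,safesetid,integrity"
+# CONFIG_CRYPTO_HW is not set
+CONFIG_SYSTEM_BLACKLIST_KEYRING=y
 CONFIG_CRC16=y
 CONFIG_CRC_ITU_T=y
 CONFIG_LIBCRC32C=y
@@ -287,17 +306,20 @@ CONFIG_LIBCRC32C=y
 # CONFIG_XZ_DEC_SPARC is not set
 CONFIG_PRINTK_TIME=y
 CONFIG_MAGIC_SYSRQ=y
+CONFIG_SLUB_DEBUG_ON=y
 CONFIG_DEBUG_STACKOVERFLOW=y
 CONFIG_SOFTLOCKUP_DETECTOR=y
 CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y
 CONFIG_HARDLOCKUP_DETECTOR=y
 CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=y
 CONFIG_WQ_WATCHDOG=y
+CONFIG_PANIC_ON_OOPS=y
 # CONFIG_SCHED_DEBUG is not set
+CONFIG_SCHED_STACK_END_CHECK=y
+CONFIG_DEBUG_SG=y
+CONFIG_DEBUG_NOTIFIERS=y
+CONFIG_DEBUG_CREDENTIALS=y
 # CONFIG_FTRACE is not set
 # CONFIG_RUNTIME_TESTING_MENU is not set
+CONFIG_BUG_ON_DATA_CORRUPTION=y
 CONFIG_XMON=y
-CONFIG_XMON_DEFAULT=y
-CONFIG_ENCRYPTED_KEYS=y
-# CONFIG_CRYPTO_ECHAINIV is not set
-# CONFIG_CRYPTO_HW is not set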
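Review bot: In the `@@ -28,17 +24,15 @@` and `@@ -46,16 +40,27 @@` hunks, `CONFIG_STRICT_KERNEL_RWX=y` and `CONFIG_MODULE_SIG=y` are removed and never re-added, although `CONFIG_MODULE_SIG_FORCE=y` and `CONFIG_MODULE_SIG_SHA512=y` are carried across, and the commit message does not explain the omission. If this file is savedefconfig output, both are presumably still implied by a Kconfig default or a `select` (for example from the lockdown LSM option), but the patch alone cannot confirm that. Silently losing either would weaken an image that is meant to enforce secure boot. I would add a line to the description such as `STRICT_KERNEL_RWX and MODULE_SIG are dropped from the defconfig because they are now default/selected; both remain =y in the generated .config`, and check the built `.config` for both symbols before merging. The same check applies to `CONFIG_TCG_TPM=y`, removed in the `@@ -211,7 +209,6 @@` hunk while `CONFIG_IMA=y` is being enabled.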