Gitiles
Code Review Sign In
gerrit.openbmc.org / premsjha / op-build / f8dd11590ba383d05ca1c781b84d21c28ad44398 / . / openpower / linux / 0017-powerpc-configs-Update-to-upstream-and-enable-secure.patch
blob: 3fbe01aedb2634d4b5c07721feba9b2967a69111 [file] [log] [blame]
Joel Stanleya1fccbf2020-06-23 17:25:56 +0930[diff] [blame]1From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2From: Joel Stanley <joel@jms.id.au>
3Date: Tue, 23 Jun 2020 16:22:10 +0930
Joel Stanleycb9bf572020-09-29 16:18:12 +0930[diff] [blame]4Subject: [PATCH 17/19] powerpc/configs: Update to upstream and enable
Joel Stanleya1fccbf2020-06-23 17:25:56 +0930[diff] [blame]5 secureboot
6
7Pulls in the following updates from upstream:
8
9 scsi: sr: remove references to BLK_DEV_SR_VENDOR, leave it enabled
10 powerpc/configs/skiroot: Enable some more hardening options
11 powerpc/configs/skiroot: Disable xmon default & enable reboot on panic
12 powerpc/configs/skiroot: Enable security features
13 powerpc/configs/skiroot: Update for symbol movement only
14 powerpc/configs/skiroot: Drop default n CONFIG_CRYPTO_ECHAINIV
15 powerpc/configs/skiroot: Drop HID_LOGITECH
16 powerpc/configs: Drop NET_VENDOR_HP which moved to staging
17 powerpc/configs: NET_CADENCE became NET_VENDOR_CADENCE
18 powerpc/configs: Drop CONFIG_QLGE which moved to staging
19 powerpc/configs: remove obsolete CONFIG_INET_XFRM_MODE_* and CONFIG_INET6_XFRM_MODE_*
20 powerpc/configs: add FADump awareness to skiroot_defconfig
21
22In addition, it enables IMA and secureboot options.
23
24Signed-off-by: Joel Stanley <joel@jms.id.au>
25---
Joel Stanleycb9bf572020-09-29 16:18:12 +0930[diff] [blame]26 arch/powerpc/configs/skiroot_defconfig | 83 ++++++++++++++++----------
27 1 file changed, 53 insertions(+), 30 deletions(-)
Joel Stanleya1fccbf2020-06-23 17:25:56 +0930[diff] [blame]28
29diff --git a/arch/powerpc/configs/skiroot_defconfig b/arch/powerpc/configs/skiroot_defconfig
Joel Stanleycb9bf572020-09-29 16:18:12 +0930[diff] [blame]30index 2e25b264f70f..44309e12d84a 100644
Joel Stanleya1fccbf2020-06-23 17:25:56 +0930[diff] [blame]31--- a/arch/powerpc/configs/skiroot_defconfig
32+++ b/arch/powerpc/configs/skiroot_defconfig
33@@ -1,13 +1,9 @@
34-CONFIG_PPC64=y
35-CONFIG_ALTIVEC=y
36-CONFIG_VSX=y
37-CONFIG_NR_CPUS=2048
38-CONFIG_CPU_LITTLE_ENDIAN=y
39 CONFIG_KERNEL_XZ=y
40 # CONFIG_SWAP is not set
41 CONFIG_SYSVIPC=y
42 CONFIG_POSIX_MQUEUE=y
43 # CONFIG_CROSS_MEMORY_ATTACH is not set
44+CONFIG_AUDIT=y
45 CONFIG_NO_HZ=y
46 CONFIG_HIGH_RES_TIMERS=y
47 # CONFIG_CPU_ISOLATION is not set
48@@ -28,17 +24,15 @@ CONFIG_EXPERT=y
49 # CONFIG_AIO is not set
50 CONFIG_PERF_EVENTS=y
51 # CONFIG_COMPAT_BRK is not set
52+# CONFIG_SLAB_MERGE_DEFAULT is not set
53+CONFIG_SLAB_FREELIST_RANDOM=y
54 CONFIG_SLAB_FREELIST_HARDENED=y
55-CONFIG_JUMP_LABEL=y
56-CONFIG_STRICT_KERNEL_RWX=y
57-CONFIG_MODULES=y
58-CONFIG_MODULE_UNLOAD=y
59-CONFIG_MODULE_SIG=y
60-CONFIG_MODULE_SIG_FORCE=y
61-CONFIG_MODULE_SIG_SHA512=y
62-CONFIG_PARTITION_ADVANCED=y
63-# CONFIG_MQ_IOSCHED_DEADLINE is not set
64-# CONFIG_MQ_IOSCHED_KYBER is not set
65+CONFIG_PPC64=y
66+CONFIG_ALTIVEC=y
67+CONFIG_VSX=y
68+CONFIG_NR_CPUS=2048
69+CONFIG_CPU_LITTLE_ENDIAN=y
70+CONFIG_PANIC_TIMEOUT=30
71 # CONFIG_PPC_VAS is not set
72 # CONFIG_PPC_PSERIES is not set
73 # CONFIG_PPC_OF_BOOT_TRAMPOLINE is not set
74@@ -46,16 +40,27 @@ CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND=y
75 CONFIG_CPU_IDLE=y
76 CONFIG_HZ_100=y
77 CONFIG_KEXEC=y
78+CONFIG_KEXEC_FILE=y
79+CONFIG_PRESERVE_FA_DUMP=y
80 CONFIG_IRQ_ALL_CPUS=y
81 CONFIG_NUMA=y
82-# CONFIG_COMPACTION is not set
83-# CONFIG_MIGRATION is not set
84 CONFIG_PPC_64K_PAGES=y
85 CONFIG_SCHED_SMT=y
86 CONFIG_CMDLINE_BOOL=y
87 CONFIG_CMDLINE="console=tty0 console=hvc0 ipr.fast_reboot=1 quiet"
88 # CONFIG_SECCOMP is not set
89 # CONFIG_PPC_MEM_KEYS is not set
90+CONFIG_PPC_SECURE_BOOT=y
91+CONFIG_JUMP_LABEL=y
92+CONFIG_MODULES=y
93+CONFIG_MODULE_UNLOAD=y
94+CONFIG_MODULE_SIG_FORCE=y
95+CONFIG_MODULE_SIG_SHA512=y
96+CONFIG_PARTITION_ADVANCED=y
97+# CONFIG_MQ_IOSCHED_DEADLINE is not set
98+# CONFIG_MQ_IOSCHED_KYBER is not set
99+# CONFIG_COMPACTION is not set
100+# CONFIG_MIGRATION is not set
101 CONFIG_NET=y
102 CONFIG_PACKET=y
103 CONFIG_UNIX=y
104@@ -63,9 +68,6 @@ CONFIG_INET=y
105 CONFIG_IP_MULTICAST=y
106 CONFIG_NET_IPIP=y
107 CONFIG_SYN_COOKIES=y
108-# CONFIG_INET_XFRM_MODE_TRANSPORT is not set
109-# CONFIG_INET_XFRM_MODE_TUNNEL is not set
110-# CONFIG_INET_XFRM_MODE_BEET is not set
111 CONFIG_DNS_RESOLVER=y
112 # CONFIG_WIRELESS is not set
113 CONFIG_DEVTMPFS=y
Joel Stanleycb9bf572020-09-29 16:18:12 +0930[diff] [blame]114@@ -139,7 +141,6 @@ CONFIG_TIGON3=m
Joel Stanleya1fccbf2020-06-23 17:25:56 +0930[diff] [blame]115 CONFIG_BNX2X=m
116 # CONFIG_NET_VENDOR_BROCADE is not set
117 # CONFIG_NET_VENDOR_CADENCE is not set
118-# CONFIG_NET_CADENCE is not set
119 # CONFIG_NET_VENDOR_CAVIUM is not set
120 CONFIG_CHELSIO_T1=m
121 # CONFIG_NET_VENDOR_CISCO is not set
Joel Stanleycb9bf572020-09-29 16:18:12 +0930[diff] [blame]122@@ -148,7 +149,6 @@ CONFIG_CHELSIO_T1=m
Joel Stanleya1fccbf2020-06-23 17:25:56 +0930[diff] [blame]123 # CONFIG_NET_VENDOR_DLINK is not set
124 CONFIG_BE2NET=m
125 # CONFIG_NET_VENDOR_EZCHIP is not set
126-# CONFIG_NET_VENDOR_HP is not set
127 # CONFIG_NET_VENDOR_HUAWEI is not set
128 CONFIG_E1000=m
129 CONFIG_E1000E=m
Joel Stanleycb9bf572020-09-29 16:18:12 +0930[diff] [blame]130@@ -156,7 +156,6 @@ CONFIG_IGB=m
Joel Stanleya1fccbf2020-06-23 17:25:56 +0930[diff] [blame]131 CONFIG_IXGB=m
132 CONFIG_IXGBE=m
133 CONFIG_I40E=m
134-CONFIG_S2IO=m
135 # CONFIG_NET_VENDOR_MARVELL is not set
136 CONFIG_MLX4_EN=m
137 # CONFIG_MLX4_CORE_GEN2 is not set
Joel Stanleycb9bf572020-09-29 16:18:12 +0930[diff] [blame]138@@ -167,12 +166,12 @@ CONFIG_MLX5_CORE_EN=y
Joel Stanleya1fccbf2020-06-23 17:25:56 +0930[diff] [blame]139 # CONFIG_NET_VENDOR_MICROSEMI is not set
140 CONFIG_MYRI10GE=m
141 # CONFIG_NET_VENDOR_NATSEMI is not set
142+CONFIG_S2IO=m
143 # CONFIG_NET_VENDOR_NETRONOME is not set
144 # CONFIG_NET_VENDOR_NI is not set
145 # CONFIG_NET_VENDOR_NVIDIA is not set
146 # CONFIG_NET_VENDOR_OKI is not set
147 # CONFIG_NET_VENDOR_PACKET_ENGINES is not set
148-CONFIG_QLGE=m
149 CONFIG_NETXEN_NIC=m
150 CONFIG_QED=m
151 CONFIG_QEDE=m
Joel Stanleycb9bf572020-09-29 16:18:12 +0930[diff] [blame]152@@ -210,7 +209,6 @@ CONFIG_IPMI_DEVICE_INTERFACE=y
Joel Stanleya1fccbf2020-06-23 17:25:56 +0930[diff] [blame]153 CONFIG_IPMI_POWERNV=y
154 CONFIG_IPMI_WATCHDOG=y
155 CONFIG_HW_RANDOM=y
156-CONFIG_TCG_TPM=y
157 CONFIG_TCG_TIS_I2C_NUVOTON=y
158 # CONFIG_DEVPORT is not set
159 CONFIG_I2C=y
Joel Stanleycb9bf572020-09-29 16:18:12 +0930[diff] [blame]160@@ -239,7 +237,6 @@ CONFIG_HID_CYPRESS=y
Joel Stanleya1fccbf2020-06-23 17:25:56 +0930[diff] [blame]161 CONFIG_HID_EZKEY=y
162 CONFIG_HID_ITE=y
163 CONFIG_HID_KENSINGTON=y
164-CONFIG_HID_LOGITECH=y
165 CONFIG_HID_MICROSOFT=y
166 CONFIG_HID_MONTEREY=y
167 CONFIG_USB_HIDDEV=y
Joel Stanleycb9bf572020-09-29 16:18:12 +0930[diff] [blame]168@@ -276,6 +273,29 @@ CONFIG_NLS_CODEPAGE_437=y
Joel Stanleya1fccbf2020-06-23 17:25:56 +0930[diff] [blame]169 CONFIG_NLS_ASCII=y
170 CONFIG_NLS_ISO8859_1=y
171 CONFIG_NLS_UTF8=y
172+CONFIG_ENCRYPTED_KEYS=y
173+CONFIG_SECURITY=y
174+CONFIG_HARDENED_USERCOPY=y
175+# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
176+CONFIG_HARDENED_USERCOPY_PAGESPAN=y
177+CONFIG_FORTIFY_SOURCE=y
178+CONFIG_SECURITY_LOCKDOWN_LSM=y
179+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
180+CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
181+CONFIG_INTEGRITY_SIGNATURE=y
182+CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
183+CONFIG_INTEGRITY_PLATFORM_KEYRING=y
184+CONFIG_IMA=y
185+CONFIG_IMA_KEXEC=y
186+CONFIG_IMA_SIG_TEMPLATE=y
187+CONFIG_IMA_DEFAULT_HASH_SHA256=y
188+CONFIG_IMA_READ_POLICY=y
189+CONFIG_IMA_APPRAISE=y
190+CONFIG_IMA_ARCH_POLICY=y
191+CONFIG_IMA_APPRAISE_MODSIG=y
192+CONFIG_LSM="yama,loadpin,safesetid,integrity"
193+# CONFIG_CRYPTO_HW is not set
194+CONFIG_SYSTEM_BLACKLIST_KEYRING=y
195 CONFIG_CRC16=y
196 CONFIG_CRC_ITU_T=y
197 CONFIG_LIBCRC32C=y
Joel Stanleycb9bf572020-09-29 16:18:12 +0930[diff] [blame]198@@ -286,17 +306,20 @@ CONFIG_LIBCRC32C=y
Joel Stanleya1fccbf2020-06-23 17:25:56 +0930[diff] [blame]199 # CONFIG_XZ_DEC_SPARC is not set
200 CONFIG_PRINTK_TIME=y
201 CONFIG_MAGIC_SYSRQ=y
202+CONFIG_SLUB_DEBUG_ON=y
203 CONFIG_DEBUG_STACKOVERFLOW=y
204 CONFIG_SOFTLOCKUP_DETECTOR=y
205 CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y
206 CONFIG_HARDLOCKUP_DETECTOR=y
207 CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=y
208 CONFIG_WQ_WATCHDOG=y
209+CONFIG_PANIC_ON_OOPS=y
210 # CONFIG_SCHED_DEBUG is not set
211+CONFIG_SCHED_STACK_END_CHECK=y
212+CONFIG_DEBUG_SG=y
213+CONFIG_DEBUG_NOTIFIERS=y
214+CONFIG_DEBUG_CREDENTIALS=y
215 # CONFIG_FTRACE is not set
216 # CONFIG_RUNTIME_TESTING_MENU is not set
217+CONFIG_BUG_ON_DATA_CORRUPTION=y
218 CONFIG_XMON=y
219-CONFIG_XMON_DEFAULT=y
220-CONFIG_ENCRYPTED_KEYS=y
221-# CONFIG_CRYPTO_ECHAINIV is not set
222-# CONFIG_CRYPTO_HW is not set