Linux v5.3-13236-g97f9a3c4eee5

This is a first pass at getting the secureboot patches working with the upstream lockdown patches that got merged. The final patch from our lockdown set is the sysrq patch which also needs work. For the present it is not applied.
2019-09-30 20:00:17 +00:00 · 2019-09-30 20:00:17 +00:00 · e21e52b608
commit e21e52b608
parent b82da9d02c
35 changed files with 291 additions and 2231 deletions
--- a/kernel-ppc64le-debug.config
+++ b/kernel-ppc64le-debug.config
@ -1999,6 +1999,7 @@ CONFIG_IIO_TRIGGER=y
 CONFIG_IKHEADERS=m
 CONFIG_IMA_APPRAISE_BOOTPARAM=y
 # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
 CONFIG_IMA_APPRAISE=y
 # CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
@ -2624,6 +2625,9 @@ CONFIG_LOCALVERSION=""
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_LOCKD=m
 # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
 # CONFIG_LOCK_DOWN_KERNEL is not set
 CONFIG_LOCKD_V4=y
 CONFIG_LOCK_EVENT_COUNTS=y
@ -3708,7 +3712,7 @@ CONFIG_OPENVSWITCH=m
 CONFIG_OPENVSWITCH_VXLAN=m
 # CONFIG_OPROFILE is not set
 CONFIG_OPT3001=m
-# CONFIG_OPTIMIZE_INLINING is not set
+CONFIG_OPTIMIZE_INLINING=y
 CONFIG_OPTPROBES=y
 CONFIG_ORANGEFS_FS=m
 CONFIG_ORINOCO_USB=m
@ -4555,6 +4559,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
 CONFIG_SECURITYFS=y
 CONFIG_SECURITY_INFINIBAND=y
 # CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_PATH is not set
@ -6087,6 +6093,7 @@ CONFIG_VIRTIO_BALLOON=m
 CONFIG_VIRTIO_BLK=m
 # CONFIG_VIRTIO_BLK_SCSI is not set
 CONFIG_VIRTIO_CONSOLE=m
+CONFIG_VIRTIO_FS=m
 CONFIG_VIRTIO_INPUT=m
 # CONFIG_VIRTIO_IOMMU is not set
 CONFIG_VIRTIO_MENU=y