Merge branch 'topic/ima' into topic/secureboot

From Nayna's cover letter:
  The IMA subsystem supports custom, built-in, arch-specific policies
  to define the files to be measured and appraised. These policies are
  honored based on priority, where arch-specific policy is the highest
  and custom is the lowest.

  PowerNV systems use a Linux-based bootloader to kexec the OS. The
  bootloader kernel relies on IMA for signature verification of the OS
  kernel before doing the kexec. This patchset adds support for
  powerpc arch-specific IMA policies that are conditionally defined
  based on a system's secure boot and trusted boot states. The OS
  secure boot and trusted boot states are determined via device-tree
  properties.

  The verification needs to be performed only for binaries that are
  not blacklisted. The kernel currently only checks against the
  blacklist of keys. However, doing so results in blacklisting all the
  binaries that are signed by the same key. In order to prevent just
  one particular binary from being loaded, it must be checked against
  a blacklist of binary hashes. This patchset also adds support to IMA
  for checking against a hash blacklist for files. signed by appended
  signature.