[PATCH 06/32] powerpc/configs/64s: Add secure boot options to defconfig

[Andrew Donnellan]

On Fri, 2023-04-14 at 23:23 +1000, Michael Ellerman wrote:
> Add the numerous options required to get secure boot enabled.
> 
> Signed-off-by: Michael Ellerman <mpe at ellerman.id.au>
> ---
>  arch/powerpc/configs/ppc64_defconfig | 17 ++++++++++++++++-
>  1 file changed, 16 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/powerpc/configs/ppc64_defconfig
> b/arch/powerpc/configs/ppc64_defconfig
> index d98fe52a5892..f185adc128db 100644
> --- a/arch/powerpc/configs/ppc64_defconfig
> +++ b/arch/powerpc/configs/ppc64_defconfig
> @@ -54,6 +54,7 @@ CONFIG_CRASH_DUMP=y
>  CONFIG_FA_DUMP=y
>  CONFIG_IRQ_ALL_CPUS=y
>  CONFIG_SCHED_SMT=y
> +CONFIG_PPC_SECURE_BOOT=y

Can we add CONFIG_PPC_SECVAR_SYSFS=y as well?

>  CONFIG_VIRTUALIZATION=y
>  CONFIG_KVM_BOOK3S_64=m
>  CONFIG_KVM_BOOK3S_64_HV=m
> @@ -335,13 +336,25 @@ CONFIG_NLS_CODEPAGE_437=y
>  CONFIG_NLS_ASCII=y
>  CONFIG_NLS_ISO8859_1=y
>  CONFIG_NLS_UTF8=y
> +CONFIG_SECURITY=y
> +CONFIG_SECURITY_LOCKDOWN_LSM=y
> +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
> +CONFIG_INTEGRITY_SIGNATURE=y
> +CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
> +CONFIG_INTEGRITY_PLATFORM_KEYRING=y
> +CONFIG_IMA=y
> +CONFIG_IMA_KEXEC=y
> +CONFIG_IMA_DEFAULT_HASH_SHA256=y
> +CONFIG_IMA_WRITE_POLICY=y
> +CONFIG_IMA_APPRAISE=y
> +CONFIG_IMA_ARCH_POLICY=y
> +CONFIG_IMA_APPRAISE_MODSIG=y
>  CONFIG_CRYPTO_TEST=m
>  CONFIG_CRYPTO_BLOWFISH=m
>  CONFIG_CRYPTO_CAST6=m
>  CONFIG_CRYPTO_SERPENT=m
>  CONFIG_CRYPTO_TWOFISH=m
>  CONFIG_CRYPTO_PCBC=m
> -CONFIG_CRYPTO_HMAC=y
>  CONFIG_CRYPTO_MICHAEL_MIC=m
>  CONFIG_CRYPTO_SHA256=y
>  CONFIG_CRYPTO_WP512=m
> @@ -352,6 +365,8 @@ CONFIG_CRYPTO_SHA1_PPC=m
>  CONFIG_CRYPTO_DEV_NX=y
>  CONFIG_CRYPTO_DEV_NX_ENCRYPT=m
>  CONFIG_CRYPTO_DEV_VMX=y
> +CONFIG_SYSTEM_TRUSTED_KEYRING=y
> +CONFIG_SYSTEM_BLACKLIST_KEYRING=y
>  CONFIG_PRINTK_TIME=y
>  CONFIG_PRINTK_CALLER=y
>  CONFIG_DEBUG_KERNEL=y

-- 
Andrew Donnellan    OzLabs, ADL Canberra
ajd at linux.ibm.com   IBM Australia Limited