Reply: Consultation on the invalidation of OpenBMC IMA/EVM function

Vantler Fan (范益) fanyi at ieisystem.com
Mon Jan 6 17:25:39 AEDT 2025


Thanks a lot for everyone's help. After that email, I tried more methods. It works now, but it can't load the key from the filesystem.
Here are my modifications:
	Add these cfgs to ima.cfg:
	CONFIG_TMPFS_XATTR=y
	CONFIG_SQUASHFS_XATTR=y      # these two cfgs can be found in https://gerrit.openbmc.org/c/openbmc/openbmc/+/66419/20
	CONFIG_IMA_APPRAISE=y         # I need appraise func
	CONFIG_IMA_LOAD_X509=y       # with this cfg, kernel will load x509 keys at init
	CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"  # default is /etc/keys/x509_ima.der, but my test will show an error log "integrity: Unable to open file: /etc/keys/x509_ima.der (-2)", so I use this cfg to test another path

Hope these can be helpful. I will try more to solve this problem.
Best wishes to you

-----Original Message-----
From: Adriana Kobylak [mailto:anoo at linux.ibm.com] 
Sent: January 4, 2025 5:34
To: Vantler Fan (范益) <fanyi at ieisystem.com>
Cc: openbmc at lists.ozlabs.org; Stefan Berger <stefanb at linux.ibm.com>; patrick at stwcx.xyz
Subject: Re: Consultation on the invalidation of OpenBMC IMA/EVM function

At IBM, we're picking up Stefan's work this year to get the series merged and enable IMA on the p10bmc system (AST2600-based). Feel free to follow the updates on the series (there should be patch updates in the next few weeks), and/or try the series out on your platform.


> On Dec 20, 2024, at 9:43 AM, Patrick Williams <patrick at stwcx.xyz> wrote:
> 
> On Thu, Dec 19, 2024 at 07:52:55AM +0000, Vantler Fan (范益) wrote:
>> 
>>      I have a problem with IMA/EVM func of OpenBMC. I enabled IMA 
>> function, but it doesn't seem to work.
> 
> I don't know of anyone actively using IMA on OpenBMC.
> 
> Stefan Berger @ IBM was working on a commit sequence at one point but 
> I haven't seen much activity there.
> 
>   https://gerrit.openbmc.org/c/openbmc/openbmc/+/74136/2
> 
> --
> Patrick Williams
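
Added example, not part of the thread and not OpenBMC project code: a Python check of an IMA config fragment and a staged root filesystem for the condition behind the "Unable to open file ... (-2)" log quoted above (-2 is ENOENT). The function names, the sample fragment and the rootfs directory are assumptions; point it at the root filesystem the kernel has mounted when it loads keys.

```python
import errno
import os
import re
import tempfile

# Options listed in the message above; each is expected to be "y".
REQUIRED = ("CONFIG_TMPFS_XATTR", "CONFIG_SQUASHFS_XATTR",
            "CONFIG_IMA_APPRAISE", "CONFIG_IMA_LOAD_X509")
DEFAULT_X509_PATH = "/etc/keys/x509_ima.der"

# Constructed sample fragment (not a file from the thread).
SAMPLE_FRAGMENT = """\
CONFIG_TMPFS_XATTR=y
CONFIG_SQUASHFS_XATTR=y
CONFIG_IMA_APPRAISE=y
# CONFIG_IMA_LOAD_X509 is not set
CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
"""

def parse_fragment(text):
    """Return {option: value} for every CONFIG_x=value line; comments are skipped."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r'\s*(CONFIG_\w+)=("[^"]*"|\S+)', line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
    return opts

def check(fragment_text, rootfs_dir):
    """Return a list of findings; an empty list means nothing was flagged."""
    opts = parse_fragment(fragment_text)
    findings = [f"{o} is not set to y" for o in REQUIRED if opts.get(o) != "y"]
    path = opts.get("CONFIG_IMA_X509_PATH", DEFAULT_X509_PATH)
    cert = os.path.join(rootfs_dir, path.lstrip("/"))
    try:
        with open(cert, "rb") as fh:
            first = fh.read(1)
    except FileNotFoundError:
        # Same condition the kernel reports as "Unable to open file ... (-2)".
        findings.append(f"{path} missing from rootfs (-{errno.ENOENT})")
        return findings
    if first != b"\x30":  # DER starts with an ASN.1 SEQUENCE tag; PEM starts with "-"
        findings.append(f"{path} is not DER encoded")
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # empty stand-in rootfs
        for finding in check(SAMPLE_FRAGMENT, root):
            print(finding)
```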
