Re: Consultation on the invalidation of OpenBMC IMA/EVM function
Vantler Fan (范益)
fanyi at ieisystem.com
Mon Jan 6 17:25:39 AEDT 2025
Thanks a lot for everyone's help. After that email, I tried more methods. It can work now, but it can't load the key from the filesystem.
Here are my modifications:
Add these cfgs to ima.cfg:
CONFIG_TMPFS_XATTR=y
CONFIG_SQUASHFS_XATTR=y # these two cfgs can be found in https://gerrit.openbmc.org/c/openbmc/openbmc/+/66419/20
CONFIG_IMA_APPRAISE=y # I need appraise func
CONFIG_IMA_LOAD_X509=y # with this cfg, kernel will load x509 keys at init
CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der" # default is /etc/keys/x509_ima.der, but my test shows an error log "integrity: Unable to open file: /etc/keys/x509_ima.der (-2)", so I use this cfg to test another path
Hope these can be helpful. I will try more to solve this problem.
Best wishes to you
-----Original Message-----
From: Adriana Kobylak [mailto:anoo at linux.ibm.com]
Sent: January 4, 2025 5:34
To: Vantler Fan (范益) <fanyi at ieisystem.com>
Cc: openbmc at lists.ozlabs.org; Stefan Berger <stefanb at linux.ibm.com>; patrick at stwcx.xyz
Subject: Re: Consultation on the invalidation of OpenBMC IMA/EVM function
At IBM, we're picking up Stefan's work this year to get the series merged and enable IMA on the p10bmc system (AST2600-based). Feel free to follow the updates on the series (there should be patch updates in the next few weeks), and/or try the series out on your platform.
> On Dec 20, 2024, at 9:43 AM, Patrick Williams <patrick at stwcx.xyz> wrote:
>
> On Thu, Dec 19, 2024 at 07:52:55AM +0000, Vantler Fan (范益) wrote:
>>
>> I have a problem with IMA/EVM func of OpenBMC. I enabled IMA
>> function, but it doesn't seem to work.
>
> I don't know of anyone actively using IMA on OpenBMC.
>
> Stefan Berger @ IBM was working on a commit sequence at one point but
> I haven't seen much activity there.
>
> https://gerrit.openbmc.org/c/openbmc/openbmc/+/74136/2
>
> --
> Patrick Williams