[OpenPower-Firmware] [PATCH 1/1] Enable IMA in skiroot

Dave Heller hellerda at linux.vnet.ibm.com
Wed Apr 27 11:37:08 AEST 2016


This adds basic support for the Integrity Measurement Subsystem to the
skiroot kernel.

The changes to skiroot_defconfig are the kernel config options to enable IMA
and the basic security subsystem.  The values were obtained by running a
make menuconfig and configuring IMA on, then merging these values with
skiroot_defconfig and checking for duplicates.

The changes to /etc/fstab ensure securityfs is mounted at boot.

Signed-off-by: Dave Heller <hellerda at us.ibm.com>
---
  openpower/configs/linux/skiroot_defconfig | 34 
+++++++++++++++++++++++++++++++
  openpower/overlay/etc/fstab               |  1 +
  2 files changed, 35 insertions(+)

diff --git a/openpower/configs/linux/skiroot_defconfig 
b/openpower/configs/linux/skiroot_defconfig
index 20d4358..b4fc3af 100644
--- a/openpower/configs/linux/skiroot_defconfig
+++ b/openpower/configs/linux/skiroot_defconfig
@@ -229,6 +229,40 @@ CONFIG_CRYPTO_MD5=y
  CONFIG_CRYPTO_SHA256=y
  CONFIG_CRYPTO_ARC4=y
  CONFIG_CRYPTO_DES=y
+# CONFIG_NETLABEL is not set
+CONFIG_HW_RANDOM_TPM=y
+CONFIG_TCG_TPM=y
+# CONFIG_TCG_TIS_I2C_ATMEL is not set
+# CONFIG_TCG_TIS_I2C_INFINEON is not set
+CONFIG_TCG_TIS_I2C_NUVOTON=y
+# CONFIG_TCG_ATMEL is not set
+# CONFIG_TRUSTED_KEYS is not set
+CONFIG_ENCRYPTED_KEYS=y
+CONFIG_SECURITY=y
+CONFIG_SECURITYFS=y
+# CONFIG_SECURITY_NETWORK is not set
+# CONFIG_SECURITY_PATH is not set
+# CONFIG_SECURITY_SMACK is not set
+# CONFIG_SECURITY_TOMOYO is not set
+# CONFIG_SECURITY_APPARMOR is not set
+# CONFIG_SECURITY_YAMA is not set
+CONFIG_INTEGRITY=y
+# CONFIG_INTEGRITY_SIGNATURE is not set
+CONFIG_IMA=y
+CONFIG_IMA_MEASURE_PCR_IDX=10
+# CONFIG_IMA_TEMPLATE is not set
+CONFIG_IMA_NG_TEMPLATE=y
+# CONFIG_IMA_SIG_TEMPLATE is not set
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
+CONFIG_IMA_DEFAULT_HASH_SHA1=y
+# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+CONFIG_IMA_DEFAULT_HASH="sha1"
+# CONFIG_IMA_APPRAISE is not set
+CONFIG_EVM=y
+CONFIG_EVM_ATTR_FSUUID=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_SHA1=y
+CONFIG_CRYPTO_HASH_INFO=y
  # CONFIG_CRYPTO_HW is not set
  CONFIG_CMDLINE_BOOL=y
  CONFIG_CMDLINE="console=tty0 console=hvc0"
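Review bot: The default measurement hash is set to SHA-1 (CONFIG_IMA_DEFAULT_HASH_SHA1=y, CONFIG_IMA_DEFAULT_HASH="sha1") even though CONFIG_CRYPTO_SHA256=y is already present in the context lines at the top of this hunk and the ima-ng template selected here can carry larger digests. Consider CONFIG_IMA_DEFAULT_HASH_SHA256=y with CONFIG_IMA_DEFAULT_HASH="sha256", or say in the commit message why SHA-1 is wanted. Separately, CONFIG_EVM=y, CONFIG_EVM_ATTR_FSUUID=y and CONFIG_ENCRYPTED_KEYS=y are turned on while CONFIG_IMA_APPRAISE and CONFIG_TRUSTED_KEYS stay off, and the commit message only mentions IMA and the basic security subsystem; either drop EVM from this patch or document what it is for in skiroot. The many "# ... is not set" lines could also be trimmed to what a savedefconfig run would keep, so the defconfig stays minimal.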
diff --git a/openpower/overlay/etc/fstab b/openpower/overlay/etc/fstab
index d373dc6..8f2be7b 100644
--- a/openpower/overlay/etc/fstab
+++ b/openpower/overlay/etc/fstab
@@ -4,3 +4,4 @@ proc		/proc		proc	defaults	0	0
  devpts		/dev/pts	devpts	defaults,gid=5,mode=620	0	0
  tmpfs		/dev/shm	tmpfs	mode=0777	0	0
  sysfs		/sys		sysfs	defaults	0	0
+securityfs	/sys/kernel/security     securityfs   defaults    0      0
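Review bot: The new securityfs line separates its fields with runs of spaces after the first tab, while the existing entries in this file (proc, devpts, tmpfs, sysfs) are tab-separated throughout; please use tabs so the columns line up with the rest of the file. This mount also only works because CONFIG_SECURITYFS=y is added in the defconfig hunk of the same patch, which is worth a sentence in the commit message in case the two changes are ever split or reverted independently.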
-- 
2.5.0


