[OpenPower-Firmware] [PATCH 1/1] Enable IMA in skiroot

Joel Stanley joel at jms.id.au
Wed Apr 27 12:47:33 AEST 2016


Hello Dave,

Thanks for the patch.

I had to apply it manually though. Did you use git-send-email to mail
off the patch? It does the right things with respect to encoding and
doesn't reformat the patch.

In terms of size increase, I measured the size of our zImage.epapr
including the initramfs:

Old: 14198048
New: 14234912
Difference: 36864 = 36KB

That's fine, but we're just keeping track of where our space goes as
at some point we will hit the 15MB size limit of our current PNOR
layout.

On Wed, Apr 27, 2016 at 11:07 AM, Dave Heller
<hellerda at linux.vnet.ibm.com> wrote:
> This adds basic support for the Integrity Measurement Subsystem to the
> skiroot kernel.
>
> The changes to skiroot_defconfig are the kernel config options to enable IMA
> and the basic security subsystem.  The values were obtained by running a
> make menuconfig and configuring IMA on, then merging these values with
> skiroot_defconfig and checking for duplicates.

Once you've done a "make menuconfig", you can then do a "make
savedefconfig". This will regenerate a minimal defconfig that we can
commit to the tree.

I've attached a revised patch below; if it looks okay to you I'll
commit these changes.

Cheers,

Joel

--

From 3c0c24197a3316561b03d516326963581a2e0dc2 Mon Sep 17 00:00:00 2001
From: Dave Heller <hellerda at linux.vnet.ibm.com>
Date: Tue, 26 Apr 2016 21:37:08 -0400
Subject: [PATCH] Enable IMA in skiroot

This adds basic support for the Integrity Measurement Subsystem to the
skiroot kernel.

The changes to skiroot_defconfig are the kernel config options to enable IMA
and the basic security subsystem.

The changes to /etc/fstab ensure securityfs is mounted at boot.

Signed-off-by: Dave Heller <hellerda at us.ibm.com>
[regenerated defconfig]
Signed-off-by: Joel Stanley <joel at jms.id.au>

Signed-off-by: Joel Stanley <joel at jms.id.au>
---
 openpower/configs/linux/skiroot_defconfig | 11 ++++++-----
 openpower/overlay/etc/fstab               |  1 +
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/openpower/configs/linux/skiroot_defconfig
b/openpower/configs/linux/skiroot_defconfig
index 20d43589bde1..721d622e5c4a 100644
--- a/openpower/configs/linux/skiroot_defconfig
+++ b/openpower/configs/linux/skiroot_defconfig
@@ -44,6 +44,8 @@ CONFIG_IRQ_ALL_CPUS=y
 # CONFIG_BOUNCE is not set
 CONFIG_PPC_64K_PAGES=y
 CONFIG_SCHED_SMT=y
+CONFIG_CMDLINE_BOOL=y
+CONFIG_CMDLINE="console=tty0 console=hvc0"
 # CONFIG_SECCOMP is not set
 CONFIG_PCI_MSI=y
 CONFIG_NET=y
@@ -154,6 +156,7 @@ CONFIG_HW_RANDOM=y
 CONFIG_GEN_RTC=y
 CONFIG_RAW_DRIVER=y
 CONFIG_MAX_RAW_DEVS=1024
+CONFIG_TCG_TIS_I2C_NUVOTON=y
 # CONFIG_I2C_COMPAT is not set
 CONFIG_I2C_CHARDEV=y
 # CONFIG_I2C_HELPER_AUTO is not set
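
Review bot: CONFIG_TCG_TIS_I2C_NUVOTON=y is added in this hunk but the commit message does not mention it; the message covers only IMA, the basic security subsystem and the securityfs mount. Please add a sentence saying that the Nuvoton I2C TPM driver is now built in and why, so the new driver and its share of the size increase can be traced back to this commit.
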
@@ -220,15 +223,13 @@ CONFIG_SCHEDSTATS=y
 # CONFIG_FTRACE is not set
 CONFIG_XMON=y
 CONFIG_XMON_DEFAULT=y
+CONFIG_SECURITY=y
+CONFIG_IMA=y
+CONFIG_EVM=y
 # CONFIG_CRYPTO_ECHAINIV is not set
 CONFIG_CRYPTO_ECB=y
 CONFIG_CRYPTO_CMAC=y
-CONFIG_CRYPTO_HMAC=y
 CONFIG_CRYPTO_MD4=y
-CONFIG_CRYPTO_MD5=y
-CONFIG_CRYPTO_SHA256=y
 CONFIG_CRYPTO_ARC4=y
 CONFIG_CRYPTO_DES=y
 # CONFIG_CRYPTO_HW is not set
-CONFIG_CMDLINE_BOOL=y
-CONFIG_CMDLINE="console=tty0 console=hvc0"
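
Review bot: CONFIG_EVM=y is enabled next to CONFIG_IMA=y here, while the commit message describes only IMA and the basic security subsystem; either mention EVM in the message or leave it out until it is needed. The same hunk drops CONFIG_CRYPTO_HMAC, CONFIG_CRYPTO_MD5 and CONFIG_CRYPTO_SHA256 from the defconfig. If that is savedefconfig omitting symbols that are now selected by other options, please confirm in the generated .config that HMAC and SHA256 are still built in, and say so in the message. Also note that CONFIG_CMDLINE="console=tty0 console=hvc0" carries no IMA option, so the message should state where the measurement policy is expected to come from.
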
diff --git a/openpower/overlay/etc/fstab b/openpower/overlay/etc/fstab
index d373dc6baa0b..ece6d84320a3 100644
--- a/openpower/overlay/etc/fstab
+++ b/openpower/overlay/etc/fstab
@@ -4,3 +4,4 @@ proc /proc proc defaults 0 0
 devpts /dev/pts devpts defaults,gid=5,mode=620 0 0
 tmpfs /dev/shm tmpfs mode=0777 0 0
 sysfs /sys sysfs defaults 0 0
+securityfs /sys/kernel/security securityfs defaults 0 0
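
Review bot: the new securityfs entry is mounted with plain "defaults", copying the proc and sysfs lines above it. Nothing under /sys/kernel/security needs to be executed or to hold device nodes, so consider "nosuid,nodev,noexec" for this mount. The mount also only works when securityfs is built into the kernel, which this diff does not show explicitly, so a note in the commit message that it is pulled in by the IMA options would help.
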
-- 
2.7.4

