[OpenPower-Firmware] [PATCH 1/1] Enable IMA in skiroot

Dave Heller hellerda at linux.vnet.ibm.com
Thu Apr 28 07:56:04 AEST 2016


On 04/26/2016 10:47 PM, Joel Stanley wrote:
> Hello Dave,
>
> Thanks for the patch.
>
> I had to apply it manually though. Did you use git-send-email to mail
> off the patch? It does the right things with respect to encoding and
> doesn't reformat the patch.
>
No I didn't do that, sorry.  I did it by importing the patch directly 
into my mail reader.  Next time I will be sure to use git-send-mail.

> In terms of size increase, I measured the size of our zImage.epapr
> including the initramfs:
>
>   Old: 14198048
>   New: 14234912
>   Difference: 36864 = 36KB
>
> That's fine, but we're just keeping track of where our space goes as
> at some point we will hit the 15MB size limit of our current PNOR
> layout.
>
Yes, that matches my calculation pretty well as far as the delta.  In 
fact I saw even less in the final zImage.epapr.

It's off the topic but I'm curious to know how you got a zImage.epapr so 
small.  I'm getting one about 1MB larger when I build with 
habanero_defconfig.

> On Wed, Apr 27, 2016 at 11:07 AM, Dave Heller
> <hellerda at linux.vnet.ibm.com> wrote:
>> This adds basic support for the Integrity Measurement Subsystem to the
>> skiroot kernel.
>>
>> The changes to skiroot_defconfig are the kernel config options to enable IMA
>> and the basic security subsystem.  The values were obtained by running a
>> make menuconfig and configuring IMA on, then merging these values with
>> skiroot_defconfig and checking for duplicates.
>
> Once you've done a "make menuconfig", you can then do a "make
> savedefconfig". This will regenerate a minimal defconfig that we can
> commit to the tree.
>
> I've attached a revised patch below; if it looks okay to you I'll
> commit these changes.
>
Unfortunately this does not quite match the list I came up with.  There 
are a few options missing (e.g. CONFIG_TCG_TPM) and I'm not sure we want 
to disable CONFIG_CRYPTO_SHA256.

This is a bit tricky.  Perhaps there is a simpler way but let me explain 
the method I used and you can advise.

I first tried to set these options via "op-build menuconfig" but I don't 
think you can do it that way.  There are some options there to change 
the kernel version but not the kconfig options themselves.  To edit 
kconfig options you need to run "op-build linux-menuconfig".  There you 
can enable IMA.

The trouble with that is, this does not produce an op-build patch.  The 
file that's actually modified is ./output/build/linux-4.4.x/.config.  So 
I needed to capture the deltas there (somewhat manually, although you 
can diff the .config and .config.old files generated by the tool) and 
merge them into skiroot_defconfig.  Once that's done you can create a 
patch to op-build.

If there's a more direct way to operate on skiroot_defconfig please 
enlighten me!  My way is kind of cumbersome, but it does have the 
benefit of using the menuconfig tool to get the kconfig options, which 
is important here since there are so many and it's hard to get it right 
manually.

Specifically the process I used to find the right options:

cd op-build/
source op-build-env
op-build linux-menuconfig
[Enable different security models, enable IMA, enable EVM, save]
cd output/build/linux-4.4.8/
diff -u .config.old .config

(hint: after saving, exit the menuconfig tool via a keyboard interrupt.
If you exit the normal way it will update .config a 2nd time even if
you don't want it to.)

Thx -DaveH


> Cheers,
>
> Joel
>
> --
>
>  From 3c0c24197a3316561b03d516326963581a2e0dc2 Mon Sep 17 00:00:00 2001
> From: Dave Heller <hellerda at linux.vnet.ibm.com>
> Date: Tue, 26 Apr 2016 21:37:08 -0400
> Subject: [PATCH] Enable IMA in skiroot
>
> This adds basic support for the Integrity Measurement Subsystem to the
> skiroot kernel.
>
> The changes to skiroot_defconfig are the kernel config options to enable IMA
> and the basic security subsystem.
>
> The changes to /etc/fstab ensure securityfs is mounted at boot.
>
> Signed-off-by: Dave Heller <hellerda at us.ibm.com>
> [regenerated defconfig]
> Signed-off-by: Joel Stanley <joel at jms.id.au>
>
> Signed-off-by: Joel Stanley <joel at jms.id.au>
> ---
>   openpower/configs/linux/skiroot_defconfig | 11 ++++++-----
>   openpower/overlay/etc/fstab               |  1 +
>   2 files changed, 7 insertions(+), 5 deletions(-)
>
> diff --git a/openpower/configs/linux/skiroot_defconfig
> b/openpower/configs/linux/skiroot_defconfig
> index 20d43589bde1..721d622e5c4a 100644
> --- a/openpower/configs/linux/skiroot_defconfig
> +++ b/openpower/configs/linux/skiroot_defconfig
> @@ -44,6 +44,8 @@ CONFIG_IRQ_ALL_CPUS=y
>   # CONFIG_BOUNCE is not set
>   CONFIG_PPC_64K_PAGES=y
>   CONFIG_SCHED_SMT=y
> +CONFIG_CMDLINE_BOOL=y
> +CONFIG_CMDLINE="console=tty0 console=hvc0"
>   # CONFIG_SECCOMP is not set
>   CONFIG_PCI_MSI=y
>   CONFIG_NET=y
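Review bot: the two CONFIG_CMDLINE_BOOL / CONFIG_CMDLINE lines added here are the same two lines deleted at the end of the file in the third hunk, so this hunk is pure reordering produced by "make savedefconfig" and has nothing to do with IMA; a sentence in the commit message saying the defconfig was regenerated and lines moved would stop a reader of git log from hunting for a command-line change. Note also that the command line still carries only console= arguments, so nothing in this patch tells IMA which policy to apply; if a policy is deliberately left for a follow-up, say so in the commit message.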
> @@ -154,6 +156,7 @@ CONFIG_HW_RANDOM=y
>   CONFIG_GEN_RTC=y
>   CONFIG_RAW_DRIVER=y
>   CONFIG_MAX_RAW_DEVS=1024
> +CONFIG_TCG_TIS_I2C_NUVOTON=y
>   # CONFIG_I2C_COMPAT is not set
>   CONFIG_I2C_CHARDEV=y
>   # CONFIG_I2C_HELPER_AUTO is not set
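Review bot: CONFIG_TCG_TIS_I2C_NUVOTON=y is the only TPM-related line that survived the regeneration, and Dave's reply above says CONFIG_TCG_TPM is missing from the list he expected. The Nuvoton I2C driver is a TPM interface driver that sits on top of the TPM core, so either CONFIG_TCG_TPM=y is already present in skiroot_defconfig outside this hunk's context, or the regenerated defconfig lost it; check the generated output/build/linux-4.4.x/.config for CONFIG_TCG_TPM=y before committing. The commit message also describes only the IMA options and the securityfs mount, so adding a TPM driver should be mentioned there.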
> @@ -220,15 +223,13 @@ CONFIG_SCHEDSTATS=y
>   # CONFIG_FTRACE is not set
>   CONFIG_XMON=y
>   CONFIG_XMON_DEFAULT=y
> +CONFIG_SECURITY=y
> +CONFIG_IMA=y
> +CONFIG_EVM=y
>   # CONFIG_CRYPTO_ECHAINIV is not set
>   CONFIG_CRYPTO_ECB=y
>   CONFIG_CRYPTO_CMAC=y
> -CONFIG_CRYPTO_HMAC=y
>   CONFIG_CRYPTO_MD4=y
> -CONFIG_CRYPTO_MD5=y
> -CONFIG_CRYPTO_SHA256=y
>   CONFIG_CRYPTO_ARC4=y
>   CONFIG_CRYPTO_DES=y
>   # CONFIG_CRYPTO_HW is not set
> -CONFIG_CMDLINE_BOOL=y
> -CONFIG_CMDLINE="console=tty0 console=hvc0"
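Review bot: dropping CONFIG_CRYPTO_HMAC, CONFIG_CRYPTO_MD5 and CONFIG_CRYPTO_SHA256 in the same hunk that adds CONFIG_SECURITY, CONFIG_IMA and CONFIG_EVM is exactly the change Dave queries above, and the diff gives no reason for it. savedefconfig only omits a line whose value is already implied by the other options, typically because a newly enabled option selects it; if that is what happened, the build's .config will still contain CONFIG_CRYPTO_SHA256=y and the removal is harmless, but that should be verified against the generated .config and stated in the commit message rather than left for the reader to infer. If SHA256 is not implied by anything else, the line needs to stay, since a measurement kernel that cannot compute the hash it is asked for defeats the point of the patch.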
> diff --git a/openpower/overlay/etc/fstab b/openpower/overlay/etc/fstab
> index d373dc6baa0b..ece6d84320a3 100644
> --- a/openpower/overlay/etc/fstab
> +++ b/openpower/overlay/etc/fstab
> @@ -4,3 +4,4 @@ proc /proc proc defaults 0 0
>   devpts /dev/pts devpts defaults,gid=5,mode=620 0 0
>   tmpfs /dev/shm tmpfs mode=0777 0 0
>   sysfs /sys sysfs defaults 0 0
> +securityfs /sys/kernel/security securityfs defaults 0 0
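Review bot: the new securityfs line follows the form of the entries above it and is what makes the IMA interfaces under /sys/kernel/security reachable from userspace, so the mount itself is right, but the only documentation of why it is there is the commit message; a short comment in fstab would protect it from the next person trimming the file. Unrelated to this patch but visible in the context: the tmpfs /dev/shm entry uses mode=0777 without the sticky bit, which is worth a separate follow-up.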
>
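As an added example (not from this thread and not op-build code), here is a small POSIX sh script that does the manual step Dave describes above: diff .config.old against .config, then merge the changed symbols into a skiroot-style defconfig while reporting any line it overrides, which is the duplicate check done by hand in the thread. Every file it reads is a constructed sample written to a temporary directory; the symbol names mirror the patch, but the contents are not real op-build output, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from op-build: automate the
# "diff .config.old .config, merge into skiroot_defconfig" step.
# All file contents below are constructed samples, not real op-build output.
export LC_ALL=C   # stable sort/comm ordering regardless of locale

# Normalise a kconfig file to sorted "CONFIG_X=value" lines, rewriting
# "# CONFIG_X is not set" as "CONFIG_X=n" so set and unset symbols diff alike.
kconfig_normalize() {
    awk '
        /^# CONFIG_[A-Za-z0-9_]+ is not set$/ { print $2 "=n"; next }
        /^CONFIG_[A-Za-z0-9_]+=/             { print }
    ' "$1" | sort -u
}

# Print the symbols whose value in $2 (new .config) differs from $1 (.config.old).
kconfig_delta() {
    old=$(mktemp); new=$(mktemp)
    kconfig_normalize "$1" > "$old"
    kconfig_normalize "$2" > "$new"
    comm -13 "$old" "$new"      # lines present only in the new file
    rm -f "$old" "$new"
}

# Merge a delta file ($2, CONFIG_X=value lines) into a defconfig ($1).
# Symbols the defconfig already mentions are overridden in place and reported
# on stderr; the rest are appended. The merged defconfig goes to stdout.
kconfig_merge() {
    defconfig=$1; delta=$2
    awk -v delta="$delta" '
    function emit(line,    i, sym, val) {
        i = index(line, "="); sym = substr(line, 1, i - 1); val = substr(line, i + 1)
        if (val == "n") print "# " sym " is not set"; else print line
    }
    BEGIN { while ((getline l < delta) > 0) want[substr(l, 1, index(l, "=") - 1)] = l }
    {
        sym = ""
        if (match($0, /^CONFIG_[A-Za-z0-9_]+=/)) sym = substr($0, 1, RLENGTH - 1)
        else if ($0 ~ /^# CONFIG_[A-Za-z0-9_]+ is not set$/) sym = $2
        if (sym != "" && (sym in want)) {
            print "overriding: " $0 | "cat 1>&2"
            emit(want[sym]); next
        }
        print
    }' "$defconfig"
    # Append every delta symbol the defconfig never mentioned, in delta order.
    while IFS= read -r l; do
        sym=${l%%=*}
        grep -q -e "^$sym=" -e "^# $sym is not set\$" "$defconfig" && continue
        case "${l#*=}" in
            n) printf '# %s is not set\n' "$sym" ;;
            *) printf '%s\n' "$l" ;;
        esac
    done < "$delta"
}

# Constructed demo: mimics menuconfig turning on the security subsystem,
# IMA, EVM and a TPM driver (and turning CONFIG_XMON_DEFAULT off to exercise
# the "is not set" path), then merges the delta into a skiroot-style defconfig.
demo_merge() {
    dir=$(mktemp -d)
    cat > "$dir/.config.old" <<'EOF'
CONFIG_PPC_64K_PAGES=y
CONFIG_XMON_DEFAULT=y
# CONFIG_SECURITY is not set
CONFIG_CRYPTO_SHA256=y
CONFIG_CMDLINE="console=tty0 console=hvc0"
EOF
    cat > "$dir/.config" <<'EOF'
CONFIG_PPC_64K_PAGES=y
# CONFIG_XMON_DEFAULT is not set
CONFIG_SECURITY=y
CONFIG_IMA=y
CONFIG_EVM=y
CONFIG_TCG_TPM=y
CONFIG_TCG_TIS_I2C_NUVOTON=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CMDLINE="console=tty0 console=hvc0"
EOF
    cat > "$dir/skiroot_defconfig" <<'EOF'
CONFIG_PPC_64K_PAGES=y
CONFIG_SCHED_SMT=y
CONFIG_XMON_DEFAULT=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CMDLINE_BOOL=y
CONFIG_CMDLINE="console=tty0 console=hvc0"
EOF
    kconfig_delta "$dir/.config.old" "$dir/.config" > "$dir/delta"
    kconfig_merge "$dir/skiroot_defconfig" "$dir/delta"
    rm -rf "$dir"
}

# Usage: sh this.sh demo   (or source it and call kconfig_delta / kconfig_merge
# on output/build/linux-4.4.x/.config.old, .config and the defconfig)
if [ "${1:-}" = "demo" ]; then demo_merge; fi
```

In the demo the merged defconfig keeps the original six lines with CONFIG_XMON_DEFAULT rewritten as "# CONFIG_XMON_DEFAULT is not set", and gains CONFIG_SECURITY, CONFIG_IMA, CONFIG_EVM and the two TPM symbols at the end. The kernel tree's own scripts/diffconfig covers the diff half of this; the result is still a hand-merged defconfig, so running "make savedefconfig" on it afterwards, as Joel suggests, is what produces the minimal form for the tree, and comparing that minimal form against this merged list is how to spot symbols such as CONFIG_TCG_TPM that the regeneration dropped because something else implies them.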