[OpenPower-Firmware] [PATCH 1/1] Enable IMA in skiroot
Joel Stanley
joel at jms.id.au
Thu Apr 28 15:31:35 AEST 2016
Hey Dave,
On Thu, Apr 28, 2016 at 7:26 AM, Dave Heller
<hellerda at linux.vnet.ibm.com> wrote:
>> Once you've done a "make menuconfig", you can then do a "make
>> savedefconfig". This will regenerate a minimal defconfig that we can
>> commit to the tree.
>>
>> I've attached a revised patch below; if it looks okay to you I'll
>> commit these changes.
>>
> Unfortunately this does not quite match the list I came up with. There are
> a few options missing (e.g. CONFIG_TCG_TPM) and I'm not sure we want to
> disable CONFIG_CRYPTO_SHA256.
>
> This is a bit tricky. Perhaps there is a simpler way but let me explain the
> method I used and you can advise.
We're looking at the defconifg, not the config. The defconfig is the
minimal configuration required to produce a given .config. A bunch of
the options will default to on when selected, such as turning on IMA
selects CONFIG_TCG_TPM. This means we can simply specify CONFIG_IMA=y
in our defconfig, and the configuration will have CONFIG_TCG_TPM
turned on.
To reassure myself that I'm not talking crap, here is the diff between
configurations generated from the defconfig you proposed and mine:
$ make skiroot_dave_defconfig
#
# configuration written to .config
#
$ cp .config dave_config
$ make skiroot_joel_defconfig
#
# configuration written to .config
#
$ cp .config joel_defconfig
$ diff dave_config joel_config
$?
0
> I first tried to set these options via "op-build menuconfig" but I don't
> think you can do it that way. There are some options there to change the
> kernel version but not the kconfig options themselves. To edit kconfig
> options you need to run "op-build linux-menuconfig". There you can enable
> IMA.
Correct, that's how to run the kernel menuconfig from within op-build.
The kernel and buildroot (which is what op-build is based on) both use
the Linux "Kbuild" infrastructure, so it looks the same.
> The trouble with that is, this does not produce a op-build patch. The file
> that's actually modified is ./output/build/linux-4.4.x/.config. So I needed
> to capture the deltas there (somewhat manually, although you can diff the
> .config and .config.old files generated by the tool) and merge them into
> skiroot_defconfig. Once that's done you can create a patch to op-build.
You can use op-build to do this:
$ op-build linux-savedefconfig
make: Entering directory '/home/shenki/dev/op-project/op-build/buildroot'
[...]
HOSTCC scripts/basic/fixdep
HOSTCC scripts/basic/bin2c
HOSTCC scripts/kconfig/conf.o
HOSTCC scripts/kconfig/zconf.tab.o
HOSTLD scripts/kconfig/conf
scripts/kconfig/conf --savedefconfig=defconfig Kconfig
make: Leaving directory '/home/shenki/dev/op-project/op-build/buildroot'
So now we have the defconfig saved in
./output/build/linux-4.4.8/defconfig that you can inspect.
Cheers,
Joel
More information about the OpenPower-Firmware
mailing list