[OpenPower-Firmware] [PATCH 1/1] Enable IMA in skiroot

Dave Heller hellerda at linux.vnet.ibm.com
Sat Apr 30 00:25:32 AEST 2016 

On 04/28/2016 01:31 AM, Joel Stanley wrote:
> Hey Dave,
>
> On Thu, Apr 28, 2016 at 7:26 AM, Dave Heller
> <hellerda at linux.vnet.ibm.com> wrote:
>>> Once you've done a "make menuconfig", you can then do a "make
>>> savedefconfig". This will regenerate a minimal defconfig that we can
>>> commit to the tree.
>>>
>>> I've attached a revised patch below; if it looks okay to you I'll
>>> commit these changes.
>>>
>> Unfortunately this does not quite match the list I came up with.  There are
>> a few options missing (e.g. CONFIG_TCG_TPM) and I'm not sure we want to
>> disable CONFIG_CRYPTO_SHA256.
>>
>> This is a bit tricky.  Perhaps there is a simpler way but let me explain the
>> method I used and you can advise.
>
> We're looking at the defconifg, not the config. The defconfig is the
> minimal configuration required to produce a given .config. A bunch of
> the options will default to on when selected, such as turning on IMA
> selects CONFIG_TCG_TPM. This means we can simply specify CONFIG_IMA=y
> in our defconfig, and the configuration will have CONFIG_TCG_TPM
> turned on.

Ah, I think I understand now.  The defconfig should hold only the 
minimal config options, which are then used to generate the actual 
.config for the build.  So then, the defconfig options should correspond 
to what you would select by "menuconfig", and all associated options get 
set automatically?

> To reassure myself that I'm not talking crap, here is the diff between
> configurations generated from the defconfig you proposed and mine:
>
> $ make skiroot_dave_defconfig
> #
> # configuration written to .config
> #
> $ cp .config dave_config
> $ make skiroot_joel_defconfig
> #
> # configuration written to .config
> #
> $ cp .config joel_defconfig
> $ diff dave_config joel_config
> $?
> 0

I follow basically what you did here, and the same should work for the 
standard skiroot_defconfig as well, right?  But from which directory did 
you run this?

>> I first tried to set these options via "op-build menuconfig" but I don't
>> think you can do it that way.  There are some options there to change the
>> kernel version but not the kconfig options themselves.  To edit kconfig
>> options you need to run "op-build linux-menuconfig".  There you can enable
>> IMA.
>
> Correct, that's how to run the kernel menuconfig from within op-build.
> The kernel and buildroot (which is what op-build is based on) both use
> the Linux "Kbuild" infrastructure, so it looks the same.
>
>> The trouble with that is, this does not produce a op-build patch.  The file
>> that's actually modified is ./output/build/linux-4.4.x/.config.  So I needed
>> to capture the deltas there (somewhat manually, although you can diff the
>> .config and .config.old files generated by the tool) and merge them into
>> skiroot_defconfig.  Once that's done you can create a patch to op-build.
>
> You can use op-build to do this:
>
> $ op-build linux-savedefconfig
> make: Entering directory '/home/shenki/dev/op-project/op-build/buildroot'
> [...]
>    HOSTCC  scripts/basic/fixdep
>    HOSTCC  scripts/basic/bin2c
>    HOSTCC  scripts/kconfig/conf.o
>    HOSTCC  scripts/kconfig/zconf.tab.o
>    HOSTLD  scripts/kconfig/conf
> scripts/kconfig/conf  --savedefconfig=defconfig Kconfig
> make: Leaving directory '/home/shenki/dev/op-project/op-build/buildroot'
>
> So now we have the defconfig saved in
> ./output/build/linux-4.4.8/defconfig that you can inspect.
>
> Cheers,
>
> Joel
>

I'm much clearer now, thank you.  I did not really understand about the 
"savedefconfig" previously.  So my process is now like this:

$ op-build habanero_defconfig
$ op-build linux-menuconfig
   [Set desired kconfig options, save]
$ op-build linux-savedefconfig
$ cp ./output/build/linux-*/defconfig 
./openpower/configs/linux/skiroot_defconfig
$ git diff > my.patch

However... :-)  Even with that, I'm still not coming up with the exact 
set of defconfig options you did.  And I can't seem to run 
linux-savedefconfig w/o it adding *some* extra changes I did not 
intend... which I guess is an artifact of running this on the existing 
config?

So, it looks like it's impossible to get away w/o at least some 
hand-stitching here.  And based on my new understanding (hopefully!), 
the minimal set we need is the following set of deltas to 
skiroot_defconfig.  I tested this and it works:

+CONFIG_TCG_TPM=y
+CONFIG_TCG_TIS_I2C_NUVOTON=y
+CONFIG_SECURITY=y
+CONFIG_IMA=y
+CONFIG_EVM=y

If you agree this is the minimal set I will send a new patch with just 
these deltas.  (and the /etc/fstab changes)

We need the TPM enablement as well (first two options).  If you think 
they should be in a separate patch let me know.

Thx -Dave

More information about the OpenPower-Firmware mailing list