[OpenPower-Firmware] [PATCH 1/1] Enable IMA in skiroot

Joel Stanley joel at jms.id.au
Thu May 5 14:34:04 AEST 2016


On Fri, Apr 29, 2016 at 11:55 PM, Dave Heller
<hellerda at linux.vnet.ibm.com> wrote:
>> To reassure myself that I'm not talking crap, here is the diff between
>> configurations generated from the defconfig you proposed and mine:
>>
>> $ make skiroot_dave_defconfig
>> #
>> # configuration written to .config
>> #
>> $ cp .config dave_config
>> $ make skiroot_joel_defconfig
>> #
>> # configuration written to .config
>> #
>> $ cp .config joel_config
>> $ diff dave_config joel_config
>> $ echo $?
>> 0
>
>
> I follow basically what you did here, and the same should work for the
> standard skiroot_defconfig as well, right?  But from which directory did you
> run this?

This is from the kernel directory.

> I'm much clearer now, thank you.  I did not really understand about the
> "savedefconfig" previously.  So my process is now like this:
>
> $ op-build habanero_defconfig
> $ op-build linux-menuconfig
>   [Set desired kconfig options, save]
> $ op-build linux-savedefconfig
> $ cp ./output/build/linux-*/defconfig ./openpower/configs/linux/skiroot_defconfig
> $ git diff > my.patch

That looks good. Instead of the last step, you can commit the
resulting changes and use "git format-patch -1" to create a patch
file.

> However... :-)  Even with that, I'm still not coming up with the exact set
> of defconfig options you did.  And I can't seem to run linux-savedefconfig
> w/o it adding *some* extra changes I did not intend... which I guess is an
> artifact of running this on the existing config?

What are the extra changes? It could be our defconfig is out of date.
I noticed that a recent patch that went in changed the defconfig by
hand instead of regenerating it.

> So, it looks like it's impossible to get away w/o at least some
> hand-stitching here.  And based on my new understanding (hopefully!), the
> minimal set we need is the following set of deltas to skiroot_defconfig.  I
> tested this and it works:
>
> +CONFIG_TCG_TPM=y
> +CONFIG_TCG_TIS_I2C_NUVOTON=y
> +CONFIG_SECURITY=y
> +CONFIG_IMA=y
> +CONFIG_EVM=y
>
> If you agree this is the minimal set I will send a new patch with just these
> deltas.  (and the /etc/fstab changes)

Submit the patch from the generated configs. I've pushed a change
today that updates the defconfig so your patch should just have the
suggested options. I've shown you below what I get; hopefully our
patch should come out the same.

> We need the TPM enablement as well (first two options).  If you think they
> should be in a separate patch let me know.

They can go in the same patch.

Thanks for your patience and taking the time to do this properly! It
will save us work down the track.

Cheers,

Joel

--
From 979820849eb7feb6be61edd80656be8c43633b15 Mon Sep 17 00:00:00 2001
From: Joel Stanley <joel at jms.id.au>
Date: Thu, 5 May 2016 13:59:57 +0930
Subject: [PATCH] openpower/configs: Enable IMA in kernel

This adds basic support for the Integrity Measurement Subsystem to the
skiroot kernel.

Signed-off-by: Joel Stanley <joel at jms.id.au>
---
 openpower/configs/linux/skiroot_defconfig | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/openpower/configs/linux/skiroot_defconfig
b/openpower/configs/linux/skiroot_defconfig
index b76ecb862635..fd3e7751d20c 100644
--- a/openpower/configs/linux/skiroot_defconfig
+++ b/openpower/configs/linux/skiroot_defconfig
@@ -154,9 +154,11 @@ CONFIG_IPMI_HANDLER=y
 CONFIG_IPMI_DEVICE_INTERFACE=y
 CONFIG_IPMI_POWERNV=y
 CONFIG_HW_RANDOM=y
+# CONFIG_HW_RANDOM_TPM is not set
 CONFIG_GEN_RTC=y
 CONFIG_RAW_DRIVER=y
 CONFIG_MAX_RAW_DEVS=1024
+CONFIG_TCG_TIS_I2C_NUVOTON=m
 # CONFIG_I2C_COMPAT is not set
 CONFIG_I2C_CHARDEV=y
 # CONFIG_I2C_HELPER_AUTO is not set
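Review bot: CONFIG_TCG_TIS_I2C_NUVOTON is set to =m in this hunk, while the minimal set tested earlier in the thread had it as =y. IMA is built in (CONFIG_IMA=y in the next hunk) and looks for a TPM when it initialises during boot; if the Nuvoton driver only arrives later as a module, IMA will not find the chip and measurements will not be extended into the TPM. Suggest CONFIG_TCG_TIS_I2C_NUVOTON=y, or state in the commit message where and when the module gets loaded.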
@@ -223,13 +225,13 @@ CONFIG_SCHEDSTATS=y
 # CONFIG_FTRACE is not set
 CONFIG_XMON=y
 CONFIG_XMON_DEFAULT=y
+CONFIG_SECURITY=y
+CONFIG_IMA=y
+CONFIG_EVM=y
 # CONFIG_CRYPTO_ECHAINIV is not set
 CONFIG_CRYPTO_ECB=y
 CONFIG_CRYPTO_CMAC=y
-CONFIG_CRYPTO_HMAC=y
 CONFIG_CRYPTO_MD4=y
-CONFIG_CRYPTO_MD5=y
-CONFIG_CRYPTO_SHA256=y
 CONFIG_CRYPTO_ARC4=y
 CONFIG_CRYPTO_DES=y
 # CONFIG_CRYPTO_HW is not set
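Review bot: the three removals in this hunk (CONFIG_CRYPTO_HMAC, CONFIG_CRYPTO_MD5, CONFIG_CRYPTO_SHA256) are not explained in the commit message, which only says IMA support is added. If savedefconfig dropped them because the new CONFIG_IMA and CONFIG_EVM options now select them, say so in the message so the deletions are not read as disabling those algorithms. The message should also name EVM and the TPM driver, since the subject mentions only IMA.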
-- 
2.8.1

