[OpenPower-Firmware] [PATCH 1/1] Enable IMA in skiroot

Dave Heller hellerda at linux.vnet.ibm.com
Sat May 14 01:57:16 AEST 2016


On 05/05/2016 12:34 AM, Joel Stanley wrote:
> On Fri, Apr 29, 2016 at 11:55 PM, Dave Heller
> <hellerda at linux.vnet.ibm.com> wrote:
>>> To reassure myself that I'm not talking crap, here is the diff between
>>> configurations generated from the defconfig you proposed and mine:
>>>
>>> $ make skiroot_dave_defconfig
>>> #
>>> # configuration written to .config
>>> #
>>> $ cp .config dave_config
>>> $ make skiroot_joel_defconfig
>>> #
>>> # configuration written to .config
>>> #
>>> $ cp .config joel_defconfig
>>> $ diff dave_config joel_config
>>> $?
>>> 0
>>
>>
>> I follow basically what you did here, and the same should work for the
>> standard skiroot_defconfig as well, right?  But from which directory did you
>> run this?
>
> This is from the kernel directory.
>
>> I'm much clearer now, thank you.  I did not really understand about the
>> "savedefconfig" previously.  So my process is now like this:
>>
>> $ op-build habanero_defconfig
>> $ op-build linux-menuconfig
>>    [Set desired kconfig options, save]
>> $ op-build linux-savedefconfig
>> $ cp ./output/build/linux-*/defconfig
>> ./openpower/configs/linux/skiroot_defconfig
>> $ git diff > my.patch
>
> That looks good. Instead of the last step, you can commit the
> resulting changes and use "git format-patch -1" to create a patch
> file.
>
>> However... :-)  Even with that, I'm still not coming up with the exact set
>> of defconfig options you did.  And I can't seem to run linux-savedefconfig
>> w/o it adding *some* extra changes I did not intend... which I guess is an
>> artifact of running this on the existing config?
>
> What are the extra changes? It could be our defconfig is out of date.
> I noticed that a recent patch that went in changed the defconfig by
> hand instead of regenerating it.
>
Hi Joel, sorry for the delay.  I understand better how this works now.
I can see, the set of options in the defconfig is really the minimal set
-- reduced set, if you will -- of required options.  So, when you run
the make savedefconfig, not only does it *not* add the implicit options
that go along with the explicit options you are selecting (in the
menuconfig), but it actually *removes* options, if they are now implicit
with the options you're selecting.  (I hope I put that right).  That is
why several options were removed when I enabled IMA.  Those options are
the CONFIG_CRYPTO_HMAC, CONFIG_CRYPTO_MD5 and CONFIG_CRYPTO_SHA256.  So,
this is one of the deltas I did not understand, but I do now.  :-)

The 2nd delta was the pair of CONFIG_CMDLINE options, which were just 
moved so it was purely cosmetic, but this is now gone with your recent 
patches to bump to kernel 4.4.9.

The last thing is the addition of this line:

+ CONFIG_INITRAMFS_SOURCE="${BR_BINARIES_DIR}/rootfs.cpio"

which is something that gets naturally added when buildroot builds the
kernel, but I don't think it's intended to be in the skiroot_defconfig.

I traced this back to ./buildroot/linux/linux.mk, which is where it is
added, and quite easily found if I remove the
"BR2_TARGET_ROOTFS_INITRAMFS" from my habanero_defconfig, the problem
goes away.  So this is a sort of workaround but it produces what I think
is the correct patch.

So...

1. If you agree this is the correct patch, which will add the three IMA 
related options (plus the nuvoton), and remove the three CRYPTO related 
options I mentioned above, I will submit that.  Which will essentially 
look like your patch below.

2. I'm guessing you have an explanation for my CONFIG_INITRAMFS issue
:-).  If so, let me know, else I'll use my workaround.

Thanks!  -DaveH


>> So, it looks like it's impossible to get away w/o at least some
>> hand-stitching here.  And based on my new understanding (hopefully!), the
>> minimal set we need is the following set of deltas to skiroot_defconfig.  I
>> tested this and it works:
>>
>> +CONFIG_TCG_TPM=y
>> +CONFIG_TCG_TIS_I2C_NUVOTON=y
>> +CONFIG_SECURITY=y
>> +CONFIG_IMA=y
>> +CONFIG_EVM=y
>>
>> If you agree this is the minimal set I will send a new patch with just these
>> deltas.  (and the /etc/fstab changes)
>
> Submit the patch from the generated configs. I've pushed a change
> today that updates the defconfig so your patch should just have the
> suggested options. I've shown you below what I get; hopefully our
> patch should come out the same.
>
>> We need the TPM enablement as well (first two options).  If you think they
>> should be in a separate patch let me know.
>
> They can go in the same patch.

If you are sure.  I guess, for habanero, it will always be the nuvoton TPM.

> Thanks for your patience and taking the time to do this properly! It
> will save us work down the track.
>
> Cheers,
>
> Joel
>
> --
>  From 979820849eb7feb6be61edd80656be8c43633b15 Mon Sep 17 00:00:00 2001
> From: Joel Stanley <joel at jms.id.au>
> Date: Thu, 5 May 2016 13:59:57 +0930
> Subject: [PATCH] openpower/configs: Enable IMA in kernel
>
> This adds basic support for the Integrity Measurement Subsystem to the
> skiroot kernel.
>
> Signed-off-by: Joel Stanley <joel at jms.id.au>
> ---
>   openpower/configs/linux/skiroot_defconfig | 8 +++++---
>   1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/openpower/configs/linux/skiroot_defconfig
> b/openpower/configs/linux/skiroot_defconfig
> index b76ecb862635..fd3e7751d20c 100644
> --- a/openpower/configs/linux/skiroot_defconfig
> +++ b/openpower/configs/linux/skiroot_defconfig
> @@ -154,9 +154,11 @@ CONFIG_IPMI_HANDLER=y
>   CONFIG_IPMI_DEVICE_INTERFACE=y
>   CONFIG_IPMI_POWERNV=y
>   CONFIG_HW_RANDOM=y
> +# CONFIG_HW_RANDOM_TPM is not set
>   CONFIG_GEN_RTC=y
>   CONFIG_RAW_DRIVER=y
>   CONFIG_MAX_RAW_DEVS=1024
> +CONFIG_TCG_TIS_I2C_NUVOTON=m
>   # CONFIG_I2C_COMPAT is not set
>   CONFIG_I2C_CHARDEV=y
>   # CONFIG_I2C_HELPER_AUTO is not set
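Review bot: CONFIG_TCG_TIS_I2C_NUVOTON is added as `=m` in this hunk, while the set tested earlier in the thread uses `CONFIG_TCG_TPM=y` and `CONFIG_TCG_TIS_I2C_NUVOTON=y`; skiroot boots from an initramfs, so a module-only TPM driver is not available unless the modules are packed in as well, and without the driver IMA has no TPM to extend measurements into. Consider `=y` to match the tested configuration, and name the TPM driver in the commit message, which currently only mentions IMA. The new `# CONFIG_HW_RANDOM_TPM is not set` line is savedefconfig recording that the TPM hardware RNG, which defaults on once the TPM driver is selected, is deliberately left off; say so in the message if that is intended.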
> @@ -223,13 +225,13 @@ CONFIG_SCHEDSTATS=y
>   # CONFIG_FTRACE is not set
>   CONFIG_XMON=y
>   CONFIG_XMON_DEFAULT=y
> +CONFIG_SECURITY=y
> +CONFIG_IMA=y
> +CONFIG_EVM=y
>   # CONFIG_CRYPTO_ECHAINIV is not set
>   CONFIG_CRYPTO_ECB=y
>   CONFIG_CRYPTO_CMAC=y
> -CONFIG_CRYPTO_HMAC=y
>   CONFIG_CRYPTO_MD4=y
> -CONFIG_CRYPTO_MD5=y
> -CONFIG_CRYPTO_SHA256=y
>   CONFIG_CRYPTO_ARC4=y
>   CONFIG_CRYPTO_DES=y
>   # CONFIG_CRYPTO_HW is not set
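Review bot: the three removals in this hunk (`-CONFIG_CRYPTO_HMAC=y`, `-CONFIG_CRYPTO_MD5=y`, `-CONFIG_CRYPTO_SHA256=y`) are savedefconfig dropping options that become implicit once CONFIG_IMA=y selects them, as worked out earlier in the thread; the commit message should state this, otherwise a later reader of the log sees hash algorithms disappearing from a security-related change. It is also worth noting in the message that CONFIG_SECURITY/CONFIG_IMA/CONFIG_EVM only compile the subsystems in: nothing is measured or appraised until an IMA policy is loaded, which this patch does not provide.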
>

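The thread's recurring problem is confirming that the generated .config really contains the option set agreed above, and that a driver did not silently end up as `=m`. The shell function below is an added example, not code from the thread or from op-build; it checks a .config for the required symbols and treats a module build as a failure, since skiroot boots from an initramfs. The sample .config fragment is constructed here to exercise both failure cases.

```shell
# Constructed sample .config fragment (not taken from the thread): one symbol
# is built as a module and one is missing, to exercise both failure cases.
SAMPLE_CONFIG="$(cat <<'EOF'
CONFIG_TCG_TPM=y
CONFIG_TCG_TIS_I2C_NUVOTON=m
CONFIG_SECURITY=y
CONFIG_IMA=y
# CONFIG_EVM is not set
CONFIG_CRYPTO_SHA256=y
EOF
)"

# check_config CONFIG_FILE SYMBOL...
# Prints one line per symbol that is not built in (=y) and returns the
# number of such symbols. A symbol set to =m is reported separately: a
# module-only driver is not present in the skiroot initramfs unless the
# modules are packed into it too.
check_config() {
    file=$1; shift
    bad=0
    for sym in "$@"; do
        if grep -q "^${sym}=y$" "$file"; then
            continue
        elif grep -q "^${sym}=m$" "$file"; then
            echo "$sym: built as module, expected =y"
        else
            echo "$sym: not set"
        fi
        bad=$((bad + 1))
    done
    return $bad
}

# Runs the check against the constructed sample; returns the number of
# symbols that failed (2 for the sample above).
check_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CONFIG" > "$tmp"
    if check_config "$tmp" CONFIG_TCG_TPM CONFIG_TCG_TIS_I2C_NUVOTON \
            CONFIG_SECURITY CONFIG_IMA CONFIG_EVM; then
        rc=0
    else
        rc=$?
    fi
    rm -f "$tmp"
    return $rc
}
```

Against a real tree, call `check_config output/build/linux-*/.config CONFIG_TCG_TPM ...` after `op-build linux-savedefconfig` and before copying the defconfig into openpower/configs/linux.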

