[OpenPower-Firmware] [PATCH] linux: CONFIGs to be enabled for secureboot
Nayna Jain
nayna at linux.ibm.com
Tue Jun 16 05:22:47 AEST 2020
This patch adds new skiroot CONFIGs as required for secureboot.
Signed-off-by: Nayna Jain <nayna at linux.ibm.com>
---
openpower/configs/linux/skiroot_defconfig | 35 +++++++++++++++++++++++
1 file changed, 35 insertions(+)
diff --git a/openpower/configs/linux/skiroot_defconfig b/openpower/configs/linux/skiroot_defconfig
index d0cda0e1..b6337165 100644
--- a/openpower/configs/linux/skiroot_defconfig
+++ b/openpower/configs/linux/skiroot_defconfig
@@ -312,3 +312,38 @@ CONFIG_DEBUG_CREDENTIALS=y
# CONFIG_RUNTIME_TESTING_MENU is not set
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_XMON=y
+
+#secureboot configs
+CONFIG_BUILD_BIN2C=y
+CONFIG_KEXEC_FILE=y
+CONFIG_ARCH_HAS_KEXEC_PURGATORY=y
+CONFIG_PPC_SECURE_BOOT=y
+CONFIG_PPC_SECVAR_SYSFS=y
+CONFIG_KEXEC_ELF=y
+CONFIG_HAVE_IMA_KEXEC=y
+CONFIG_SECURITY=y
+CONFIG_INTEGRITY=y
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+CONFIG_INTEGRITY_TRUSTED_KEYRING=y
+CONFIG_INTEGRITY_PLATFORM_KEYRING=y
+CONFIG_LOAD_PPC_KEYS=y
+CONFIG_IMA=y
+CONFIG_IMA_KEXEC=y
+CONFIG_IMA_MEASURE_PCR_IDX=10
+CONFIG_IMA_SIG_TEMPLATE=y
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
+CONFIG_IMA_DEFAULT_HASH="sha256"
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_APPRAISE=y
+CONFIG_IMA_ARCH_POLICY=y
+CONFIG_IMA_APPRAISE_MODSIG=y
+CONFIG_IMA_TRUSTED_KEYRING=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_SHA1=y
+CONFIG_SYSTEM_BLACKLIST_KEYRING=y
+CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
+CONFIG_SIGNATURE=y
+CONFIG_AUDIT=y
+CONFIG_INTEGRITY_AUDIT=y
--
2.17.1
More information about the OpenPower-Firmware
mailing list