commit | a4bd268a233db3443fd08f352f7527405177725d | |
---|---|---|
author | Joel Stanley <joel@jms.id.au> | Mon Jan 20 13:03:46 2020 +1000 |
committer | Joel Stanley <joel@jms.id.au> | Fri Jan 24 16:07:03 2020 +1030 |
tree | 6f511bb39eea2fbfd6331c365448148559cd181d | |
parent | f4126d99829d195c9cba20a871ebdd1a6f95586e | |
kernel: Enable security options

These options were posted on the linuxppc-dev mailing list[1]:

Note BUG_ON_DATA_CORRUPTION selects DEBUG_LIST and is essentially just a synonym for it.

DEBUG_SG, DEBUG_NOTIFIERS, DEBUG_LIST, DEBUG_CREDENTIALS and SCHED_STACK_END_CHECK should all be low overhead and just add a few extra checks.

Unselecting SLAB_MERGE_DEFAULT causes the SLAB to use more memory, but the skiroot kernel shouldn't be memory constrained on any of our systems; all it does is run a small bootloader.

SLAB_FREELIST_RANDOM and SLUB_DEBUG_ON will add some overhead to the SLAB allocator, but nothing that should be meaningful for skiroot.

Disable xmon default: if the skiroot kernel crashes we don't want it sitting at an xmon prompt forever. Instead it's more helpful to reboot and bring the boot loader back up, and if the crash was transient we can then boot successfully.

If we panic we should reboot, with a short timeout in case someone is watching the console.

Turn on HARDENED_USERCOPY with HARDENED_USERCOPY_PAGESPAN, and FORTIFY_SOURCE.

It also enables SECURITY_LOCKDOWN_LSM with _EARLY. MODULE_SIG is selected by lockdown, so it is still enabled.

Drop default n CONFIG_CRYPTO_ECHAINIV
Drop HID_LOGITECH
Drop NET_VENDOR_HP which moved to staging
NET_CADENCE became NET_VENDOR_CADENCE
Drop CONFIG_QLGE which moved to staging

[1] https://patchwork.ozlabs.org/project/linuxppc-dev/list/?series=153437

Note that this commit does not include the change to set LOCK_DOWN_KERNEL_FORCE_INTEGRITY, as this causes the kernel to lock down the kexec system call. kexec_file is enabled, and can be tested by manually running kexec with the -s option instead of -l. Integrity mode can then be enabled by setting the command line lockdown={integrity|confidentiality}.

```
nvram -p ibm,skiboot --update-config bootargs="lockdown=integrity"
```

Enabling FORCE_INTEGRITY in the kernel is deferred to a later date when petitboot has gained support for using kexec_file.
Signed-off-by: Joel Stanley <joel@jms.id.au>
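As an added example (not op-build code, and not part of the commit), the following POSIX shell script audits a built kernel's .config against the choices the commit message describes: the symbol names are taken from the message, CONFIG_PANIC_TIMEOUT is assumed to be the Kconfig symbol behind the "short timeout" it mentions, and the sample .config is constructed so the script runs offline.

```shell
# Added example, not op-build code: audit a kernel .config for the choices in
# this commit. CONFIG_PANIC_TIMEOUT is assumed to be the "short timeout" symbol.
# Options the commit enables (expected "=y")
WANT_Y="CONFIG_BUG_ON_DATA_CORRUPTION CONFIG_DEBUG_LIST CONFIG_DEBUG_SG
CONFIG_DEBUG_NOTIFIERS CONFIG_DEBUG_CREDENTIALS CONFIG_SCHED_STACK_END_CHECK
CONFIG_SLAB_FREELIST_RANDOM CONFIG_SLUB_DEBUG_ON CONFIG_HARDENED_USERCOPY
CONFIG_HARDENED_USERCOPY_PAGESPAN CONFIG_FORTIFY_SOURCE CONFIG_MODULE_SIG
CONFIG_SECURITY_LOCKDOWN_LSM CONFIG_SECURITY_LOCKDOWN_LSM_EARLY CONFIG_KEXEC_FILE"
# Options the commit leaves off: slab merging, xmon-on-crash, dropped drivers,
# and FORCE_INTEGRITY (deferred until petitboot can use kexec_file)
WANT_N="CONFIG_SLAB_MERGE_DEFAULT CONFIG_XMON_DEFAULT CONFIG_CRYPTO_ECHAINIV
CONFIG_HID_LOGITECH CONFIG_QLGE CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY"
# config_value FILE SYM: prints y, n (explicit "is not set") or nothing (absent)
config_value() {
    if grep -q "^$2=y\$" "$1"; then echo y
    elif grep -q "^# $2 is not set\$" "$1"; then echo n
    else :; fi
}
# audit_config FILE: one line per deviation on stdout; exit status = count
audit_config() {
    _fails=0
    for sym in $WANT_Y; do
        [ "$(config_value "$1" "$sym")" = y ] ||
            { echo "MISSING: $sym should be =y"; _fails=$((_fails + 1)); }
    done
    for sym in $WANT_N; do
        [ "$(config_value "$1" "$sym")" != y ] ||
            { echo "UNEXPECTED: $sym is enabled"; _fails=$((_fails + 1)); }
    done
    # A panic should reboot after a short positive delay: neither hang (0/unset)
    # nor reboot before anyone watching the console can read it (negative).
    _to=$(sed -n 's/^CONFIG_PANIC_TIMEOUT=//p' "$1")
    case "$_to" in
        ''|0|-*) echo "PANIC_TIMEOUT: want a positive value, got '${_to:-unset}'"
                 _fails=$((_fails + 1)) ;;
    esac
    return $_fails
}
# make_sample_config: constructed .config with two deviations (FORTIFY_SOURCE
# absent, SLAB_MERGE_DEFAULT still on); prints its path
make_sample_config() {
    _f=$(mktemp)
    for sym in $WANT_Y; do
        [ "$sym" = CONFIG_FORTIFY_SOURCE ] || echo "$sym=y"
    done >"$_f"
    printf '%s\n' 'CONFIG_SLAB_MERGE_DEFAULT=y' \
        '# CONFIG_XMON_DEFAULT is not set' 'CONFIG_PANIC_TIMEOUT=10' >>"$_f"
    echo "$_f"
}
audit_config "$(make_sample_config)" || echo "$? deviation(s) found"
```

Point the script at the .config of the skiroot kernel produced by a build to confirm the hardening options actually landed in the image.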
The OpenPOWER firmware build process uses Buildroot to create a toolchain and build the various components of the PNOR firmware, including Hostboot, Skiboot, OCC, Petitboot etc.
https://open-power.github.io/op-build/
See the doc/ directory for documentation source. Contributions are VERY welcome!
Issues, Milestones, pull requests and code hosting is on GitHub: https://github.com/open-power/op-build
See CONTRIBUTING.md for how to contribute code.
To build an image for a Palmetto system:
```
git clone --recursive git@github.com:open-power/op-build.git
cd op-build
./op-build palmetto_defconfig && ./op-build
```
There are also default configurations for other platforms in openpower/configs/. Current POWER8 platforms include Habanero, Firestone, and Garrison. Current POWER9 platforms include Witherspoon, Boston (p9dsu), Romulus, and Zaius.
Buildroot/op-build supports both native and cross-compilation: it will automatically download and build an appropriate toolchain as part of the build process, so you don't need to worry about setting up a cross-compiler. Cross-compiling from an x86-64 host is officially supported.
The machine you're building on will need Python 2.7, GCC 6.2 (or later), and a handful of other packages (see below).
Install Ubuntu (>= 18.04) or Debian (>= 9) 64-bit.
Enable Universe (Ubuntu only):
```
sudo apt-get install software-properties-common
sudo add-apt-repository universe
```
Install the packages necessary for the build:
```
sudo apt-get install cscope ctags libz-dev libexpat-dev \
    python language-pack-en texinfo \
    build-essential g++ git bison flex unzip \
    libssl-dev libxml-simple-perl libxml-sax-perl libxml-parser-perl libxml2-dev libxml2-utils xsltproc \
    wget bc rsync
```
Install Fedora (>= 25) 64-bit.
Install the packages necessary for the build:
```
sudo dnf install gcc-c++ flex bison git ctags cscope expat-devel patch \
    zlib-devel zlib-static texinfo perl-bignum "perl(XML::Simple)" \
    "perl(YAML)" "perl(XML::SAX)" "perl(Fatal)" "perl(Thread::Queue)" \
    "perl(Env)" "perl(XML::LibXML)" "perl(Digest::SHA1)" "perl(ExtUtils::MakeMaker)" \
    libxml2-devel which wget unzip tar cpio python bzip2 bc findutils ncurses-devel \
    openssl-devel make libxslt vim-common
```