Enable IMA in skiroot

This adds basic support for the Integrity Measurement Subsystem to the
skiroot kernel.

The changes to skiroot_defconfig are the kernel config options to enable IMA
and the basic security subsystem. The values were obtained by running a make
menuconfig, enabling IMA and the Nuvoton TPM driver, running a make defconfig,
then updating skiroot_defconfig with this result.

The changes to /etc/fstab ensure securityfs is mounted at boot.

Signed-off-by: Dave Heller <hellerda@us.ibm.com>

diff --git a/openpower/configs/linux/skiroot_defconfig b/openpower/configs/linux/skiroot_defconfig
index b76ecb8..231e55a 100644
--- a/openpower/configs/linux/skiroot_defconfig
+++ b/openpower/configs/linux/skiroot_defconfig
@@ -157,6 +157,7 @@
CONFIG_GEN_RTC=y
CONFIG_RAW_DRIVER=y
CONFIG_MAX_RAW_DEVS=1024
+CONFIG_TCG_TIS_I2C_NUVOTON=y
# CONFIG_I2C_COMPAT is not set
CONFIG_I2C_CHARDEV=y
# CONFIG_I2C_HELPER_AUTO is not set
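
Review bot: The added CONFIG_TCG_TIS_I2C_NUVOTON=y has no CONFIG_TCG_TPM line beside it in this hunk, so the Nuvoton driver depends on the TPM core being pulled in by something else. If that is CONFIG_IMA (added in the next hunk) selecting it, please say so in the commit message, and consider listing CONFIG_TCG_TPM=y explicitly so the TPM driver is not silently dropped from the build if IMA is ever turned off in this defconfig.
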
@@ -223,13 +224,13 @@
# CONFIG_FTRACE is not set
CONFIG_XMON=y
CONFIG_XMON_DEFAULT=y
+CONFIG_SECURITY=y
+CONFIG_IMA=y
+CONFIG_EVM=y
# CONFIG_CRYPTO_ECHAINIV is not set
CONFIG_CRYPTO_ECB=y
CONFIG_CRYPTO_CMAC=y
-CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_MD4=y
-CONFIG_CRYPTO_MD5=y
-CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_ARC4=y
CONFIG_CRYPTO_DES=y
# CONFIG_CRYPTO_HW is not set
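
Review bot: The removal of CONFIG_CRYPTO_HMAC=y, CONFIG_CRYPTO_MD5=y and CONFIG_CRYPTO_SHA256=y next to the new CONFIG_SECURITY, CONFIG_IMA and CONFIG_EVM lines is not explained in the commit message and reads as if these algorithms are being disabled. If they dropped out only because the regenerated defconfig treats them as implied by the new options, state that in the message and confirm they are still =y in the resulting .config; any other skiroot user of HMAC, MD5 or SHA256 would lose them if IMA or EVM were later removed. CONFIG_EVM=y also goes beyond what the message describes (IMA and the basic security subsystem), so either mention it there or leave it out of this change.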