| Message ID | 20230414132415.821564-6-mpe@ellerman.id.au (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | d892ed0420e20a6423a165fdebb228590ece5f95 |
| Headers | show |
| Series | [01/32] powerpc/configs/64s: Update defconfig for symbol movement | expand |
On Fri, 2023-04-14 at 23:23 +1000, Michael Ellerman wrote: > Add the numerous options required to get secure boot enabled. > > Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> > --- > arch/powerpc/configs/ppc64_defconfig | 17 ++++++++++++++++- > 1 file changed, 16 insertions(+), 1 deletion(-) > > diff --git a/arch/powerpc/configs/ppc64_defconfig > b/arch/powerpc/configs/ppc64_defconfig > index d98fe52a5892..f185adc128db 100644 > --- a/arch/powerpc/configs/ppc64_defconfig > +++ b/arch/powerpc/configs/ppc64_defconfig > @@ -54,6 +54,7 @@ CONFIG_CRASH_DUMP=y > CONFIG_FA_DUMP=y > CONFIG_IRQ_ALL_CPUS=y > CONFIG_SCHED_SMT=y > +CONFIG_PPC_SECURE_BOOT=y Can we add CONFIG_PPC_SECVAR_SYSFS=y as well? > CONFIG_VIRTUALIZATION=y > CONFIG_KVM_BOOK3S_64=m > CONFIG_KVM_BOOK3S_64_HV=m > @@ -335,13 +336,25 @@ CONFIG_NLS_CODEPAGE_437=y > CONFIG_NLS_ASCII=y > CONFIG_NLS_ISO8859_1=y > CONFIG_NLS_UTF8=y > +CONFIG_SECURITY=y > +CONFIG_SECURITY_LOCKDOWN_LSM=y > +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y > +CONFIG_INTEGRITY_SIGNATURE=y > +CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y > +CONFIG_INTEGRITY_PLATFORM_KEYRING=y > +CONFIG_IMA=y > +CONFIG_IMA_KEXEC=y > +CONFIG_IMA_DEFAULT_HASH_SHA256=y > +CONFIG_IMA_WRITE_POLICY=y > +CONFIG_IMA_APPRAISE=y > +CONFIG_IMA_ARCH_POLICY=y > +CONFIG_IMA_APPRAISE_MODSIG=y > CONFIG_CRYPTO_TEST=m > CONFIG_CRYPTO_BLOWFISH=m > CONFIG_CRYPTO_CAST6=m > CONFIG_CRYPTO_SERPENT=m > CONFIG_CRYPTO_TWOFISH=m > CONFIG_CRYPTO_PCBC=m > -CONFIG_CRYPTO_HMAC=y > CONFIG_CRYPTO_MICHAEL_MIC=m > CONFIG_CRYPTO_SHA256=y > CONFIG_CRYPTO_WP512=m > @@ -352,6 +365,8 @@ CONFIG_CRYPTO_SHA1_PPC=m > CONFIG_CRYPTO_DEV_NX=y > CONFIG_CRYPTO_DEV_NX_ENCRYPT=m > CONFIG_CRYPTO_DEV_VMX=y > +CONFIG_SYSTEM_TRUSTED_KEYRING=y > +CONFIG_SYSTEM_BLACKLIST_KEYRING=y > CONFIG_PRINTK_TIME=y > CONFIG_PRINTK_CALLER=y > CONFIG_DEBUG_KERNEL=y
Andrew Donnellan <ajd@linux.ibm.com> writes: > On Fri, 2023-04-14 at 23:23 +1000, Michael Ellerman wrote: >> Add the numerous options required to get secure boot enabled. >> >> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> >> --- >> arch/powerpc/configs/ppc64_defconfig | 17 ++++++++++++++++- >> 1 file changed, 16 insertions(+), 1 deletion(-) >> >> diff --git a/arch/powerpc/configs/ppc64_defconfig >> b/arch/powerpc/configs/ppc64_defconfig >> index d98fe52a5892..f185adc128db 100644 >> --- a/arch/powerpc/configs/ppc64_defconfig >> +++ b/arch/powerpc/configs/ppc64_defconfig >> @@ -54,6 +54,7 @@ CONFIG_CRASH_DUMP=y >> CONFIG_FA_DUMP=y >> CONFIG_IRQ_ALL_CPUS=y >> CONFIG_SCHED_SMT=y >> +CONFIG_PPC_SECURE_BOOT=y > > Can we add CONFIG_PPC_SECVAR_SYSFS=y as well? We can. But would it make more sense to just make PPC_SECVAR_SYSFS a hidden symbol? Is there really any reason someone would want to turn it off? cheers
On Mon, 2023-04-17 at 13:38 +1000, Michael Ellerman wrote: > > Can we add CONFIG_PPC_SECVAR_SYSFS=y as well? > > We can. > > But would it make more sense to just make PPC_SECVAR_SYSFS a hidden > symbol? Is there really any reason someone would want to turn it off? [+ Russell, Nayna, George] I think it's conceivable that you may want to build a kernel that has no ability for userspace to read/write to the key store at all as a defence in depth measure in hardened environments, but I haven't thought about this for more than 15 seconds, so opinions welcome.
diff --git a/arch/powerpc/configs/ppc64_defconfig b/arch/powerpc/configs/ppc64_defconfig index d98fe52a5892..f185adc128db 100644 --- a/arch/powerpc/configs/ppc64_defconfig +++ b/arch/powerpc/configs/ppc64_defconfig @@ -54,6 +54,7 @@ CONFIG_CRASH_DUMP=y CONFIG_FA_DUMP=y CONFIG_IRQ_ALL_CPUS=y CONFIG_SCHED_SMT=y +CONFIG_PPC_SECURE_BOOT=y CONFIG_VIRTUALIZATION=y CONFIG_KVM_BOOK3S_64=m CONFIG_KVM_BOOK3S_64_HV=m @@ -335,13 +336,25 @@ CONFIG_NLS_CODEPAGE_437=y CONFIG_NLS_ASCII=y CONFIG_NLS_ISO8859_1=y CONFIG_NLS_UTF8=y +CONFIG_SECURITY=y +CONFIG_SECURITY_LOCKDOWN_LSM=y +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y +CONFIG_INTEGRITY_SIGNATURE=y +CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y +CONFIG_INTEGRITY_PLATFORM_KEYRING=y +CONFIG_IMA=y +CONFIG_IMA_KEXEC=y +CONFIG_IMA_DEFAULT_HASH_SHA256=y +CONFIG_IMA_WRITE_POLICY=y +CONFIG_IMA_APPRAISE=y +CONFIG_IMA_ARCH_POLICY=y +CONFIG_IMA_APPRAISE_MODSIG=y CONFIG_CRYPTO_TEST=m CONFIG_CRYPTO_BLOWFISH=m CONFIG_CRYPTO_CAST6=m CONFIG_CRYPTO_SERPENT=m CONFIG_CRYPTO_TWOFISH=m CONFIG_CRYPTO_PCBC=m -CONFIG_CRYPTO_HMAC=y CONFIG_CRYPTO_MICHAEL_MIC=m CONFIG_CRYPTO_SHA256=y CONFIG_CRYPTO_WP512=m @@ -352,6 +365,8 @@ CONFIG_CRYPTO_SHA1_PPC=m CONFIG_CRYPTO_DEV_NX=y CONFIG_CRYPTO_DEV_NX_ENCRYPT=m CONFIG_CRYPTO_DEV_VMX=y +CONFIG_SYSTEM_TRUSTED_KEYRING=y +CONFIG_SYSTEM_BLACKLIST_KEYRING=y CONFIG_PRINTK_TIME=y CONFIG_PRINTK_CALLER=y CONFIG_DEBUG_KERNEL=y
Add the numerous options required to get secure boot enabled. Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> --- arch/powerpc/configs/ppc64_defconfig | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-)