------- Comment From [email protected] 2017-02-23 16:09 EDT -------
I've verified that the kernel config options we requested are in fact enabled in the Ubuntu 17.04 daily kernel. However, there are 2 problems for which I'll open separate bugs.

1. Some additional options that were not requested and should not be enabled were enabled:
   CONFIG_IMA_APPRAISE_SIGNED_INIT
   CONFIG_IMA_BLACKLIST_KEYRING
   CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
   CONFIG_IIMA_READ_POLICY
   CONFIG_IIMA_WRITE_POLICY

2. We've found that msleep() is buggy and causes excessive delays in TPM extend operations during bursts of measurements from IMA. Currently with IMA enabled by passing ima_tcb on the kernel command line, the kernel will not boot. We have a proof of concept patch that changes msleep() to usleep_ranged() in the Nuvoton I2C TPM device driver, which remedies the problem on our platform.

https://bugs.launchpad.net/bugs/1643652

Title:
  [17.04 FEAT] Build IMA and the TPM device drivers into the KVM on POWER host/NV kernel

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Won't Fix
Status in linux source package in Yakkety:
  Won't Fix
Status in linux source package in Zesty:
  Fix Released

Bug description:
  Update the kernel config such that the I2C TPM device drivers and their dependencies are built into the kernel so that IMA can start measuring from the first file the kernel loads from storage:

    CONFIG_TCG_TPM=y
    CONFIG_TCG_TIS_I2C_ATMEL=y
    CONFIG_TCG_TIS_I2C_INFINEON=y
    CONFIG_TCG_TIS_I2C_NUVOTON=y

  Also update IMA and EVM config options and their dependencies such that IMA and EVM are enabled:

    CONFIG_IMA=y
    CONFIG_IMA_MEASURE_PCR_IDX=10
    CONFIG_IMA_LSM_RULES=y
    CONFIG_IMA_SIG_TEMPLATE=y
    CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
    CONFIG_IMA_DEFAULT_HASH_SHA256=y
    CONFIG_IMA_DEFAULT_HASH="sha256"
    CONFIG_IMA_READ_POLICY=y
    CONFIG_IMA_APPRAISE=y
    CONFIG_IMA_TRUSTED_KEYRING=y
    CONFIG_IMA_LOAD_X509=y
    CONFIG_IMA_X509_PATH="y"
    CONFIG_EVM=y
    CONFIG_EVM_ATTR_FSUUID=y
    CONFIG_EVM_LOAD_X509=y
    CONFIG_EVM_X509_PATH="y"
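
An added example, not part of the bug report or of any Ubuntu tooling: a shell audit of a kernel config file against a subset of the options requested in the bug description, which also flags the first three options the comment lists as enabled without being requested. It reports a requested option built as a module (=m) separately, since the request is for built-in drivers. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Requested settings, copied from the bug description (subset).
REQUESTED='CONFIG_TCG_TPM=y
CONFIG_TCG_TIS_I2C_ATMEL=y
CONFIG_TCG_TIS_I2C_INFINEON=y
CONFIG_TCG_TIS_I2C_NUVOTON=y
CONFIG_IMA=y
CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
CONFIG_IMA_APPRAISE=y
CONFIG_EVM=y'
# First three options the comment reports as enabled but not requested.
UNREQUESTED='CONFIG_IMA_APPRAISE_SIGNED_INIT
CONFIG_IMA_BLACKLIST_KEYRING
CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY'

# audit_config FILE: print one finding per line; exit status = finding count.
audit_config() {
    cfg=$1; findings=0
    for want in $REQUESTED; do
        key=${want%%=*}
        have=$(grep "^${key}=" "$cfg" | head -n 1)
        [ "$have" = "$want" ] && continue
        if [ "$have" = "${key}=m" ]; then
            echo "MODULE   $key is =m, must be built in (=y)"
        elif [ -z "$have" ]; then
            echo "MISSING  $want"
        else
            echo "MISMATCH $have (wanted $want)"
        fi
        findings=$((findings + 1))
    done
    for key in $UNREQUESTED; do
        if grep -q "^${key}=[ym]" "$cfg"; then
            echo "EXTRA    $key is enabled but was not requested"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample config (not taken from a real Ubuntu kernel).
sample_config() {
    printf '%s\n' 'CONFIG_TCG_TPM=y' 'CONFIG_TCG_TIS_I2C_ATMEL=y' \
        'CONFIG_TCG_TIS_I2C_INFINEON=y' 'CONFIG_TCG_TIS_I2C_NUVOTON=m' \
        'CONFIG_IMA=y' 'CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"' \
        'CONFIG_IMA_APPRAISE=y' 'CONFIG_IMA_BLACKLIST_KEYRING=y' \
        '# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set'
}
# Usage: sh audit.sh /boot/config-$(uname -r)
if [ -n "${1:-}" ]; then audit_config "$1"; fi
```

Running `sample_config` into a file and auditing it gives four findings: one MODULE, one MISMATCH, one MISSING and one EXTRA.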

