Comment 5 for bug 1643652

bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2017-02-23 16:09 EDT-------
I've verified that the kernel config options we requested are in fact enabled in the Ubuntu 17.04 daily kernel. However, there are 2 problems for which I'll open separate bugs.

1. Some additional options that were not requested and should not be enabled were enabled:

CONFIG_IMA_APPRAISE_SIGNED_INIT
CONFIG_IMA_BLACKLIST_KEYRING
CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
CONFIG_IMA_READ_POLICY
CONFIG_IMA_WRITE_POLICY

2. We've found that msleep() is buggy and causes excessive delays in TPM extend operations during bursts of measurements from IMA. Currently with IMA enabled by passing ima_tcb on the kernel command line, the kernel will not boot. We have a proof of concept patch that changes msleep() to usleep_ranged() in the Nuvoton I2C TPM device driver, which remedies the problem on our platform.