[17.04 FEAT] Build IMA and the TPM device drivers into the KVM on POWER host/NV kernel
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | High | Tim Gardner |
Xenial | Won't Fix | Undecided | Tim Gardner |
Yakkety | Won't Fix | Undecided | Tim Gardner |
Zesty | Fix Released | High | Tim Gardner |
Bug Description
Update the kernel config such that the I2C TPM device drivers and their dependencies are built into the kernel so that IMA can start measuring from the first file the kernel loads from storage:
CONFIG_TCG_TPM=y
CONFIG_
CONFIG_
CONFIG_
Also update IMA and EVM config options and their dependencies such that IMA and EVM are enabled:
CONFIG_IMA=y
CONFIG_
CONFIG_
CONFIG_
CONFIG_
CONFIG_
CONFIG_
CONFIG_
CONFIG_
CONFIG_
CONFIG_
CONFIG_
CONFIG_EVM=y
CONFIG_
CONFIG_
CONFIG_
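One way to check a kernel config file against the built-in requirement in the description above. This is an added example, not part of the bug report or of Ubuntu's tooling. It checks only the three options the description spells out in full, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: report whether the options this bug names are built in (=y).
# A driver built as a module (=m) is itself loaded from storage, so it cannot
# be present when the kernel reads its first file.
REQUIRED_BUILTIN="CONFIG_TCG_TPM CONFIG_IMA CONFIG_EVM"

# kconfig_state FILE OPTION -> prints builtin | module | unset | value:<v>
kconfig_state() {
    file=$1 opt=$2
    # Anchor on "=" or " is not set" so CONFIG_IMA does not match CONFIG_IMA_*.
    line=$(grep -E "^(# )?${opt}(=| is not set)" "$file" | tail -n 1)
    case $line in
        "${opt}=y") echo builtin ;;
        "${opt}=m") echo module ;;
        "${opt}="*) echo "value:${line#*=}" ;;   # string or numeric option
        *)          echo unset ;;                # "is not set" or absent
    esac
}

# check_measured_boot_config FILE -> returns 0 only if every option is =y
check_measured_boot_config() {
    file=$1 rc=0
    for opt in $REQUIRED_BUILTIN; do
        state=$(kconfig_state "$file" "$opt")
        printf '%-16s %s\n' "$opt" "$state"
        [ "$state" = builtin ] || rc=1
    done
    return $rc
}

# Constructed sample config: TPM core as a module, IMA built in, EVM off.
sample_config() {
cat <<'EOF'
CONFIG_TCG_TPM=m
CONFIG_IMA=y
CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
# CONFIG_EVM is not set
EOF
}

# Usage: sh check.sh /boot/config-$(uname -r)
if [ $# -gt 0 ]; then check_measured_boot_config "$1"; fi
```
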
tags: | added: architecture-ppc64le bugnameltc-148911 severity-critical targetmilestone-inin1704 |
Changed in ubuntu: | |
assignee: | nobody → Taco Screen team (taco-screen-team) |
affects: | ubuntu → linux (Ubuntu) |
Changed in linux (Ubuntu): | |
assignee: | Taco Screen team (taco-screen-team) → Canonical Kernel Team (canonical-kernel-team) |
importance: | Undecided → High |
status: | New → Triaged |
Changed in linux (Ubuntu Xenial): | |
assignee: | nobody → Tim Gardner (timg-tpi) |
status: | New → In Progress |
Changed in linux (Ubuntu Yakkety): | |
assignee: | nobody → Tim Gardner (timg-tpi) |
status: | New → In Progress |
Changed in linux (Ubuntu Zesty): | |
assignee: | Canonical Kernel Team (canonical-kernel-team) → Tim Gardner (timg-tpi) |
status: | Triaged → Fix Committed |
How should I set IMA_APPRAISE_SIGNED_INIT? (y/n)
The X509 paths do not appear to be correct, so I've changed them to
CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der" EVM_X509_PATH="/etc/keys/x509_evm.der"
CONFIG_