author Dave Heller <hellerda@us.ibm.com> 2016-06-05 16:39:56 -0400
committer Dave Heller <hellerda@us.ibm.com> 2016-06-05 16:39:56 -0400
commit a541bf744d1e1ddf8f30c7848775da5a6f0a3782
tree 401456bf39349a3443fcb8d2ef676f7e012aeba2 /openpower
parent a24eb9843bf0b0f8789042bbc00c464e914e727c
Enable IMA in skiroot
This adds basic support for the Integrity Measurement Subsystem to the skiroot kernel. The changes to skiroot_defconfig are the kernel config options to enable IMA and the basic security subsystem. The values were obtained by running a make menuconfig, enabling IMA and the Nuvoton TPM driver, running a make defconfig, then updating skiroot_defconfig with this result. The changes to /etc/fstab ensure securityfs is mounted at boot.

Signed-off-by: Dave Heller <hellerda@us.ibm.com>
Diffstat (limited to 'openpower')
-rw-r--r-- openpower/configs/linux/skiroot_defconfig 7
-rw-r--r-- openpower/overlay/etc/fstab 1
2 files changed, 5 insertions, 3 deletions
diff --git a/openpower/configs/linux/skiroot_defconfig b/openpower/configs/linux/skiroot_defconfig
index b76ecb86..231e55a5 100644
--- a/openpower/configs/linux/skiroot_defconfig
+++ b/openpower/configs/linux/skiroot_defconfig
@@ -157,6 +157,7 @@ CONFIG_HW_RANDOM=y
CONFIG_GEN_RTC=y
CONFIG_RAW_DRIVER=y
CONFIG_MAX_RAW_DEVS=1024
+CONFIG_TCG_TIS_I2C_NUVOTON=y
# CONFIG_I2C_COMPAT is not set
CONFIG_I2C_CHARDEV=y
# CONFIG_I2C_HELPER_AUTO is not set
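Review bot: CONFIG_TCG_TIS_I2C_NUVOTON=y is added here with no CONFIG_TCG_TPM line visible anywhere in the patch, so the TPM core is only enabled if another option selects it. Please confirm the generated .config ends up with CONFIG_TCG_TPM=y and name the option that pulls it in in the commit message, so that a later config change does not silently drop the TPM driver along with it. Building the driver in (=y rather than =m) looks right for this use, since IMA needs the TPM present when it initializes.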
@@ -223,13 +224,13 @@ CONFIG_SCHEDSTATS=y
# CONFIG_FTRACE is not set
CONFIG_XMON=y
CONFIG_XMON_DEFAULT=y
+CONFIG_SECURITY=y
+CONFIG_IMA=y
+CONFIG_EVM=y
# CONFIG_CRYPTO_ECHAINIV is not set
CONFIG_CRYPTO_ECB=y
CONFIG_CRYPTO_CMAC=y
-CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_MD4=y
-CONFIG_CRYPTO_MD5=y
-CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_ARC4=y
CONFIG_CRYPTO_DES=y
# CONFIG_CRYPTO_HW is not set
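Review bot: the removals of CONFIG_CRYPTO_HMAC, CONFIG_CRYPTO_MD5 and CONFIG_CRYPTO_SHA256 are not explained in the commit message, and CONFIG_EVM=y is added although the message only talks about IMA. If those crypto lines dropped out of the minimized defconfig because the new integrity options now select them, they will disappear from the kernel again if IMA or EVM is ever turned off; either keep the explicit lines or document the dependency in the message. Please also state whether EVM is intended, and note that this hunk sets no IMA hash or policy options, so whatever the kernel defaults to is what skiroot will measure with.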
diff --git a/openpower/overlay/etc/fstab b/openpower/overlay/etc/fstab
index d373dc6b..ece6d843 100644
--- a/openpower/overlay/etc/fstab
+++ b/openpower/overlay/etc/fstab
@@ -4,3 +4,4 @@ proc /proc proc defaults 0 0
devpts /dev/pts devpts defaults,gid=5,mode=620 0 0
tmpfs /dev/shm tmpfs mode=0777 0 0
sysfs /sys sysfs defaults 0 0
+securityfs /sys/kernel/security securityfs defaults 0 0
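Review bot: the new securityfs line mounts with `defaults`; consider `nosuid,nodev,noexec`, since nothing under /sys/kernel/security needs device nodes, setuid bits or execution. The neighbouring proc and sysfs entries use `defaults` as well, so tightening all three could be a follow-up rather than a blocker for this patch.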