On Fri, 2023-04-14 at 23:23 +1000, Michael Ellerman wrote: > Add the numerous options required to get secure boot enabled. > > Signed-off-by: Michael Ellerman <m...@ellerman.id.au> > --- > arch/powerpc/configs/ppc64_defconfig | 17 ++++++++++++++++- > 1 file changed, 16 insertions(+), 1 deletion(-) > > diff --git a/arch/powerpc/configs/ppc64_defconfig > b/arch/powerpc/configs/ppc64_defconfig > index d98fe52a5892..f185adc128db 100644 > --- a/arch/powerpc/configs/ppc64_defconfig > +++ b/arch/powerpc/configs/ppc64_defconfig > @@ -54,6 +54,7 @@ CONFIG_CRASH_DUMP=y > CONFIG_FA_DUMP=y > CONFIG_IRQ_ALL_CPUS=y > CONFIG_SCHED_SMT=y > +CONFIG_PPC_SECURE_BOOT=y
Can we add CONFIG_PPC_SECVAR_SYSFS=y as well? > CONFIG_VIRTUALIZATION=y > CONFIG_KVM_BOOK3S_64=m > CONFIG_KVM_BOOK3S_64_HV=m > @@ -335,13 +336,25 @@ CONFIG_NLS_CODEPAGE_437=y > CONFIG_NLS_ASCII=y > CONFIG_NLS_ISO8859_1=y > CONFIG_NLS_UTF8=y > +CONFIG_SECURITY=y > +CONFIG_SECURITY_LOCKDOWN_LSM=y > +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y > +CONFIG_INTEGRITY_SIGNATURE=y > +CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y > +CONFIG_INTEGRITY_PLATFORM_KEYRING=y > +CONFIG_IMA=y > +CONFIG_IMA_KEXEC=y > +CONFIG_IMA_DEFAULT_HASH_SHA256=y > +CONFIG_IMA_WRITE_POLICY=y > +CONFIG_IMA_APPRAISE=y > +CONFIG_IMA_ARCH_POLICY=y > +CONFIG_IMA_APPRAISE_MODSIG=y > CONFIG_CRYPTO_TEST=m > CONFIG_CRYPTO_BLOWFISH=m > CONFIG_CRYPTO_CAST6=m > CONFIG_CRYPTO_SERPENT=m > CONFIG_CRYPTO_TWOFISH=m > CONFIG_CRYPTO_PCBC=m > -CONFIG_CRYPTO_HMAC=y > CONFIG_CRYPTO_MICHAEL_MIC=m > CONFIG_CRYPTO_SHA256=y > CONFIG_CRYPTO_WP512=m > @@ -352,6 +365,8 @@ CONFIG_CRYPTO_SHA1_PPC=m > CONFIG_CRYPTO_DEV_NX=y > CONFIG_CRYPTO_DEV_NX_ENCRYPT=m > CONFIG_CRYPTO_DEV_VMX=y > +CONFIG_SYSTEM_TRUSTED_KEYRING=y > +CONFIG_SYSTEM_BLACKLIST_KEYRING=y > CONFIG_PRINTK_TIME=y > CONFIG_PRINTK_CALLER=y > CONFIG_DEBUG_KERNEL=y -- Andrew Donnellan OzLabs, ADL Canberra a...@linux.ibm.com IBM Australia Limited