
[B-OEM-OSP1,SRU,1/1] UBUNTU: [Config]: enable CONFIG_RANDOM_TRUST_CPU

Message ID 20190516032250.29640-2-po-hsu.lin@canonical.com
State Accepted

Commit Message

Po-Hsu Lin May 16, 2019, 3:22 a.m. UTC
BugLink: https://bugs.launchpad.net/bugs/1828173

Enable the RANDOM_TRUST_CPU config to meet security team's requirement
for kernel starting from 5.0.0.

Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
---
 debian.oem-osp1/config/annotations          | 2 +-
 debian.oem-osp1/config/config.common.ubuntu | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Comments

Tyler Hicks May 16, 2019, 5:31 p.m. UTC | #1
On 2019-05-16 11:22:50, Po-Hsu Lin wrote:
> BugLink: https://bugs.launchpad.net/bugs/1828173
> 
> Enable the RANDOM_TRUST_CPU config to meet security team's requirement
> for kernel starting from 5.0.0.
> 
> Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>

Acked-by: Tyler Hicks <tyhicks@canonical.com>

Tyler

> ---
>  debian.oem-osp1/config/annotations          | 2 +-
>  debian.oem-osp1/config/config.common.ubuntu | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/debian.oem-osp1/config/annotations b/debian.oem-osp1/config/annotations
> index 72ab142..37015dd 100644
> --- a/debian.oem-osp1/config/annotations
> +++ b/debian.oem-osp1/config/annotations
> @@ -455,7 +455,7 @@ CONFIG_CRYPTO_DRBG_HASH                         policy<{'amd64': 'y', 'arm64': '
>  CONFIG_CRYPTO_DRBG_CTR                          policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
>  
>  # Menu: Device Drivers
> -CONFIG_RANDOM_TRUST_CPU                         policy<{'amd64': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
> +CONFIG_RANDOM_TRUST_CPU                         policy<{'amd64': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
>  CONFIG_CHARLCD                                  policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'i386': 'm', 'ppc64el': 'm'}>
>  CONFIG_THUNDERBOLT                              policy<{'amd64': 'm', 'i386': 'm'}>
>  CONFIG_TEE                                      policy<{'arm64': 'm', 'armhf': 'm'}>
> diff --git a/debian.oem-osp1/config/config.common.ubuntu b/debian.oem-osp1/config/config.common.ubuntu
> index e819cb1..c476f48 100644
> --- a/debian.oem-osp1/config/config.common.ubuntu
> +++ b/debian.oem-osp1/config/config.common.ubuntu
> @@ -5604,7 +5604,7 @@ CONFIG_RAID_ATTRS=m
>  CONFIG_RANDOMIZE_BASE=y
>  CONFIG_RANDOMIZE_MEMORY=y
>  CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa
> -# CONFIG_RANDOM_TRUST_CPU is not set
> +CONFIG_RANDOM_TRUST_CPU=y
>  CONFIG_RAPIDIO=y
>  CONFIG_RAPIDIO_CHMAN=m
>  CONFIG_RAPIDIO_CPS_GEN2=m
> -- 
> 2.7.4
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Timo Aaltonen May 24, 2019, 12:52 p.m. UTC | #2
On 16.5.2019 6.22, Po-Hsu Lin wrote:
> BugLink: https://bugs.launchpad.net/bugs/1828173
> 
> Enable the RANDOM_TRUST_CPU config to meet security team's requirement
> for kernel starting from 5.0.0.
> 
> Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
> ---
>  debian.oem-osp1/config/annotations          | 2 +-
>  debian.oem-osp1/config/config.common.ubuntu | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/debian.oem-osp1/config/annotations b/debian.oem-osp1/config/annotations
> index 72ab142..37015dd 100644
> --- a/debian.oem-osp1/config/annotations
> +++ b/debian.oem-osp1/config/annotations
> @@ -455,7 +455,7 @@ CONFIG_CRYPTO_DRBG_HASH                         policy<{'amd64': 'y', 'arm64': '
>  CONFIG_CRYPTO_DRBG_CTR                          policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
>  
>  # Menu: Device Drivers
> -CONFIG_RANDOM_TRUST_CPU                         policy<{'amd64': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
> +CONFIG_RANDOM_TRUST_CPU                         policy<{'amd64': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
>  CONFIG_CHARLCD                                  policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'i386': 'm', 'ppc64el': 'm'}>
>  CONFIG_THUNDERBOLT                              policy<{'amd64': 'm', 'i386': 'm'}>
>  CONFIG_TEE                                      policy<{'arm64': 'm', 'armhf': 'm'}>
> diff --git a/debian.oem-osp1/config/config.common.ubuntu b/debian.oem-osp1/config/config.common.ubuntu
> index e819cb1..c476f48 100644
> --- a/debian.oem-osp1/config/config.common.ubuntu
> +++ b/debian.oem-osp1/config/config.common.ubuntu
> @@ -5604,7 +5604,7 @@ CONFIG_RAID_ATTRS=m
>  CONFIG_RANDOMIZE_BASE=y
>  CONFIG_RANDOMIZE_MEMORY=y
>  CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa
> -# CONFIG_RANDOM_TRUST_CPU is not set
> +CONFIG_RANDOM_TRUST_CPU=y
>  CONFIG_RAPIDIO=y
>  CONFIG_RAPIDIO_CHMAN=m
>  CONFIG_RAPIDIO_CPS_GEN2=m
> 

thanks, applied to oem-next.. I wonder if there's a tool to catch these?
Po-Hsu Lin May 28, 2019, 11:35 a.m. UTC | #3
On Fri, May 24, 2019 at 8:52 PM Timo Aaltonen <tjaalton@ubuntu.com> wrote:
>
> On 16.5.2019 6.22, Po-Hsu Lin wrote:
> > BugLink: https://bugs.launchpad.net/bugs/1828173
> >
> > Enable the RANDOM_TRUST_CPU config to meet security team's requirement
> > for kernel starting from 5.0.0.
> >
> > Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
> > ---
> >  debian.oem-osp1/config/annotations          | 2 +-
> >  debian.oem-osp1/config/config.common.ubuntu | 2 +-
> >  2 files changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/debian.oem-osp1/config/annotations b/debian.oem-osp1/config/annotations
> > index 72ab142..37015dd 100644
> > --- a/debian.oem-osp1/config/annotations
> > +++ b/debian.oem-osp1/config/annotations
> > @@ -455,7 +455,7 @@ CONFIG_CRYPTO_DRBG_HASH                         policy<{'amd64': 'y', 'arm64': '
> >  CONFIG_CRYPTO_DRBG_CTR                          policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
> >
> >  # Menu: Device Drivers
> > -CONFIG_RANDOM_TRUST_CPU                         policy<{'amd64': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
> > +CONFIG_RANDOM_TRUST_CPU                         policy<{'amd64': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
> >  CONFIG_CHARLCD                                  policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'i386': 'm', 'ppc64el': 'm'}>
> >  CONFIG_THUNDERBOLT                              policy<{'amd64': 'm', 'i386': 'm'}>
> >  CONFIG_TEE                                      policy<{'arm64': 'm', 'armhf': 'm'}>
> > diff --git a/debian.oem-osp1/config/config.common.ubuntu b/debian.oem-osp1/config/config.common.ubuntu
> > index e819cb1..c476f48 100644
> > --- a/debian.oem-osp1/config/config.common.ubuntu
> > +++ b/debian.oem-osp1/config/config.common.ubuntu
> > @@ -5604,7 +5604,7 @@ CONFIG_RAID_ATTRS=m
> >  CONFIG_RANDOMIZE_BASE=y
> >  CONFIG_RANDOMIZE_MEMORY=y
> >  CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa
> > -# CONFIG_RANDOM_TRUST_CPU is not set
> > +CONFIG_RANDOM_TRUST_CPU=y
> >  CONFIG_RAPIDIO=y
> >  CONFIG_RAPIDIO_CHMAN=m
> >  CONFIG_RAPIDIO_CPS_GEN2=m
> >
>
> thanks, applied to oem-next.. I wonder if there's a tool to catch these?
>

We run the test-kernel-security.py for this from qa-regression-testing,
which can be obtained from git://git.launchpad.net/qa-regression-testing

Or if you want this to be handled with the autotest framework like in
the SRU regression-testing:

sudo apt-get install git python-minimal python-yaml gdb -y
git clone --depth=1 git://kernel.ubuntu.com/ubuntu/autotest-client-tests
git clone --depth=1 git://kernel.ubuntu.com/ubuntu/autotest
rm -fr autotest/client/tests
ln -sf ~/autotest-client-tests autotest/client/tests
AUTOTEST_PATH=/home/ubuntu/autotest sudo -E \
    autotest/client/autotest-local --verbose \
    autotest/client/tests/ubuntu_qrt_kernel_security/control

> --
> t
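
A minimal static check for the question raised in this thread, comparing a config file against the `policy<{...}>` lines in an annotations file for one architecture. This is an added example, not test-kernel-security.py or any Ubuntu tooling; the function names and the sample inputs are assumptions constructed from the two files the patch touches.

```python
import ast
import re

# Constructed sample input, modelled on the two files changed by the patch.
ANNOTATIONS = """\
# Menu: Device Drivers
CONFIG_RANDOM_TRUST_CPU                         policy<{'amd64': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
CONFIG_THUNDERBOLT                              policy<{'amd64': 'm', 'i386': 'm'}>
"""
CONFIG_STALE = """\
CONFIG_RANDOMIZE_BASE=y
# CONFIG_RANDOM_TRUST_CPU is not set
CONFIG_THUNDERBOLT=m
"""
CONFIG_FIXED = CONFIG_STALE.replace("# CONFIG_RANDOM_TRUST_CPU is not set", "CONFIG_RANDOM_TRUST_CPU=y")

POLICY_RE = re.compile(r"^(CONFIG_\w+)\s+policy<(\{.*?\})>")
SET_RE = re.compile(r"^(CONFIG_\w+)=(.*)$")
UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_annotations(text):
    """Return {option: {arch: value}} from policy<{...}> lines."""
    policies = {}
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            # The policy body is a Python dict literal; literal_eval never executes code.
            policies[m.group(1)] = ast.literal_eval(m.group(2))
    return policies

def parse_config(text):
    """Return {option: value}; '# CONFIG_X is not set' is recorded as 'n'."""
    values = {}
    for line in text.splitlines():
        m = SET_RE.match(line)
        u = UNSET_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
        elif u:
            values[u.group(1)] = "n"
    return values

def mismatches(annotations, config, arch):
    """List (option, expected, actual) where config disagrees with the policy for arch."""
    cfg = parse_config(config)
    out = []
    for opt, policy in sorted(parse_annotations(annotations).items()):
        # Options with no policy for this arch are skipped; an absent option counts as 'n'.
        if arch in policy and cfg.get(opt, "n") != policy[arch]:
            out.append((opt, policy[arch], cfg.get(opt, "n")))
    return out
```
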

Patch

diff --git a/debian.oem-osp1/config/annotations b/debian.oem-osp1/config/annotations
index 72ab142..37015dd 100644
--- a/debian.oem-osp1/config/annotations
+++ b/debian.oem-osp1/config/annotations
@@ -455,7 +455,7 @@  CONFIG_CRYPTO_DRBG_HASH                         policy<{'amd64': 'y', 'arm64': '
 CONFIG_CRYPTO_DRBG_CTR                          policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 
 # Menu: Device Drivers
-CONFIG_RANDOM_TRUST_CPU                         policy<{'amd64': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
+CONFIG_RANDOM_TRUST_CPU                         policy<{'amd64': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_CHARLCD                                  policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'i386': 'm', 'ppc64el': 'm'}>
 CONFIG_THUNDERBOLT                              policy<{'amd64': 'm', 'i386': 'm'}>
 CONFIG_TEE                                      policy<{'arm64': 'm', 'armhf': 'm'}>
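
Review bot: The changed CONFIG_RANDOM_TRUST_CPU policy line records the new value but not the reason for it, so nothing in the annotations file shows that 'y' is a security-team requirement tracked in LP: #1828173 rather than an arbitrary choice. Consider attaching a note to this entry that references the bug, and, if this tree's annotations tooling supports marking an option as enforced, marking it so that a later config update that flips it back to 'n' fails the config check at build time instead of being found afterwards by regression testing.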
diff --git a/debian.oem-osp1/config/config.common.ubuntu b/debian.oem-osp1/config/config.common.ubuntu
index e819cb1..c476f48 100644
--- a/debian.oem-osp1/config/config.common.ubuntu
+++ b/debian.oem-osp1/config/config.common.ubuntu
@@ -5604,7 +5604,7 @@  CONFIG_RAID_ATTRS=m
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MEMORY=y
 CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa
-# CONFIG_RANDOM_TRUST_CPU is not set
+CONFIG_RANDOM_TRUST_CPU=y
 CONFIG_RAPIDIO=y
 CONFIG_RAPIDIO_CHMAN=m
 CONFIG_RAPIDIO_CPS_GEN2=m
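
Review bot: At "+CONFIG_RANDOM_TRUST_CPU=y" the commit message justifies the flip only as a security team requirement and does not say what changes at runtime: with this option set, the kernel trusts the CPU vendor's hardware RNG (RDRAND/RDSEED on x86) to initialize the CRNG at boot. Stating that in the commit message would document the trust decision being made, and it is worth mentioning there that the built-in default can still be overridden per machine with the random.trust_cpu= boot parameter, so users who do not want to rely on the CPU RNG know the opt-out exists.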