Message ID | 20190516032250.29640-2-po-hsu.lin@canonical.com |
---|---|
State | Accepted |
Headers | show |
Series | [B-OEM-OSP1,SRU,1/1] UBUNTU: [Config]: enableCONFIG_RANDOM_TRUST_CPU | expand |
On 2019-05-16 11:22:50, Po-Hsu Lin wrote: > BugLink: https://bugs.launchpad.net/bugs/1828173 > > Enable the RANDOM_TRUST_CPU config to met security team's requirement > for kernel starting from 5.0.0. > > Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com> Acked-by: Tyler Hicks <tyhicks@canonical.com> Tyler > --- > debian.oem-osp1/config/annotations | 2 +- > debian.oem-osp1/config/config.common.ubuntu | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/debian.oem-osp1/config/annotations b/debian.oem-osp1/config/annotations > index 72ab142..37015dd 100644 > --- a/debian.oem-osp1/config/annotations > +++ b/debian.oem-osp1/config/annotations > @@ -455,7 +455,7 @@ CONFIG_CRYPTO_DRBG_HASH policy<{'amd64': 'y', 'arm64': ' > CONFIG_CRYPTO_DRBG_CTR policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> > > # Menu: Device Drivers > -CONFIG_RANDOM_TRUST_CPU policy<{'amd64': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> > +CONFIG_RANDOM_TRUST_CPU policy<{'amd64': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> > CONFIG_CHARLCD policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'i386': 'm', 'ppc64el': 'm'}> > CONFIG_THUNDERBOLT policy<{'amd64': 'm', 'i386': 'm'}> > CONFIG_TEE policy<{'arm64': 'm', 'armhf': 'm'}> > diff --git a/debian.oem-osp1/config/config.common.ubuntu b/debian.oem-osp1/config/config.common.ubuntu > index e819cb1..c476f48 100644 > --- a/debian.oem-osp1/config/config.common.ubuntu > +++ b/debian.oem-osp1/config/config.common.ubuntu > @@ -5604,7 +5604,7 @@ CONFIG_RAID_ATTRS=m > CONFIG_RANDOMIZE_BASE=y > CONFIG_RANDOMIZE_MEMORY=y > CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa > -# CONFIG_RANDOM_TRUST_CPU is not set > +CONFIG_RANDOM_TRUST_CPU=y > CONFIG_RAPIDIO=y > CONFIG_RAPIDIO_CHMAN=m > CONFIG_RAPIDIO_CPS_GEN2=m > -- > 2.7.4 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
On 16.5.2019 6.22, Po-Hsu Lin wrote: > BugLink: https://bugs.launchpad.net/bugs/1828173 > > Enable the RANDOM_TRUST_CPU config to met security team's requirement > for kernel starting from 5.0.0. > > Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com> > --- > debian.oem-osp1/config/annotations | 2 +- > debian.oem-osp1/config/config.common.ubuntu | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/debian.oem-osp1/config/annotations b/debian.oem-osp1/config/annotations > index 72ab142..37015dd 100644 > --- a/debian.oem-osp1/config/annotations > +++ b/debian.oem-osp1/config/annotations > @@ -455,7 +455,7 @@ CONFIG_CRYPTO_DRBG_HASH policy<{'amd64': 'y', 'arm64': ' > CONFIG_CRYPTO_DRBG_CTR policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> > > # Menu: Device Drivers > -CONFIG_RANDOM_TRUST_CPU policy<{'amd64': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> > +CONFIG_RANDOM_TRUST_CPU policy<{'amd64': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> > CONFIG_CHARLCD policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'i386': 'm', 'ppc64el': 'm'}> > CONFIG_THUNDERBOLT policy<{'amd64': 'm', 'i386': 'm'}> > CONFIG_TEE policy<{'arm64': 'm', 'armhf': 'm'}> > diff --git a/debian.oem-osp1/config/config.common.ubuntu b/debian.oem-osp1/config/config.common.ubuntu > index e819cb1..c476f48 100644 > --- a/debian.oem-osp1/config/config.common.ubuntu > +++ b/debian.oem-osp1/config/config.common.ubuntu > @@ -5604,7 +5604,7 @@ CONFIG_RAID_ATTRS=m > CONFIG_RANDOMIZE_BASE=y > CONFIG_RANDOMIZE_MEMORY=y > CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa > -# CONFIG_RANDOM_TRUST_CPU is not set > +CONFIG_RANDOM_TRUST_CPU=y > CONFIG_RAPIDIO=y > CONFIG_RAPIDIO_CHMAN=m > CONFIG_RAPIDIO_CPS_GEN2=m > thanks, applied to oem-next.. I wonder if there's a tool to catch these?
On Fri, May 24, 2019 at 8:52 PM Timo Aaltonen <tjaalton@ubuntu.com> wrote: > > On 16.5.2019 6.22, Po-Hsu Lin wrote: > > BugLink: https://bugs.launchpad.net/bugs/1828173 > > > > Enable the RANDOM_TRUST_CPU config to met security team's requirement > > for kernel starting from 5.0.0. > > > > Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com> > > --- > > debian.oem-osp1/config/annotations | 2 +- > > debian.oem-osp1/config/config.common.ubuntu | 2 +- > > 2 files changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/debian.oem-osp1/config/annotations b/debian.oem-osp1/config/annotations > > index 72ab142..37015dd 100644 > > --- a/debian.oem-osp1/config/annotations > > +++ b/debian.oem-osp1/config/annotations > > @@ -455,7 +455,7 @@ CONFIG_CRYPTO_DRBG_HASH policy<{'amd64': 'y', 'arm64': ' > > CONFIG_CRYPTO_DRBG_CTR policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> > > > > # Menu: Device Drivers > > -CONFIG_RANDOM_TRUST_CPU policy<{'amd64': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> > > +CONFIG_RANDOM_TRUST_CPU policy<{'amd64': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> > > CONFIG_CHARLCD policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'i386': 'm', 'ppc64el': 'm'}> > > CONFIG_THUNDERBOLT policy<{'amd64': 'm', 'i386': 'm'}> > > CONFIG_TEE policy<{'arm64': 'm', 'armhf': 'm'}> > > diff --git a/debian.oem-osp1/config/config.common.ubuntu b/debian.oem-osp1/config/config.common.ubuntu > > index e819cb1..c476f48 100644 > > --- a/debian.oem-osp1/config/config.common.ubuntu > > +++ b/debian.oem-osp1/config/config.common.ubuntu > > @@ -5604,7 +5604,7 @@ CONFIG_RAID_ATTRS=m > > CONFIG_RANDOMIZE_BASE=y > > CONFIG_RANDOMIZE_MEMORY=y > > CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa > > -# CONFIG_RANDOM_TRUST_CPU is not set > > +CONFIG_RANDOM_TRUST_CPU=y > > CONFIG_RAPIDIO=y > > CONFIG_RAPIDIO_CHMAN=m > > CONFIG_RAPIDIO_CPS_GEN2=m > > > > thanks, applied to oem-next.. I wonder if there's a tool to catch these? > We run the test-kernel-security.py for this from qa-regression-testing, which can be obtained from git://git.launchpad.net/qa-regression-testing Or if you want this to be handled with the autotest framework like in the SRU regression-testing: sudo apt-get install git python-minimal python-yaml gdb -y git clone --depth=1 git://kernel.ubuntu.com/ubuntu/autotest-client-tests git clone --depth=1 git://kernel.ubuntu.com/ubuntu/autotest rm -fr autotest/client/tests ln -sf ~/autotest-client-tests autotest/client/tests AUTOTEST_PATH=/home/ubuntu/autotest sudo -E autotest/client/autotest-local --verbose autotest/client/tests/ubuntu_qrt_kernel_security/control > -- > t
diff --git a/debian.oem-osp1/config/annotations b/debian.oem-osp1/config/annotations index 72ab142..37015dd 100644 --- a/debian.oem-osp1/config/annotations +++ b/debian.oem-osp1/config/annotations @@ -455,7 +455,7 @@ CONFIG_CRYPTO_DRBG_HASH policy<{'amd64': 'y', 'arm64': ' CONFIG_CRYPTO_DRBG_CTR policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> # Menu: Device Drivers -CONFIG_RANDOM_TRUST_CPU policy<{'amd64': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}> +CONFIG_RANDOM_TRUST_CPU policy<{'amd64': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_CHARLCD policy<{'amd64': 'm', 'arm64': 'm', 'armhf': 'm', 'i386': 'm', 'ppc64el': 'm'}> CONFIG_THUNDERBOLT policy<{'amd64': 'm', 'i386': 'm'}> CONFIG_TEE policy<{'arm64': 'm', 'armhf': 'm'}> diff --git a/debian.oem-osp1/config/config.common.ubuntu b/debian.oem-osp1/config/config.common.ubuntu index e819cb1..c476f48 100644 --- a/debian.oem-osp1/config/config.common.ubuntu +++ b/debian.oem-osp1/config/config.common.ubuntu @@ -5604,7 +5604,7 @@ CONFIG_RAID_ATTRS=m CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MEMORY=y CONFIG_RANDOMIZE_MEMORY_PHYSICAL_PADDING=0xa -# CONFIG_RANDOM_TRUST_CPU is not set +CONFIG_RANDOM_TRUST_CPU=y CONFIG_RAPIDIO=y CONFIG_RAPIDIO_CHMAN=m CONFIG_RAPIDIO_CPS_GEN2=m
BugLink: https://bugs.launchpad.net/bugs/1828173 Enable the RANDOM_TRUST_CPU config to met security team's requirement for kernel starting from 5.0.0. Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com> --- debian.oem-osp1/config/annotations | 2 +- debian.oem-osp1/config/config.common.ubuntu | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)