Description of problem:
The Linux kernel was compiled without support for IMA.

Version-Release number of selected component (if applicable):
3.2.5-3.fc16.x86_64

How reproducible:
See the kernel config in /boot.

Steps to Reproduce:
1. cat /boot/config-3.2.5-3.fc16.x86_64 | grep CONFIG_IMA

Actual results:
# CONFIG_IMA is not set

Expected results:
CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_AUDIT=y
CONFIG_IMA_LSM_RULES=y

Additional info:
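A small check script, added here as an example and not part of the bug report, that compares a kernel config file against the four IMA options listed under "Expected results". It handles the kernel config convention that a disabled option appears as "# CONFIG_FOO is not set" rather than "CONFIG_FOO=n", which a plain grep for CONFIG_IMA would also match; the sample config below is constructed to mirror the "Actual results" line.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that a kernel config file
# carries the IMA options the reporter expected.

# Expected settings, copied from the report's "Expected results".
IMA_EXPECTED="CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_AUDIT=y
CONFIG_IMA_LSM_RULES=y"

# Print one "OK ..." or "MISSING ..." line per expected option found in the
# config file $1; return 0 only when every option matches exactly.
check_ima_config() {
    cfg="$1"
    status=0
    for want in $IMA_EXPECTED; do
        name="${want%%=*}"
        # Match the option name exactly, whether it is set ("NAME=value")
        # or disabled ("# NAME is not set"); CONFIG_IMA must not match
        # CONFIG_IMA_AUDIT, so the name is anchored on both sides.
        got=$(grep -E "^(# )?${name}( is not set|=.*)$" "$cfg" | head -n 1)
        if [ "$got" = "$want" ]; then
            echo "OK $want"
        else
            echo "MISSING $want (got: ${got:-absent})"
            status=1
        fi
    done
    return $status
}

# Constructed sample config reproducing the "Actual results" of the report:
# IMA disabled, one IMA sub-option still present, the rest absent.
make_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_TCG_TPM=y
# CONFIG_IMA is not set
CONFIG_IMA_MEASURE_PCR_IDX=10
EOF
}

# Usage: sh check-ima.sh /boot/config-$(uname -r)
if [ "$#" -gt 0 ]; then
    check_ima_config "$1"
fi
```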
(In reply to comment #0)
> Description of problem:
>
> The Linux kernel was compiled without support for IMA.

This forces the TPM modules to be built in, which seem to cause a number of problems on various machines with crappy TPM hardware. Also, there really isn't a great use case for IMA in a Fedora kernel.
Hi Josh,

Can you confirm what the open issues with some TPMs out there are? We've upstreamed a number of fixes to 3.3 to address the ones we were aware of. Commit 7f326ed specifically assesses whether a TPM is working correctly, and if not, blocks it from being used and therefore from causing suspend/resume issues.

Thanks,
Rajiv
(In reply to comment #2)
> Hi Josh,
>
> Can you confirm what the open issues with some TPMs out there are? We've
> upstreamed a number of fixes to 3.3 to address the ones we were aware of.

They caused 2-15 min boot times for some machines, which I believe got a fix. For others, they prevent suspend/resume from working correctly. Still others have issues with iTPM (which I believe might also have since been fixed).

> Commit 7f326ed specifically assesses whether a TPM is working correctly, and if not,
> blocks it from being used and therefore from causing suspend/resume issues.

Yep, that's helpful for 3.3 based kernels. Your upstream work is very much appreciated. However, F16 is on 3.2 at the moment.
And you're probably picking the code from stable-3.2.y, so I assume having such patches there would be a valid course of action to have this one solved?

Thanks,
Rajiv
(In reply to comment #4)
> And you're probably picking the code from stable-3.2.y, so I assume having such
> patches there would be a valid course of action to have this one solved?

For any TPM issues, sure.
[mass update]
kernel-3.3.0-4.fc16 has been pushed to the Fedora 16 stable repository.
Please retest with this update.
(In reply to comment #8)
> [mass update]
> kernel-3.3.0-4.fc16 has been pushed to the Fedora 16 stable repository.
> Please retest with this update.

IMA support is still disabled in kernel-3.3.0-4.fc16.

Regards
Roberto Sassu
Thanks for reminding us. We still aren't going to turn it back on at this time.
Given that it's now been over 5 years, is there any chance enabling IMA could be reconsidered?
(In reply to Patrick Uiterwijk from comment #11)
> Given that it's now been over 5 years, is there any chance enabling IMA
> could be reconsidered?

Likely not without good requirements that need IMA.
There is a growing interest in IMA so I think this is worth turning on, or at least discussing. The configuration dependency chain is quite long though so I'll send out a patch for review to see if anyone has objections.
Patrick reminded me a few weeks ago that this never got turned on. I went ahead and turned it on in rawhide with a note that it should probably be turned off on rebase (F28+ feature). If there are problems we can revert on rawhide.