Wind River Support Network

Fixed

LIN1018-5643 : kernel panic with ima security feature in intel-x86-64 target

Created: Jan 22, 2020    Updated: Mar 15, 2020
Resolved Date: Feb 10, 2020
Found In Version: 10.18.44.13
Fix Version: 10.18.44.14
Severity: Critical
Applicable for: Wind River Linux LTS 18
Component/s: Kernel

Description

I see a kernel panic when trying to boot an image from a platform project with the feature/ima template.

I've tried with a combination of security features (ima + efi) or (ima + encrypted-storage) or only ima, and the result is the same.

I'm following the procedure from [https://docs.windriver.com/bundle/Wind_River_Linux_Security_Features_Guide_LTS_18_1/page/kuh1498049452269.html]. The only thing I'm doing differently is the target I'm using, as I don't have a NUC5i3MYHE as the procedure states.

I checked previous cases with a similar issue and tried to follow some of their recommendations:

LIN1018-2900 states that it is required to add the --distro wrlinux in the setup.sh line when configuring the project. I did this and I still see the kernel panic.

LIN1018-5167 says that SELinux is not compatible with IMA, which is clear in the documentation. However, I checked the kernel configuration and I don't think SELinux is enabled in my project. Also, the message is not being triggered when building the project.

LIN10-6886 mentions a similar issue in LTS17. The instructions are quite different, but in my case, I'm using LTS18.

I'm attaching pictures of two different manifestations of the kernel panic when booting this on a NUC6CAYH target.

Steps to Reproduce

1. Create LTS18 project with the following configuration:

--machine intel-x86-64 --distro wrlinux --dl-layers --layers meta-secure-core feature/ima

2. Source env

$ . environment-setup-x86_64-wrlinuxsdk-linux

$ . oe-init-build-env

3. Generate user key store

$ cd layers/meta-secure-core/meta-signing-key/scripts/

$ ./create-user-key-store.sh

4. Build project

$ bitbake wrlinux-image-glibc-std

5. Copy the image into a USB stick and boot the target

$ sudo dd if=tmp-glibc/deploy/images/intel-x86-64/wrlinux-image-glibc-std-intel-x86-64.wic of=/dev/sdc