FS#75102: Enable KEXEC_SIG and IMA
This commit is contained in:
parent
b72d91cb76
commit
0724b8895c
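--- a/PKGBUILD
+++ b/PKGBUILD
@@ -26,7 +26,7 @@ validpgpkeys=(
 'C7E7849466FE2358343588377258734B41C31549' # David Runge <dvzrv@archlinux.org>
 )
 sha256sums=('SKIP'
-'ee1f138da9c39bc2510f25cd7bfc00edaa6e418b35e52ce7f8392135e51068b9')
+'74d99c4a5aaf75b9a8bc62af3cae6500759575aded4fd5625b22dd8c2c2686b5')
 
 export KBUILD_BUILD_HOST=archlinux
 export KBUILD_BUILD_USER=$pkgbase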
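--- a/config
+++ b/config
@@ -497,7 +497,9 @@ CONFIG_SCHED_HRTICK=y
 CONFIG_KEXEC=y
 CONFIG_KEXEC_FILE=y
 CONFIG_ARCH_HAS_KEXEC_PURGATORY=y
-# CONFIG_KEXEC_SIG is not set
+CONFIG_KEXEC_SIG=y
+# CONFIG_KEXEC_SIG_FORCE is not set
+CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
 CONFIG_CRASH_DUMP=y
 CONFIG_KEXEC_JUMP=y
 CONFIG_PHYSICAL_START=0x1000000
@@ -4426,7 +4428,7 @@ CONFIG_IPMI_IPMB=m
 CONFIG_IPMI_WATCHDOG=m
 CONFIG_IPMI_POWEROFF=m
 CONFIG_IPMB_DEVICE_INTERFACE=m
-CONFIG_HW_RANDOM=m
+CONFIG_HW_RANDOM=y
 CONFIG_HW_RANDOM_TIMERIOMEM=m
 CONFIG_HW_RANDOM_INTEL=m
 CONFIG_HW_RANDOM_AMD=m
@@ -4453,10 +4455,10 @@ CONFIG_DEVPORT=y
 CONFIG_HPET=y
 # CONFIG_HPET_MMAP is not set
 CONFIG_HANGCHECK_TIMER=m
-CONFIG_TCG_TPM=m
+CONFIG_TCG_TPM=y
 CONFIG_HW_RANDOM_TPM=y
-CONFIG_TCG_TIS_CORE=m
-CONFIG_TCG_TIS=m
+CONFIG_TCG_TIS_CORE=y
+CONFIG_TCG_TIS=y
 CONFIG_TCG_TIS_SPI=m
 CONFIG_TCG_TIS_SPI_CR50=y
 CONFIG_TCG_TIS_I2C_CR50=m
@@ -4467,7 +4469,7 @@ CONFIG_TCG_NSC=m
 CONFIG_TCG_ATMEL=m
 CONFIG_TCG_INFINEON=m
 CONFIG_TCG_XEN=m
-CONFIG_TCG_CRB=m
+CONFIG_TCG_CRB=y
 CONFIG_TCG_VTPM_PROXY=m
 CONFIG_TCG_TIS_ST33ZP24=m
 CONFIG_TCG_TIS_ST33ZP24_I2C=m
@@ -9655,6 +9657,7 @@ CONFIG_BTT=y
 CONFIG_ND_PFN=m
 CONFIG_NVDIMM_PFN=y
 CONFIG_NVDIMM_DAX=y
+CONFIG_NVDIMM_KEYS=y
 CONFIG_DAX=y
 CONFIG_DEV_DAX=m
 CONFIG_DEV_DAX_PMEM=m
@@ -10151,7 +10154,7 @@ CONFIG_KEYS=y
 CONFIG_KEYS_REQUEST_CACHE=y
 CONFIG_PERSISTENT_KEYRINGS=y
 CONFIG_TRUSTED_KEYS=m
-CONFIG_ENCRYPTED_KEYS=m
+CONFIG_ENCRYPTED_KEYS=y
 # CONFIG_USER_DECRYPTED_DATA is not set
 CONFIG_KEY_DH_OPERATIONS=y
 CONFIG_KEY_NOTIFICATIONS=y
@@ -10210,16 +10213,40 @@ CONFIG_INTEGRITY_PLATFORM_KEYRING=y
 CONFIG_INTEGRITY_MACHINE_KEYRING=y
 CONFIG_LOAD_UEFI_KEYS=y
 CONFIG_INTEGRITY_AUDIT=y
-# CONFIG_IMA is not set
+CONFIG_IMA=y
+CONFIG_IMA_MEASURE_PCR_IDX=10
+CONFIG_IMA_LSM_RULES=y
+CONFIG_IMA_NG_TEMPLATE=y
+# CONFIG_IMA_SIG_TEMPLATE is not set
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA512=y
+CONFIG_IMA_DEFAULT_HASH="sha512"
+CONFIG_IMA_WRITE_POLICY=y
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_APPRAISE=y
+CONFIG_IMA_ARCH_POLICY=y
+# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+CONFIG_IMA_APPRAISE_MODSIG=y
+# CONFIG_IMA_TRUSTED_KEYRING is not set
 # CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
-# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
-# CONFIG_EVM is not set
+CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
+CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
+CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
+# CONFIG_IMA_DISABLE_HTABLE is not set
+CONFIG_EVM=y
+CONFIG_EVM_ATTR_FSUUID=y
+CONFIG_EVM_EXTRA_SMACK_XATTRS=y
+CONFIG_EVM_ADD_XATTRS=y
+# CONFIG_EVM_LOAD_X509 is not set
 # CONFIG_DEFAULT_SECURITY_SELINUX is not set
 # CONFIG_DEFAULT_SECURITY_SMACK is not set
 # CONFIG_DEFAULT_SECURITY_TOMOYO is not set
 # CONFIG_DEFAULT_SECURITY_APPARMOR is not set
 CONFIG_DEFAULT_SECURITY_DAC=y
-CONFIG_LSM="landlock,lockdown,yama,bpf"
+CONFIG_LSM="landlock,lockdown,yama,integrity,bpf"
 
 #
 # Kernel hardening options
@@ -10311,7 +10338,7 @@ CONFIG_CRYPTO_ECHAINIV=m
 #
 # Block modes
 #
-CONFIG_CRYPTO_CBC=m
+CONFIG_CRYPTO_CBC=y
 CONFIG_CRYPTO_CFB=m
 CONFIG_CRYPTO_CTR=y
 CONFIG_CRYPTO_CTS=m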
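Review bot: `CONFIG_KEXEC_SIG=y` in the first hunk verifies a signature only when one is present, because `# CONFIG_KEXEC_SIG_FORCE is not set` is kept and the legacy `CONFIG_KEXEC=y` syscall path performs no signature check at all, so rejection of unsigned kexec images here rests entirely on the `lockdown` LSM that remains in `CONFIG_LSM`; that dependency is worth stating in the commit message. In the IMA hunk, `CONFIG_IMA_APPRAISE=y` sits next to the unchanged `# CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set`, which as I read it limits the `.ima` keyring to keys signed by the built-in keyring and so leaves no supported route for an administrator's own appraisal certificate on a distribution kernel without a built-in CA — please confirm that is intended. `CONFIG_IMA_APPRAISE_BOOTPARAM=y` additionally allows appraisal to be disabled from the kernel command line, so the protection only holds where the boot parameters are themselves protected. `CONFIG_TRUSTED_KEYS=m` is left as a module while `CONFIG_ENCRYPTED_KEYS` becomes built-in, so EVM keys sealed to the TPM would presumably be unavailable until that module is loaded; hedged, but worth checking against the intended EVM key setup.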