From 1eaae5d53fe05417e109993d751d977b992ba231 Mon Sep 17 00:00:00 2001
From: Jan Alexander Steffens <heftig@archlinux.org>
Date: Sun, 19 Jun 2022 20:12:31 +0000
Subject: [PATCH] FS#75102: Revert "Enable KEXEC_SIG and IMA"

Enabling IMA makes it impossible to load unsigned kernel modules when
secure boot is in use, and without shim in the boot you can't get the
kernel to trust a local key for module signing.

This reverts commit 6a241232a3275ef3e314b5b7167e13fffff71282.
---
 PKGBUILD |  2 +-
 config   | 51 ++++++++++++---------------------------------------
 2 files changed, 13 insertions(+), 40 deletions(-)

diff --git a/PKGBUILD b/PKGBUILD
index e6613ff..d472c29 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -26,7 +26,7 @@ validpgpkeys=(
   'C7E7849466FE2358343588377258734B41C31549'  # David Runge <dvzrv@archlinux.org>
 )
 sha256sums=('SKIP'
-            '74d99c4a5aaf75b9a8bc62af3cae6500759575aded4fd5625b22dd8c2c2686b5')
+            'ee1f138da9c39bc2510f25cd7bfc00edaa6e418b35e52ce7f8392135e51068b9')
 
 export KBUILD_BUILD_HOST=archlinux
 export KBUILD_BUILD_USER=$pkgbase
diff --git a/config b/config
index 48b072b..44972c4 100644
--- a/config
+++ b/config
@@ -497,9 +497,7 @@ CONFIG_SCHED_HRTICK=y
 CONFIG_KEXEC=y
 CONFIG_KEXEC_FILE=y
 CONFIG_ARCH_HAS_KEXEC_PURGATORY=y
-CONFIG_KEXEC_SIG=y
-# CONFIG_KEXEC_SIG_FORCE is not set
-CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
+# CONFIG_KEXEC_SIG is not set
 CONFIG_CRASH_DUMP=y
 CONFIG_KEXEC_JUMP=y
 CONFIG_PHYSICAL_START=0x1000000
@@ -4428,7 +4426,7 @@ CONFIG_IPMI_IPMB=m
 CONFIG_IPMI_WATCHDOG=m
 CONFIG_IPMI_POWEROFF=m
 CONFIG_IPMB_DEVICE_INTERFACE=m
-CONFIG_HW_RANDOM=y
+CONFIG_HW_RANDOM=m
 CONFIG_HW_RANDOM_TIMERIOMEM=m
 CONFIG_HW_RANDOM_INTEL=m
 CONFIG_HW_RANDOM_AMD=m
@@ -4455,10 +4453,10 @@ CONFIG_DEVPORT=y
 CONFIG_HPET=y
 # CONFIG_HPET_MMAP is not set
 CONFIG_HANGCHECK_TIMER=m
-CONFIG_TCG_TPM=y
+CONFIG_TCG_TPM=m
 CONFIG_HW_RANDOM_TPM=y
-CONFIG_TCG_TIS_CORE=y
-CONFIG_TCG_TIS=y
+CONFIG_TCG_TIS_CORE=m
+CONFIG_TCG_TIS=m
 CONFIG_TCG_TIS_SPI=m
 CONFIG_TCG_TIS_SPI_CR50=y
 CONFIG_TCG_TIS_I2C_CR50=m
@@ -4469,7 +4467,7 @@ CONFIG_TCG_NSC=m
 CONFIG_TCG_ATMEL=m
 CONFIG_TCG_INFINEON=m
 CONFIG_TCG_XEN=m
-CONFIG_TCG_CRB=y
+CONFIG_TCG_CRB=m
 CONFIG_TCG_VTPM_PROXY=m
 CONFIG_TCG_TIS_ST33ZP24=m
 CONFIG_TCG_TIS_ST33ZP24_I2C=m
@@ -9657,7 +9655,6 @@ CONFIG_BTT=y
 CONFIG_ND_PFN=m
 CONFIG_NVDIMM_PFN=y
 CONFIG_NVDIMM_DAX=y
-CONFIG_NVDIMM_KEYS=y
 CONFIG_DAX=y
 CONFIG_DEV_DAX=m
 CONFIG_DEV_DAX_PMEM=m
@@ -10154,7 +10151,7 @@ CONFIG_KEYS=y
 CONFIG_KEYS_REQUEST_CACHE=y
 CONFIG_PERSISTENT_KEYRINGS=y
 CONFIG_TRUSTED_KEYS=m
-CONFIG_ENCRYPTED_KEYS=y
+CONFIG_ENCRYPTED_KEYS=m
 # CONFIG_USER_DECRYPTED_DATA is not set
 CONFIG_KEY_DH_OPERATIONS=y
 CONFIG_KEY_NOTIFICATIONS=y
@@ -10213,40 +10210,16 @@ CONFIG_INTEGRITY_PLATFORM_KEYRING=y
 CONFIG_INTEGRITY_MACHINE_KEYRING=y
 CONFIG_LOAD_UEFI_KEYS=y
 CONFIG_INTEGRITY_AUDIT=y
-CONFIG_IMA=y
-CONFIG_IMA_MEASURE_PCR_IDX=10
-CONFIG_IMA_LSM_RULES=y
-CONFIG_IMA_NG_TEMPLATE=y
-# CONFIG_IMA_SIG_TEMPLATE is not set
-CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
-# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
-CONFIG_IMA_DEFAULT_HASH_SHA512=y
-CONFIG_IMA_DEFAULT_HASH="sha512"
-CONFIG_IMA_WRITE_POLICY=y
-CONFIG_IMA_READ_POLICY=y
-CONFIG_IMA_APPRAISE=y
-CONFIG_IMA_ARCH_POLICY=y
-# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
-CONFIG_IMA_APPRAISE_BOOTPARAM=y
-CONFIG_IMA_APPRAISE_MODSIG=y
-# CONFIG_IMA_TRUSTED_KEYRING is not set
+# CONFIG_IMA is not set
 # CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
-CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
-CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
-CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
-# CONFIG_IMA_DISABLE_HTABLE is not set
-CONFIG_EVM=y
-CONFIG_EVM_ATTR_FSUUID=y
-CONFIG_EVM_EXTRA_SMACK_XATTRS=y
-CONFIG_EVM_ADD_XATTRS=y
-# CONFIG_EVM_LOAD_X509 is not set
+# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
+# CONFIG_EVM is not set
 # CONFIG_DEFAULT_SECURITY_SELINUX is not set
 # CONFIG_DEFAULT_SECURITY_SMACK is not set
 # CONFIG_DEFAULT_SECURITY_TOMOYO is not set
 # CONFIG_DEFAULT_SECURITY_APPARMOR is not set
 CONFIG_DEFAULT_SECURITY_DAC=y
-CONFIG_LSM="landlock,lockdown,yama,integrity,bpf"
+CONFIG_LSM="landlock,lockdown,yama,bpf"
 
 #
 # Kernel hardening options
@@ -10338,7 +10311,7 @@ CONFIG_CRYPTO_ECHAINIV=m
 #
 # Block modes
 #
-CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CBC=m
 CONFIG_CRYPTO_CFB=m
 CONFIG_CRYPTO_CTR=y
 CONFIG_CRYPTO_CTS=m