From 0724b8895c823ce8942a9534ff82588c3625b722 Mon Sep 17 00:00:00 2001
From: Jan Alexander Steffens
Date: Sun, 19 Jun 2022 19:23:48 +0000
Subject: [PATCH] FS#75102: Enable KEXEC_SIG and IMA

---
 PKGBUILD | 2 +-
 config | 51 +++++++++++++++++++++++++++++++++++++++------------
 2 files changed, 40 insertions(+), 13 deletions(-)

diff --git a/PKGBUILD b/PKGBUILD
index d472c29..e6613ff 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -26,7 +26,7 @@ validpgpkeys=(
 'C7E7849466FE2358343588377258734B41C31549' # David Runge
 )
 sha256sums=('SKIP'
- 'ee1f138da9c39bc2510f25cd7bfc00edaa6e418b35e52ce7f8392135e51068b9')
+ '74d99c4a5aaf75b9a8bc62af3cae6500759575aded4fd5625b22dd8c2c2686b5')
 
 export KBUILD_BUILD_HOST=archlinux
 export KBUILD_BUILD_USER=$pkgbase
diff --git a/config b/config
index 44972c4..48b072b 100644
--- a/config
+++ b/config
@@ -497,7 +497,9 @@ CONFIG_SCHED_HRTICK=y
 CONFIG_KEXEC=y
 CONFIG_KEXEC_FILE=y
 CONFIG_ARCH_HAS_KEXEC_PURGATORY=y
-# CONFIG_KEXEC_SIG is not set
+CONFIG_KEXEC_SIG=y
+# CONFIG_KEXEC_SIG_FORCE is not set
+CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
 CONFIG_CRASH_DUMP=y
 CONFIG_KEXEC_JUMP=y
 CONFIG_PHYSICAL_START=0x1000000
@@ -4426,7 +4428,7 @@ CONFIG_IPMI_IPMB=m
 CONFIG_IPMI_WATCHDOG=m
 CONFIG_IPMI_POWEROFF=m
 CONFIG_IPMB_DEVICE_INTERFACE=m
-CONFIG_HW_RANDOM=m
+CONFIG_HW_RANDOM=y
 CONFIG_HW_RANDOM_TIMERIOMEM=m
 CONFIG_HW_RANDOM_INTEL=m
 CONFIG_HW_RANDOM_AMD=m
@@ -4453,10 +4455,10 @@ CONFIG_DEVPORT=y
 CONFIG_HPET=y
 # CONFIG_HPET_MMAP is not set
 CONFIG_HANGCHECK_TIMER=m
-CONFIG_TCG_TPM=m
+CONFIG_TCG_TPM=y
 CONFIG_HW_RANDOM_TPM=y
-CONFIG_TCG_TIS_CORE=m
-CONFIG_TCG_TIS=m
+CONFIG_TCG_TIS_CORE=y
+CONFIG_TCG_TIS=y
 CONFIG_TCG_TIS_SPI=m
 CONFIG_TCG_TIS_SPI_CR50=y
 CONFIG_TCG_TIS_I2C_CR50=m
@@ -4467,7 +4469,7 @@ CONFIG_TCG_NSC=m
 CONFIG_TCG_ATMEL=m
 CONFIG_TCG_INFINEON=m
 CONFIG_TCG_XEN=m
-CONFIG_TCG_CRB=m
+CONFIG_TCG_CRB=y
 CONFIG_TCG_VTPM_PROXY=m
 CONFIG_TCG_TIS_ST33ZP24=m
 CONFIG_TCG_TIS_ST33ZP24_I2C=m
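Review bot: With `# CONFIG_KEXEC_SIG_FORCE is not set` next to `CONFIG_KEXEC_SIG=y`, kexec_file_load verifies a signature when one is present but, as far as I read the kexec signature path, still accepts an unsigned bzImage unless the lockdown LSM (kept in CONFIG_LSM later in this patch) is active in integrity mode, so the subject's "Enable KEXEC_SIG" means verification is available rather than mandatory. The legacy kexec_load syscall kept on by `CONFIG_KEXEC=y` three lines above is not covered by KEXEC_SIG at all and is likewise only blocked by lockdown. Both points are worth a sentence in the commit message so nobody reads this hunk as enforcing signed kexec.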
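Review bot: Building `CONFIG_TCG_TPM=y`, `CONFIG_TCG_TIS_CORE=y`, `CONFIG_TCG_TIS=y` and, in the following hunk, `CONFIG_TCG_CRB=y` into the kernel is what lets the IMA enablement later in this patch find a TPM when IMA initialises, so the TPM hunks and the IMA hunk belong together and the commit message should say so. On a machine whose only TPM sits behind a transport that stays a module here (`CONFIG_TCG_TIS_SPI=m`, `CONFIG_TCG_TIS_I2C_CR50=m`, `CONFIG_TCG_VTPM_PROXY=m`), IMA will, if I recall its init correctly, fall into TPM-bypass mode: measurements are still recorded in the measurement list but are not extended into a PCR. That is presumably acceptable for a distribution kernel, but naming the transports that get attested boot would avoid the surprise.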
@@ -9655,6 +9657,7 @@ CONFIG_BTT=y
 CONFIG_ND_PFN=m
 CONFIG_NVDIMM_PFN=y
 CONFIG_NVDIMM_DAX=y
+CONFIG_NVDIMM_KEYS=y
 CONFIG_DAX=y
 CONFIG_DEV_DAX=m
 CONFIG_DEV_DAX_PMEM=m
@@ -10151,7 +10154,7 @@ CONFIG_KEYS=y
 CONFIG_KEYS_REQUEST_CACHE=y
 CONFIG_PERSISTENT_KEYRINGS=y
 CONFIG_TRUSTED_KEYS=m
-CONFIG_ENCRYPTED_KEYS=m
+CONFIG_ENCRYPTED_KEYS=y
 # CONFIG_USER_DECRYPTED_DATA is not set
 CONFIG_KEY_DH_OPERATIONS=y
 CONFIG_KEY_NOTIFICATIONS=y
@@ -10210,16 +10213,40 @@ CONFIG_INTEGRITY_PLATFORM_KEYRING=y
 CONFIG_INTEGRITY_MACHINE_KEYRING=y
 CONFIG_LOAD_UEFI_KEYS=y
 CONFIG_INTEGRITY_AUDIT=y
-# CONFIG_IMA is not set
+CONFIG_IMA=y
+CONFIG_IMA_MEASURE_PCR_IDX=10
+CONFIG_IMA_LSM_RULES=y
+CONFIG_IMA_NG_TEMPLATE=y
+# CONFIG_IMA_SIG_TEMPLATE is not set
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA512=y
+CONFIG_IMA_DEFAULT_HASH="sha512"
+CONFIG_IMA_WRITE_POLICY=y
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_APPRAISE=y
+CONFIG_IMA_ARCH_POLICY=y
+# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+CONFIG_IMA_APPRAISE_MODSIG=y
+# CONFIG_IMA_TRUSTED_KEYRING is not set
 # CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
-# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
-# CONFIG_EVM is not set
+CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
+CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
+CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
+# CONFIG_IMA_DISABLE_HTABLE is not set
+CONFIG_EVM=y
+CONFIG_EVM_ATTR_FSUUID=y
+CONFIG_EVM_EXTRA_SMACK_XATTRS=y
+CONFIG_EVM_ADD_XATTRS=y
+# CONFIG_EVM_LOAD_X509 is not set
 # CONFIG_DEFAULT_SECURITY_SELINUX is not set
 # CONFIG_DEFAULT_SECURITY_SMACK is not set
 # CONFIG_DEFAULT_SECURITY_TOMOYO is not set
 # CONFIG_DEFAULT_SECURITY_APPARMOR is not set
 CONFIG_DEFAULT_SECURITY_DAC=y
-CONFIG_LSM="landlock,lockdown,yama,bpf"
+CONFIG_LSM="landlock,lockdown,yama,integrity,bpf"
 
 #
 # Kernel hardening options
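Review bot: `CONFIG_IMA_APPRAISE=y` is switched on while `# CONFIG_IMA_TRUSTED_KEYRING is not set` and `# CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set` both stay unset, so nothing in this hunk ties the keys that appraisal accepts to the builtin or secondary trusted keyrings; whether the .ima keyring is restricted at all depends on CONFIG_INTEGRITY_TRUSTED_KEYRING, which lies outside this hunk and should be checked before this is described as appraisal support. `CONFIG_IMA_APPRAISE_BOOTPARAM=y` additionally lets `ima_appraise=off|log|fix` be passed on the kernel command line; as far as I recall the kernel ignores that parameter once the arch secure-boot policy from `CONFIG_IMA_ARCH_POLICY=y` applies, but on a machine without Secure Boot it is a one-parameter way to turn appraisal off, which is worth stating. `CONFIG_IMA_WRITE_POLICY=y` and `CONFIG_IMA_READ_POLICY=y` leave policy loading to userspace, so a sentence in the commit message saying that this change enables the measurement and appraisal machinery without enforcing any policy by default would set expectations for the bug report it references.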
@@ -10311,7 +10338,7 @@ CONFIG_CRYPTO_ECHAINIV=m
 #
 # Block modes
 #
-CONFIG_CRYPTO_CBC=m
+CONFIG_CRYPTO_CBC=y
 CONFIG_CRYPTO_CFB=m
 CONFIG_CRYPTO_CTR=y
 CONFIG_CRYPTO_CTS=m