FS#75102: Revert "Enable KEXEC_SIG and IMA"
Enabling IMA makes it impossible to load unsigned kernel modules when secure boot is in use, and without shim in the boot you can't get the kernel to trust a local key for module signing. This reverts commit 6a241232a3275ef3e314b5b7167e13fffff71282.
This commit is contained in:
parent
0724b8895c
commit
1eaae5d53f
2
PKGBUILD
2
PKGBUILD
@ -26,7 +26,7 @@ validpgpkeys=(
|
|||||||
'C7E7849466FE2358343588377258734B41C31549' # David Runge <dvzrv@archlinux.org>
|
'C7E7849466FE2358343588377258734B41C31549' # David Runge <dvzrv@archlinux.org>
|
||||||
)
|
)
|
||||||
sha256sums=('SKIP'
|
sha256sums=('SKIP'
|
||||||
'74d99c4a5aaf75b9a8bc62af3cae6500759575aded4fd5625b22dd8c2c2686b5')
|
'ee1f138da9c39bc2510f25cd7bfc00edaa6e418b35e52ce7f8392135e51068b9')
|
||||||
|
|
||||||
export KBUILD_BUILD_HOST=archlinux
|
export KBUILD_BUILD_HOST=archlinux
|
||||||
export KBUILD_BUILD_USER=$pkgbase
|
export KBUILD_BUILD_USER=$pkgbase
|
||||||
|
51
config
51
config
@ -497,9 +497,7 @@ CONFIG_SCHED_HRTICK=y
|
|||||||
CONFIG_KEXEC=y
|
CONFIG_KEXEC=y
|
||||||
CONFIG_KEXEC_FILE=y
|
CONFIG_KEXEC_FILE=y
|
||||||
CONFIG_ARCH_HAS_KEXEC_PURGATORY=y
|
CONFIG_ARCH_HAS_KEXEC_PURGATORY=y
|
||||||
CONFIG_KEXEC_SIG=y
|
# CONFIG_KEXEC_SIG is not set
|
||||||
# CONFIG_KEXEC_SIG_FORCE is not set
|
|
||||||
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
|
|
||||||
CONFIG_CRASH_DUMP=y
|
CONFIG_CRASH_DUMP=y
|
||||||
CONFIG_KEXEC_JUMP=y
|
CONFIG_KEXEC_JUMP=y
|
||||||
CONFIG_PHYSICAL_START=0x1000000
|
CONFIG_PHYSICAL_START=0x1000000
|
||||||
@ -4428,7 +4426,7 @@ CONFIG_IPMI_IPMB=m
|
|||||||
CONFIG_IPMI_WATCHDOG=m
|
CONFIG_IPMI_WATCHDOG=m
|
||||||
CONFIG_IPMI_POWEROFF=m
|
CONFIG_IPMI_POWEROFF=m
|
||||||
CONFIG_IPMB_DEVICE_INTERFACE=m
|
CONFIG_IPMB_DEVICE_INTERFACE=m
|
||||||
CONFIG_HW_RANDOM=y
|
CONFIG_HW_RANDOM=m
|
||||||
CONFIG_HW_RANDOM_TIMERIOMEM=m
|
CONFIG_HW_RANDOM_TIMERIOMEM=m
|
||||||
CONFIG_HW_RANDOM_INTEL=m
|
CONFIG_HW_RANDOM_INTEL=m
|
||||||
CONFIG_HW_RANDOM_AMD=m
|
CONFIG_HW_RANDOM_AMD=m
|
||||||
@ -4455,10 +4453,10 @@ CONFIG_DEVPORT=y
|
|||||||
CONFIG_HPET=y
|
CONFIG_HPET=y
|
||||||
# CONFIG_HPET_MMAP is not set
|
# CONFIG_HPET_MMAP is not set
|
||||||
CONFIG_HANGCHECK_TIMER=m
|
CONFIG_HANGCHECK_TIMER=m
|
||||||
CONFIG_TCG_TPM=y
|
CONFIG_TCG_TPM=m
|
||||||
CONFIG_HW_RANDOM_TPM=y
|
CONFIG_HW_RANDOM_TPM=y
|
||||||
CONFIG_TCG_TIS_CORE=y
|
CONFIG_TCG_TIS_CORE=m
|
||||||
CONFIG_TCG_TIS=y
|
CONFIG_TCG_TIS=m
|
||||||
CONFIG_TCG_TIS_SPI=m
|
CONFIG_TCG_TIS_SPI=m
|
||||||
CONFIG_TCG_TIS_SPI_CR50=y
|
CONFIG_TCG_TIS_SPI_CR50=y
|
||||||
CONFIG_TCG_TIS_I2C_CR50=m
|
CONFIG_TCG_TIS_I2C_CR50=m
|
||||||
@ -4469,7 +4467,7 @@ CONFIG_TCG_NSC=m
|
|||||||
CONFIG_TCG_ATMEL=m
|
CONFIG_TCG_ATMEL=m
|
||||||
CONFIG_TCG_INFINEON=m
|
CONFIG_TCG_INFINEON=m
|
||||||
CONFIG_TCG_XEN=m
|
CONFIG_TCG_XEN=m
|
||||||
CONFIG_TCG_CRB=y
|
CONFIG_TCG_CRB=m
|
||||||
CONFIG_TCG_VTPM_PROXY=m
|
CONFIG_TCG_VTPM_PROXY=m
|
||||||
CONFIG_TCG_TIS_ST33ZP24=m
|
CONFIG_TCG_TIS_ST33ZP24=m
|
||||||
CONFIG_TCG_TIS_ST33ZP24_I2C=m
|
CONFIG_TCG_TIS_ST33ZP24_I2C=m
|
||||||
@ -9657,7 +9655,6 @@ CONFIG_BTT=y
|
|||||||
CONFIG_ND_PFN=m
|
CONFIG_ND_PFN=m
|
||||||
CONFIG_NVDIMM_PFN=y
|
CONFIG_NVDIMM_PFN=y
|
||||||
CONFIG_NVDIMM_DAX=y
|
CONFIG_NVDIMM_DAX=y
|
||||||
CONFIG_NVDIMM_KEYS=y
|
|
||||||
CONFIG_DAX=y
|
CONFIG_DAX=y
|
||||||
CONFIG_DEV_DAX=m
|
CONFIG_DEV_DAX=m
|
||||||
CONFIG_DEV_DAX_PMEM=m
|
CONFIG_DEV_DAX_PMEM=m
|
||||||
@ -10154,7 +10151,7 @@ CONFIG_KEYS=y
|
|||||||
CONFIG_KEYS_REQUEST_CACHE=y
|
CONFIG_KEYS_REQUEST_CACHE=y
|
||||||
CONFIG_PERSISTENT_KEYRINGS=y
|
CONFIG_PERSISTENT_KEYRINGS=y
|
||||||
CONFIG_TRUSTED_KEYS=m
|
CONFIG_TRUSTED_KEYS=m
|
||||||
CONFIG_ENCRYPTED_KEYS=y
|
CONFIG_ENCRYPTED_KEYS=m
|
||||||
# CONFIG_USER_DECRYPTED_DATA is not set
|
# CONFIG_USER_DECRYPTED_DATA is not set
|
||||||
CONFIG_KEY_DH_OPERATIONS=y
|
CONFIG_KEY_DH_OPERATIONS=y
|
||||||
CONFIG_KEY_NOTIFICATIONS=y
|
CONFIG_KEY_NOTIFICATIONS=y
|
||||||
@ -10213,40 +10210,16 @@ CONFIG_INTEGRITY_PLATFORM_KEYRING=y
|
|||||||
CONFIG_INTEGRITY_MACHINE_KEYRING=y
|
CONFIG_INTEGRITY_MACHINE_KEYRING=y
|
||||||
CONFIG_LOAD_UEFI_KEYS=y
|
CONFIG_LOAD_UEFI_KEYS=y
|
||||||
CONFIG_INTEGRITY_AUDIT=y
|
CONFIG_INTEGRITY_AUDIT=y
|
||||||
CONFIG_IMA=y
|
# CONFIG_IMA is not set
|
||||||
CONFIG_IMA_MEASURE_PCR_IDX=10
|
|
||||||
CONFIG_IMA_LSM_RULES=y
|
|
||||||
CONFIG_IMA_NG_TEMPLATE=y
|
|
||||||
# CONFIG_IMA_SIG_TEMPLATE is not set
|
|
||||||
CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
|
|
||||||
# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
|
|
||||||
# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
|
|
||||||
CONFIG_IMA_DEFAULT_HASH_SHA512=y
|
|
||||||
CONFIG_IMA_DEFAULT_HASH="sha512"
|
|
||||||
CONFIG_IMA_WRITE_POLICY=y
|
|
||||||
CONFIG_IMA_READ_POLICY=y
|
|
||||||
CONFIG_IMA_APPRAISE=y
|
|
||||||
CONFIG_IMA_ARCH_POLICY=y
|
|
||||||
# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
|
|
||||||
CONFIG_IMA_APPRAISE_BOOTPARAM=y
|
|
||||||
CONFIG_IMA_APPRAISE_MODSIG=y
|
|
||||||
# CONFIG_IMA_TRUSTED_KEYRING is not set
|
|
||||||
# CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
|
# CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
|
||||||
CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
|
# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
|
||||||
CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
|
# CONFIG_EVM is not set
|
||||||
CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
|
|
||||||
# CONFIG_IMA_DISABLE_HTABLE is not set
|
|
||||||
CONFIG_EVM=y
|
|
||||||
CONFIG_EVM_ATTR_FSUUID=y
|
|
||||||
CONFIG_EVM_EXTRA_SMACK_XATTRS=y
|
|
||||||
CONFIG_EVM_ADD_XATTRS=y
|
|
||||||
# CONFIG_EVM_LOAD_X509 is not set
|
|
||||||
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
|
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
|
||||||
# CONFIG_DEFAULT_SECURITY_SMACK is not set
|
# CONFIG_DEFAULT_SECURITY_SMACK is not set
|
||||||
# CONFIG_DEFAULT_SECURITY_TOMOYO is not set
|
# CONFIG_DEFAULT_SECURITY_TOMOYO is not set
|
||||||
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
|
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
|
||||||
CONFIG_DEFAULT_SECURITY_DAC=y
|
CONFIG_DEFAULT_SECURITY_DAC=y
|
||||||
CONFIG_LSM="landlock,lockdown,yama,integrity,bpf"
|
CONFIG_LSM="landlock,lockdown,yama,bpf"
|
||||||
|
|
||||||
#
|
#
|
||||||
# Kernel hardening options
|
# Kernel hardening options
|
||||||
@ -10338,7 +10311,7 @@ CONFIG_CRYPTO_ECHAINIV=m
|
|||||||
#
|
#
|
||||||
# Block modes
|
# Block modes
|
||||||
#
|
#
|
||||||
CONFIG_CRYPTO_CBC=y
|
CONFIG_CRYPTO_CBC=m
|
||||||
CONFIG_CRYPTO_CFB=m
|
CONFIG_CRYPTO_CFB=m
|
||||||
CONFIG_CRYPTO_CTR=y
|
CONFIG_CRYPTO_CTR=y
|
||||||
CONFIG_CRYPTO_CTS=m
|
CONFIG_CRYPTO_CTS=m
|
||||||
|
Loading…
Reference in New Issue
Block a user