[arch-commits] Commit in linux-hardened/trunk (PKGBUILD config.x86_64)

Levente Polyak anthraxx at archlinux.org
Sun Sep 9 18:59:07 UTC 2018


    Date: Sunday, September 9, 2018 @ 18:59:06
  Author: anthraxx
Revision: 334296

upgpkg: linux-hardened 4.18.7.a-1 (enable module signature check)

Signing kernel modules[0] with autogenerated key during build will open
possibility to boot with "module.sig_enforce=1" kernel option which provides
strong security enhancement. As it will be incompatible with dkms and
out-of-tree modules like nvidia drivers the default behaviour without boot
parameter stays the same and this change will be invisible for users who don't
enable it manually.

This is exactly the same approach used by the Ubuntu distribution [1]:

[0] https://www.kernel.org/doc/html/latest/admin-guide/module-signing.html
[1] https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/bionic/tree/debian.master/config/config.common.ubuntu#n5409

Modified:
  linux-hardened/trunk/PKGBUILD
  linux-hardened/trunk/config.x86_64

---------------+
 PKGBUILD      |    8 ++++----
 config.x86_64 |   15 ++++++++++++---
 2 files changed, 16 insertions(+), 7 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2018-09-09 17:05:17 UTC (rev 334295)
+++ PKGBUILD	2018-09-09 18:59:06 UTC (rev 334296)
@@ -4,7 +4,7 @@
 # Contributor: Thomas Baechler <thomas at archlinux.org>
 
 pkgbase=linux-hardened
-_pkgver=4.18.6
+_pkgver=4.18.7
 _hardenedver=a
 _srcname=linux-${_pkgver}
 pkgver=${_pkgver}.${_hardenedver}
@@ -26,11 +26,11 @@
         HID-core-fix-grouping-by-application.patch
 )
 replaces=('linux-grsec')
-sha256sums=('05db97fd6891217af6d4203bdc442ef2af78d7902b6a8e9bd348682704c22894'
+sha256sums=('f03b425e262a71e5079736706233a4e9afaf77c8462b552b4d6db2d33f5af731'
             'SKIP'
-            'd3a244e228a566d536a26fcfe57252bb6e9b61c0f070ef4bb9eaad868196bef3'
+            '7d716cdb26f3437660b807d68acc0406a2ba9dba59c62388d65373a19477f7ac'
             'SKIP'
-            '397aa929fbc57aeedfbf95b6313509ebb56cb8f246dfe2b3f967af8738860f62'
+            '48ac32d2fa684add651b3172e9499a39081191d9bda31e9ff9cc7a959b88b13f'
             'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
             '75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919'
             'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'

Modified: config.x86_64
===================================================================
--- config.x86_64	2018-09-09 17:05:17 UTC (rev 334295)
+++ config.x86_64	2018-09-09 18:59:06 UTC (rev 334296)
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.18.6 Kernel Configuration
+# Linux/x86 4.18.7 Kernel Configuration
 #
 
 #
@@ -384,7 +384,15 @@
 CONFIG_MODULE_FORCE_UNLOAD=y
 CONFIG_MODVERSIONS=y
 CONFIG_MODULE_SRCVERSION_ALL=y
-# CONFIG_MODULE_SIG is not set
+CONFIG_MODULE_SIG=y
+# CONFIG_MODULE_SIG_FORCE is not set
+CONFIG_MODULE_SIG_ALL=y
+# CONFIG_MODULE_SIG_SHA1 is not set
+# CONFIG_MODULE_SIG_SHA224 is not set
+# CONFIG_MODULE_SIG_SHA256 is not set
+# CONFIG_MODULE_SIG_SHA384 is not set
+CONFIG_MODULE_SIG_SHA512=y
+CONFIG_MODULE_SIG_HASH="sha512"
 CONFIG_MODULE_COMPRESS=y
 # CONFIG_MODULE_COMPRESS_GZIP is not set
 CONFIG_MODULE_COMPRESS_XZ=y
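Review bot: CONFIG_MODULE_SIG_FORCE stays unset on the line after CONFIG_MODULE_SIG=y, so without the module.sig_enforce=1 boot parameter an unsigned or wrongly signed module is still loaded and the kernel is merely tainted (TAINT_UNSIGNED_MODULE, visible in /proc/sys/kernel/tainted and as a warning at load time); until a user opts in this is a detection aid, not an enforcement step. That matches the dkms/nvidia rationale in the description, but the generated config is marked DO NOT EDIT and carries no record of it, so the rationale belongs in the PKGBUILD where config.x86_64 is consumed, e.g. `# CONFIG_MODULE_SIG=y but MODULE_SIG_FORCE unset: unsigned modules still load (kernel tainted); enforce with module.sig_enforce=1`. CONFIG_MODULE_SIG_HASH="sha512" also depends on CONFIG_CRYPTO_SHA512 being built in, which the hunk at L92-L100 supplies; the two must stay in step if the hash is ever changed.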
@@ -9395,7 +9403,7 @@
 CONFIG_CRYPTO_SHA256_MB=m
 CONFIG_CRYPTO_SHA512_MB=m
 CONFIG_CRYPTO_SHA256=y
-CONFIG_CRYPTO_SHA512=m
+CONFIG_CRYPTO_SHA512=y
 CONFIG_CRYPTO_SHA3=m
 CONFIG_CRYPTO_SM3=m
 CONFIG_CRYPTO_TGR192=m
@@ -9503,6 +9511,7 @@
 #
 # Certificates for signature checking
 #
+CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
 CONFIG_SYSTEM_TRUSTED_KEYRING=y
 CONFIG_SYSTEM_TRUSTED_KEYS=""
 # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set
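Review bot: CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" together with CONFIG_SYSTEM_TRUSTED_KEYS="" means the kernel build generates a fresh private key and embeds only its certificate in the builtin trusted keyring, so whoever holds that PEM file can sign modules this kernel accepts even under module.sig_enforce=1. The PKGBUILD hunks in this commit touch only _pkgver and sha256sums, so I cannot tell from here whether certs/signing_key.pem is kept out of the headers package and removed from the build tree once modules are signed; please verify, and add that step if it is missing. A PKGBUILD comment such as `# signing key is generated per build; keep certs/signing_key.pem out of the headers package` would record the expectation for the next maintainer. A per-build key also makes the kernel image and signed modules differ between rebuilds, which is worth noting for anyone comparing builds for reproducibility.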


