[arch-commits] Commit in linux-hardened/trunk (PKGBUILD config.x86_64)
Levente Polyak
anthraxx at archlinux.org
Sun Sep 9 18:59:07 UTC 2018
Date: Sunday, September 9, 2018 @ 18:59:06
Author: anthraxx
Revision: 334296
upgpkg: linux-hardened 4.18.7.a-1 (enable module signature check)
Signing kernel modules[0] with an autogenerated key during the build opens the
possibility to boot with the "module.sig_enforce=1" kernel option, which provides
a strong security enhancement. As it will be incompatible with dkms and
out-of-tree modules like nvidia drivers, the default behaviour without the boot
parameter stays the same, and this change will be invisible to users who don't
enable it manually.
This is exactly the same approach used by the Ubuntu distro[1]:
[0] https://www.kernel.org/doc/html/latest/admin-guide/module-signing.html
[1] https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/bionic/tree/debian.master/config/config.common.ubuntu#n5409
Modified:
linux-hardened/trunk/PKGBUILD
linux-hardened/trunk/config.x86_64
---------------+
PKGBUILD | 8 ++++----
config.x86_64 | 15 ++++++++++++---
2 files changed, 16 insertions(+), 7 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2018-09-09 17:05:17 UTC (rev 334295)
+++ PKGBUILD 2018-09-09 18:59:06 UTC (rev 334296)
@@ -4,7 +4,7 @@
# Contributor: Thomas Baechler <thomas at archlinux.org>
pkgbase=linux-hardened
-_pkgver=4.18.6
+_pkgver=4.18.7
_hardenedver=a
_srcname=linux-${_pkgver}
pkgver=${_pkgver}.${_hardenedver}
@@ -26,11 +26,11 @@
HID-core-fix-grouping-by-application.patch
)
replaces=('linux-grsec')
-sha256sums=('05db97fd6891217af6d4203bdc442ef2af78d7902b6a8e9bd348682704c22894'
+sha256sums=('f03b425e262a71e5079736706233a4e9afaf77c8462b552b4d6db2d33f5af731'
'SKIP'
- 'd3a244e228a566d536a26fcfe57252bb6e9b61c0f070ef4bb9eaad868196bef3'
+ '7d716cdb26f3437660b807d68acc0406a2ba9dba59c62388d65373a19477f7ac'
'SKIP'
- '397aa929fbc57aeedfbf95b6313509ebb56cb8f246dfe2b3f967af8738860f62'
+ '48ac32d2fa684add651b3172e9499a39081191d9bda31e9ff9cc7a959b88b13f'
'ae2e95db94ef7176207c690224169594d49445e04249d2499e9d2fbc117a0b21'
'75f99f5239e03238f88d1a834c50043ec32b1dc568f2cc291b07d04718483919'
'ad6344badc91ad0630caacde83f7f9b97276f80d26a20619a87952be65492c65'
Modified: config.x86_64
===================================================================
--- config.x86_64 2018-09-09 17:05:17 UTC (rev 334295)
+++ config.x86_64 2018-09-09 18:59:06 UTC (rev 334296)
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.18.6 Kernel Configuration
+# Linux/x86 4.18.7 Kernel Configuration
#
#
@@ -384,7 +384,15 @@
CONFIG_MODULE_FORCE_UNLOAD=y
CONFIG_MODVERSIONS=y
CONFIG_MODULE_SRCVERSION_ALL=y
-# CONFIG_MODULE_SIG is not set
+CONFIG_MODULE_SIG=y
+# CONFIG_MODULE_SIG_FORCE is not set
+CONFIG_MODULE_SIG_ALL=y
+# CONFIG_MODULE_SIG_SHA1 is not set
+# CONFIG_MODULE_SIG_SHA224 is not set
+# CONFIG_MODULE_SIG_SHA256 is not set
+# CONFIG_MODULE_SIG_SHA384 is not set
+CONFIG_MODULE_SIG_SHA512=y
+CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_COMPRESS=y
# CONFIG_MODULE_COMPRESS_GZIP is not set
CONFIG_MODULE_COMPRESS_XZ=y
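Review bot: With `CONFIG_MODULE_SIG_ALL=y` next to `CONFIG_MODULE_COMPRESS=y`, the signature is appended to each module at `modules_install`, and any later packaging step that strips or otherwise rewrites the `.ko` files invalidates it. The PKGBUILD hunks in this commit only bump the version and checksums, so whether the package step leaves the modules untouched after install is not visible here and should be confirmed. Because `CONFIG_MODULE_SIG_FORCE` stays unset, a broken signature would go unnoticed on a default boot and only show up as load failures once `module.sig_enforce=1` is set. A post-package check such as `modinfo -F signer` on one installed module would catch this before release.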
@@ -9395,7 +9403,7 @@
CONFIG_CRYPTO_SHA256_MB=m
CONFIG_CRYPTO_SHA512_MB=m
CONFIG_CRYPTO_SHA256=y
-CONFIG_CRYPTO_SHA512=m
+CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_SHA3=m
CONFIG_CRYPTO_SM3=m
CONFIG_CRYPTO_TGR192=m
@@ -9503,6 +9511,7 @@
#
# Certificates for signature checking
#
+CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS=""
# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set
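Review bot: `CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"` together with the empty `CONFIG_SYSTEM_TRUSTED_KEYS` means that, as far as this hunk shows, the key generated in the build tree is the only one compiled into the trusted keyring, and nothing in this commit shows what happens to its private half after the build. If that file survives in a shipped package (for example through a copied build tree in a headers package, which is not visible here) or stays on a shared build host, modules signed with it will pass `module.sig_enforce=1`. I would have the PKGBUILD delete it once the modules are installed and signed, e.g. `rm -f certs/signing_key.pem`, with a comment stating that the key is per-build and must not leave the build directory.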