[arch-commits] Commit in linux/trunk (PKGBUILD config)
Jan Steffens
heftig at gemini.archlinux.org
Sun Jun 19 19:23:49 UTC 2022
Date: Sunday, June 19, 2022 @ 19:23:48
Author: heftig
Revision: 449140
FS#75102: Enable KEXEC_SIG and IMA
Modified:
linux/trunk/PKGBUILD
linux/trunk/config
----------+
PKGBUILD | 2 +-
config | 51 +++++++++++++++++++++++++++++++++++++++------------
2 files changed, 40 insertions(+), 13 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2022-06-19 19:23:47 UTC (rev 449139)
+++ PKGBUILD 2022-06-19 19:23:48 UTC (rev 449140)
@@ -26,7 +26,7 @@
'C7E7849466FE2358343588377258734B41C31549' # David Runge <dvzrv at archlinux.org>
)
sha256sums=('SKIP'
- 'ee1f138da9c39bc2510f25cd7bfc00edaa6e418b35e52ce7f8392135e51068b9')
+ '74d99c4a5aaf75b9a8bc62af3cae6500759575aded4fd5625b22dd8c2c2686b5')
export KBUILD_BUILD_HOST=archlinux
export KBUILD_BUILD_USER=$pkgbase
Modified: config
===================================================================
--- config 2022-06-19 19:23:47 UTC (rev 449139)
+++ config 2022-06-19 19:23:48 UTC (rev 449140)
@@ -497,7 +497,9 @@
CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
CONFIG_ARCH_HAS_KEXEC_PURGATORY=y
-# CONFIG_KEXEC_SIG is not set
+CONFIG_KEXEC_SIG=y
+# CONFIG_KEXEC_SIG_FORCE is not set
+CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
CONFIG_CRASH_DUMP=y
CONFIG_KEXEC_JUMP=y
CONFIG_PHYSICAL_START=0x1000000
@@ -4426,7 +4428,7 @@
CONFIG_IPMI_WATCHDOG=m
CONFIG_IPMI_POWEROFF=m
CONFIG_IPMB_DEVICE_INTERFACE=m
-CONFIG_HW_RANDOM=m
+CONFIG_HW_RANDOM=y
CONFIG_HW_RANDOM_TIMERIOMEM=m
CONFIG_HW_RANDOM_INTEL=m
CONFIG_HW_RANDOM_AMD=m
@@ -4453,10 +4455,10 @@
CONFIG_HPET=y
# CONFIG_HPET_MMAP is not set
CONFIG_HANGCHECK_TIMER=m
-CONFIG_TCG_TPM=m
+CONFIG_TCG_TPM=y
CONFIG_HW_RANDOM_TPM=y
-CONFIG_TCG_TIS_CORE=m
-CONFIG_TCG_TIS=m
+CONFIG_TCG_TIS_CORE=y
+CONFIG_TCG_TIS=y
CONFIG_TCG_TIS_SPI=m
CONFIG_TCG_TIS_SPI_CR50=y
CONFIG_TCG_TIS_I2C_CR50=m
@@ -4467,7 +4469,7 @@
CONFIG_TCG_ATMEL=m
CONFIG_TCG_INFINEON=m
CONFIG_TCG_XEN=m
-CONFIG_TCG_CRB=m
+CONFIG_TCG_CRB=y
CONFIG_TCG_VTPM_PROXY=m
CONFIG_TCG_TIS_ST33ZP24=m
CONFIG_TCG_TIS_ST33ZP24_I2C=m
@@ -9655,6 +9657,7 @@
CONFIG_ND_PFN=m
CONFIG_NVDIMM_PFN=y
CONFIG_NVDIMM_DAX=y
+CONFIG_NVDIMM_KEYS=y
CONFIG_DAX=y
CONFIG_DEV_DAX=m
CONFIG_DEV_DAX_PMEM=m
@@ -10151,7 +10154,7 @@
CONFIG_KEYS_REQUEST_CACHE=y
CONFIG_PERSISTENT_KEYRINGS=y
CONFIG_TRUSTED_KEYS=m
-CONFIG_ENCRYPTED_KEYS=m
+CONFIG_ENCRYPTED_KEYS=y
# CONFIG_USER_DECRYPTED_DATA is not set
CONFIG_KEY_DH_OPERATIONS=y
CONFIG_KEY_NOTIFICATIONS=y
@@ -10210,16 +10213,40 @@
CONFIG_INTEGRITY_MACHINE_KEYRING=y
CONFIG_LOAD_UEFI_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
-# CONFIG_IMA is not set
+CONFIG_IMA=y
+CONFIG_IMA_MEASURE_PCR_IDX=10
+CONFIG_IMA_LSM_RULES=y
+CONFIG_IMA_NG_TEMPLATE=y
+# CONFIG_IMA_SIG_TEMPLATE is not set
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA512=y
+CONFIG_IMA_DEFAULT_HASH="sha512"
+CONFIG_IMA_WRITE_POLICY=y
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_APPRAISE=y
+CONFIG_IMA_ARCH_POLICY=y
+# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+CONFIG_IMA_APPRAISE_MODSIG=y
+# CONFIG_IMA_TRUSTED_KEYRING is not set
# CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
-# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
-# CONFIG_EVM is not set
+CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
+CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
+CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
+# CONFIG_IMA_DISABLE_HTABLE is not set
+CONFIG_EVM=y
+CONFIG_EVM_ATTR_FSUUID=y
+CONFIG_EVM_EXTRA_SMACK_XATTRS=y
+CONFIG_EVM_ADD_XATTRS=y
+# CONFIG_EVM_LOAD_X509 is not set
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
# CONFIG_DEFAULT_SECURITY_SMACK is not set
# CONFIG_DEFAULT_SECURITY_TOMOYO is not set
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
CONFIG_DEFAULT_SECURITY_DAC=y
-CONFIG_LSM="landlock,lockdown,yama,bpf"
+CONFIG_LSM="landlock,lockdown,yama,integrity,bpf"
#
# Kernel hardening options
@@ -10311,7 +10338,7 @@
#
# Block modes
#
-CONFIG_CRYPTO_CBC=m
+CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CFB=m
CONFIG_CRYPTO_CTR=y
CONFIG_CRYPTO_CTS=m
More information about the arch-commits
mailing list