[arch-commits] Commit in linux/trunk (PKGBUILD config)

Jan Steffens heftig at gemini.archlinux.org
Sun Jun 19 20:12:31 UTC 2022


    Date: Sunday, June 19, 2022 @ 20:12:31
  Author: heftig
Revision: 449141

FS#75102: Revert "Enable KEXEC_SIG and IMA"

Enabling IMA makes it impossible to load unsigned kernel modules when
secure boot is in use, and without shim in the boot chain you can't get
the kernel to trust a local key for module signing.

This reverts commit 6a241232a3275ef3e314b5b7167e13fffff71282.

Modified:
  linux/trunk/PKGBUILD
  linux/trunk/config

----------+
 PKGBUILD |    2 +-
 config   |   51 ++++++++++++---------------------------------------
 2 files changed, 13 insertions(+), 40 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2022-06-19 19:23:48 UTC (rev 449140)
+++ PKGBUILD	2022-06-19 20:12:31 UTC (rev 449141)
@@ -26,7 +26,7 @@
   'C7E7849466FE2358343588377258734B41C31549'  # David Runge <dvzrv at archlinux.org>
 )
 sha256sums=('SKIP'
-            '74d99c4a5aaf75b9a8bc62af3cae6500759575aded4fd5625b22dd8c2c2686b5')
+            'ee1f138da9c39bc2510f25cd7bfc00edaa6e418b35e52ce7f8392135e51068b9')
 
 export KBUILD_BUILD_HOST=archlinux
 export KBUILD_BUILD_USER=$pkgbase

Modified: config
===================================================================
--- config	2022-06-19 19:23:48 UTC (rev 449140)
+++ config	2022-06-19 20:12:31 UTC (rev 449141)
@@ -497,9 +497,7 @@
 CONFIG_KEXEC=y
 CONFIG_KEXEC_FILE=y
 CONFIG_ARCH_HAS_KEXEC_PURGATORY=y
-CONFIG_KEXEC_SIG=y
-# CONFIG_KEXEC_SIG_FORCE is not set
-CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
+# CONFIG_KEXEC_SIG is not set
 CONFIG_CRASH_DUMP=y
 CONFIG_KEXEC_JUMP=y
 CONFIG_PHYSICAL_START=0x1000000
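Review bot: Dropping CONFIG_KEXEC_SIG (the three removed lines replaced by `# CONFIG_KEXEC_SIG is not set`) goes beyond the module-loading problem the message describes; that symbol governs signature checks on kexec_file_load() images and does not depend on IMA. If I read kernel/kexec_file.c correctly, a failed signature is only fatal when KEXEC_SIG_FORCE is set or the lockdown LSM (still present in CONFIG_LSM further down in this diff) is active, so `CONFIG_KEXEC_SIG=y` together with `# CONFIG_KEXEC_SIG_FORCE is not set` would not block unsigned kexec on ordinary boots but would still let lockdown refuse unsigned kexec images under secure boot. With the symbol off, lockdown has no signature path for kexec_file_load() at all. Suggest keeping the removed KEXEC_SIG lines unless they were themselves part of the reported breakage, and saying so in the description if they were.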
@@ -4428,7 +4426,7 @@
 CONFIG_IPMI_WATCHDOG=m
 CONFIG_IPMI_POWEROFF=m
 CONFIG_IPMB_DEVICE_INTERFACE=m
-CONFIG_HW_RANDOM=y
+CONFIG_HW_RANDOM=m
 CONFIG_HW_RANDOM_TIMERIOMEM=m
 CONFIG_HW_RANDOM_INTEL=m
 CONFIG_HW_RANDOM_AMD=m
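Review bot: CONFIG_HW_RANDOM going from y back to m is not mentioned in the message, and the same holds for the TCG_TPM/TCG_TIS_CORE/TCG_TIS/TCG_CRB, NVDIMM_KEYS, ENCRYPTED_KEYS and CRYPTO_CBC hunks further down. These look like Kconfig fallout of the reverted commit (built-in IMA and trusted-key support pull those symbols to y through select/depends) rather than deliberate choices, but a reader of the revert cannot tell which. A short line in the description, e.g. `Also reverts the TPM/HW_RANDOM/ENCRYPTED_KEYS/CRYPTO_CBC builtin changes that olddefconfig pulled in with IMA`, would make the scope explicit. It is also worth re-running the result through `make olddefconfig` to confirm the diff is fully mechanical, since the TPM driver becoming a module again matters only if something still built in needs it before the initramfs, and nothing visible here does once IMA is off.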
@@ -4455,10 +4453,10 @@
 CONFIG_HPET=y
 # CONFIG_HPET_MMAP is not set
 CONFIG_HANGCHECK_TIMER=m
-CONFIG_TCG_TPM=y
+CONFIG_TCG_TPM=m
 CONFIG_HW_RANDOM_TPM=y
-CONFIG_TCG_TIS_CORE=y
-CONFIG_TCG_TIS=y
+CONFIG_TCG_TIS_CORE=m
+CONFIG_TCG_TIS=m
 CONFIG_TCG_TIS_SPI=m
 CONFIG_TCG_TIS_SPI_CR50=y
 CONFIG_TCG_TIS_I2C_CR50=m
@@ -4469,7 +4467,7 @@
 CONFIG_TCG_ATMEL=m
 CONFIG_TCG_INFINEON=m
 CONFIG_TCG_XEN=m
-CONFIG_TCG_CRB=y
+CONFIG_TCG_CRB=m
 CONFIG_TCG_VTPM_PROXY=m
 CONFIG_TCG_TIS_ST33ZP24=m
 CONFIG_TCG_TIS_ST33ZP24_I2C=m
@@ -9657,7 +9655,6 @@
 CONFIG_ND_PFN=m
 CONFIG_NVDIMM_PFN=y
 CONFIG_NVDIMM_DAX=y
-CONFIG_NVDIMM_KEYS=y
 CONFIG_DAX=y
 CONFIG_DEV_DAX=m
 CONFIG_DEV_DAX_PMEM=m
@@ -10154,7 +10151,7 @@
 CONFIG_KEYS_REQUEST_CACHE=y
 CONFIG_PERSISTENT_KEYRINGS=y
 CONFIG_TRUSTED_KEYS=m
-CONFIG_ENCRYPTED_KEYS=y
+CONFIG_ENCRYPTED_KEYS=m
 # CONFIG_USER_DECRYPTED_DATA is not set
 CONFIG_KEY_DH_OPERATIONS=y
 CONFIG_KEY_NOTIFICATIONS=y
@@ -10213,40 +10210,16 @@
 CONFIG_INTEGRITY_MACHINE_KEYRING=y
 CONFIG_LOAD_UEFI_KEYS=y
 CONFIG_INTEGRITY_AUDIT=y
-CONFIG_IMA=y
-CONFIG_IMA_MEASURE_PCR_IDX=10
-CONFIG_IMA_LSM_RULES=y
-CONFIG_IMA_NG_TEMPLATE=y
-# CONFIG_IMA_SIG_TEMPLATE is not set
-CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
-# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
-CONFIG_IMA_DEFAULT_HASH_SHA512=y
-CONFIG_IMA_DEFAULT_HASH="sha512"
-CONFIG_IMA_WRITE_POLICY=y
-CONFIG_IMA_READ_POLICY=y
-CONFIG_IMA_APPRAISE=y
-CONFIG_IMA_ARCH_POLICY=y
-# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
-CONFIG_IMA_APPRAISE_BOOTPARAM=y
-CONFIG_IMA_APPRAISE_MODSIG=y
-# CONFIG_IMA_TRUSTED_KEYRING is not set
+# CONFIG_IMA is not set
 # CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
-CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
-CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
-CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
-# CONFIG_IMA_DISABLE_HTABLE is not set
-CONFIG_EVM=y
-CONFIG_EVM_ATTR_FSUUID=y
-CONFIG_EVM_EXTRA_SMACK_XATTRS=y
-CONFIG_EVM_ADD_XATTRS=y
-# CONFIG_EVM_LOAD_X509 is not set
+# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
+# CONFIG_EVM is not set
 # CONFIG_DEFAULT_SECURITY_SELINUX is not set
 # CONFIG_DEFAULT_SECURITY_SMACK is not set
 # CONFIG_DEFAULT_SECURITY_TOMOYO is not set
 # CONFIG_DEFAULT_SECURITY_APPARMOR is not set
 CONFIG_DEFAULT_SECURITY_DAC=y
-CONFIG_LSM="landlock,lockdown,yama,integrity,bpf"
+CONFIG_LSM="landlock,lockdown,yama,bpf"
 
 #
 # Kernel hardening options
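Review bot: Disabling CONFIG_IMA outright (the `# CONFIG_IMA is not set` line) is a larger change than the reported problem appears to need. As far as I know the secure-boot module appraisal described in the message comes from the arch policy (the removed `CONFIG_IMA_ARCH_POLICY=y` line), whose MODULE_CHECK appraise rule is added under secure boot depending on CONFIG_MODULE_SIG, which is not visible in this diff; unsetting IMA_ARCH_POLICY and CONFIG_IMA_APPRAISE while keeping `CONFIG_IMA=y` would leave measurement-only IMA (PCR extends, no enforcement) working and would avoid turning off EVM and dropping `integrity` from CONFIG_LSM on the last changed line. If the full revert is intentional, for example to avoid the boot-time cost or the built-in TPM dependency, a sentence in the description saying so would save the next reader from asking for the narrower fix.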
@@ -10338,7 +10311,7 @@
 #
 # Block modes
 #
-CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CBC=m
 CONFIG_CRYPTO_CFB=m
 CONFIG_CRYPTO_CTR=y
 CONFIG_CRYPTO_CTS=m


