IMA: refresh kernel cfg

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
author: Lans Zhang <jia.zhang@windriver.com> 2017-06-26 11:33:39 +0800
committer: Lans Zhang <jia.zhang@windriver.com> 2017-06-26 11:33:39 +0800
commit: 8e01c0a442d468db8621f9ab921cfbfe838f4baf (patch)
tree: 429420d7d1dc7c318866b37c9dd28b2105bb4e15 /meta-integrity
parent: dcc933df6e9ab127e19a77c2322a1816c04b03c4 (diff)
download: meta-secure-core-8e01c0a442d468db8621f9ab921cfbfe838f4baf.tar.gz
7 files changed, 22 insertions, 23 deletions
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc b/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc
index 8c08a45..34259de 100644
--- a/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc
@@ -7,7 +7,7 @@ DEPENDS += "${@'key-store openssl-native' if d.getVar('IMA_ENABLED', True) == '1
 # in initramfs only. So we don't add it to RDEPENDS_${PN} here.
 SRC_URI += " \
-    ${@'file://ima.scc file://ima.cfg' if d.getVar('IMA_ENABLED', True) == '1' else ''} \
+    ${@'file://ima.scc file://ima.cfg file://integrity.scc file://integrity.cfg' if d.getVar('IMA_ENABLED', True) == '1' else ''} \
 "
 do_configure_append() {
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto-rt_4.%.bbappend b/meta-integrity/recipes-kernel/linux/linux-yocto-rt_4.%.bbappend
index 685d15c..c59d66c 100644
--- a/meta-integrity/recipes-kernel/linux/linux-yocto-rt_4.%.bbappend
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto-rt_4.%.bbappend
@@ -1 +1 @@
-include linux-yocto-integrity.inc
+require linux-yocto-integrity.inc
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto/ima.cfg b/meta-integrity/recipes-kernel/linux/linux-yocto/ima.cfg
index 073197a..5918392 100644
--- a/meta-integrity/recipes-kernel/linux/linux-yocto/ima.cfg
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto/ima.cfg
@@ -1,17 +1,8 @@
-..........................................................................
-.                                WARNING
-.
-. This file is a kernel configuration fragment, and not a full kernel
-. configuration file.  The final kernel configuration is made up of
-. an assembly of processed fragments, each of which is designed to
-. capture a specific part of the final configuration (e.g. platform
-. configuration, feature configuration, and board specific hardware
-. configuration).  For more information on kernel configuration, please
-. consult the product documentation.
-.
-..........................................................................
 CONFIG_IMA=y
+# CONFIG_IMA_KEXEC is not set
+# CONFIG_IMA_LSM_RULES is not set
+# CONFIG_IMA_WRITE_POLICY is not set
+# CONFIG_IMA_READ_POLICY is not set
 CONFIG_IMA_MEASURE_PCR_IDX=10
 # CONFIG_IMA_TEMPLATE is not set
 # CONFIG_IMA_NG_TEMPLATE=y is not set
@@ -23,13 +14,9 @@ CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA_DEFAULT_HASH_WP512 is not set
 CONFIG_IMA_DEFAULT_HASH="sha256"
 CONFIG_IMA_APPRAISE=y
-CONFIG_INTEGRITY_SIGNATURE=y
-CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
-CONFIG_INTEGRITY_TRUSTED_KEYRING=y
-CONFIG_SYSTEM_TRUSTED_KEYRING=y
 CONFIG_IMA_LOAD_X509=y
 CONFIG_IMA_TRUSTED_KEYRING=y
+CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
+CONFIG_IMA_BLACKLIST_KEYRING=y
 CONFIG_IMA_X509_PATH="/etc/keys/x509_evm.der"
 # CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
-CONFIG_AUDIT=y
-CONFIG_INTEGRITY_AUDIT=y
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto/ima.scc b/meta-integrity/recipes-kernel/linux/linux-yocto/ima.scc
index c43e1c4..866ea24 100644
--- a/meta-integrity/recipes-kernel/linux/linux-yocto/ima.scc
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto/ima.scc
@@ -1,4 +1,5 @@
 define KFEATURE_DESCRIPTION "Integrity Measurement Architecture (IMA) enablement"
-define KFEATURE_COMPATIBILITY board
+define KFEATURE_COMPATIBILITY all
+include integrity.scc
 kconf non-hardware ima.cfg
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto/integrity.cfg b/meta-integrity/recipes-kernel/linux/linux-yocto/integrity.cfg
new file mode 100644
index 0000000..4706515
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto/integrity.cfg
@@ -0,0 +1,7 @@
+CONFIG_SECURITYFS=y
+CONFIG_AUDIT=y
+CONFIG_INTEGRITY=y
+CONFIG_INTEGRITY_AUDIT=y
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+CONFIG_SYSTEM_TRUSTED_KEYRING=y
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto/integrity.scc b/meta-integrity/recipes-kernel/linux/linux-yocto/integrity.scc
new file mode 100644
index 0000000..a007b08
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto/integrity.scc
@@ -0,0 +1,4 @@
+define KFEATURE_DESCRIPTION "Integrity subsystem enablement"
+define KFEATURE_COMPATIBILITY all
+kconf non-hardware integrity.cfg
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto_4.%.bbappend b/meta-integrity/recipes-kernel/linux/linux-yocto_4.%.bbappend
index 685d15c..c59d66c 100644
--- a/meta-integrity/recipes-kernel/linux/linux-yocto_4.%.bbappend
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto_4.%.bbappend
@@ -1 +1 @@
-include linux-yocto-integrity.inc
+require linux-yocto-integrity.inc
author	Lans Zhang <jia.zhang@windriver.com>	2017-06-26 11:33:39 +0800
committer	Lans Zhang <jia.zhang@windriver.com>	2017-06-26 11:33:39 +0800
commit	8e01c0a442d468db8621f9ab921cfbfe838f4baf (patch)
tree	429420d7d1dc7c318866b37c9dd28b2105bb4e15 /meta-integrity
parent	dcc933df6e9ab127e19a77c2322a1816c04b03c4 (diff)
download	meta-secure-core-8e01c0a442d468db8621f9ab921cfbfe838f4baf.tar.gz