From 8e01c0a442d468db8621f9ab921cfbfe838f4baf Mon Sep 17 00:00:00 2001
From: Lans Zhang
Date: Mon, 26 Jun 2017 11:33:39 +0800
Subject: IMA: refresh kernel cfg
Signed-off-by: Lans Zhang
---
.../recipes-kernel/linux/linux-yocto-integrity.inc | 2 +-
.../linux/linux-yocto-rt_4.%.bbappend | 2 +-
.../recipes-kernel/linux/linux-yocto/ima.cfg | 25 ++++++----------------
.../recipes-kernel/linux/linux-yocto/ima.scc | 3 ++-
.../recipes-kernel/linux/linux-yocto/integrity.cfg | 7 ++++++
.../recipes-kernel/linux/linux-yocto/integrity.scc | 4 ++++
.../recipes-kernel/linux/linux-yocto_4.%.bbappend | 2 +-
7 files changed, 22 insertions(+), 23 deletions(-)
create mode 100644 meta-integrity/recipes-kernel/linux/linux-yocto/integrity.cfg
create mode 100644 meta-integrity/recipes-kernel/linux/linux-yocto/integrity.scc
(limited to 'meta-integrity')
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc b/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc
index 8c08a45..34259de 100644
--- a/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc
@@ -7,7 +7,7 @@ DEPENDS += "${@'key-store openssl-native' if d.getVar('IMA_ENABLED', True) == '1
 # in initramfs only. So we don't add it to RDEPENDS_${PN} here.
 SRC_URI += " \
- ${@'file://ima.scc file://ima.cfg' if d.getVar('IMA_ENABLED', True) == '1' else ''} \
+ ${@'file://ima.scc file://ima.cfg file://integrity.scc file://integrity.cfg' if d.getVar('IMA_ENABLED', True) == '1' else ''} \
 "
 do_configure_append() {
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto-rt_4.%.bbappend b/meta-integrity/recipes-kernel/linux/linux-yocto-rt_4.%.bbappend
index 685d15c..c59d66c 100644
--- a/meta-integrity/recipes-kernel/linux/linux-yocto-rt_4.%.bbappend
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto-rt_4.%.bbappend
@@ -1 +1 @@
-include linux-yocto-integrity.inc
+require linux-yocto-integrity.inc
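Review bot: The SRC_URI line now carries four file:// entries inside an inline Python conditional that repeats the `d.getVar('IMA_ENABLED', True) == '1'` test already used on the DEPENDS line shown in the hunk header, which makes the next addition to the list a long-line edit in two places. A named variable plus `bb.utils.contains` keeps the file list in one spot and reads more easily, e.g. `IMA_KERNEL_FEATURES = "file://ima.scc file://ima.cfg file://integrity.scc file://integrity.cfg"` followed by `SRC_URI += "${@bb.utils.contains('IMA_ENABLED', '1', '${IMA_KERNEL_FEATURES}', '', d)}"`. This is a style preference only; the existing getVar form is not wrong.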
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto/ima.cfg b/meta-integrity/recipes-kernel/linux/linux-yocto/ima.cfg
index 073197a..5918392 100644
--- a/meta-integrity/recipes-kernel/linux/linux-yocto/ima.cfg
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto/ima.cfg
@@ -1,17 +1,8 @@
-..........................................................................
-. WARNING
-.
-. This file is a kernel configuration fragment, and not a full kernel
-. configuration file. The final kernel configuration is made up of
-. an assembly of processed fragments, each of which is designed to
-. capture a specific part of the final configuration (e.g. platform
-. configuration, feature configuration, and board specific hardware
-. configuration). For more information on kernel configuration, please
-. consult the product documentation.
-.
-..........................................................................
-
 CONFIG_IMA=y
+# CONFIG_IMA_KEXEC is not set
+# CONFIG_IMA_LSM_RULES is not set
+# CONFIG_IMA_WRITE_POLICY is not set
+# CONFIG_IMA_READ_POLICY is not set
 CONFIG_IMA_MEASURE_PCR_IDX=10
 # CONFIG_IMA_TEMPLATE is not set
 # CONFIG_IMA_NG_TEMPLATE=y is not set
@@ -23,13 +14,9 @@ CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA_DEFAULT_HASH_WP512 is not set
 CONFIG_IMA_DEFAULT_HASH="sha256"
 CONFIG_IMA_APPRAISE=y
-CONFIG_INTEGRITY_SIGNATURE=y
-CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
-CONFIG_INTEGRITY_TRUSTED_KEYRING=y
-CONFIG_SYSTEM_TRUSTED_KEYRING=y
 CONFIG_IMA_LOAD_X509=y
 CONFIG_IMA_TRUSTED_KEYRING=y
+CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
+CONFIG_IMA_BLACKLIST_KEYRING=y
 CONFIG_IMA_X509_PATH="/etc/keys/x509_evm.der"
 # CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
-CONFIG_AUDIT=y
-CONFIG_INTEGRITY_AUDIT=y
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto/ima.scc b/meta-integrity/recipes-kernel/linux/linux-yocto/ima.scc
index c43e1c4..866ea24 100644
--- a/meta-integrity/recipes-kernel/linux/linux-yocto/ima.scc
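Review bot: The four new `is not set` lines in the first ima.cfg hunk (IMA_KEXEC, IMA_LSM_RULES, IMA_WRITE_POLICY, IMA_READ_POLICY) are deliberate choices with no comment, so a later reader cannot tell a hardening decision from a copied default. The two policy options deserve a line: with CONFIG_IMA_WRITE_POLICY off the IMA policy can be written to securityfs only once, and with CONFIG_IMA_READ_POLICY off the loaded policy cannot be read back for auditing. Suggest a comment above them such as `# Policy is write-once (no IMA_WRITE_POLICY) and not readable back via securityfs (no IMA_READ_POLICY)`, and a second one stating that policy rules keyed on LSM labels are intentionally unsupported (IMA_LSM_RULES off), assuming none of the layer's policies rely on them.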
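Review bot: In the second ima.cfg hunk, CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y depends on CONFIG_SECONDARY_TRUSTED_KEYRING, which neither this fragment nor the new integrity.cfg enables, so unless the base kernel configuration already sets it the option is silently dropped at fragment merge and the .ima keyring keeps accepting only keys signed by the built-in keyring. The same hunk removes CONFIG_INTEGRITY_TRUSTED_KEYRING=y without carrying it into integrity.cfg; the deprecated CONFIG_IMA_TRUSTED_KEYRING=y left here still selects it, but the intent is no longer visible in either fragment. Suggest adding `CONFIG_SECONDARY_TRUSTED_KEYRING=y` and `CONFIG_INTEGRITY_TRUSTED_KEYRING=y` next to CONFIG_SYSTEM_TRUSTED_KEYRING=y in integrity.cfg, and checking the kernel configuration audit output for these symbols after the change.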
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto/ima.scc
@@ -1,4 +1,5 @@
 define KFEATURE_DESCRIPTION "Integrity Measurement Architecture (IMA) enablement"
-define KFEATURE_COMPATIBILITY board
+define KFEATURE_COMPATIBILITY all
+include integrity.scc
 kconf non-hardware ima.cfg
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto/integrity.cfg b/meta-integrity/recipes-kernel/linux/linux-yocto/integrity.cfg
new file mode 100644
index 0000000..4706515
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto/integrity.cfg
@@ -0,0 +1,7 @@
+CONFIG_SECURITYFS=y
+CONFIG_AUDIT=y
+CONFIG_INTEGRITY=y
+CONFIG_INTEGRITY_AUDIT=y
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+CONFIG_SYSTEM_TRUSTED_KEYRING=y
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto/integrity.scc b/meta-integrity/recipes-kernel/linux/linux-yocto/integrity.scc
new file mode 100644
index 0000000..a007b08
--- /dev/null
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto/integrity.scc
@@ -0,0 +1,4 @@
+define KFEATURE_DESCRIPTION "Integrity subsystem enablement"
+define KFEATURE_COMPATIBILITY all
+
+kconf non-hardware integrity.cfg
diff --git a/meta-integrity/recipes-kernel/linux/linux-yocto_4.%.bbappend b/meta-integrity/recipes-kernel/linux/linux-yocto_4.%.bbappend
index 685d15c..c59d66c 100644
--- a/meta-integrity/recipes-kernel/linux/linux-yocto_4.%.bbappend
+++ b/meta-integrity/recipes-kernel/linux/linux-yocto_4.%.bbappend
@@ -1 +1 @@
-include linux-yocto-integrity.inc
+require linux-yocto-integrity.inc
--
cgit v1.2.3-54-g00ecf