From d47553303c77002c8a55a68d05a5bdf9ed7eb4d1 Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Wed, 19 Jul 2023 20:26:09 -0400 Subject: meta-integrity: drop ima.cfg in favor of new k-cache The upstream ima.cfg kernel-cache has been updated. Use it instead. Signed-off-by: Armin Kuster --- meta-integrity/recipes-kernel/linux/linux/ima.cfg | 45 ----------------------- meta-integrity/recipes-kernel/linux/linux/ima.scc | 4 -- meta-integrity/recipes-kernel/linux/linux_ima.inc | 6 +-- 3 files changed, 1 insertion(+), 54 deletions(-) delete mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.cfg delete mode 100644 meta-integrity/recipes-kernel/linux/linux/ima.scc diff --git a/meta-integrity/recipes-kernel/linux/linux/ima.cfg b/meta-integrity/recipes-kernel/linux/linux/ima.cfg deleted file mode 100644 index d7d80a6..0000000 --- a/meta-integrity/recipes-kernel/linux/linux/ima.cfg +++ /dev/null @@ -1,45 +0,0 @@ -CONFIG_KEYS=y -CONFIG_ASYMMETRIC_KEY_TYPE=y -CONFIG_SYSTEM_TRUSTED_KEYRING=y -CONFIG_SYSTEM_TRUSTED_KEYS="${IMA_EVM_ROOT_CA}" -CONFIG_SECONDARY_TRUSTED_KEYRING=y -CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y -CONFIG_X509_CERTIFICATE_PARSER=y -CONFIG_PKCS8_PRIVATE_KEY_PARSER=y -CONFIG_CRYPTO_ECDSA=y -CONFIG_SECURITY=y -CONFIG_SECURITYFS=y -CONFIG_INTEGRITY=y -CONFIG_INTEGRITY_SIGNATURE=y -CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y -CONFIG_INTEGRITY_TRUSTED_KEYRING=y -CONFIG_IMA=y -CONFIG_IMA_MEASURE_PCR_IDX=10 -CONFIG_IMA_LSM_RULES=y -# CONFIG_IMA_TEMPLATE is not set -# CONFIG_IMA_NG_TEMPLATE is not set -CONFIG_IMA_SIG_TEMPLATE=y -CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig" -# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set -CONFIG_IMA_DEFAULT_HASH_SHA256=y -# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set -CONFIG_IMA_DEFAULT_HASH="sha256" -CONFIG_IMA_WRITE_POLICY=y -CONFIG_IMA_READ_POLICY=y -CONFIG_IMA_APPRAISE=y -CONFIG_IMA_ARCH_POLICY=y -CONFIG_IMA_APPRAISE_BUILD_POLICY=y -CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y -# CONFIG_IMA_APPRAISE_BOOTPARAM is not set -# CONFIG_IMA_APPRAISE_MODSIG is not set -CONFIG_IMA_TRUSTED_KEYRING=y -CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y -# CONFIG_IMA_BLACKLIST_KEYRING is not set -# CONFIG_IMA_LOAD_X509 is not set -CONFIG_IMA_APPRAISE_SIGNED_INIT=y -CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y -CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y -CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y -# CONFIG_IMA_DISABLE_HTABLE is not set -CONFIG_EVM=y -# CONFIG_EVM_LOAD_X509 is not set diff --git a/meta-integrity/recipes-kernel/linux/linux/ima.scc b/meta-integrity/recipes-kernel/linux/linux/ima.scc deleted file mode 100644 index 6eb84b0..0000000 --- a/meta-integrity/recipes-kernel/linux/linux/ima.scc +++ /dev/null @@ -1,4 +0,0 @@ -define KFEATURE_DESCRIPTION "Enable IMA" - -kconf non-hardware ima.cfg - diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc index 7016800..415476a 100644 --- a/meta-integrity/recipes-kernel/linux/linux_ima.inc +++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc @@ -1,8 +1,3 @@ -FILESEXTRAPATHS:append := "${THISDIR}/linux:" - -SRC_URI += " \ - ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \ -" do_configure:append() { if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then @@ -11,5 +6,6 @@ do_configure:append() { } KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}" +KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' features/ima/ima.scc', '', d)}" inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)} -- cgit v1.2.3-54-g00ecf