author | Armin Kuster <akuster808@gmail.com> | 2023-07-19 20:26:09 -0400 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2023-07-31 06:18:52 -0400 |
commit | d47553303c77002c8a55a68d05a5bdf9ed7eb4d1 (patch) | |
tree | cce70c46d33dfccf6caeb81aa25dc5478fa6e181 | |
parent | 686c7c0b8a97543580ca6ffa9e5b13c327d76766 (diff) | |
download | meta-security-d47553303c77002c8a55a68d05a5bdf9ed7eb4d1.tar.gz |
meta-integrity: drop ima.cfg in favor of new k-cache
The upstream ima.cfg kernel-cache has been updated.
Use it instead.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r-- | meta-integrity/recipes-kernel/linux/linux/ima.cfg | 45 | ||||
-rw-r--r-- | meta-integrity/recipes-kernel/linux/linux/ima.scc | 4 | ||||
-rw-r--r-- | meta-integrity/recipes-kernel/linux/linux_ima.inc | 6 |
3 files changed, 1 insertions, 54 deletions
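--- a/meta-integrity/recipes-kernel/linux/linux/ima.cfg
+++ /dev/null
@@ -1,45 +0,0 @@
-CONFIG_KEYS=y
-CONFIG_ASYMMETRIC_KEY_TYPE=y
-CONFIG_SYSTEM_TRUSTED_KEYRING=y
-CONFIG_SYSTEM_TRUSTED_KEYS="${IMA_EVM_ROOT_CA}"
-CONFIG_SECONDARY_TRUSTED_KEYRING=y
-CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
-CONFIG_X509_CERTIFICATE_PARSER=y
-CONFIG_PKCS8_PRIVATE_KEY_PARSER=y
-CONFIG_CRYPTO_ECDSA=y
-CONFIG_SECURITY=y
-CONFIG_SECURITYFS=y
-CONFIG_INTEGRITY=y
-CONFIG_INTEGRITY_SIGNATURE=y
-CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
-CONFIG_INTEGRITY_TRUSTED_KEYRING=y
-CONFIG_IMA=y
-CONFIG_IMA_MEASURE_PCR_IDX=10
-CONFIG_IMA_LSM_RULES=y
-# CONFIG_IMA_TEMPLATE is not set
-# CONFIG_IMA_NG_TEMPLATE is not set
-CONFIG_IMA_SIG_TEMPLATE=y
-CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
-# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
-CONFIG_IMA_DEFAULT_HASH_SHA256=y
-# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
-CONFIG_IMA_DEFAULT_HASH="sha256"
-CONFIG_IMA_WRITE_POLICY=y
-CONFIG_IMA_READ_POLICY=y
-CONFIG_IMA_APPRAISE=y
-CONFIG_IMA_ARCH_POLICY=y
-CONFIG_IMA_APPRAISE_BUILD_POLICY=y
-CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y
-# CONFIG_IMA_APPRAISE_BOOTPARAM is not set
-# CONFIG_IMA_APPRAISE_MODSIG is not set
-CONFIG_IMA_TRUSTED_KEYRING=y
-CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
-# CONFIG_IMA_BLACKLIST_KEYRING is not set
-# CONFIG_IMA_LOAD_X509 is not set
-CONFIG_IMA_APPRAISE_SIGNED_INIT=y
-CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
-CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
-CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
-# CONFIG_IMA_DISABLE_HTABLE is not set
-CONFIG_EVM=y
-# CONFIG_EVM_LOAD_X509 is not set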
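--- a/meta-integrity/recipes-kernel/linux/linux/ima.scc
+++ /dev/null
@@ -1,4 +0,0 @@
-define KFEATURE_DESCRIPTION "Enable IMA"
-
-kconf non-hardware ima.cfg
-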
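--- a/meta-integrity/recipes-kernel/linux/linux_ima.inc
+++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
@@ -1,8 +1,3 @@
-FILESEXTRAPATHS:append := "${THISDIR}/linux:"
-
-SRC_URI += " \
-${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \
-"
 
 do_configure:append() {
 if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then
@@ -11,5 +6,6 @@ do_configure:append() {
 }
 
 KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}"
+KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' features/ima/ima.scc', '', d)}"
 
 inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)}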
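Review bot: The added `KERNEL_FEATURES:append` for `features/ima/ima.scc` (new line 9) hands the IMA option set to the kernel-cache fragment, and nothing in this change shows that the fragment still carries the hardening choices the deleted ima.cfg pinned, such as `CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y`, `# CONFIG_IMA_APPRAISE_BOOTPARAM is not set` and `CONFIG_SYSTEM_TRUSTED_KEYS="${IMA_EVM_ROOT_CA}"`. A silent drop of any of these would weaken appraisal without failing the build, so it would help to compare the resulting .config against the old fragment and to record the dependency in a comment above the line, for example `# IMA options come from the kernel-cache features/ima/ima.scc; the kernel's kmeta must provide it`. Kernels that include this file but whose metadata lacks that feature presumably no longer receive any IMA fragment, since the local `file://ima.scc` is gone. The body of `do_configure:append()` lies between the two hunks and is not visible here.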