meta-integrity: drop ima.cfg in favor of new k-cache

The upstream ima.cfg kernel-cache has been updated. Use it instead. Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Armin Kuster <akuster808@gmail.com> 2023-07-19 20:26:09 -0400
committer: Armin Kuster <akuster808@gmail.com> 2023-07-31 06:18:52 -0400
commit: d47553303c77002c8a55a68d05a5bdf9ed7eb4d1 (patch)
tree: cce70c46d33dfccf6caeb81aa25dc5478fa6e181
parent: 686c7c0b8a97543580ca6ffa9e5b13c327d76766 (diff)
download: meta-security-d47553303c77002c8a55a68d05a5bdf9ed7eb4d1.tar.gz
3 files changed, 1 insertions, 54 deletions
diff --git a/meta-integrity/recipes-kernel/linux/linux/ima.cfg b/meta-integrity/recipes-kernel/linux/linux/ima.cfg
deleted file mode 100644
index d7d80a6..0000000
--- a/meta-integrity/recipes-kernel/linux/linux/ima.cfg
+++ /dev/null
@@ -1,45 +0,0 @@
-CONFIG_KEYS=y
-CONFIG_ASYMMETRIC_KEY_TYPE=y
-CONFIG_SYSTEM_TRUSTED_KEYRING=y
-CONFIG_SYSTEM_TRUSTED_KEYS="${IMA_EVM_ROOT_CA}"
-CONFIG_SECONDARY_TRUSTED_KEYRING=y
-CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
-CONFIG_X509_CERTIFICATE_PARSER=y
-CONFIG_PKCS8_PRIVATE_KEY_PARSER=y
-CONFIG_CRYPTO_ECDSA=y
-CONFIG_SECURITY=y
-CONFIG_SECURITYFS=y
-CONFIG_INTEGRITY=y
-CONFIG_INTEGRITY_SIGNATURE=y
-CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
-CONFIG_INTEGRITY_TRUSTED_KEYRING=y
-CONFIG_IMA=y
-CONFIG_IMA_MEASURE_PCR_IDX=10
-CONFIG_IMA_LSM_RULES=y
-# CONFIG_IMA_TEMPLATE is not set
-# CONFIG_IMA_NG_TEMPLATE is not set
-CONFIG_IMA_SIG_TEMPLATE=y
-CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
-# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
-CONFIG_IMA_DEFAULT_HASH_SHA256=y
-# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
-CONFIG_IMA_DEFAULT_HASH="sha256"
-CONFIG_IMA_WRITE_POLICY=y
-CONFIG_IMA_READ_POLICY=y
-CONFIG_IMA_APPRAISE=y
-CONFIG_IMA_ARCH_POLICY=y
-CONFIG_IMA_APPRAISE_BUILD_POLICY=y
-CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y
-# CONFIG_IMA_APPRAISE_BOOTPARAM is not set
-# CONFIG_IMA_APPRAISE_MODSIG is not set
-CONFIG_IMA_TRUSTED_KEYRING=y
-CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
-# CONFIG_IMA_BLACKLIST_KEYRING is not set
-# CONFIG_IMA_LOAD_X509 is not set
-CONFIG_IMA_APPRAISE_SIGNED_INIT=y
-CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
-CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
-CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
-# CONFIG_IMA_DISABLE_HTABLE is not set
-CONFIG_EVM=y
-# CONFIG_EVM_LOAD_X509 is not set
diff --git a/meta-integrity/recipes-kernel/linux/linux/ima.scc b/meta-integrity/recipes-kernel/linux/linux/ima.scc
deleted file mode 100644
index 6eb84b0..0000000
--- a/meta-integrity/recipes-kernel/linux/linux/ima.scc
+++ /dev/null
@@ -1,4 +0,0 @@
-define KFEATURE_DESCRIPTION "Enable IMA"
-kconf non-hardware ima.cfg
diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc
index 7016800..415476a 100644
--- a/meta-integrity/recipes-kernel/linux/linux_ima.inc
+++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
@@ -1,8 +1,3 @@
-FILESEXTRAPATHS:append := "${THISDIR}/linux:"
-SRC_URI += " \
-    ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \
-"
 do_configure:append() {
    if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then
@@ -11,5 +6,6 @@ do_configure:append() {
 }
 KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}"
+KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' features/ima/ima.scc', '', d)}"
 inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)}
author	Armin Kuster <akuster808@gmail.com>	2023-07-19 20:26:09 -0400
committer	Armin Kuster <akuster808@gmail.com>	2023-07-31 06:18:52 -0400
commit	d47553303c77002c8a55a68d05a5bdf9ed7eb4d1 (patch)
tree	cce70c46d33dfccf6caeb81aa25dc5478fa6e181
parent	686c7c0b8a97543580ca6ffa9e5b13c327d76766 (diff)
download	meta-security-d47553303c77002c8a55a68d05a5bdf9ed7eb4d1.tar.gz

diff --git a/meta-integrity/recipes-kernel/linux/linux/ima.cfg b/meta-integrity/recipes-kernel/linux/linux/ima.cfg deleted file mode 100644 index d7d80a6..0000000 --- a/meta-integrity/recipes-kernel/linux/linux/ima.cfg +++ /dev/null
@@ -1,45 +0,0 @@
1	CONFIG_KEYS=y
2	CONFIG_ASYMMETRIC_KEY_TYPE=y
3	CONFIG_SYSTEM_TRUSTED_KEYRING=y
4	CONFIG_SYSTEM_TRUSTED_KEYS="${IMA_EVM_ROOT_CA}"
5	CONFIG_SECONDARY_TRUSTED_KEYRING=y
6	CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
7	CONFIG_X509_CERTIFICATE_PARSER=y
8	CONFIG_PKCS8_PRIVATE_KEY_PARSER=y
9	CONFIG_CRYPTO_ECDSA=y
10	CONFIG_SECURITY=y
11	CONFIG_SECURITYFS=y
12	CONFIG_INTEGRITY=y
13	CONFIG_INTEGRITY_SIGNATURE=y
14	CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
15	CONFIG_INTEGRITY_TRUSTED_KEYRING=y
16	CONFIG_IMA=y
17	CONFIG_IMA_MEASURE_PCR_IDX=10
18	CONFIG_IMA_LSM_RULES=y
19	# CONFIG_IMA_TEMPLATE is not set
20	# CONFIG_IMA_NG_TEMPLATE is not set
21	CONFIG_IMA_SIG_TEMPLATE=y
22	CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
23	# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
24	CONFIG_IMA_DEFAULT_HASH_SHA256=y
25	# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
26	CONFIG_IMA_DEFAULT_HASH="sha256"
27	CONFIG_IMA_WRITE_POLICY=y
28	CONFIG_IMA_READ_POLICY=y
29	CONFIG_IMA_APPRAISE=y
30	CONFIG_IMA_ARCH_POLICY=y
31	CONFIG_IMA_APPRAISE_BUILD_POLICY=y
32	CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y
33	# CONFIG_IMA_APPRAISE_BOOTPARAM is not set
34	# CONFIG_IMA_APPRAISE_MODSIG is not set
35	CONFIG_IMA_TRUSTED_KEYRING=y
36	CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
37	# CONFIG_IMA_BLACKLIST_KEYRING is not set
38	# CONFIG_IMA_LOAD_X509 is not set
39	CONFIG_IMA_APPRAISE_SIGNED_INIT=y
40	CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
41	CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
42	CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
43	# CONFIG_IMA_DISABLE_HTABLE is not set
44	CONFIG_EVM=y
45	# CONFIG_EVM_LOAD_X509 is not set


diff --git a/meta-integrity/recipes-kernel/linux/linux/ima.scc b/meta-integrity/recipes-kernel/linux/linux/ima.scc deleted file mode 100644 index 6eb84b0..0000000 --- a/meta-integrity/recipes-kernel/linux/linux/ima.scc +++ /dev/null
@@ -1,4 +0,0 @@
1	define KFEATURE_DESCRIPTION "Enable IMA"
2
3	kconf non-hardware ima.cfg
4


diff --git a/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-integrity/recipes-kernel/linux/linux_ima.inc index 7016800..415476a 100644 --- a/meta-integrity/recipes-kernel/linux/linux_ima.inc +++ b/meta-integrity/recipes-kernel/linux/linux_ima.inc
@@ -1,8 +1,3 @@
1	FILESEXTRAPATHS:append := "${THISDIR}/linux:"
2
3	SRC_URI += " \
4	${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \
5	"
6		1
7	do_configure:append() {	2	do_configure:append() {
8	if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then	3	if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then
@@ -11,5 +6,6 @@ do_configure:append() {
11	}	6	}
12		7
13	KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}"	8	KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}"
		9	KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' features/ima/ima.scc', '', d)}"
14		10
15	inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)}	11	inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)}