From adfbac47b62c420b2438325283f3ca58d10094ec Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Wed, 31 Jul 2019 13:58:31 +0100 Subject: [PATCH] Enable IMA Appraisal - related rhbz 790008 1554474 --- configs/fedora/generic/CONFIG_IMA_APPRAISE | 2 +- configs/fedora/generic/CONFIG_IMA_APPRAISE_BOOTPARAM | 1 + .../fedora/generic/CONFIG_IMA_APPRAISE_BUILD_POLICY | 1 + .../fedora/generic/{x86 => }/CONFIG_IMA_ARCH_POLICY | 0 configs/fedora/generic/CONFIG_IMA_BLACKLIST_KEYRING | 1 + configs/fedora/generic/CONFIG_IMA_LOAD_X509 | 1 + configs/fedora/generic/CONFIG_IMA_TRUSTED_KEYRING | 1 + .../fedora/generic/CONFIG_INTEGRITY_TRUSTED_KEYRING | 1 + configs/fedora/generic/CONFIG_TCG_TIS_SPI | 2 +- kernel-aarch64-debug.config | 11 +++++++++-- kernel-aarch64.config | 11 +++++++++-- kernel-armv7hl-debug.config | 11 +++++++++-- kernel-armv7hl-lpae-debug.config | 11 +++++++++-- kernel-armv7hl-lpae.config | 11 +++++++++-- kernel-armv7hl.config | 11 +++++++++-- kernel-i686-debug.config | 10 ++++++++-- kernel-i686.config | 10 ++++++++-- kernel-ppc64le-debug.config | 11 +++++++++-- kernel-ppc64le.config | 11 +++++++++-- kernel-s390x-debug.config | 11 +++++++++-- kernel-s390x.config | 11 +++++++++-- kernel-x86_64-debug.config | 10 ++++++++-- kernel-x86_64.config | 10 ++++++++-- kernel.spec | 5 ++++- 24 files changed, 134 insertions(+), 31 deletions(-) create mode 100644 configs/fedora/generic/CONFIG_IMA_APPRAISE_BOOTPARAM create mode 100644 configs/fedora/generic/CONFIG_IMA_APPRAISE_BUILD_POLICY rename configs/fedora/generic/{x86 => }/CONFIG_IMA_ARCH_POLICY (100%) create mode 100644 configs/fedora/generic/CONFIG_IMA_BLACKLIST_KEYRING create mode 100644 configs/fedora/generic/CONFIG_IMA_LOAD_X509 create mode 100644 configs/fedora/generic/CONFIG_IMA_TRUSTED_KEYRING create mode 100644 configs/fedora/generic/CONFIG_INTEGRITY_TRUSTED_KEYRING diff --git a/configs/fedora/generic/CONFIG_IMA_APPRAISE b/configs/fedora/generic/CONFIG_IMA_APPRAISE index acbe2fe3c..da04fd67d 100644 --- a/configs/fedora/generic/CONFIG_IMA_APPRAISE +++ b/configs/fedora/generic/CONFIG_IMA_APPRAISE @@ -1 +1 @@ -# CONFIG_IMA_APPRAISE is not set +CONFIG_IMA_APPRAISE=y diff --git a/configs/fedora/generic/CONFIG_IMA_APPRAISE_BOOTPARAM b/configs/fedora/generic/CONFIG_IMA_APPRAISE_BOOTPARAM new file mode 100644 index 000000000..000a58fb6 --- /dev/null +++ b/configs/fedora/generic/CONFIG_IMA_APPRAISE_BOOTPARAM @@ -0,0 +1 @@ +CONFIG_IMA_APPRAISE_BOOTPARAM=y diff --git a/configs/fedora/generic/CONFIG_IMA_APPRAISE_BUILD_POLICY b/configs/fedora/generic/CONFIG_IMA_APPRAISE_BUILD_POLICY new file mode 100644 index 000000000..d2ff45ca3 --- /dev/null +++ b/configs/fedora/generic/CONFIG_IMA_APPRAISE_BUILD_POLICY @@ -0,0 +1 @@ +# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set diff --git a/configs/fedora/generic/x86/CONFIG_IMA_ARCH_POLICY b/configs/fedora/generic/CONFIG_IMA_ARCH_POLICY similarity index 100% rename from configs/fedora/generic/x86/CONFIG_IMA_ARCH_POLICY rename to configs/fedora/generic/CONFIG_IMA_ARCH_POLICY diff --git a/configs/fedora/generic/CONFIG_IMA_BLACKLIST_KEYRING b/configs/fedora/generic/CONFIG_IMA_BLACKLIST_KEYRING new file mode 100644 index 000000000..5329626fb --- /dev/null +++ b/configs/fedora/generic/CONFIG_IMA_BLACKLIST_KEYRING @@ -0,0 +1 @@ +# CONFIG_IMA_BLACKLIST_KEYRING is not set diff --git a/configs/fedora/generic/CONFIG_IMA_LOAD_X509 b/configs/fedora/generic/CONFIG_IMA_LOAD_X509 new file mode 100644 index 000000000..00d39701b --- /dev/null +++ b/configs/fedora/generic/CONFIG_IMA_LOAD_X509 @@ -0,0 +1 @@ +# CONFIG_IMA_LOAD_X509 is not set diff --git a/configs/fedora/generic/CONFIG_IMA_TRUSTED_KEYRING b/configs/fedora/generic/CONFIG_IMA_TRUSTED_KEYRING new file mode 100644 index 000000000..36ee7371a --- /dev/null +++ b/configs/fedora/generic/CONFIG_IMA_TRUSTED_KEYRING @@ -0,0 +1 @@ +# CONFIG_IMA_TRUSTED_KEYRING is not set diff --git a/configs/fedora/generic/CONFIG_INTEGRITY_TRUSTED_KEYRING b/configs/fedora/generic/CONFIG_INTEGRITY_TRUSTED_KEYRING new file mode 100644 index 000000000..cfb23d479 --- /dev/null +++ b/configs/fedora/generic/CONFIG_INTEGRITY_TRUSTED_KEYRING @@ -0,0 +1 @@ +CONFIG_INTEGRITY_TRUSTED_KEYRING=y diff --git a/configs/fedora/generic/CONFIG_TCG_TIS_SPI b/configs/fedora/generic/CONFIG_TCG_TIS_SPI index 3b6623798..bfd1ff673 100644 --- a/configs/fedora/generic/CONFIG_TCG_TIS_SPI +++ b/configs/fedora/generic/CONFIG_TCG_TIS_SPI @@ -1 +1 @@ -# CONFIG_TCG_TIS_SPI is not set +CONFIG_TCG_TIS_SPI=m diff --git a/kernel-aarch64-debug.config b/kernel-aarch64-debug.config index 488cc5d09..b948b2cc5 100644 --- a/kernel-aarch64-debug.config +++ b/kernel-aarch64-debug.config @@ -2412,17 +2412,23 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IKHEADERS=m -# CONFIG_IMA_APPRAISE is not set +CONFIG_IMA_APPRAISE_BOOTPARAM=y +# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set +CONFIG_IMA_APPRAISE=y +# CONFIG_IMA_ARCH_POLICY is not set +# CONFIG_IMA_BLACKLIST_KEYRING is not set # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set CONFIG_IMA_DEFAULT_HASH_SHA256=y CONFIG_IMA_KEXEC=y CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y +# CONFIG_IMA_LOAD_X509 is not set CONFIG_IMA_LSM_RULES=y CONFIG_IMA_MEASURE_PCR_IDX=10 CONFIG_IMA_NG_TEMPLATE=y CONFIG_IMA_READ_POLICY=y # CONFIG_IMA_SIG_TEMPLATE is not set # CONFIG_IMA_TEMPLATE is not set +# CONFIG_IMA_TRUSTED_KEYRING is not set CONFIG_IMA_WRITE_POLICY=y CONFIG_IMA=y # CONFIG_IMG_ASCII_LCD is not set @@ -2557,6 +2563,7 @@ CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y CONFIG_INTEGRITY_AUDIT=y # CONFIG_INTEGRITY_PLATFORM_KEYRING is not set CONFIG_INTEGRITY_SIGNATURE=y +CONFIG_INTEGRITY_TRUSTED_KEYRING=y CONFIG_INTEGRITY=y # CONFIG_INTEL_IDMA64 is not set CONFIG_INTEL_SOC_PMIC_CHTDC_TI=m @@ -6210,7 +6217,7 @@ CONFIG_TCG_NSC=m CONFIG_TCG_TIS_I2C_ATMEL=m CONFIG_TCG_TIS_I2C_INFINEON=m # CONFIG_TCG_TIS_I2C_NUVOTON is not set -# CONFIG_TCG_TIS_SPI is not set +CONFIG_TCG_TIS_SPI=m # CONFIG_TCG_TIS_ST33ZP24_I2C is not set # CONFIG_TCG_TIS_ST33ZP24_SPI is not set CONFIG_TCG_TIS=y diff --git a/kernel-aarch64.config b/kernel-aarch64.config index 8a52c7533..583898069 100644 --- a/kernel-aarch64.config +++ b/kernel-aarch64.config @@ -2396,17 +2396,23 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IKHEADERS=m -# CONFIG_IMA_APPRAISE is not set +CONFIG_IMA_APPRAISE_BOOTPARAM=y +# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set +CONFIG_IMA_APPRAISE=y +# CONFIG_IMA_ARCH_POLICY is not set +# CONFIG_IMA_BLACKLIST_KEYRING is not set # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set CONFIG_IMA_DEFAULT_HASH_SHA256=y CONFIG_IMA_KEXEC=y CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y +# CONFIG_IMA_LOAD_X509 is not set CONFIG_IMA_LSM_RULES=y CONFIG_IMA_MEASURE_PCR_IDX=10 CONFIG_IMA_NG_TEMPLATE=y CONFIG_IMA_READ_POLICY=y # CONFIG_IMA_SIG_TEMPLATE is not set # CONFIG_IMA_TEMPLATE is not set +# CONFIG_IMA_TRUSTED_KEYRING is not set CONFIG_IMA_WRITE_POLICY=y CONFIG_IMA=y # CONFIG_IMG_ASCII_LCD is not set @@ -2541,6 +2547,7 @@ CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y CONFIG_INTEGRITY_AUDIT=y # CONFIG_INTEGRITY_PLATFORM_KEYRING is not set CONFIG_INTEGRITY_SIGNATURE=y +CONFIG_INTEGRITY_TRUSTED_KEYRING=y CONFIG_INTEGRITY=y # CONFIG_INTEL_IDMA64 is not set CONFIG_INTEL_SOC_PMIC_CHTDC_TI=m @@ -6188,7 +6195,7 @@ CONFIG_TCG_NSC=m CONFIG_TCG_TIS_I2C_ATMEL=m CONFIG_TCG_TIS_I2C_INFINEON=m # CONFIG_TCG_TIS_I2C_NUVOTON is not set -# CONFIG_TCG_TIS_SPI is not set +CONFIG_TCG_TIS_SPI=m # CONFIG_TCG_TIS_ST33ZP24_I2C is not set # CONFIG_TCG_TIS_ST33ZP24_SPI is not set CONFIG_TCG_TIS=y diff --git a/kernel-armv7hl-debug.config b/kernel-armv7hl-debug.config index 8e3eee74f..30139328b 100644 --- a/kernel-armv7hl-debug.config +++ b/kernel-armv7hl-debug.config @@ -2442,17 +2442,23 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IKHEADERS=m -# CONFIG_IMA_APPRAISE is not set +CONFIG_IMA_APPRAISE_BOOTPARAM=y +# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set +CONFIG_IMA_APPRAISE=y +# CONFIG_IMA_ARCH_POLICY is not set +# CONFIG_IMA_BLACKLIST_KEYRING is not set # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set CONFIG_IMA_DEFAULT_HASH_SHA256=y CONFIG_IMA_KEXEC=y CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y +# CONFIG_IMA_LOAD_X509 is not set CONFIG_IMA_LSM_RULES=y CONFIG_IMA_MEASURE_PCR_IDX=10 CONFIG_IMA_NG_TEMPLATE=y CONFIG_IMA_READ_POLICY=y # CONFIG_IMA_SIG_TEMPLATE is not set # CONFIG_IMA_TEMPLATE is not set +# CONFIG_IMA_TRUSTED_KEYRING is not set CONFIG_IMA_WRITE_POLICY=y CONFIG_IMA=y # CONFIG_IMG_ASCII_LCD is not set @@ -2595,6 +2601,7 @@ CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y CONFIG_INTEGRITY_AUDIT=y # CONFIG_INTEGRITY_PLATFORM_KEYRING is not set CONFIG_INTEGRITY_SIGNATURE=y +CONFIG_INTEGRITY_TRUSTED_KEYRING=y CONFIG_INTEGRITY=y # CONFIG_INTEL_IDMA64 is not set CONFIG_INTEL_SOC_PMIC_CHTDC_TI=m @@ -6462,7 +6469,7 @@ CONFIG_TCG_NSC=m CONFIG_TCG_TIS_I2C_ATMEL=m CONFIG_TCG_TIS_I2C_INFINEON=m # CONFIG_TCG_TIS_I2C_NUVOTON is not set -# CONFIG_TCG_TIS_SPI is not set +CONFIG_TCG_TIS_SPI=m # CONFIG_TCG_TIS_ST33ZP24_I2C is not set # CONFIG_TCG_TIS_ST33ZP24_SPI is not set CONFIG_TCG_TIS=y diff --git a/kernel-armv7hl-lpae-debug.config b/kernel-armv7hl-lpae-debug.config index a97205cfa..0493b53be 100644 --- a/kernel-armv7hl-lpae-debug.config +++ b/kernel-armv7hl-lpae-debug.config @@ -2359,17 +2359,23 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IKHEADERS=m -# CONFIG_IMA_APPRAISE is not set +CONFIG_IMA_APPRAISE_BOOTPARAM=y +# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set +CONFIG_IMA_APPRAISE=y +# CONFIG_IMA_ARCH_POLICY is not set +# CONFIG_IMA_BLACKLIST_KEYRING is not set # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set CONFIG_IMA_DEFAULT_HASH_SHA256=y CONFIG_IMA_KEXEC=y CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y +# CONFIG_IMA_LOAD_X509 is not set CONFIG_IMA_LSM_RULES=y CONFIG_IMA_MEASURE_PCR_IDX=10 CONFIG_IMA_NG_TEMPLATE=y CONFIG_IMA_READ_POLICY=y # CONFIG_IMA_SIG_TEMPLATE is not set # CONFIG_IMA_TEMPLATE is not set +# CONFIG_IMA_TRUSTED_KEYRING is not set CONFIG_IMA_WRITE_POLICY=y CONFIG_IMA=y # CONFIG_IMG_ASCII_LCD is not set @@ -2500,6 +2506,7 @@ CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y CONFIG_INTEGRITY_AUDIT=y # CONFIG_INTEGRITY_PLATFORM_KEYRING is not set CONFIG_INTEGRITY_SIGNATURE=y +CONFIG_INTEGRITY_TRUSTED_KEYRING=y CONFIG_INTEGRITY=y # CONFIG_INTEL_IDMA64 is not set CONFIG_INTEL_SOC_PMIC_CHTDC_TI=m @@ -6139,7 +6146,7 @@ CONFIG_TCG_NSC=m CONFIG_TCG_TIS_I2C_ATMEL=m CONFIG_TCG_TIS_I2C_INFINEON=m # CONFIG_TCG_TIS_I2C_NUVOTON is not set -# CONFIG_TCG_TIS_SPI is not set +CONFIG_TCG_TIS_SPI=m # CONFIG_TCG_TIS_ST33ZP24_I2C is not set # CONFIG_TCG_TIS_ST33ZP24_SPI is not set CONFIG_TCG_TIS=y diff --git a/kernel-armv7hl-lpae.config b/kernel-armv7hl-lpae.config index 4901957e6..3c18d7dff 100644 --- a/kernel-armv7hl-lpae.config +++ b/kernel-armv7hl-lpae.config @@ -2344,17 +2344,23 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IKHEADERS=m -# CONFIG_IMA_APPRAISE is not set +CONFIG_IMA_APPRAISE_BOOTPARAM=y +# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set +CONFIG_IMA_APPRAISE=y +# CONFIG_IMA_ARCH_POLICY is not set +# CONFIG_IMA_BLACKLIST_KEYRING is not set # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set CONFIG_IMA_DEFAULT_HASH_SHA256=y CONFIG_IMA_KEXEC=y CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y +# CONFIG_IMA_LOAD_X509 is not set CONFIG_IMA_LSM_RULES=y CONFIG_IMA_MEASURE_PCR_IDX=10 CONFIG_IMA_NG_TEMPLATE=y CONFIG_IMA_READ_POLICY=y # CONFIG_IMA_SIG_TEMPLATE is not set # CONFIG_IMA_TEMPLATE is not set +# CONFIG_IMA_TRUSTED_KEYRING is not set CONFIG_IMA_WRITE_POLICY=y CONFIG_IMA=y # CONFIG_IMG_ASCII_LCD is not set @@ -2485,6 +2491,7 @@ CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y CONFIG_INTEGRITY_AUDIT=y # CONFIG_INTEGRITY_PLATFORM_KEYRING is not set CONFIG_INTEGRITY_SIGNATURE=y +CONFIG_INTEGRITY_TRUSTED_KEYRING=y CONFIG_INTEGRITY=y # CONFIG_INTEL_IDMA64 is not set CONFIG_INTEL_SOC_PMIC_CHTDC_TI=m @@ -6118,7 +6125,7 @@ CONFIG_TCG_NSC=m CONFIG_TCG_TIS_I2C_ATMEL=m CONFIG_TCG_TIS_I2C_INFINEON=m # CONFIG_TCG_TIS_I2C_NUVOTON is not set -# CONFIG_TCG_TIS_SPI is not set +CONFIG_TCG_TIS_SPI=m # CONFIG_TCG_TIS_ST33ZP24_I2C is not set # CONFIG_TCG_TIS_ST33ZP24_SPI is not set CONFIG_TCG_TIS=y diff --git a/kernel-armv7hl.config b/kernel-armv7hl.config index c9b0a7acd..62e006001 100644 --- a/kernel-armv7hl.config +++ b/kernel-armv7hl.config @@ -2427,17 +2427,23 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IKHEADERS=m -# CONFIG_IMA_APPRAISE is not set +CONFIG_IMA_APPRAISE_BOOTPARAM=y +# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set +CONFIG_IMA_APPRAISE=y +# CONFIG_IMA_ARCH_POLICY is not set +# CONFIG_IMA_BLACKLIST_KEYRING is not set # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set CONFIG_IMA_DEFAULT_HASH_SHA256=y CONFIG_IMA_KEXEC=y CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y +# CONFIG_IMA_LOAD_X509 is not set CONFIG_IMA_LSM_RULES=y CONFIG_IMA_MEASURE_PCR_IDX=10 CONFIG_IMA_NG_TEMPLATE=y CONFIG_IMA_READ_POLICY=y # CONFIG_IMA_SIG_TEMPLATE is not set # CONFIG_IMA_TEMPLATE is not set +# CONFIG_IMA_TRUSTED_KEYRING is not set CONFIG_IMA_WRITE_POLICY=y CONFIG_IMA=y # CONFIG_IMG_ASCII_LCD is not set @@ -2580,6 +2586,7 @@ CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y CONFIG_INTEGRITY_AUDIT=y # CONFIG_INTEGRITY_PLATFORM_KEYRING is not set CONFIG_INTEGRITY_SIGNATURE=y +CONFIG_INTEGRITY_TRUSTED_KEYRING=y CONFIG_INTEGRITY=y # CONFIG_INTEL_IDMA64 is not set CONFIG_INTEL_SOC_PMIC_CHTDC_TI=m @@ -6441,7 +6448,7 @@ CONFIG_TCG_NSC=m CONFIG_TCG_TIS_I2C_ATMEL=m CONFIG_TCG_TIS_I2C_INFINEON=m # CONFIG_TCG_TIS_I2C_NUVOTON is not set -# CONFIG_TCG_TIS_SPI is not set +CONFIG_TCG_TIS_SPI=m # CONFIG_TCG_TIS_ST33ZP24_I2C is not set # CONFIG_TCG_TIS_ST33ZP24_SPI is not set CONFIG_TCG_TIS=y diff --git a/kernel-i686-debug.config b/kernel-i686-debug.config index cac5c943c..40bc50d84 100644 --- a/kernel-i686-debug.config +++ b/kernel-i686-debug.config @@ -2158,18 +2158,23 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IKHEADERS=m -# CONFIG_IMA_APPRAISE is not set +CONFIG_IMA_APPRAISE_BOOTPARAM=y +# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set +CONFIG_IMA_APPRAISE=y # CONFIG_IMA_ARCH_POLICY is not set +# CONFIG_IMA_BLACKLIST_KEYRING is not set # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set CONFIG_IMA_DEFAULT_HASH_SHA256=y CONFIG_IMA_KEXEC=y CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y +# CONFIG_IMA_LOAD_X509 is not set CONFIG_IMA_LSM_RULES=y CONFIG_IMA_MEASURE_PCR_IDX=10 CONFIG_IMA_NG_TEMPLATE=y CONFIG_IMA_READ_POLICY=y # CONFIG_IMA_SIG_TEMPLATE is not set # CONFIG_IMA_TEMPLATE is not set +# CONFIG_IMA_TRUSTED_KEYRING is not set CONFIG_IMA_WRITE_POLICY=y CONFIG_IMA=y # CONFIG_IMG_ASCII_LCD is not set @@ -2287,6 +2292,7 @@ CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y CONFIG_INTEGRITY_AUDIT=y CONFIG_INTEGRITY_PLATFORM_KEYRING=y CONFIG_INTEGRITY_SIGNATURE=y +CONFIG_INTEGRITY_TRUSTED_KEYRING=y CONFIG_INTEGRITY=y CONFIG_INTEL_ATOMISP2_PM=m CONFIG_INTEL_BXT_PMIC_THERMAL=m @@ -5649,7 +5655,7 @@ CONFIG_TCG_NSC=m # CONFIG_TCG_TIS_I2C_ATMEL is not set # CONFIG_TCG_TIS_I2C_INFINEON is not set # CONFIG_TCG_TIS_I2C_NUVOTON is not set -# CONFIG_TCG_TIS_SPI is not set +CONFIG_TCG_TIS_SPI=m # CONFIG_TCG_TIS_ST33ZP24_I2C is not set # CONFIG_TCG_TIS_ST33ZP24_SPI is not set CONFIG_TCG_TIS=y diff --git a/kernel-i686.config b/kernel-i686.config index 1f70c1655..dba4785f4 100644 --- a/kernel-i686.config +++ b/kernel-i686.config @@ -2141,18 +2141,23 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IKHEADERS=m -# CONFIG_IMA_APPRAISE is not set +CONFIG_IMA_APPRAISE_BOOTPARAM=y +# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set +CONFIG_IMA_APPRAISE=y # CONFIG_IMA_ARCH_POLICY is not set +# CONFIG_IMA_BLACKLIST_KEYRING is not set # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set CONFIG_IMA_DEFAULT_HASH_SHA256=y CONFIG_IMA_KEXEC=y CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y +# CONFIG_IMA_LOAD_X509 is not set CONFIG_IMA_LSM_RULES=y CONFIG_IMA_MEASURE_PCR_IDX=10 CONFIG_IMA_NG_TEMPLATE=y CONFIG_IMA_READ_POLICY=y # CONFIG_IMA_SIG_TEMPLATE is not set # CONFIG_IMA_TEMPLATE is not set +# CONFIG_IMA_TRUSTED_KEYRING is not set CONFIG_IMA_WRITE_POLICY=y CONFIG_IMA=y # CONFIG_IMG_ASCII_LCD is not set @@ -2270,6 +2275,7 @@ CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y CONFIG_INTEGRITY_AUDIT=y CONFIG_INTEGRITY_PLATFORM_KEYRING=y CONFIG_INTEGRITY_SIGNATURE=y +CONFIG_INTEGRITY_TRUSTED_KEYRING=y CONFIG_INTEGRITY=y CONFIG_INTEL_ATOMISP2_PM=m CONFIG_INTEL_BXT_PMIC_THERMAL=m @@ -5628,7 +5634,7 @@ CONFIG_TCG_NSC=m # CONFIG_TCG_TIS_I2C_ATMEL is not set # CONFIG_TCG_TIS_I2C_INFINEON is not set # CONFIG_TCG_TIS_I2C_NUVOTON is not set -# CONFIG_TCG_TIS_SPI is not set +CONFIG_TCG_TIS_SPI=m # CONFIG_TCG_TIS_ST33ZP24_I2C is not set # CONFIG_TCG_TIS_ST33ZP24_SPI is not set CONFIG_TCG_TIS=y diff --git a/kernel-ppc64le-debug.config b/kernel-ppc64le-debug.config index 42f230f64..f0c986d85 100644 --- a/kernel-ppc64le-debug.config +++ b/kernel-ppc64le-debug.config @@ -1965,17 +1965,23 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IKHEADERS=m -# CONFIG_IMA_APPRAISE is not set +CONFIG_IMA_APPRAISE_BOOTPARAM=y +# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set +CONFIG_IMA_APPRAISE=y +# CONFIG_IMA_ARCH_POLICY is not set +# CONFIG_IMA_BLACKLIST_KEYRING is not set # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set CONFIG_IMA_DEFAULT_HASH_SHA256=y CONFIG_IMA_KEXEC=y CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y +# CONFIG_IMA_LOAD_X509 is not set CONFIG_IMA_LSM_RULES=y CONFIG_IMA_MEASURE_PCR_IDX=10 CONFIG_IMA_NG_TEMPLATE=y CONFIG_IMA_READ_POLICY=y # CONFIG_IMA_SIG_TEMPLATE is not set # CONFIG_IMA_TEMPLATE is not set +# CONFIG_IMA_TRUSTED_KEYRING is not set CONFIG_IMA_WRITE_POLICY=y CONFIG_IMA=y # CONFIG_IMG_ASCII_LCD is not set @@ -2089,6 +2095,7 @@ CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y CONFIG_INTEGRITY_AUDIT=y # CONFIG_INTEGRITY_PLATFORM_KEYRING is not set CONFIG_INTEGRITY_SIGNATURE=y +CONFIG_INTEGRITY_TRUSTED_KEYRING=y CONFIG_INTEGRITY=y # CONFIG_INTEL_IDMA64 is not set CONFIG_INTEL_SOC_PMIC_CHTDC_TI=m @@ -5271,7 +5278,7 @@ CONFIG_TCG_NSC=m # CONFIG_TCG_TIS_I2C_ATMEL is not set # CONFIG_TCG_TIS_I2C_INFINEON is not set # CONFIG_TCG_TIS_I2C_NUVOTON is not set -# CONFIG_TCG_TIS_SPI is not set +CONFIG_TCG_TIS_SPI=m # CONFIG_TCG_TIS_ST33ZP24_I2C is not set # CONFIG_TCG_TIS_ST33ZP24_SPI is not set CONFIG_TCG_TIS=y diff --git a/kernel-ppc64le.config b/kernel-ppc64le.config index 4d6ef9154..f2f7209f2 100644 --- a/kernel-ppc64le.config +++ b/kernel-ppc64le.config @@ -1948,17 +1948,23 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IKHEADERS=m -# CONFIG_IMA_APPRAISE is not set +CONFIG_IMA_APPRAISE_BOOTPARAM=y +# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set +CONFIG_IMA_APPRAISE=y +# CONFIG_IMA_ARCH_POLICY is not set +# CONFIG_IMA_BLACKLIST_KEYRING is not set # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set CONFIG_IMA_DEFAULT_HASH_SHA256=y CONFIG_IMA_KEXEC=y CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y +# CONFIG_IMA_LOAD_X509 is not set CONFIG_IMA_LSM_RULES=y CONFIG_IMA_MEASURE_PCR_IDX=10 CONFIG_IMA_NG_TEMPLATE=y CONFIG_IMA_READ_POLICY=y # CONFIG_IMA_SIG_TEMPLATE is not set # CONFIG_IMA_TEMPLATE is not set +# CONFIG_IMA_TRUSTED_KEYRING is not set CONFIG_IMA_WRITE_POLICY=y CONFIG_IMA=y # CONFIG_IMG_ASCII_LCD is not set @@ -2072,6 +2078,7 @@ CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y CONFIG_INTEGRITY_AUDIT=y # CONFIG_INTEGRITY_PLATFORM_KEYRING is not set CONFIG_INTEGRITY_SIGNATURE=y +CONFIG_INTEGRITY_TRUSTED_KEYRING=y CONFIG_INTEGRITY=y # CONFIG_INTEL_IDMA64 is not set CONFIG_INTEL_SOC_PMIC_CHTDC_TI=m @@ -5248,7 +5255,7 @@ CONFIG_TCG_NSC=m # CONFIG_TCG_TIS_I2C_ATMEL is not set # CONFIG_TCG_TIS_I2C_INFINEON is not set # CONFIG_TCG_TIS_I2C_NUVOTON is not set -# CONFIG_TCG_TIS_SPI is not set +CONFIG_TCG_TIS_SPI=m # CONFIG_TCG_TIS_ST33ZP24_I2C is not set # CONFIG_TCG_TIS_ST33ZP24_SPI is not set CONFIG_TCG_TIS=y diff --git a/kernel-s390x-debug.config b/kernel-s390x-debug.config index 684936b2e..38030f7d9 100644 --- a/kernel-s390x-debug.config +++ b/kernel-s390x-debug.config @@ -1943,17 +1943,23 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IKHEADERS=m -# CONFIG_IMA_APPRAISE is not set +CONFIG_IMA_APPRAISE_BOOTPARAM=y +# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set +CONFIG_IMA_APPRAISE=y +# CONFIG_IMA_ARCH_POLICY is not set +# CONFIG_IMA_BLACKLIST_KEYRING is not set # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set CONFIG_IMA_DEFAULT_HASH_SHA256=y CONFIG_IMA_KEXEC=y CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y +# CONFIG_IMA_LOAD_X509 is not set CONFIG_IMA_LSM_RULES=y CONFIG_IMA_MEASURE_PCR_IDX=10 CONFIG_IMA_NG_TEMPLATE=y CONFIG_IMA_READ_POLICY=y # CONFIG_IMA_SIG_TEMPLATE is not set # CONFIG_IMA_TEMPLATE is not set +# CONFIG_IMA_TRUSTED_KEYRING is not set CONFIG_IMA_WRITE_POLICY=y CONFIG_IMA=y # CONFIG_IMG_ASCII_LCD is not set @@ -2067,6 +2073,7 @@ CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y CONFIG_INTEGRITY_AUDIT=y # CONFIG_INTEGRITY_PLATFORM_KEYRING is not set CONFIG_INTEGRITY_SIGNATURE=y +CONFIG_INTEGRITY_TRUSTED_KEYRING=y CONFIG_INTEGRITY=y # CONFIG_INTEL_IDMA64 is not set CONFIG_INTEL_SOC_PMIC_CHTDC_TI=m @@ -5206,7 +5213,7 @@ CONFIG_TCG_NSC=m # CONFIG_TCG_TIS_I2C_ATMEL is not set # CONFIG_TCG_TIS_I2C_INFINEON is not set # CONFIG_TCG_TIS_I2C_NUVOTON is not set -# CONFIG_TCG_TIS_SPI is not set +CONFIG_TCG_TIS_SPI=m # CONFIG_TCG_TIS_ST33ZP24_I2C is not set # CONFIG_TCG_TIS_ST33ZP24_SPI is not set CONFIG_TCG_TIS=y diff --git a/kernel-s390x.config b/kernel-s390x.config index bd9891b81..e8625dd5d 100644 --- a/kernel-s390x.config +++ b/kernel-s390x.config @@ -1926,17 +1926,23 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IKHEADERS=m -# CONFIG_IMA_APPRAISE is not set +CONFIG_IMA_APPRAISE_BOOTPARAM=y +# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set +CONFIG_IMA_APPRAISE=y +# CONFIG_IMA_ARCH_POLICY is not set +# CONFIG_IMA_BLACKLIST_KEYRING is not set # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set CONFIG_IMA_DEFAULT_HASH_SHA256=y CONFIG_IMA_KEXEC=y CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y +# CONFIG_IMA_LOAD_X509 is not set CONFIG_IMA_LSM_RULES=y CONFIG_IMA_MEASURE_PCR_IDX=10 CONFIG_IMA_NG_TEMPLATE=y CONFIG_IMA_READ_POLICY=y # CONFIG_IMA_SIG_TEMPLATE is not set # CONFIG_IMA_TEMPLATE is not set +# CONFIG_IMA_TRUSTED_KEYRING is not set CONFIG_IMA_WRITE_POLICY=y CONFIG_IMA=y # CONFIG_IMG_ASCII_LCD is not set @@ -2050,6 +2056,7 @@ CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y CONFIG_INTEGRITY_AUDIT=y # CONFIG_INTEGRITY_PLATFORM_KEYRING is not set CONFIG_INTEGRITY_SIGNATURE=y +CONFIG_INTEGRITY_TRUSTED_KEYRING=y CONFIG_INTEGRITY=y # CONFIG_INTEL_IDMA64 is not set CONFIG_INTEL_SOC_PMIC_CHTDC_TI=m @@ -5183,7 +5190,7 @@ CONFIG_TCG_NSC=m # CONFIG_TCG_TIS_I2C_ATMEL is not set # CONFIG_TCG_TIS_I2C_INFINEON is not set # CONFIG_TCG_TIS_I2C_NUVOTON is not set -# CONFIG_TCG_TIS_SPI is not set +CONFIG_TCG_TIS_SPI=m # CONFIG_TCG_TIS_ST33ZP24_I2C is not set # CONFIG_TCG_TIS_ST33ZP24_SPI is not set CONFIG_TCG_TIS=y diff --git a/kernel-x86_64-debug.config b/kernel-x86_64-debug.config index d7bca3950..084e94924 100644 --- a/kernel-x86_64-debug.config +++ b/kernel-x86_64-debug.config @@ -2201,18 +2201,23 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IKHEADERS=m -# CONFIG_IMA_APPRAISE is not set +CONFIG_IMA_APPRAISE_BOOTPARAM=y +# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set +CONFIG_IMA_APPRAISE=y # CONFIG_IMA_ARCH_POLICY is not set +# CONFIG_IMA_BLACKLIST_KEYRING is not set # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set CONFIG_IMA_DEFAULT_HASH_SHA256=y CONFIG_IMA_KEXEC=y CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y +# CONFIG_IMA_LOAD_X509 is not set CONFIG_IMA_LSM_RULES=y CONFIG_IMA_MEASURE_PCR_IDX=10 CONFIG_IMA_NG_TEMPLATE=y CONFIG_IMA_READ_POLICY=y # CONFIG_IMA_SIG_TEMPLATE is not set # CONFIG_IMA_TEMPLATE is not set +# CONFIG_IMA_TRUSTED_KEYRING is not set CONFIG_IMA_WRITE_POLICY=y CONFIG_IMA=y # CONFIG_IMG_ASCII_LCD is not set @@ -2333,6 +2338,7 @@ CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y CONFIG_INTEGRITY_AUDIT=y CONFIG_INTEGRITY_PLATFORM_KEYRING=y CONFIG_INTEGRITY_SIGNATURE=y +CONFIG_INTEGRITY_TRUSTED_KEYRING=y CONFIG_INTEGRITY=y CONFIG_INTEL_ATOMISP2_PM=m CONFIG_INTEL_BXT_PMIC_THERMAL=m @@ -5707,7 +5713,7 @@ CONFIG_TCG_NSC=m # CONFIG_TCG_TIS_I2C_ATMEL is not set # CONFIG_TCG_TIS_I2C_INFINEON is not set # CONFIG_TCG_TIS_I2C_NUVOTON is not set -# CONFIG_TCG_TIS_SPI is not set +CONFIG_TCG_TIS_SPI=m # CONFIG_TCG_TIS_ST33ZP24_I2C is not set # CONFIG_TCG_TIS_ST33ZP24_SPI is not set CONFIG_TCG_TIS=y diff --git a/kernel-x86_64.config b/kernel-x86_64.config index 87172823e..60a54e35a 100644 --- a/kernel-x86_64.config +++ b/kernel-x86_64.config @@ -2184,18 +2184,23 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IKHEADERS=m -# CONFIG_IMA_APPRAISE is not set +CONFIG_IMA_APPRAISE_BOOTPARAM=y +# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set +CONFIG_IMA_APPRAISE=y # CONFIG_IMA_ARCH_POLICY is not set +# CONFIG_IMA_BLACKLIST_KEYRING is not set # CONFIG_IMA_DEFAULT_HASH_SHA1 is not set CONFIG_IMA_DEFAULT_HASH_SHA256=y CONFIG_IMA_KEXEC=y CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y +# CONFIG_IMA_LOAD_X509 is not set CONFIG_IMA_LSM_RULES=y CONFIG_IMA_MEASURE_PCR_IDX=10 CONFIG_IMA_NG_TEMPLATE=y CONFIG_IMA_READ_POLICY=y # CONFIG_IMA_SIG_TEMPLATE is not set # CONFIG_IMA_TEMPLATE is not set +# CONFIG_IMA_TRUSTED_KEYRING is not set CONFIG_IMA_WRITE_POLICY=y CONFIG_IMA=y # CONFIG_IMG_ASCII_LCD is not set @@ -2316,6 +2321,7 @@ CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y CONFIG_INTEGRITY_AUDIT=y CONFIG_INTEGRITY_PLATFORM_KEYRING=y CONFIG_INTEGRITY_SIGNATURE=y +CONFIG_INTEGRITY_TRUSTED_KEYRING=y CONFIG_INTEGRITY=y CONFIG_INTEL_ATOMISP2_PM=m CONFIG_INTEL_BXT_PMIC_THERMAL=m @@ -5686,7 +5692,7 @@ CONFIG_TCG_NSC=m # CONFIG_TCG_TIS_I2C_ATMEL is not set # CONFIG_TCG_TIS_I2C_INFINEON is not set # CONFIG_TCG_TIS_I2C_NUVOTON is not set -# CONFIG_TCG_TIS_SPI is not set +CONFIG_TCG_TIS_SPI=m # CONFIG_TCG_TIS_ST33ZP24_I2C is not set # CONFIG_TCG_TIS_ST33ZP24_SPI is not set CONFIG_TCG_TIS=y diff --git a/kernel.spec b/kernel.spec index 79182ded0..aa29c144b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -44,7 +44,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 1 +%global baserelease 2 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -1820,6 +1820,9 @@ fi # # %changelog +* Wed Jul 31 2019 Peter Robinson 5.3.0-0.rc2.git2.2 +- Enable IMA Appraisal + * Wed Jul 31 2019 Laura Abbott - 5.3.0-0.rc2.git2.1 - Linux v5.3-rc2-51-g4010b622f1d2