author | Armin Kuster <akuster808@gmail.com> | 2019-08-11 09:29:27 -0700 |
committer | Ricardo Salveti <ricardo@foundries.io> | 2019-09-16 19:07:23 -0300 |
commit | c84500fb377a44f1543dd0539869cd2c5b39754e (patch) | |
tree | f612030dc65e822c828683923c275449f0427ceb | |
parent | 1aae42fde0e6eae038bf488c472d3e6f5d36b201 (diff) |
kernel-cache: add ima fragments
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
-rw-r--r-- | features/ima/ima.cfg | 18 | ||||
-rw-r--r-- | features/ima/ima.scc | 4 | ||||
-rw-r--r-- | features/ima/ima_evm_root_ca.cfg | 3 | ||||
-rw-r--r-- | features/ima/modsign.cfg | 3 | ||||
-rw-r--r-- | features/ima/modsign.scc | 6 |
5 files changed, 34 insertions, 0 deletions
diff --git a/features/ima/ima.cfg b/features/ima/ima.cfg
new file mode 100644
index 0000000..b3e47ba
--- /dev/null
+++ b/features/ima/ima.cfg
@@ -0,0 +1,18 @@
+CONFIG_IMA=y
+CONFIG_IMA_MEASURE_PCR_IDX=10
+CONFIG_IMA_NG_TEMPLATE=y
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
+CONFIG_IMA_DEFAULT_HASH_SHA1=y
+CONFIG_IMA_DEFAULT_HASH="sha1"
+CONFIG_IMA_APPRAISE=y
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+CONFIG_IMA_TRUSTED_KEYRING=y
+CONFIG_SIGNATURE=y
+CONFIG_IMA_WRITE_POLICY=y
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_LOAD_X509=y
+CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
+
+#CONFIG_INTEGRITY_SIGNATURE=y
+#CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+#CONFIG_INTEGRITY_TRUSTED_KEYRING=y
diff --git a/features/ima/ima.scc b/features/ima/ima.scc
new file mode 100644
index 0000000..f2ccbd6
--- /dev/null
+++ b/features/ima/ima.scc
@@ -0,0 +1,4 @@
+define KFEATURE_DESCRIPTION "Enable/disable configurations for ima security"
+define KFEATURE_COMPATIBILITY all
+
+kconf non-hardware ima.cfg
diff --git a/features/ima/ima_evm_root_ca.cfg b/features/ima/ima_evm_root_ca.cfg
new file mode 100644
index 0000000..9a45425
--- /dev/null
+++ b/features/ima/ima_evm_root_ca.cfg
@@ -0,0 +1,3 @@
+# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
+CONFIG_EVM_LOAD_X509=y
+CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
diff --git a/features/ima/modsign.cfg b/features/ima/modsign.cfg
new file mode 100644
index 0000000..24c402c
--- /dev/null
+++ b/features/ima/modsign.cfg
@@ -0,0 +1,3 @@
+CONFIG_MODULE_SIG_SHA256=y
+CONFIG_MODULE_SIG_HASH="sha256"
+CONFIG_MODULE_SIG_KEY="modsign_key.pem"
diff --git a/features/ima/modsign.scc b/features/ima/modsign.scc
new file mode 100644
index 0000000..489fa5e
--- /dev/null
+++ b/features/ima/modsign.scc
@@ -0,0 +1,6 @@
+define KFEATURE_DESCRIPTION "Kernel Module Signing (modsign) enablement"
+define KFEATURE_COMPATIBILITY all
+
+kconf non-hardware features/module-signing/signing.cfg
+kconf non-hardware features/module-signing/force-signing.cfg
+kconf non-hardware modsign.cfg
|
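Review bot: The IMA default hash in ima.cfg is pinned to SHA-1 (`CONFIG_IMA_DEFAULT_HASH_SHA1=y`, `CONFIG_IMA_DEFAULT_HASH="sha1"`), which is the weakest option offered and is inconsistent with modsign.cfg in the same commit, where module signatures use sha256; unless an existing TPM/measurement-log consumer or already-signed file set requires SHA-1, prefer `CONFIG_IMA_DEFAULT_HASH_SHA256=y` and `CONFIG_IMA_DEFAULT_HASH="sha256"`. `CONFIG_IMA_APPRAISE_BOOTPARAM=y` together with `CONFIG_IMA_WRITE_POLICY=y` means appraisal mode can be relaxed from the kernel command line and the policy replaced at runtime, so the fragment only enforces what a protected command line and a signed policy allow; that trade-off belongs in a comment at the top of the file. The three commented-out CONFIG_INTEGRITY_* lines carry no explanation, so either drop them or add a one-line reason such as `# INTEGRITY_* left unset: <reason>` so the next maintainer does not re-enable them blindly.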
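Review bot: Nothing in this commit includes ima_evm_root_ca.cfg — ima.scc only pulls in ima.cfg and modsign.scc only pulls in modsign.cfg plus the module-signing fragments — so `CONFIG_EVM_LOAD_X509=y` and `CONFIG_EVM_X509_PATH` are unreachable from the ima feature as added, unless a .scc outside this change references the file. If the fragment is meant to be opt-in, a header comment should say so, e.g. `# Optional: include from a BSP .scc to load the EVM root CA from /etc/keys/x509_evm.der at boot`. As far as I can tell the fragment also does not set CONFIG_EVM itself, which EVM_LOAD_X509 depends on, so it only has an effect when the including configuration already enables EVM; worth stating in the same comment.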
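Review bot: `CONFIG_MODULE_SIG_KEY="modsign_key.pem"` in modsign.cfg is a bare relative path, so the key has to be provisioned into the kernel build directory by the build before the certs step runs, and the fragment does not say where it is expected to come from or that it must be kept out of the deployed image. A one-line comment would avoid surprises, e.g. `# Signing key is supplied by the build, relative to the kernel build dir; never ship it in the rootfs`. This fragment alone does not turn on CONFIG_MODULE_SIG; it appears to rely on modsign.scc pulling in features/module-signing/signing.cfg and force-signing.cfg first, which should be noted so modsign.cfg is not reused standalone.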