authorArmin Kuster <akuster808@gmail.com>2019-05-19 09:51:08 -0700
committerArmin Kuster <akuster808@gmail.com>2019-05-26 21:58:11 -0700
commit40788be7b24c45f04fcf237998597e6cb3a159b8 (patch)
tree27673fefda563c83a1bd4f785564a2ff1f659492
parent8ccf6cafba538b79aed3e5ce7837a77a2ac08e11 (diff)
ima.cfg: update to 5.0 kernel
Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta-integrity/recipes-kernel/linux/linux/ima.cfg28
-rw-r--r--meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg6
2 files changed, 18 insertions, 16 deletions
diff --git a/meta-integrity/recipes-kernel/linux/linux/ima.cfg b/meta-integrity/recipes-kernel/linux/linux/ima.cfg
index 02381aa..b3e47ba 100644
--- a/meta-integrity/recipes-kernel/linux/linux/ima.cfg
+++ b/meta-integrity/recipes-kernel/linux/linux/ima.cfg
@@ -1,16 +1,18 @@
-# Enable bare minimum IMA measurement and appraisal as needed by this layer.
-
-CONFIG_SECURITY=y
-CONFIG_INTEGRITY=y
-
-# measurement
CONFIG_IMA=y
-
-# appraisal
+CONFIG_IMA_MEASURE_PCR_IDX=10
+CONFIG_IMA_NG_TEMPLATE=y
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
+CONFIG_IMA_DEFAULT_HASH_SHA1=y
+CONFIG_IMA_DEFAULT_HASH="sha1"
CONFIG_IMA_APPRAISE=y
-CONFIG_INTEGRITY_SIGNATURE=y
-CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
-
-# Kernel will get built with embedded X.509 root CA key and all keys
-# need to be signed with that.
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
CONFIG_IMA_TRUSTED_KEYRING=y
+CONFIG_SIGNATURE=y
+CONFIG_IMA_WRITE_POLICY=y
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_LOAD_X509=y
+CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
+
+#CONFIG_INTEGRITY_SIGNATURE=y
+#CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+#CONFIG_INTEGRITY_TRUSTED_KEYRING=y
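Review bot: `CONFIG_IMA_APPRAISE_BOOTPARAM=y` and `CONFIG_IMA_WRITE_POLICY=y` both loosen enforcement in the layer default: the first lets `ima_appraise=` on the kernel command line move appraisal out of enforce mode (e.g. `fix`, `log`), and the second lets rules be appended to the policy after it is first loaded. If they are meant as bring-up conveniences, I would leave them unset here or mark them with a comment such as `# development only: leave unset in production images, or protect the kernel command line`. Separately, this hunk drops `CONFIG_SECURITY`/`CONFIG_INTEGRITY` and comments out `CONFIG_INTEGRITY_SIGNATURE` and `CONFIG_INTEGRITY_ASYMMETRIC_KEYS`, and the ima_evm_root_ca.cfg hunk removes `CONFIG_KEYS` and `CONFIG_SYSTEM_TRUSTED_KEYRING`. As far as I recall the Kconfig, `CONFIG_IMA_TRUSTED_KEYRING` and `CONFIG_IMA_LOAD_X509` depend on those symbols, so unless another fragment sets them they may be silently dropped from the final .config, which is worth checking against the generated config. `CONFIG_IMA_DEFAULT_HASH_SHA1=y` also pins the default file hash to SHA-1; `CONFIG_IMA_DEFAULT_HASH_SHA256=y` with `CONFIG_IMA_DEFAULT_HASH="sha256"` would be the stronger default.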
diff --git a/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg b/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg
index 7338232..9a45425 100644
--- a/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg
+++ b/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg
@@ -1,3 +1,3 @@
-CONFIG_KEYS=y
-CONFIG_SYSTEM_TRUSTED_KEYRING=y
-CONFIG_SYSTEM_TRUSTED_KEYS=""
+# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
+CONFIG_EVM_LOAD_X509=y
+CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
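Review bot: After this change the fragment is still named ima_evm_root_ca.cfg but no longer sets `CONFIG_SYSTEM_TRUSTED_KEYS`, so nothing visible here embeds the CA that `/etc/keys/x509_evm.der` has to chain to. With a trusted keyring, the kernel is expected to accept a certificate onto the EVM keyring only if it is signed by a key it already trusts, so the load at boot may fail unless the CA is configured elsewhere. `CONFIG_EVM_LOAD_X509` also needs `CONFIG_EVM=y`, which this fragment does not set. I would add a header comment along the lines of `# x509_evm.der must be signed by a CA built into the kernel; CONFIG_SYSTEM_TRUSTED_KEYS is set by <fragment or recipe that provides it>`, and confirm both options survive into the final .config.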