From: bmeneg on gitlab.com
IMA/EVM has been quite forgotten in the past few releases. This patchset syncs all options (where possible) on ARK supported arches, following closely what is enabled in RHEL today, and also enables/syncs some of the Fedora options to better match what is being enabled in ARK.
Bruno Meneguele (16):
  redhat: enable CONFIG_INTEGRITY for aarch64
  redhat: enable CONFIG_IMA_APPRAISE
  redhat: enable CONFIG_IMA_APPRAISE_BOOTPARAM
  redhat: enable CONFIG_IMA_APPRAISE_MODSIG
  redhat: enable CONFIG_IMA_ARCH_POLICY for ppc and x86
  redhat: disable CONFIG_IMA_DEFAULT_HASH_SHA1
  redhat: enable CONFIG_IMA_DEFAULT_HASH_SHA256 for all flavors
  redhat: set default IMA template for all ARK arches
  redhat: enable CONFIG_IMA_READ_POLICY on ARK
  redhat: enable CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT
  redhat: set CONFIG_IMA_DEFAULT_HASH to SHA256
  redhat: enable CONFIG_IMA_LOAD_X509 on ARK
  redhat: enable CONFIG_EVM in all arches and flavors
  redhat: enable CONFIG_EVM_ATTR_FSUUID on ARK
  redhat: enable CONFIG_EVM_LOAD_X509 on ARK
  redhat: explicitly disable CONFIG_IMA_APPRAISE_SIGNED_INIT
From: Bruno Meneguele bmeneg@redhat.com
It was disabled when RHEL was experimenting with AARCH64 and was left that way since then. There is no good reason to keep it disabled on the aarch64 architecture today.
Signed-off-by: Bruno Meneguele bmeneg@redhat.com --- redhat/configs/ark/generic/arm/aarch64/CONFIG_INTEGRITY | 1 - 1 file changed, 1 deletion(-) delete mode 100644 redhat/configs/ark/generic/arm/aarch64/CONFIG_INTEGRITY
diff --git a/redhat/configs/ark/generic/arm/aarch64/CONFIG_INTEGRITY b/redhat/configs/ark/generic/arm/aarch64/CONFIG_INTEGRITY deleted file mode 100644 index 5dd074057c5b..000000000000 --- a/redhat/configs/ark/generic/arm/aarch64/CONFIG_INTEGRITY +++ /dev/null @@ -1 +0,0 @@ -# CONFIG_INTEGRITY is not set
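Review bot: the hunk only deletes the aarch64 override (`-# CONFIG_INTEGRITY is not set`) and adds no `CONFIG_INTEGRITY=y` anywhere, so aarch64 now inherits whatever the common fragment (not part of this diff) says; the commit message should name that fragment and its value so a reader can confirm the option really ends up `=y` instead of falling back to the Kconfig default. Every later patch in the series that touches aarch64 (IMA_APPRAISE, IMA_APPRAISE_MODSIG, EVM, ...) relies on this inheritance.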
From: Bruno Meneguele bmeneg@redhat.com
It's one of the basic operations offered by IMA; there isn't any reason to keep it disabled. Make it enabled by default in all flavors and arches.
Signed-off-by: Bruno Meneguele bmeneg@redhat.com --- redhat/configs/ark/generic/powerpc/CONFIG_IMA_APPRAISE | 1 - redhat/configs/ark/generic/x86/x86_64/CONFIG_IMA_APPRAISE | 1 - redhat/configs/common/generic/CONFIG_IMA_APPRAISE | 2 +- redhat/configs/fedora/generic/CONFIG_IMA_APPRAISE | 1 - 4 files changed, 1 insertion(+), 4 deletions(-) delete mode 100644 redhat/configs/ark/generic/powerpc/CONFIG_IMA_APPRAISE delete mode 100644 redhat/configs/ark/generic/x86/x86_64/CONFIG_IMA_APPRAISE delete mode 100644 redhat/configs/fedora/generic/CONFIG_IMA_APPRAISE
diff --git a/redhat/configs/ark/generic/powerpc/CONFIG_IMA_APPRAISE b/redhat/configs/ark/generic/powerpc/CONFIG_IMA_APPRAISE deleted file mode 100644 index da04fd67d6a6..000000000000 --- a/redhat/configs/ark/generic/powerpc/CONFIG_IMA_APPRAISE +++ /dev/null @@ -1 +0,0 @@ -CONFIG_IMA_APPRAISE=y diff --git a/redhat/configs/ark/generic/x86/x86_64/CONFIG_IMA_APPRAISE b/redhat/configs/ark/generic/x86/x86_64/CONFIG_IMA_APPRAISE deleted file mode 100644 index da04fd67d6a6..000000000000 --- a/redhat/configs/ark/generic/x86/x86_64/CONFIG_IMA_APPRAISE +++ /dev/null @@ -1 +0,0 @@ -CONFIG_IMA_APPRAISE=y diff --git a/redhat/configs/common/generic/CONFIG_IMA_APPRAISE b/redhat/configs/common/generic/CONFIG_IMA_APPRAISE index acbe2fe3cb99..da04fd67d6a6 100644 --- a/redhat/configs/common/generic/CONFIG_IMA_APPRAISE +++ b/redhat/configs/common/generic/CONFIG_IMA_APPRAISE @@ -1 +1 @@ -# CONFIG_IMA_APPRAISE is not set +CONFIG_IMA_APPRAISE=y diff --git a/redhat/configs/fedora/generic/CONFIG_IMA_APPRAISE b/redhat/configs/fedora/generic/CONFIG_IMA_APPRAISE deleted file mode 100644 index da04fd67d6a6..000000000000 --- a/redhat/configs/fedora/generic/CONFIG_IMA_APPRAISE +++ /dev/null @@ -1 +0,0 @@ -CONFIG_IMA_APPRAISE=y
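Review bot: flipping common/generic to `+CONFIG_IMA_APPRAISE=y` changes nothing at runtime by itself, since no file is appraised until a policy with appraise rules is in effect (the built-in `ima_policy=appraise_tcb` or a custom policy written to securityfs); the commit message would be clearer if it said so, because "enabled by default in all flavors and arches" otherwise reads as if appraisal is now active on every Fedora/ARK boot. The three per-arch and per-flavor `CONFIG_IMA_APPRAISE=y` deletions are pure de-duplication against the new common value and look correct.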
From: Bruno Meneguele bmeneg@redhat.com
CONFIG_IMA_APPRAISE_BOOTPARAM was enabled for all Fedora flavor arches. It's now also being enabled for all ARK supported arches; with that, enable it by default in all arches and flavors.
Signed-off-by: Bruno Meneguele bmeneg@redhat.com --- redhat/configs/ark/generic/CONFIG_IMA_APPRAISE_BOOTPARAM | 1 - .../configs/ark/generic/x86/x86_64/CONFIG_IMA_APPRAISE_BOOTPARAM | 1 - .../powerpc => common/generic}/CONFIG_IMA_APPRAISE_BOOTPARAM | 0 redhat/configs/fedora/generic/CONFIG_IMA_APPRAISE_BOOTPARAM | 1 - 4 files changed, 3 deletions(-) delete mode 100644 redhat/configs/ark/generic/CONFIG_IMA_APPRAISE_BOOTPARAM delete mode 100644 redhat/configs/ark/generic/x86/x86_64/CONFIG_IMA_APPRAISE_BOOTPARAM rename redhat/configs/{ark/generic/powerpc => common/generic}/CONFIG_IMA_APPRAISE_BOOTPARAM (100%) delete mode 100644 redhat/configs/fedora/generic/CONFIG_IMA_APPRAISE_BOOTPARAM
diff --git a/redhat/configs/ark/generic/CONFIG_IMA_APPRAISE_BOOTPARAM b/redhat/configs/ark/generic/CONFIG_IMA_APPRAISE_BOOTPARAM deleted file mode 100644 index 158c04d50c10..000000000000 --- a/redhat/configs/ark/generic/CONFIG_IMA_APPRAISE_BOOTPARAM +++ /dev/null @@ -1 +0,0 @@ -# CONFIG_IMA_APPRAISE_BOOTPARAM is not set diff --git a/redhat/configs/ark/generic/x86/x86_64/CONFIG_IMA_APPRAISE_BOOTPARAM b/redhat/configs/ark/generic/x86/x86_64/CONFIG_IMA_APPRAISE_BOOTPARAM deleted file mode 100644 index 000a58fb65a3..000000000000 --- a/redhat/configs/ark/generic/x86/x86_64/CONFIG_IMA_APPRAISE_BOOTPARAM +++ /dev/null @@ -1 +0,0 @@ -CONFIG_IMA_APPRAISE_BOOTPARAM=y diff --git a/redhat/configs/ark/generic/powerpc/CONFIG_IMA_APPRAISE_BOOTPARAM b/redhat/configs/common/generic/CONFIG_IMA_APPRAISE_BOOTPARAM similarity index 100% rename from redhat/configs/ark/generic/powerpc/CONFIG_IMA_APPRAISE_BOOTPARAM rename to redhat/configs/common/generic/CONFIG_IMA_APPRAISE_BOOTPARAM diff --git a/redhat/configs/fedora/generic/CONFIG_IMA_APPRAISE_BOOTPARAM b/redhat/configs/fedora/generic/CONFIG_IMA_APPRAISE_BOOTPARAM deleted file mode 100644 index 000a58fb65a3..000000000000 --- a/redhat/configs/fedora/generic/CONFIG_IMA_APPRAISE_BOOTPARAM +++ /dev/null @@ -1 +0,0 @@ -CONFIG_IMA_APPRAISE_BOOTPARAM=y
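Review bot: the value that survives this patch is carried by the powerpc-to-common rename (`similarity index 100%`), whose content never appears in the diff; the visible lines are two `CONFIG_IMA_APPRAISE_BOOTPARAM=y` deletions and one `is not set` deletion, so quote the surviving fragment in the commit message. Worth a sentence there as well: this option accepts `ima_appraise=off|log|fix` on the kernel command line, so anyone who can edit boot parameters can switch appraisal off or weaken it, and the kernel ignores that parameter only when it detects secure boot, which is exactly what the IMA_ARCH_POLICY patch in this series provides on x86 and powerpc.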
From: Bruno Meneguele bmeneg@redhat.com
IMA default hash was already defaulted to SHA256 on Fedora. It's time to make it the default for all arches in ARK too.
Signed-off-by: Bruno Meneguele bmeneg@redhat.com --- .../configs/ark/generic/powerpc/CONFIG_IMA_DEFAULT_HASH_SHA256 | 1 - redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA256 | 2 +- redhat/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA256 | 1 - 3 files changed, 1 insertion(+), 3 deletions(-) delete mode 100644 redhat/configs/ark/generic/powerpc/CONFIG_IMA_DEFAULT_HASH_SHA256 delete mode 100644 redhat/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA256
diff --git a/redhat/configs/ark/generic/powerpc/CONFIG_IMA_DEFAULT_HASH_SHA256 b/redhat/configs/ark/generic/powerpc/CONFIG_IMA_DEFAULT_HASH_SHA256 deleted file mode 100644 index e627fd9e9a2f..000000000000 --- a/redhat/configs/ark/generic/powerpc/CONFIG_IMA_DEFAULT_HASH_SHA256 +++ /dev/null @@ -1 +0,0 @@ -CONFIG_IMA_DEFAULT_HASH_SHA256=y diff --git a/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA256 b/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA256 index 29bd8f86d740..e627fd9e9a2f 100644 --- a/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA256 +++ b/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA256 @@ -1 +1 @@ -# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set +CONFIG_IMA_DEFAULT_HASH_SHA256=y diff --git a/redhat/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA256 b/redhat/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA256 deleted file mode 100644 index e627fd9e9a2f..000000000000 --- a/redhat/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA256 +++ /dev/null @@ -1 +0,0 @@ -CONFIG_IMA_DEFAULT_HASH_SHA256=y
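Review bot: `CONFIG_IMA_DEFAULT_HASH_SHA1` and `CONFIG_IMA_DEFAULT_HASH_SHA256` are entries of one Kconfig `choice`, and this patch sets `+CONFIG_IMA_DEFAULT_HASH_SHA256=y` in common/generic while the matching `# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set` and the `CONFIG_IMA_DEFAULT_HASH="sha256"` string land as separate patches in the series; between those commits the fragments describe two selected entries of the same choice. Squash the three into a single "switch IMA default hash to sha256" patch so that every commit a bisect can stop on carries a consistent config.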
From: Bruno Meneguele bmeneg@redhat.com
Fedora and ARK use different IMA templates, and that's fine, but the templates should be kept the same across arches in the same flavor (ARK in this case).
Signed-off-by: Bruno Meneguele bmeneg@redhat.com --- redhat/configs/ark/generic/{powerpc => }/CONFIG_IMA_NG_TEMPLATE | 0 redhat/configs/ark/generic/{powerpc => }/CONFIG_IMA_SIG_TEMPLATE | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename redhat/configs/ark/generic/{powerpc => }/CONFIG_IMA_NG_TEMPLATE (100%) rename redhat/configs/ark/generic/{powerpc => }/CONFIG_IMA_SIG_TEMPLATE (100%)
diff --git a/redhat/configs/ark/generic/powerpc/CONFIG_IMA_NG_TEMPLATE b/redhat/configs/ark/generic/CONFIG_IMA_NG_TEMPLATE similarity index 100% rename from redhat/configs/ark/generic/powerpc/CONFIG_IMA_NG_TEMPLATE rename to redhat/configs/ark/generic/CONFIG_IMA_NG_TEMPLATE diff --git a/redhat/configs/ark/generic/powerpc/CONFIG_IMA_SIG_TEMPLATE b/redhat/configs/ark/generic/CONFIG_IMA_SIG_TEMPLATE similarity index 100% rename from redhat/configs/ark/generic/powerpc/CONFIG_IMA_SIG_TEMPLATE rename to redhat/configs/ark/generic/CONFIG_IMA_SIG_TEMPLATE
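Review bot: both hunks are 100% renames, so neither the value of `CONFIG_IMA_NG_TEMPLATE` nor of `CONFIG_IMA_SIG_TEMPLATE` is visible, and the commit message only says the ARK template differs from Fedora without naming it. State which one is selected (`ima-ng` records only the file hash, `ima-sig` additionally records the file signature, which matters to remote-attestation consumers of the measurement list), and check that the `CONFIG_IMA_DEFAULT_TEMPLATE` string fragment, if ARK carries one, agrees with the chosen entry, the same way the series later pins `CONFIG_IMA_DEFAULT_HASH` to the hash choice.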
From: Bruno Meneguele bmeneg@redhat.com
CONFIG_IMA_DEFAULT_HASH_SHA1 is already disabled for all Fedora arches and ARK should also drop it and use SHA256 instead.
Signed-off-by: Bruno Meneguele bmeneg@redhat.com --- redhat/configs/ark/generic/powerpc/CONFIG_IMA_DEFAULT_HASH_SHA1 | 1 - redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA1 | 2 +- redhat/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA1 | 1 - 3 files changed, 1 insertion(+), 3 deletions(-) delete mode 100644 redhat/configs/ark/generic/powerpc/CONFIG_IMA_DEFAULT_HASH_SHA1 delete mode 100644 redhat/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA1
diff --git a/redhat/configs/ark/generic/powerpc/CONFIG_IMA_DEFAULT_HASH_SHA1 b/redhat/configs/ark/generic/powerpc/CONFIG_IMA_DEFAULT_HASH_SHA1 deleted file mode 100644 index b51889849965..000000000000 --- a/redhat/configs/ark/generic/powerpc/CONFIG_IMA_DEFAULT_HASH_SHA1 +++ /dev/null @@ -1 +0,0 @@ -# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set diff --git a/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA1 b/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA1 index f1f433af9450..b51889849965 100644 --- a/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA1 +++ b/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH_SHA1 @@ -1 +1 @@ -CONFIG_IMA_DEFAULT_HASH_SHA1=y +# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set diff --git a/redhat/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA1 b/redhat/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA1 deleted file mode 100644 index b51889849965..000000000000 --- a/redhat/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA1 +++ /dev/null @@ -1 +0,0 @@ -# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
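Review bot: with `-CONFIG_IMA_DEFAULT_HASH_SHA1=y` / `+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set` in common/generic, measurement-list entries and newly written `security.ima` labels switch from 20-byte SHA1 to 32-byte SHA256 digests on every flavor that inherits the common value; the message should flag this for anyone who keeps SHA1 reference values for attestation. Existing `ima-ng` labels embed their own algorithm id and keep verifying, and `ima_hash=` on the command line still overrides the built-in default, so this is a documentation point rather than a compatibility break.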
From: Bruno Meneguele bmeneg@redhat.com
Upstream kernel supports architecture-specific IMA policies, and they have been requested by IBM on RHEL. With that, enable it on ARK and Fedora too.
Two other options, PPC_SECURE_BOOT and PPC_SECVAR_SYSFS, are brought in as dependencies of IMA_ARCH_POLICY on PPC.
Signed-off-by: Bruno Meneguele bmeneg@redhat.com --- redhat/configs/ark/generic/powerpc/CONFIG_IMA_ARCH_POLICY | 1 + redhat/configs/ark/generic/powerpc/CONFIG_PPC_SECURE_BOOT | 1 + redhat/configs/ark/generic/powerpc/CONFIG_PPC_SECVAR_SYSFS | 1 + redhat/configs/ark/generic/x86/CONFIG_IMA_ARCH_POLICY | 1 + redhat/configs/fedora/generic/powerpc/CONFIG_IMA_ARCH_POLICY | 1 + redhat/configs/fedora/generic/powerpc/CONFIG_PPC_SECURE_BOOT | 1 + redhat/configs/fedora/generic/powerpc/CONFIG_PPC_SECVAR_SYSFS | 1 + redhat/configs/fedora/generic/x86/CONFIG_IMA_ARCH_POLICY | 1 + 8 files changed, 8 insertions(+) create mode 100644 redhat/configs/ark/generic/powerpc/CONFIG_IMA_ARCH_POLICY create mode 100644 redhat/configs/ark/generic/powerpc/CONFIG_PPC_SECURE_BOOT create mode 100644 redhat/configs/ark/generic/powerpc/CONFIG_PPC_SECVAR_SYSFS create mode 100644 redhat/configs/ark/generic/x86/CONFIG_IMA_ARCH_POLICY create mode 100644 redhat/configs/fedora/generic/powerpc/CONFIG_IMA_ARCH_POLICY create mode 100644 redhat/configs/fedora/generic/powerpc/CONFIG_PPC_SECURE_BOOT create mode 100644 redhat/configs/fedora/generic/powerpc/CONFIG_PPC_SECVAR_SYSFS create mode 100644 redhat/configs/fedora/generic/x86/CONFIG_IMA_ARCH_POLICY
diff --git a/redhat/configs/ark/generic/powerpc/CONFIG_IMA_ARCH_POLICY b/redhat/configs/ark/generic/powerpc/CONFIG_IMA_ARCH_POLICY new file mode 100644 index 000000000000..e0230b86d3d1 --- /dev/null +++ b/redhat/configs/ark/generic/powerpc/CONFIG_IMA_ARCH_POLICY @@ -0,0 +1 @@ +CONFIG_IMA_ARCH_POLICY=y diff --git a/redhat/configs/ark/generic/powerpc/CONFIG_PPC_SECURE_BOOT b/redhat/configs/ark/generic/powerpc/CONFIG_PPC_SECURE_BOOT new file mode 100644 index 000000000000..2ed7b7fa69a7 --- /dev/null +++ b/redhat/configs/ark/generic/powerpc/CONFIG_PPC_SECURE_BOOT @@ -0,0 +1 @@ +CONFIG_PPC_SECURE_BOOT=y diff --git a/redhat/configs/ark/generic/powerpc/CONFIG_PPC_SECVAR_SYSFS b/redhat/configs/ark/generic/powerpc/CONFIG_PPC_SECVAR_SYSFS new file mode 100644 index 000000000000..fea2a70fa63b --- /dev/null +++ b/redhat/configs/ark/generic/powerpc/CONFIG_PPC_SECVAR_SYSFS @@ -0,0 +1 @@ +CONFIG_PPC_SECVAR_SYSFS=y diff --git a/redhat/configs/ark/generic/x86/CONFIG_IMA_ARCH_POLICY b/redhat/configs/ark/generic/x86/CONFIG_IMA_ARCH_POLICY new file mode 100644 index 000000000000..e0230b86d3d1 --- /dev/null +++ b/redhat/configs/ark/generic/x86/CONFIG_IMA_ARCH_POLICY @@ -0,0 +1 @@ +CONFIG_IMA_ARCH_POLICY=y diff --git a/redhat/configs/fedora/generic/powerpc/CONFIG_IMA_ARCH_POLICY b/redhat/configs/fedora/generic/powerpc/CONFIG_IMA_ARCH_POLICY new file mode 100644 index 000000000000..e0230b86d3d1 --- /dev/null +++ b/redhat/configs/fedora/generic/powerpc/CONFIG_IMA_ARCH_POLICY @@ -0,0 +1 @@ +CONFIG_IMA_ARCH_POLICY=y diff --git a/redhat/configs/fedora/generic/powerpc/CONFIG_PPC_SECURE_BOOT b/redhat/configs/fedora/generic/powerpc/CONFIG_PPC_SECURE_BOOT new file mode 100644 index 000000000000..2ed7b7fa69a7 --- /dev/null +++ b/redhat/configs/fedora/generic/powerpc/CONFIG_PPC_SECURE_BOOT @@ -0,0 +1 @@ +CONFIG_PPC_SECURE_BOOT=y 
diff --git a/redhat/configs/fedora/generic/powerpc/CONFIG_PPC_SECVAR_SYSFS b/redhat/configs/fedora/generic/powerpc/CONFIG_PPC_SECVAR_SYSFS new file mode 100644 index 000000000000..fea2a70fa63b --- /dev/null +++ b/redhat/configs/fedora/generic/powerpc/CONFIG_PPC_SECVAR_SYSFS @@ -0,0 +1 @@ +CONFIG_PPC_SECVAR_SYSFS=y diff --git a/redhat/configs/fedora/generic/x86/CONFIG_IMA_ARCH_POLICY b/redhat/configs/fedora/generic/x86/CONFIG_IMA_ARCH_POLICY new file mode 100644 index 000000000000..e0230b86d3d1 --- /dev/null +++ b/redhat/configs/fedora/generic/x86/CONFIG_IMA_ARCH_POLICY @@ -0,0 +1 @@ +CONFIG_IMA_ARCH_POLICY=y
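Review bot: the commit message frames this as a powerpc/IBM request, but the four `+CONFIG_IMA_ARCH_POLICY=y` files include x86 for both ARK and Fedora, and on x86 the arch policy is active whenever the kernel detects EFI Secure Boot: it then prepends built-in rules that measure kexec kernel images and kernel modules and, when the kernel is not built with `CONFIG_KEXEC_SIG` / `CONFIG_MODULE_SIG`, also appraises them with `appraise_type=imasig`, ahead of any policy loaded from userspace. That is a runtime behaviour change on every Secure Boot x86 machine and deserves a sentence in the message. Also, `IMA_ARCH_POLICY` depends on `INTEGRITY_ASYMMETRIC_KEYS` (and on either `IMA_APPRAISE` or `KEXEC_SIG`); nothing in this diff touches those, so confirm in the message that they are already set, otherwise dist-configs will quietly drop the new `=y`.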
From: Bruno Meneguele bmeneg@redhat.com
Fedora was already enabling it for all arches. ARK had it disabled only for aarch64 because this arch hadn't the INTEGRITY subsystem enabled. This patch only makes it enabled for all arches and flavors and removes the pending-common/ file referring to it.
Signed-off-by: Bruno Meneguele bmeneg@redhat.com --- .../{fedora => common}/generic/CONFIG_IMA_APPRAISE_MODSIG | 0 redhat/configs/pending-common/generic/CONFIG_IMA_APPRAISE_MODSIG | 1 - 2 files changed, 1 deletion(-) rename redhat/configs/{fedora => common}/generic/CONFIG_IMA_APPRAISE_MODSIG (100%) delete mode 100644 redhat/configs/pending-common/generic/CONFIG_IMA_APPRAISE_MODSIG
diff --git a/redhat/configs/fedora/generic/CONFIG_IMA_APPRAISE_MODSIG b/redhat/configs/common/generic/CONFIG_IMA_APPRAISE_MODSIG similarity index 100% rename from redhat/configs/fedora/generic/CONFIG_IMA_APPRAISE_MODSIG rename to redhat/configs/common/generic/CONFIG_IMA_APPRAISE_MODSIG diff --git a/redhat/configs/pending-common/generic/CONFIG_IMA_APPRAISE_MODSIG b/redhat/configs/pending-common/generic/CONFIG_IMA_APPRAISE_MODSIG deleted file mode 100644 index 2718d45137c7..000000000000 --- a/redhat/configs/pending-common/generic/CONFIG_IMA_APPRAISE_MODSIG +++ /dev/null @@ -1 +0,0 @@ -# CONFIG_IMA_APPRAISE_MODSIG is not set
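Review bot: the fedora-to-common rename is 100% similar, so the `=y` it carries is implied only by the commit message, while the only visible value is the deleted pending-common line `-# CONFIG_IMA_APPRAISE_MODSIG is not set`; quote the surviving value in the message. Moving the fragment to common/generic also means aarch64 now requests MODSIG; since `IMA_APPRAISE_MODSIG` depends on `IMA_APPRAISE` and `INTEGRITY_ASYMMETRIC_KEYS` and pulls in `MODULE_SIG_FORMAT` and `PKCS7_MESSAGE_PARSER`, run dist-configs for aarch64 and confirm the option does not reappear as a new pending entry there.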
From: Bruno Meneguele bmeneg@redhat.com
The same way IMA should be enabled in all arches, EVM also should be. EVM is independent from, but also complementary to, IMA.
Signed-off-by: Bruno Meneguele bmeneg@redhat.com --- redhat/configs/ark/generic/powerpc/CONFIG_EVM | 1 - redhat/configs/ark/generic/x86/x86_64/CONFIG_EVM | 1 - redhat/configs/common/generic/CONFIG_EVM | 2 +- 3 files changed, 1 insertion(+), 3 deletions(-) delete mode 100644 redhat/configs/ark/generic/powerpc/CONFIG_EVM delete mode 100644 redhat/configs/ark/generic/x86/x86_64/CONFIG_EVM
diff --git a/redhat/configs/ark/generic/powerpc/CONFIG_EVM b/redhat/configs/ark/generic/powerpc/CONFIG_EVM deleted file mode 100644 index 5e5b1549882a..000000000000 --- a/redhat/configs/ark/generic/powerpc/CONFIG_EVM +++ /dev/null @@ -1 +0,0 @@ -CONFIG_EVM=y diff --git a/redhat/configs/ark/generic/x86/x86_64/CONFIG_EVM b/redhat/configs/ark/generic/x86/x86_64/CONFIG_EVM deleted file mode 100644 index 5e5b1549882a..000000000000 --- a/redhat/configs/ark/generic/x86/x86_64/CONFIG_EVM +++ /dev/null @@ -1 +0,0 @@ -CONFIG_EVM=y diff --git a/redhat/configs/common/generic/CONFIG_EVM b/redhat/configs/common/generic/CONFIG_EVM index c9e172e397a9..5e5b1549882a 100644 --- a/redhat/configs/common/generic/CONFIG_EVM +++ b/redhat/configs/common/generic/CONFIG_EVM @@ -1 +1 @@ -# CONFIG_EVM is not set +CONFIG_EVM=y
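Review bot: `+CONFIG_EVM=y` in common/generic compiles EVM in for every flavor but leaves it inactive until a key is loaded and `evm` in securityfs is written to initialise HMAC or x509 mode, so there is no behaviour change for existing installs; the message should say that. Because `CONFIG_EVM` selects `ENCRYPTED_KEYS`, this is also the patch that forces `CONFIG_ENCRYPTED_KEYS` from `m` to `y`; the fragment change for that currently sits in the EVM_LOAD_X509 patch of this series and belongs here.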
From: Bruno Meneguele bmeneg@redhat.com
It's already enabled for all Fedora arches and there is no reason for it not to be enabled on ARK.
Signed-off-by: Bruno Meneguele bmeneg@redhat.com --- redhat/configs/ark/generic/CONFIG_IMA_READ_POLICY | 1 - redhat/configs/{fedora => common}/generic/CONFIG_IMA_READ_POLICY | 0 2 files changed, 1 deletion(-) delete mode 100644 redhat/configs/ark/generic/CONFIG_IMA_READ_POLICY rename redhat/configs/{fedora => common}/generic/CONFIG_IMA_READ_POLICY (100%)
diff --git a/redhat/configs/ark/generic/CONFIG_IMA_READ_POLICY b/redhat/configs/ark/generic/CONFIG_IMA_READ_POLICY deleted file mode 100644 index 78cacab88938..000000000000 --- a/redhat/configs/ark/generic/CONFIG_IMA_READ_POLICY +++ /dev/null @@ -1 +0,0 @@ -# CONFIG_IMA_READ_POLICY is not set diff --git a/redhat/configs/fedora/generic/CONFIG_IMA_READ_POLICY b/redhat/configs/common/generic/CONFIG_IMA_READ_POLICY similarity index 100% rename from redhat/configs/fedora/generic/CONFIG_IMA_READ_POLICY rename to redhat/configs/common/generic/CONFIG_IMA_READ_POLICY
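Review bot: the commit message says nothing about what the option does; one sentence would help: with `IMA_READ_POLICY` the securityfs `ima/policy` file remains after the first policy load, read-only, so root can audit the active rule set, whereas without it (and without `IMA_WRITE_POLICY`, which this series does not enable) the file is removed as soon as a policy has been written. The `-# CONFIG_IMA_READ_POLICY is not set` deletion plus the fedora-to-common rename are consistent with that intent.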
From: Bruno Meneguele bmeneg@redhat.com
x86 and powerpc have this config to let IMA know it can check for secure and/or trusted boot state during runtime, allowing other features to be initialized.
Signed-off-by: Bruno Meneguele bmeneg@redhat.com --- .../ark/generic/powerpc/CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT | 1 + .../ark/generic/x86/CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT | 1 + .../fedora/generic/powerpc/CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT | 1 + .../fedora/generic/x86/CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT | 1 + 4 files changed, 4 insertions(+) create mode 100644 redhat/configs/ark/generic/powerpc/CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT create mode 100644 redhat/configs/ark/generic/x86/CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT create mode 100644 redhat/configs/fedora/generic/powerpc/CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT create mode 100644 redhat/configs/fedora/generic/x86/CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT
diff --git a/redhat/configs/ark/generic/powerpc/CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT b/redhat/configs/ark/generic/powerpc/CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT new file mode 100644 index 000000000000..7275983391f3 --- /dev/null +++ b/redhat/configs/ark/generic/powerpc/CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT @@ -0,0 +1 @@ +CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y diff --git a/redhat/configs/ark/generic/x86/CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT b/redhat/configs/ark/generic/x86/CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT new file mode 100644 index 000000000000..7275983391f3 --- /dev/null +++ b/redhat/configs/ark/generic/x86/CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT @@ -0,0 +1 @@ +CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y diff --git a/redhat/configs/fedora/generic/powerpc/CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT b/redhat/configs/fedora/generic/powerpc/CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT new file mode 100644 index 000000000000..7275983391f3 --- /dev/null +++ b/redhat/configs/fedora/generic/powerpc/CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT @@ -0,0 +1 @@ +CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y diff --git a/redhat/configs/fedora/generic/x86/CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT b/redhat/configs/fedora/generic/x86/CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT new file mode 100644 index 000000000000..7275983391f3 --- /dev/null +++ b/redhat/configs/fedora/generic/x86/CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT @@ -0,0 +1 @@ +CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
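Review bot: `IMA_SECURE_AND_OR_TRUSTED_BOOT` has no Kconfig prompt; it is selected automatically by the x86 and powerpc arch Kconfig and itself depends on `IMA_ARCH_POLICY`, so these four `=y` fragments only record the value the build would pick anyway (useful for keeping dist-configs quiet, but they cannot enable anything on their own). Rephrase the message accordingly and note that this patch depends on the IMA_ARCH_POLICY patch, which must be ordered before it.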
From: Bruno Meneguele bmeneg@redhat.com
Set SHA256 as the default IMA hash on all arches and flavors.
Signed-off-by: Bruno Meneguele bmeneg@redhat.com --- redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH | 1 + 1 file changed, 1 insertion(+) create mode 100644 redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH
diff --git a/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH b/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH new file mode 100644 index 000000000000..35a36af692ea --- /dev/null +++ b/redhat/configs/common/generic/CONFIG_IMA_DEFAULT_HASH @@ -0,0 +1 @@ +CONFIG_IMA_DEFAULT_HASH="sha256"
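Review bot: `CONFIG_IMA_DEFAULT_HASH` is a string symbol whose value Kconfig derives from the `IMA_DEFAULT_HASH_*` choice, so `+CONFIG_IMA_DEFAULT_HASH="sha256"` is correct only while the choice fragments select SHA256; if someone later flips the choice back, this file silently disagrees with it. Say in the message that the fragment mirrors the choice rather than being an independent setting, and keep it with the choice changes in any backport.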
From: Bruno Meneguele bmeneg@redhat.com
Both options CONFIG_IMA_LOAD_X509 and CONFIG_IMA_X509_PATH are complementary and should be enabled for all ARK flavors: IBM requested it for powerpc some time ago on RHEL and other arches should be in sync.
Signed-off-by: Bruno Meneguele bmeneg@redhat.com --- redhat/configs/ark/generic/CONFIG_IMA_LOAD_X509 | 1 + redhat/configs/ark/generic/{powerpc => }/CONFIG_IMA_X509_PATH | 0 2 files changed, 1 insertion(+) create mode 100644 redhat/configs/ark/generic/CONFIG_IMA_LOAD_X509 rename redhat/configs/ark/generic/{powerpc => }/CONFIG_IMA_X509_PATH (100%)
diff --git a/redhat/configs/ark/generic/CONFIG_IMA_LOAD_X509 b/redhat/configs/ark/generic/CONFIG_IMA_LOAD_X509 new file mode 100644 index 000000000000..37c785db29b3 --- /dev/null +++ b/redhat/configs/ark/generic/CONFIG_IMA_LOAD_X509 @@ -0,0 +1 @@ +CONFIG_IMA_LOAD_X509=y diff --git a/redhat/configs/ark/generic/powerpc/CONFIG_IMA_X509_PATH b/redhat/configs/ark/generic/CONFIG_IMA_X509_PATH similarity index 100% rename from redhat/configs/ark/generic/powerpc/CONFIG_IMA_X509_PATH rename to redhat/configs/ark/generic/CONFIG_IMA_X509_PATH
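Review bot: the path the kernel reads at boot comes from the renamed `CONFIG_IMA_X509_PATH` fragment, which is 100% similar and therefore not shown; quote the path in the commit message, since it now applies to x86_64 and aarch64 as well as powerpc. Two caveats worth documenting with `+CONFIG_IMA_LOAD_X509=y`: the certificate file is read with appraisal temporarily disabled for that one file, and it only lands in the `.ima` keyring if it is signed by a key the kernel already trusts (builtin/secondary, or the platform keyring as the EVM_LOAD_X509 message in this series notes); a missing or untrusted file only logs and IMA continues without it.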
From: Bruno Meneguele bmeneg@redhat.com
To avoid warnings during dist-configs we need to explicitly set a value for this option, which should be disabled.
Signed-off-by: Bruno Meneguele bmeneg@redhat.com --- .../ark/generic/{powerpc => }/CONFIG_IMA_APPRAISE_SIGNED_INIT | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename redhat/configs/ark/generic/{powerpc => }/CONFIG_IMA_APPRAISE_SIGNED_INIT (100%)
diff --git a/redhat/configs/ark/generic/powerpc/CONFIG_IMA_APPRAISE_SIGNED_INIT b/redhat/configs/ark/generic/CONFIG_IMA_APPRAISE_SIGNED_INIT similarity index 100% rename from redhat/configs/ark/generic/powerpc/CONFIG_IMA_APPRAISE_SIGNED_INIT rename to redhat/configs/ark/generic/CONFIG_IMA_APPRAISE_SIGNED_INIT
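Review bot: another 100% rename with no visible value; the message says it "should be disabled", so quote the `is not set` line. One sentence on why would help future readers: `IMA_APPRAISE_SIGNED_INIT` makes the built-in `appraise_tcb` policy require signatures (`appraise_type=imasig`) instead of accepting hashes for root-owned files, which would break any init/userspace that ships unsigned, so keeping it off is the right default for a distro kernel.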
From: Bruno Meneguele bmeneg@redhat.com
Both CONFIG_EVM_LOAD_X509 and CONFIG_EVM_X509_PATH are complementary and should be enabled. It behaves in the same way as the x509 certificates on IMA, which can be added to the '.evm' keyring once they are signed with a trusted key placed in the '.platform_keyring'.
And, as a dependency, CONFIG_ENCRYPTED_KEYS must also be set to =y in all arches.
Signed-off-by: Bruno Meneguele bmeneg@redhat.com --- redhat/configs/ark/generic/CONFIG_ENCRYPTED_KEYS | 2 +- redhat/configs/ark/generic/CONFIG_EVM_LOAD_X509 | 1 + redhat/configs/ark/generic/{powerpc => }/CONFIG_EVM_X509_PATH | 0 redhat/configs/ark/generic/powerpc/CONFIG_ENCRYPTED_KEYS | 1 - redhat/configs/ark/generic/x86/x86_64/CONFIG_ENCRYPTED_KEYS | 1 - redhat/configs/ark/generic/x86/x86_64/CONFIG_EVM_LOAD_X509 | 1 - .../generic/powerpc => common/generic}/CONFIG_EVM_LOAD_X509 | 0 7 files changed, 2 insertions(+), 4 deletions(-) create mode 100644 redhat/configs/ark/generic/CONFIG_EVM_LOAD_X509 rename redhat/configs/ark/generic/{powerpc => }/CONFIG_EVM_X509_PATH (100%) delete mode 100644 redhat/configs/ark/generic/powerpc/CONFIG_ENCRYPTED_KEYS delete mode 100644 redhat/configs/ark/generic/x86/x86_64/CONFIG_ENCRYPTED_KEYS delete mode 100644 redhat/configs/ark/generic/x86/x86_64/CONFIG_EVM_LOAD_X509 rename redhat/configs/{ark/generic/powerpc => common/generic}/CONFIG_EVM_LOAD_X509 (100%)
diff --git a/redhat/configs/ark/generic/CONFIG_ENCRYPTED_KEYS b/redhat/configs/ark/generic/CONFIG_ENCRYPTED_KEYS index 076a46253e78..09d264daff2b 100644 --- a/redhat/configs/ark/generic/CONFIG_ENCRYPTED_KEYS +++ b/redhat/configs/ark/generic/CONFIG_ENCRYPTED_KEYS @@ -1 +1 @@ -CONFIG_ENCRYPTED_KEYS=m +CONFIG_ENCRYPTED_KEYS=y diff --git a/redhat/configs/ark/generic/CONFIG_EVM_LOAD_X509 b/redhat/configs/ark/generic/CONFIG_EVM_LOAD_X509 new file mode 100644 index 000000000000..0dd95a176560 --- /dev/null +++ b/redhat/configs/ark/generic/CONFIG_EVM_LOAD_X509 @@ -0,0 +1 @@ +CONFIG_EVM_LOAD_X509=y diff --git a/redhat/configs/ark/generic/powerpc/CONFIG_EVM_X509_PATH b/redhat/configs/ark/generic/CONFIG_EVM_X509_PATH similarity index 100% rename from redhat/configs/ark/generic/powerpc/CONFIG_EVM_X509_PATH rename to redhat/configs/ark/generic/CONFIG_EVM_X509_PATH diff --git a/redhat/configs/ark/generic/powerpc/CONFIG_ENCRYPTED_KEYS b/redhat/configs/ark/generic/powerpc/CONFIG_ENCRYPTED_KEYS deleted file mode 100644 index 09d264daff2b..000000000000 --- a/redhat/configs/ark/generic/powerpc/CONFIG_ENCRYPTED_KEYS +++ /dev/null @@ -1 +0,0 @@ -CONFIG_ENCRYPTED_KEYS=y diff --git a/redhat/configs/ark/generic/x86/x86_64/CONFIG_ENCRYPTED_KEYS b/redhat/configs/ark/generic/x86/x86_64/CONFIG_ENCRYPTED_KEYS deleted file mode 100644 index 09d264daff2b..000000000000 --- a/redhat/configs/ark/generic/x86/x86_64/CONFIG_ENCRYPTED_KEYS +++ /dev/null @@ -1 +0,0 @@ -CONFIG_ENCRYPTED_KEYS=y diff --git a/redhat/configs/ark/generic/x86/x86_64/CONFIG_EVM_LOAD_X509 b/redhat/configs/ark/generic/x86/x86_64/CONFIG_EVM_LOAD_X509 deleted file mode 100644 index 92252682e182..000000000000 --- a/redhat/configs/ark/generic/x86/x86_64/CONFIG_EVM_LOAD_X509 +++ /dev/null @@ -1 +0,0 @@ -# CONFIG_EVM_LOAD_X509 is not set 
diff --git a/redhat/configs/ark/generic/powerpc/CONFIG_EVM_LOAD_X509 b/redhat/configs/common/generic/CONFIG_EVM_LOAD_X509 similarity index 100% rename from redhat/configs/ark/generic/powerpc/CONFIG_EVM_LOAD_X509 rename to redhat/configs/common/generic/CONFIG_EVM_LOAD_X509
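Review bot: the `-CONFIG_ENCRYPTED_KEYS=m` / `+CONFIG_ENCRYPTED_KEYS=y` hunk is attributed in the message to `EVM_LOAD_X509`, but it is `CONFIG_EVM` itself that selects `ENCRYPTED_KEYS`, so a built-in EVM already forces it to `y`; either move that hunk to the CONFIG_EVM patch or correct the message. Separately, the deleted x86_64 override reads `-# CONFIG_EVM_LOAD_X509 is not set` while the powerpc-to-common rename that replaces it has no visible content; confirm in the message that the surviving fragment is `=y`, and note that `CONFIG_EVM_X509_PATH` (also renamed, value not shown) is now read on every ARK arch at boot, where, as with IMA, an absent or untrusted certificate only logs.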
From: Bruno Meneguele bmeneg@redhat.com
Make it the default for all arches on ARK. x86_64 and powerpc already had it enabled; keep it disabled elsewhere.
Signed-off-by: Bruno Meneguele bmeneg@redhat.com --- redhat/configs/ark/generic/{powerpc => }/CONFIG_EVM_ATTR_FSUUID | 0 redhat/configs/common/generic/CONFIG_EVM_ADD_XATTRS | 1 + .../generic/x86/x86_64 => common/generic}/CONFIG_EVM_ATTR_FSUUID | 0 3 files changed, 1 insertion(+) rename redhat/configs/ark/generic/{powerpc => }/CONFIG_EVM_ATTR_FSUUID (100%) create mode 100644 redhat/configs/common/generic/CONFIG_EVM_ADD_XATTRS rename redhat/configs/{ark/generic/x86/x86_64 => common/generic}/CONFIG_EVM_ATTR_FSUUID (100%)
diff --git a/redhat/configs/ark/generic/powerpc/CONFIG_EVM_ATTR_FSUUID b/redhat/configs/ark/generic/CONFIG_EVM_ATTR_FSUUID similarity index 100% rename from redhat/configs/ark/generic/powerpc/CONFIG_EVM_ATTR_FSUUID rename to redhat/configs/ark/generic/CONFIG_EVM_ATTR_FSUUID diff --git a/redhat/configs/common/generic/CONFIG_EVM_ADD_XATTRS b/redhat/configs/common/generic/CONFIG_EVM_ADD_XATTRS new file mode 100644 index 000000000000..687632a21f2b --- /dev/null +++ b/redhat/configs/common/generic/CONFIG_EVM_ADD_XATTRS @@ -0,0 +1 @@ +# CONFIG_EVM_ADD_XATTRS is not set diff --git a/redhat/configs/ark/generic/x86/x86_64/CONFIG_EVM_ATTR_FSUUID b/redhat/configs/common/generic/CONFIG_EVM_ATTR_FSUUID similarity index 100% rename from redhat/configs/ark/generic/x86/x86_64/CONFIG_EVM_ATTR_FSUUID rename to redhat/configs/common/generic/CONFIG_EVM_ATTR_FSUUID
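Review bot: the commit message never mentions `CONFIG_EVM_ADD_XATTRS`, yet the middle hunk adds `+# CONFIG_EVM_ADD_XATTRS is not set` to common/generic (apparently what "keep it disabled elsewhere" refers to); name the option being disabled and say why (ADD_XATTRS lets root extend, at runtime through securityfs, the set of xattrs covered by the EVM HMAC). The two renames also leave a `CONFIG_EVM_ATTR_FSUUID` fragment in both `ark/generic/` and `common/generic/`: if they carry the same value the flavor-specific one is redundant and should be dropped, and if they differ the message should say which value ARK ends up with.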
GitLab Bridge on behalf of bmeneg @ 2020-12-02 17:07 MST:
Acked-by: Jerry Snitselaar jsnitsel@redhat.com
On Thu, Dec 03, 2020 at 12:07:26AM -0000, GitLab Bridge on behalf of bmeneg wrote:
Acked-by: Herton R. Krzesinski herton@redhat.com