Commit 0165f4ca authored by Nayna Jain's avatar Nayna Jain Committed by Mimi Zohar
Browse files

ima: enable signing of modules with build time generated key 



The kernel build process currently only signs kernel modules when
MODULE_SIG is enabled. Also, sign the kernel modules at build time when
IMA_APPRAISE_MODSIG is enabled.

Signed-off-by: default avatarNayna Jain <nayna@linux.ibm.com>
Acked-by: default avatarStefan Berger <stefanb@linux.ibm.com>
Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
parent b31f2a49

certs/Kconfig

+1 −1
Original line number Diff line number Diff line
@@ -4,7 +4,7 @@ menu "Certificates for signature checking" 
config MODULE_SIG_KEY

	string "File name or PKCS#11 URI of module signing key"

	default "certs/signing_key.pem"

	depends on MODULE_SIG

	depends on MODULE_SIG || IMA_APPRAISE_MODSIG

	help

         Provide the file name of a private key/certificate in PEM format,

         or a PKCS#11 URI according to RFC7512. The file should contain, or

certs/Makefile

+8 −0
Original line number Diff line number Diff line
@@ -32,6 +32,14 @@ endif # CONFIG_SYSTEM_TRUSTED_KEYRING 
clean-files := x509_certificate_list .x509.list



ifeq ($(CONFIG_MODULE_SIG),y)

	SIGN_KEY = y

endif



ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)

	SIGN_KEY = y

endif



ifdef SIGN_KEY

###############################################################################

#

# If module signing is requested, say by allyesconfig, but a key has not been

init/Kconfig

+3 −3
Original line number Diff line number Diff line
@@ -2164,7 +2164,7 @@ config MODULE_SIG_FORCE 
config MODULE_SIG_ALL

	bool "Automatically sign all modules"

	default y

	depends on MODULE_SIG

	depends on MODULE_SIG || IMA_APPRAISE_MODSIG

	help

	  Sign all modules during make modules_install. Without this option,

	  modules must be signed manually, using the scripts/sign-file tool.
@@ -2174,7 +2174,7 @@ comment "Do not forget to sign required modules with scripts/sign-file" 


choice

	prompt "Which hash algorithm should modules be signed with?"

	depends on MODULE_SIG

	depends on MODULE_SIG || IMA_APPRAISE_MODSIG

	help

	  This determines which sort of hashing algorithm will be used during

	  signature generation.  This algorithm _must_ be built into the kernel
@@ -2206,7 +2206,7 @@ endchoice 


config MODULE_SIG_HASH

	string

	depends on MODULE_SIG

	depends on MODULE_SIG || IMA_APPRAISE_MODSIG

	default "sha1" if MODULE_SIG_SHA1

	default "sha224" if MODULE_SIG_SHA224

	default "sha256" if MODULE_SIG_SHA256