Commit 3b5fec2a authored by Roberto Sassu's avatar Roberto Sassu Committed by zgzxx
Browse files

config: add digest list options for arm64 and x86 

euleros inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I91FSN


CVE: NA

---------------------------

Enable digest lists and PGP keys preload.

v4:
 - context adapt arch/x86/configs/openeuler_defconfig for 6.6 kernel

Signed-off-by: default avatarRoberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
Reviewed-by: default avatarJason Yan <yanaijie@huawei.com>
Signed-off-by: default avatarZheng Zengkai <zhengzengkai@huawei.com>
Signed-off-by: default avatarzhoushuiqing <zhoushuiqing2@huawei.com>
Signed-off-by: default avatarzhangguangzhi <zhangguangzhi3@huawei.com>
parent 69089399

arch/arm64/configs/openeuler_defconfig

+7 −0
Original line number Diff line number Diff line
@@ -7248,6 +7248,9 @@ CONFIG_IMA_APPRAISE_BOOTPARAM=y 
CONFIG_IMA_LOAD_X509=y

CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"

# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set

CONFIG_IMA_DIGEST_LIST=y

CONFIG_IMA_DIGEST_LISTS_DIR="/etc/ima/digest_lists"

CONFIG_IMA_PARSER_BINARY_PATH="/usr/bin/upload_digest_lists"

CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y

CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y

# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
@@ -7548,6 +7551,9 @@ CONFIG_PKCS7_MESSAGE_PARSER=y 
# CONFIG_PKCS7_TEST_KEY is not set

CONFIG_SIGNED_PE_FILE_VERIFICATION=y

# CONFIG_FIPS_SIGNATURE_SELFTEST is not set

CONFIG_PGP_LIBRARY=y

CONFIG_PGP_KEY_PARSER=y

CONFIG_PGP_PRELOAD=y



#

# Certificates for signature checking
@@ -7564,6 +7570,7 @@ CONFIG_SYSTEM_BLACKLIST_HASH_LIST="" 
CONFIG_SYSTEM_REVOCATION_LIST=y

CONFIG_SYSTEM_REVOCATION_KEYS=""

# CONFIG_SYSTEM_BLACKLIST_AUTH_UPDATE is not set

CONFIG_PGP_PRELOAD_PUBLIC_KEYS=y

# end of Certificates for signature checking



CONFIG_BINARY_PRINTF=y

arch/x86/configs/openeuler_defconfig

+7 −0
Original line number Diff line number Diff line
@@ -8439,6 +8439,9 @@ CONFIG_IMA_APPRAISE_BOOTPARAM=y 
CONFIG_IMA_LOAD_X509=y

CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"

# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set

CONFIG_IMA_DIGEST_LIST=y

CONFIG_IMA_DIGEST_LISTS_DIR="/etc/ima/digest_lists"

CONFIG_IMA_PARSER_BINARY_PATH="/usr/bin/upload_digest_lists"

CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y

CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y

# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
@@ -8746,6 +8749,9 @@ CONFIG_PKCS7_MESSAGE_PARSER=y 
# CONFIG_PKCS7_TEST_KEY is not set

CONFIG_SIGNED_PE_FILE_VERIFICATION=y

# CONFIG_FIPS_SIGNATURE_SELFTEST is not set

CONFIG_PGP_LIBRARY=y

CONFIG_PGP_KEY_PARSER=y

CONFIG_PGP_PRELOAD=y



#

# Certificates for signature checking
@@ -8762,6 +8768,7 @@ CONFIG_SYSTEM_BLACKLIST_HASH_LIST="" 
CONFIG_SYSTEM_REVOCATION_LIST=y

CONFIG_SYSTEM_REVOCATION_KEYS=""

# CONFIG_SYSTEM_BLACKLIST_AUTH_UPDATE is not set

CONFIG_PGP_PRELOAD_PUBLIC_KEYS=y

# end of Certificates for signature checking



CONFIG_BINARY_PRINTF=y