Signed-off-by: Armin Kuster <[email protected]>
---
 features/ima/ima.cfg | 18 ++++++++++++++++++
 features/ima/ima.scc | 4 ++++
 features/ima/ima_evm_root_ca.cfg | 3 +++
 features/ima/modsign.cfg | 3 +++
 features/ima/modsign.scc | 6 ++++++
 5 files changed, 34 insertions(+)
 create mode 100644 features/ima/ima.cfg
 create mode 100644 features/ima/ima.scc
 create mode 100644 features/ima/ima_evm_root_ca.cfg
 create mode 100644 features/ima/modsign.cfg
 create mode 100644 features/ima/modsign.scc
diff --git a/features/ima/ima.cfg b/features/ima/ima.cfg
new file mode 100644
index 00000000..b3e47ba3
--- /dev/null
+++ b/features/ima/ima.cfg
@@ -0,0 +1,18 @@
+CONFIG_IMA=y
+CONFIG_IMA_MEASURE_PCR_IDX=10
+CONFIG_IMA_NG_TEMPLATE=y
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
+CONFIG_IMA_DEFAULT_HASH_SHA1=y
+CONFIG_IMA_DEFAULT_HASH="sha1"
+CONFIG_IMA_APPRAISE=y
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+CONFIG_IMA_TRUSTED_KEYRING=y
+CONFIG_SIGNATURE=y
+CONFIG_IMA_WRITE_POLICY=y
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_LOAD_X509=y
+CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
+
+#CONFIG_INTEGRITY_SIGNATURE=y
+#CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+#CONFIG_INTEGRITY_TRUSTED_KEYRING=y
diff --git a/features/ima/ima.scc b/features/ima/ima.scc
new file mode 100644
index 00000000..f2ccbd6a
--- /dev/null
+++ b/features/ima/ima.scc
@@ -0,0 +1,4 @@
+define KFEATURE_DESCRIPTION "Enable/disable configurations for ima security"
+define KFEATURE_COMPATIBILITY all
+
+kconf non-hardware ima.cfg
diff --git a/features/ima/ima_evm_root_ca.cfg b/features/ima/ima_evm_root_ca.cfg
new file mode 100644
index 00000000..9a454257
--- /dev/null
+++ b/features/ima/ima_evm_root_ca.cfg
@@ -0,0 +1,3 @@
+# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
+CONFIG_EVM_LOAD_X509=y
+CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
diff --git a/features/ima/modsign.cfg b/features/ima/modsign.cfg
new file mode 100644
index 00000000..24c402c8
--- /dev/null
+++ b/features/ima/modsign.cfg
@@ -0,0 +1,3 @@
+CONFIG_MODULE_SIG_SHA256=y
+CONFIG_MODULE_SIG_HASH="sha256"
+CONFIG_MODULE_SIG_KEY="modsign_key.pem"
diff --git a/features/ima/modsign.scc b/features/ima/modsign.scc
new file mode 100644
index 00000000..489fa5e5
--- /dev/null
+++ b/features/ima/modsign.scc
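Review bot: In features/ima/ima.cfg the default measurement hash is pinned to SHA-1 (`CONFIG_IMA_DEFAULT_HASH_SHA1=y`, `CONFIG_IMA_DEFAULT_HASH="sha1"`), a weak default for a new integrity feature when the modsign fragment in the same patch already uses sha256. `CONFIG_IMA_DEFAULT_HASH_SHA256=y` with `CONFIG_IMA_DEFAULT_HASH="sha256"` would be the safer choice. `CONFIG_IMA_APPRAISE_BOOTPARAM=y` also leaves appraisal mode switchable from the kernel command line, which is useful while labelling a filesystem but deserves a comment saying it should be dropped for production images. The three `CONFIG_INTEGRITY_*` lines are left commented out although `CONFIG_IMA_TRUSTED_KEYRING`, `CONFIG_IMA_LOAD_X509` and `CONFIG_SIGNATURE` appear to rely on them, so it is worth confirming that these options survive into the final .config.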
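Review bot: features/ima/ima_evm_root_ca.cfg is not referenced by either .scc file added in this patch (ima.scc pulls in only ima.cfg), so unless a description outside this patch includes it, the fragment is never applied. `CONFIG_EVM_LOAD_X509=y` presumably also needs `CONFIG_EVM=y`, which none of the fragments shown here set, so the option may be dropped silently. Either wire it in with a line such as `kconf non-hardware ima_evm_root_ca.cfg` and enable EVM explicitly, or add a comment explaining how the fragment is meant to be consumed.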
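Review bot: `CONFIG_MODULE_SIG_KEY="modsign_key.pem"` in features/ima/modsign.cfg names a signing key but nothing in the patch says where that file comes from or how it is protected. With a non-default key name the kernel build is, as far as I know, expected to find the file already in place rather than generate one, so the build depends on an undocumented step. A comment such as `# modsign_key.pem (PEM, private key + certificate) must be supplied by the build; never commit it or install it into the image` would record the handling expectation next to the setting.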
@@ -0,0 +1,6 @@
+define KFEATURE_DESCRIPTION "Kernel Module Signing (modsign) enablement"
+define KFEATURE_COMPATIBILITY all
+
+kconf non-hardware features/module-signing/signing.cfg
+kconf non-hardware features/module-signing/force-signing.cfg
+kconf non-hardware modsign.cfg
-- 
2.17.1
-- 
_______________________________________________
linux-yocto mailing list
[email protected]
https://lists.yoctoproject.org/listinfo/linux-yocto
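Review bot: The two `kconf` lines that reach into `features/module-signing/` from a description living in `features/ima/` should be checked for path resolution, since the third line (`kconf non-hardware modsign.cfg`) is clearly relative to this directory and the first two may be looked up the same way. If the module-signing feature ships its own description files, pulling them in with `include` would avoid depending on its fragment names. `force-signing.cfg` presumably makes signature checking mandatory, so a short comment that separately built out-of-tree modules must be signed with the same key or will be refused would help anyone enabling this feature.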
