[linux-yocto] [PATCH 3/4] kernel-cache: add ima fragments
Armin Kuster
akuster808 at gmail.com
Sun Aug 11 09:29:27 PDT 2019
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
---
features/ima/ima.cfg | 18 ++++++++++++++++++
features/ima/ima.scc | 4 ++++
features/ima/ima_evm_root_ca.cfg | 3 +++
features/ima/modsign.cfg | 3 +++
features/ima/modsign.scc | 6 ++++++
5 files changed, 34 insertions(+)
create mode 100644 features/ima/ima.cfg
create mode 100644 features/ima/ima.scc
create mode 100644 features/ima/ima_evm_root_ca.cfg
create mode 100644 features/ima/modsign.cfg
create mode 100644 features/ima/modsign.scc
diff --git a/features/ima/ima.cfg b/features/ima/ima.cfg
new file mode 100644
index 00000000..b3e47ba3
--- /dev/null
+++ b/features/ima/ima.cfg
@@ -0,0 +1,18 @@
+CONFIG_IMA=y
+CONFIG_IMA_MEASURE_PCR_IDX=10
+CONFIG_IMA_NG_TEMPLATE=y
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
+CONFIG_IMA_DEFAULT_HASH_SHA1=y
+CONFIG_IMA_DEFAULT_HASH="sha1"
+CONFIG_IMA_APPRAISE=y
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+CONFIG_IMA_TRUSTED_KEYRING=y
+CONFIG_SIGNATURE=y
+CONFIG_IMA_WRITE_POLICY=y
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_LOAD_X509=y
+CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
+
+#CONFIG_INTEGRITY_SIGNATURE=y
+#CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+#CONFIG_INTEGRITY_TRUSTED_KEYRING=y
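Review bot: The default IMA hash chosen at `CONFIG_IMA_DEFAULT_HASH_SHA1=y` / `CONFIG_IMA_DEFAULT_HASH="sha1"` puts SHA-1 into every measurement-list entry and every appraised file hash, while the same Kconfig choice offers SHA-256; unless a target TPM or the policy tooling specifically needs SHA-1, prefer `CONFIG_IMA_DEFAULT_HASH_SHA256=y` and `CONFIG_IMA_DEFAULT_HASH="sha256"`, which also matches the sha256 picked for modules in modsign.cfg in this same patch. `CONFIG_IMA_APPRAISE_BOOTPARAM=y` lets the `ima_appraise=` kernel parameter turn appraisal off or into log mode, so the fragment implicitly relies on the bootloader locking down the command line — a one-line comment stating that, or leaving the option out of enforcing builds, would make the trade-off visible. The three commented-out `CONFIG_INTEGRITY_*` lines at the end carry no explanation; if they are omitted because the options above already select them, say so in the comment, otherwise drop them. `CONFIG_IMA_TRUSTED_KEYRING` appears to be the option the kernel Kconfig marks deprecated in favour of `CONFIG_INTEGRITY_TRUSTED_KEYRING`; worth confirming against the kernel versions this cache targets.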
diff --git a/features/ima/ima.scc b/features/ima/ima.scc
new file mode 100644
index 00000000..f2ccbd6a
--- /dev/null
+++ b/features/ima/ima.scc
@@ -0,0 +1,4 @@
+define KFEATURE_DESCRIPTION "Enable/disable configurations for ima security"
+define KFEATURE_COMPATIBILITY all
+
+kconf non-hardware ima.cfg
diff --git a/features/ima/ima_evm_root_ca.cfg b/features/ima/ima_evm_root_ca.cfg
new file mode 100644
index 00000000..9a454257
--- /dev/null
+++ b/features/ima/ima_evm_root_ca.cfg
@@ -0,0 +1,3 @@
+# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
+CONFIG_EVM_LOAD_X509=y
+CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
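Review bot: Neither ima.scc nor modsign.scc in this patch references `ima_evm_root_ca.cfg`, so as committed the fragment is never pulled in and `CONFIG_EVM_LOAD_X509` / `CONFIG_EVM_X509_PATH` have no effect unless a descriptor outside this patch includes it. As far as I can tell `CONFIG_EVM_LOAD_X509` also depends on `CONFIG_EVM=y`, which no fragment here sets, so even a direct include would have Kconfig silently drop these two symbols; adding `CONFIG_EVM=y` to this file would make it self-contained. The `# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set` line is the one security-relevant choice in the file and deserves a short comment saying why signed init is disabled for the EVM root-CA case. If the feature is meant to be optional, a matching `ima_evm_root_ca.scc` with `kconf non-hardware ima_evm_root_ca.cfg` is the kernel-cache way to expose it.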
diff --git a/features/ima/modsign.cfg b/features/ima/modsign.cfg
new file mode 100644
index 00000000..24c402c8
--- /dev/null
+++ b/features/ima/modsign.cfg
@@ -0,0 +1,3 @@
+CONFIG_MODULE_SIG_SHA256=y
+CONFIG_MODULE_SIG_HASH="sha256"
+CONFIG_MODULE_SIG_KEY="modsign_key.pem"
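Review bot: `CONFIG_MODULE_SIG_KEY="modsign_key.pem"` names a non-default key path, and as far as I recall the kernel's certs build only auto-generates a signing key for the default `certs/signing_key.pem`; with this value the build expects `modsign_key.pem` to already exist in the kernel build directory and fails otherwise, which neither the fragment nor the commit message documents. A comment above the line such as `# Private key + cert must be supplied by the build (out of tree); the kernel does not generate it for this path` would tell users what they have to provide. The private key must stay out of the kernel-cache repository and the resulting image, so the BitBake side that places it should be referenced from the commit message.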
diff --git a/features/ima/modsign.scc b/features/ima/modsign.scc
new file mode 100644
index 00000000..489fa5e5
--- /dev/null
+++ b/features/ima/modsign.scc
@@ -0,0 +1,6 @@
+define KFEATURE_DESCRIPTION "Kernel Module Signing (modsign) enablement"
+define KFEATURE_COMPATIBILITY all
+
+kconf non-hardware features/module-signing/signing.cfg
+kconf non-hardware features/module-signing/force-signing.cfg
+kconf non-hardware modsign.cfg
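Review bot: The three `kconf` lines mix a repo-rooted path (`features/module-signing/signing.cfg`) with a feature-relative one (`modsign.cfg`); if kernel-cache resolves both forms this is only a readability point, but one convention per descriptor makes it obvious which file is local. Since force-signing.cfg is included, and its name suggests it sets `CONFIG_MODULE_SIG_FORCE`, enabling this feature means the kernel rejects any unsigned module, which is worth stating in the description, e.g. `define KFEATURE_DESCRIPTION "Kernel Module Signing (modsign) enablement; signatures are enforced, unsigned modules are rejected"`.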
--
2.17.1