From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: From: Egor Ignatov To: devel-kernel@lists.altlinux.org Date: Mon, 4 May 2026 18:17:59 +0300 Message-ID: <20260504151759.313524-2-egori@altlinux.org> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20260504151759.313524-1-egori@altlinux.org> References: <20260504151759.313524-1-egori@altlinux.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: [d-kernel] [PATCH 1/1] config: Enable platform and machine keyrings X-BeenThere: devel-kernel@lists.altlinux.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: ALT Linux kernel packages development List-Id: ALT Linux kernel packages development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 May 2026 15:18:14 -0000 Archived-At: List-Archive: List-Post: Enable platform and machine keyrings so that X.509 certificates kept in UEFI Secure Boot variables (db, MokListRT) are loaded and become usable by IMA and by in-kernel signature verification. Also enable CONFIG_IMA_ARCH_POLICY: under UEFI Secure Boot, arch_get_ima_policy() in security/integrity/ima/ima_efi.c installs the arch-specific IMA appraisal policy and calls set_module_sig_enforced() / set_kexec_sig_enforced(), making kernel module and kexec kernel image signature verification mandatory. Enable CONFIG_SYSTEM_BLACKLIST_KEYRING so that revoked certificates from the dbx UEFI variable are honored. Signed-off-by: Egor Ignatov --- config | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/config b/config index aa036d440..bdc4f6b73 100644 --- a/config +++ b/config @@ -3017,6 +3017,8 @@ CONFIG_DM_UEVENT=y CONFIG_DM_FLAKEY=m CONFIG_DM_VERITY=m CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y +# CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING is not set +# CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING is not set # CONFIG_DM_VERITY_FEC is not set CONFIG_DM_SWITCH=m CONFIG_DM_LOG_WRITES=m @@ -10150,6 +10152,10 @@ CONFIG_INTEGRITY=y CONFIG_INTEGRITY_SIGNATURE=y CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y # CONFIG_INTEGRITY_TRUSTED_KEYRING is not set +CONFIG_INTEGRITY_PLATFORM_KEYRING=y +CONFIG_INTEGRITY_MACHINE_KEYRING=y +# CONFIG_INTEGRITY_CA_MACHINE_KEYRING is not set +CONFIG_LOAD_UEFI_KEYS=y CONFIG_INTEGRITY_AUDIT=y CONFIG_IMA=y CONFIG_IMA_MEASURE_PCR_IDX=10 @@ -10165,14 +10171,14 @@ CONFIG_IMA_DEFAULT_HASH="sha512" CONFIG_IMA_WRITE_POLICY=y CONFIG_IMA_READ_POLICY=y CONFIG_IMA_APPRAISE=y -# CONFIG_IMA_ARCH_POLICY is not set +CONFIG_IMA_ARCH_POLICY=y # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set CONFIG_IMA_APPRAISE_BOOTPARAM=y # CONFIG_IMA_APPRAISE_MODSIG is not set # CONFIG_IMA_TRUSTED_KEYRING is not set CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y -# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set +CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y # CONFIG_IMA_DISABLE_HTABLE is not set CONFIG_EVM=y CONFIG_EVM_ATTR_FSUUID=y @@ -10467,7 +10473,11 @@ CONFIG_SYSTEM_TRUSTED_KEYRING=y CONFIG_SYSTEM_TRUSTED_KEYS="certs/trusted.pem" # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set CONFIG_SECONDARY_TRUSTED_KEYRING=y -# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set +# CONFIG_SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN is not set +CONFIG_SYSTEM_BLACKLIST_KEYRING=y +CONFIG_SYSTEM_BLACKLIST_HASH_LIST="" +# CONFIG_SYSTEM_REVOCATION_LIST is not set +# CONFIG_SYSTEM_BLACKLIST_AUTH_UPDATE is not set # end of Certificates for signature checking CONFIG_BINARY_PRINTF=y -- 2.50.1