* [d-kernel] [PATCH 0/1] [6.12-7.1] Enable platform and machine keyrings
@ 2026-05-04 15:17 Egor Ignatov
2026-05-04 15:17 ` [d-kernel] [PATCH 1/1] config: " Egor Ignatov
0 siblings, 1 reply; 3+ messages in thread
From: Egor Ignatov @ 2026-05-04 15:17 UTC (permalink / raw)
To: devel-kernel
Прошу применить данный патч ко всем ядрам, для которых подписываются
Out-of-Tree модули.
Egor Ignatov (1):
config: Enable platform and machine keyrings
config | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
--
2.50.1
^ permalink raw reply [flat|nested] 3+ messages in thread
* [d-kernel] [PATCH 1/1] config: Enable platform and machine keyrings
2026-05-04 15:17 [d-kernel] [PATCH 0/1] [6.12-7.1] Enable platform and machine keyrings Egor Ignatov
@ 2026-05-04 15:17 ` Egor Ignatov
2026-05-04 15:46 ` Vitaly Chikunov
0 siblings, 1 reply; 3+ messages in thread
From: Egor Ignatov @ 2026-05-04 15:17 UTC (permalink / raw)
To: devel-kernel
Enable platform and machine keyrings so that X.509 certificates kept
in UEFI Secure Boot variables (db, MokListRT) are loaded and become
usable by IMA and by in-kernel signature verification.
Also enable CONFIG_IMA_ARCH_POLICY: under UEFI Secure Boot,
arch_get_ima_policy() in security/integrity/ima/ima_efi.c installs
the arch-specific IMA appraisal policy and calls
set_module_sig_enforced() / set_kexec_sig_enforced(), making kernel
module and kexec kernel image signature verification mandatory.
Enable CONFIG_SYSTEM_BLACKLIST_KEYRING so that revoked certificates
from the dbx UEFI variable are honored.
Signed-off-by: Egor Ignatov <egori@altlinux.org>
---
config | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/config b/config
index aa036d440..bdc4f6b73 100644
--- a/config
+++ b/config
@@ -3017,6 +3017,8 @@ CONFIG_DM_UEVENT=y
CONFIG_DM_FLAKEY=m
CONFIG_DM_VERITY=m
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
+# CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING is not set
+# CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING is not set
# CONFIG_DM_VERITY_FEC is not set
CONFIG_DM_SWITCH=m
CONFIG_DM_LOG_WRITES=m
@@ -10150,6 +10152,10 @@ CONFIG_INTEGRITY=y
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
# CONFIG_INTEGRITY_TRUSTED_KEYRING is not set
+CONFIG_INTEGRITY_PLATFORM_KEYRING=y
+CONFIG_INTEGRITY_MACHINE_KEYRING=y
+# CONFIG_INTEGRITY_CA_MACHINE_KEYRING is not set
+CONFIG_LOAD_UEFI_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
@@ -10165,14 +10171,14 @@ CONFIG_IMA_DEFAULT_HASH="sha512"
CONFIG_IMA_WRITE_POLICY=y
CONFIG_IMA_READ_POLICY=y
CONFIG_IMA_APPRAISE=y
-# CONFIG_IMA_ARCH_POLICY is not set
+CONFIG_IMA_ARCH_POLICY=y
# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
CONFIG_IMA_APPRAISE_BOOTPARAM=y
# CONFIG_IMA_APPRAISE_MODSIG is not set
# CONFIG_IMA_TRUSTED_KEYRING is not set
CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
-# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
+CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
# CONFIG_IMA_DISABLE_HTABLE is not set
CONFIG_EVM=y
CONFIG_EVM_ATTR_FSUUID=y
@@ -10467,7 +10473,11 @@ CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS="certs/trusted.pem"
# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set
CONFIG_SECONDARY_TRUSTED_KEYRING=y
-# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set
+# CONFIG_SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN is not set
+CONFIG_SYSTEM_BLACKLIST_KEYRING=y
+CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
+# CONFIG_SYSTEM_REVOCATION_LIST is not set
+# CONFIG_SYSTEM_BLACKLIST_AUTH_UPDATE is not set
# end of Certificates for signature checking
CONFIG_BINARY_PRINTF=y
--
2.50.1
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [d-kernel] [PATCH 1/1] config: Enable platform and machine keyrings
2026-05-04 15:17 ` [d-kernel] [PATCH 1/1] config: " Egor Ignatov
@ 2026-05-04 15:46 ` Vitaly Chikunov
0 siblings, 0 replies; 3+ messages in thread
From: Vitaly Chikunov @ 2026-05-04 15:46 UTC (permalink / raw)
To: ALT Linux kernel packages development
Egor,
On Mon, May 04, 2026 at 06:17:59PM +0300, Egor Ignatov wrote:
> Enable platform and machine keyrings so that X.509 certificates kept
> in UEFI Secure Boot variables (db, MokListRT) are loaded and become
> usable by IMA and by in-kernel signature verification.
>
> Also enable CONFIG_IMA_ARCH_POLICY: under UEFI Secure Boot,
> arch_get_ima_policy() in security/integrity/ima/ima_efi.c installs
> the arch-specific IMA appraisal policy and calls
> set_module_sig_enforced() / set_kexec_sig_enforced(), making kernel
> module and kexec kernel image signature verification mandatory.
>
> Enable CONFIG_SYSTEM_BLACKLIST_KEYRING so that revoked certificates
> from the dbx UEFI variable are honored.
Applied, thanks
0fd3f8e4d161..910085a45b32 6.12/sisyphus -> 6.12/sisyphus
0b3d78bf60b4..dfd15912ea9b 6.18/sisyphus -> 6.18/sisyphus
18ab684f140c..dbea8851cb26 7.0/sisyphus -> 7.0/sisyphus
7f1a54785a55..80803c86d1e0 7.1/sisyphus -> 7.1/sisyphus
>
> Signed-off-by: Egor Ignatov <egori@altlinux.org>
> ---
> config | 16 +++++++++++++---
> 1 file changed, 13 insertions(+), 3 deletions(-)
>
> diff --git a/config b/config
> index aa036d440..bdc4f6b73 100644
> --- a/config
> +++ b/config
> @@ -3017,6 +3017,8 @@ CONFIG_DM_UEVENT=y
> CONFIG_DM_FLAKEY=m
> CONFIG_DM_VERITY=m
> CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
> +# CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING is not set
> +# CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING is not set
> # CONFIG_DM_VERITY_FEC is not set
> CONFIG_DM_SWITCH=m
> CONFIG_DM_LOG_WRITES=m
> @@ -10150,6 +10152,10 @@ CONFIG_INTEGRITY=y
> CONFIG_INTEGRITY_SIGNATURE=y
> CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
> # CONFIG_INTEGRITY_TRUSTED_KEYRING is not set
> +CONFIG_INTEGRITY_PLATFORM_KEYRING=y
> +CONFIG_INTEGRITY_MACHINE_KEYRING=y
> +# CONFIG_INTEGRITY_CA_MACHINE_KEYRING is not set
> +CONFIG_LOAD_UEFI_KEYS=y
> CONFIG_INTEGRITY_AUDIT=y
> CONFIG_IMA=y
> CONFIG_IMA_MEASURE_PCR_IDX=10
> @@ -10165,14 +10171,14 @@ CONFIG_IMA_DEFAULT_HASH="sha512"
> CONFIG_IMA_WRITE_POLICY=y
> CONFIG_IMA_READ_POLICY=y
> CONFIG_IMA_APPRAISE=y
> -# CONFIG_IMA_ARCH_POLICY is not set
> +CONFIG_IMA_ARCH_POLICY=y
> # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
> CONFIG_IMA_APPRAISE_BOOTPARAM=y
> # CONFIG_IMA_APPRAISE_MODSIG is not set
> # CONFIG_IMA_TRUSTED_KEYRING is not set
> CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
> CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
> -# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
> +CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
> # CONFIG_IMA_DISABLE_HTABLE is not set
> CONFIG_EVM=y
> CONFIG_EVM_ATTR_FSUUID=y
> @@ -10467,7 +10473,11 @@ CONFIG_SYSTEM_TRUSTED_KEYRING=y
> CONFIG_SYSTEM_TRUSTED_KEYS="certs/trusted.pem"
> # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set
> CONFIG_SECONDARY_TRUSTED_KEYRING=y
> -# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set
> +# CONFIG_SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN is not set
> +CONFIG_SYSTEM_BLACKLIST_KEYRING=y
> +CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
> +# CONFIG_SYSTEM_REVOCATION_LIST is not set
> +# CONFIG_SYSTEM_BLACKLIST_AUTH_UPDATE is not set
> # end of Certificates for signature checking
>
> CONFIG_BINARY_PRINTF=y
> --
> 2.50.1
>
> _______________________________________________
> devel-kernel mailing list
> devel-kernel@lists.altlinux.org
> https://lists.altlinux.org/mailman/listinfo/devel-kernel
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-05-04 15:46 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-05-04 15:17 [d-kernel] [PATCH 0/1] [6.12-7.1] Enable platform and machine keyrings Egor Ignatov
2026-05-04 15:17 ` [d-kernel] [PATCH 1/1] config: " Egor Ignatov
2026-05-04 15:46 ` Vitaly Chikunov
ALT Linux kernel packages development
This inbox may be cloned and mirrored by anyone:
git clone --mirror http://lore.altlinux.org/devel-kernel/0 devel-kernel/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 devel-kernel devel-kernel/ http://lore.altlinux.org/devel-kernel \
devel-kernel@altlinux.org devel-kernel@altlinux.ru devel-kernel@altlinux.com
public-inbox-index devel-kernel
Example config snippet for mirrors.
Newsgroup available over NNTP:
nntp://lore.altlinux.org/org.altlinux.lists.devel-kernel
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git