* [d-kernel] [PATCH 0/1] [6.12-7.1] Enable platform and machine keyrings @ 2026-05-04 15:17 Egor Ignatov 2026-05-04 15:17 ` [d-kernel] [PATCH 1/1] config: " Egor Ignatov 0 siblings, 1 reply; 4+ messages in thread From: Egor Ignatov @ 2026-05-04 15:17 UTC (permalink / raw) To: devel-kernel Прошу применить данный патч ко всем ядрам, для которых подписываются Out-of-Tree модули. Egor Ignatov (1): config: Enable platform and machine keyrings config | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) -- 2.50.1 ^ permalink raw reply [flat|nested] 4+ messages in thread
* [d-kernel] [PATCH 1/1] config: Enable platform and machine keyrings 2026-05-04 15:17 [d-kernel] [PATCH 0/1] [6.12-7.1] Enable platform and machine keyrings Egor Ignatov @ 2026-05-04 15:17 ` Egor Ignatov 2026-05-04 15:46 ` Vitaly Chikunov 2026-05-04 20:43 ` Alexey V. Vissarionov 0 siblings, 2 replies; 4+ messages in thread From: Egor Ignatov @ 2026-05-04 15:17 UTC (permalink / raw) To: devel-kernel Enable platform and machine keyrings so that X.509 certificates kept in UEFI Secure Boot variables (db, MokListRT) are loaded and become usable by IMA and by in-kernel signature verification. Also enable CONFIG_IMA_ARCH_POLICY: under UEFI Secure Boot, arch_get_ima_policy() in security/integrity/ima/ima_efi.c installs the arch-specific IMA appraisal policy and calls set_module_sig_enforced() / set_kexec_sig_enforced(), making kernel module and kexec kernel image signature verification mandatory. Enable CONFIG_SYSTEM_BLACKLIST_KEYRING so that revoked certificates from the dbx UEFI variable are honored. Signed-off-by: Egor Ignatov <egori@altlinux.org> --- config | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/config b/config index aa036d440..bdc4f6b73 100644 --- a/config +++ b/config @@ -3017,6 +3017,8 @@ CONFIG_DM_UEVENT=y CONFIG_DM_FLAKEY=m CONFIG_DM_VERITY=m CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y +# CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING is not set +# CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING is not set # CONFIG_DM_VERITY_FEC is not set CONFIG_DM_SWITCH=m CONFIG_DM_LOG_WRITES=m @@ -10150,6 +10152,10 @@ CONFIG_INTEGRITY=y CONFIG_INTEGRITY_SIGNATURE=y CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y # CONFIG_INTEGRITY_TRUSTED_KEYRING is not set +CONFIG_INTEGRITY_PLATFORM_KEYRING=y +CONFIG_INTEGRITY_MACHINE_KEYRING=y +# CONFIG_INTEGRITY_CA_MACHINE_KEYRING is not set +CONFIG_LOAD_UEFI_KEYS=y CONFIG_INTEGRITY_AUDIT=y CONFIG_IMA=y CONFIG_IMA_MEASURE_PCR_IDX=10 @@ -10165,14 +10171,14 @@ CONFIG_IMA_DEFAULT_HASH="sha512" CONFIG_IMA_WRITE_POLICY=y CONFIG_IMA_READ_POLICY=y CONFIG_IMA_APPRAISE=y -# CONFIG_IMA_ARCH_POLICY is not set +CONFIG_IMA_ARCH_POLICY=y # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set CONFIG_IMA_APPRAISE_BOOTPARAM=y # CONFIG_IMA_APPRAISE_MODSIG is not set # CONFIG_IMA_TRUSTED_KEYRING is not set CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y -# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set +CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y # CONFIG_IMA_DISABLE_HTABLE is not set CONFIG_EVM=y CONFIG_EVM_ATTR_FSUUID=y @@ -10467,7 +10473,11 @@ CONFIG_SYSTEM_TRUSTED_KEYRING=y CONFIG_SYSTEM_TRUSTED_KEYS="certs/trusted.pem" # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set CONFIG_SECONDARY_TRUSTED_KEYRING=y -# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set +# CONFIG_SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN is not set +CONFIG_SYSTEM_BLACKLIST_KEYRING=y +CONFIG_SYSTEM_BLACKLIST_HASH_LIST="" +# CONFIG_SYSTEM_REVOCATION_LIST is not set +# CONFIG_SYSTEM_BLACKLIST_AUTH_UPDATE is not set # end of Certificates for signature checking CONFIG_BINARY_PRINTF=y -- 2.50.1 ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [d-kernel] [PATCH 1/1] config: Enable platform and machine keyrings 2026-05-04 15:17 ` [d-kernel] [PATCH 1/1] config: " Egor Ignatov @ 2026-05-04 15:46 ` Vitaly Chikunov 2026-05-04 20:43 ` Alexey V. Vissarionov 1 sibling, 0 replies; 4+ messages in thread From: Vitaly Chikunov @ 2026-05-04 15:46 UTC (permalink / raw) To: ALT Linux kernel packages development Egor, On Mon, May 04, 2026 at 06:17:59PM +0300, Egor Ignatov wrote: > Enable platform and machine keyrings so that X.509 certificates kept > in UEFI Secure Boot variables (db, MokListRT) are loaded and become > usable by IMA and by in-kernel signature verification. > > Also enable CONFIG_IMA_ARCH_POLICY: under UEFI Secure Boot, > arch_get_ima_policy() in security/integrity/ima/ima_efi.c installs > the arch-specific IMA appraisal policy and calls > set_module_sig_enforced() / set_kexec_sig_enforced(), making kernel > module and kexec kernel image signature verification mandatory. > > Enable CONFIG_SYSTEM_BLACKLIST_KEYRING so that revoked certificates > from the dbx UEFI variable are honored. Applied, thanks 0fd3f8e4d161..910085a45b32 6.12/sisyphus -> 6.12/sisyphus 0b3d78bf60b4..dfd15912ea9b 6.18/sisyphus -> 6.18/sisyphus 18ab684f140c..dbea8851cb26 7.0/sisyphus -> 7.0/sisyphus 7f1a54785a55..80803c86d1e0 7.1/sisyphus -> 7.1/sisyphus > > Signed-off-by: Egor Ignatov <egori@altlinux.org> > --- > config | 16 +++++++++++++--- > 1 file changed, 13 insertions(+), 3 deletions(-) > > diff --git a/config b/config > index aa036d440..bdc4f6b73 100644 > --- a/config > +++ b/config > @@ -3017,6 +3017,8 @@ CONFIG_DM_UEVENT=y > CONFIG_DM_FLAKEY=m > CONFIG_DM_VERITY=m > CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y > +# CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING is not set > +# CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING is not set > # CONFIG_DM_VERITY_FEC is not set > CONFIG_DM_SWITCH=m > CONFIG_DM_LOG_WRITES=m > @@ -10150,6 +10152,10 @@ CONFIG_INTEGRITY=y > CONFIG_INTEGRITY_SIGNATURE=y > CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y > # CONFIG_INTEGRITY_TRUSTED_KEYRING is not set > +CONFIG_INTEGRITY_PLATFORM_KEYRING=y > +CONFIG_INTEGRITY_MACHINE_KEYRING=y > +# CONFIG_INTEGRITY_CA_MACHINE_KEYRING is not set > +CONFIG_LOAD_UEFI_KEYS=y > CONFIG_INTEGRITY_AUDIT=y > CONFIG_IMA=y > CONFIG_IMA_MEASURE_PCR_IDX=10 > @@ -10165,14 +10171,14 @@ CONFIG_IMA_DEFAULT_HASH="sha512" > CONFIG_IMA_WRITE_POLICY=y > CONFIG_IMA_READ_POLICY=y > CONFIG_IMA_APPRAISE=y > -# CONFIG_IMA_ARCH_POLICY is not set > +CONFIG_IMA_ARCH_POLICY=y > # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set > CONFIG_IMA_APPRAISE_BOOTPARAM=y > # CONFIG_IMA_APPRAISE_MODSIG is not set > # CONFIG_IMA_TRUSTED_KEYRING is not set > CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y > CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y > -# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set > +CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y > # CONFIG_IMA_DISABLE_HTABLE is not set > CONFIG_EVM=y > CONFIG_EVM_ATTR_FSUUID=y > @@ -10467,7 +10473,11 @@ CONFIG_SYSTEM_TRUSTED_KEYRING=y > CONFIG_SYSTEM_TRUSTED_KEYS="certs/trusted.pem" > # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set > CONFIG_SECONDARY_TRUSTED_KEYRING=y > -# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set > +# CONFIG_SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN is not set > +CONFIG_SYSTEM_BLACKLIST_KEYRING=y > +CONFIG_SYSTEM_BLACKLIST_HASH_LIST="" > +# CONFIG_SYSTEM_REVOCATION_LIST is not set > +# CONFIG_SYSTEM_BLACKLIST_AUTH_UPDATE is not set > # end of Certificates for signature checking > > CONFIG_BINARY_PRINTF=y > -- > 2.50.1 > > _______________________________________________ > devel-kernel mailing list > devel-kernel@lists.altlinux.org > https://lists.altlinux.org/mailman/listinfo/devel-kernel ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [d-kernel] [PATCH 1/1] config: Enable platform and machine keyrings 2026-05-04 15:17 ` [d-kernel] [PATCH 1/1] config: " Egor Ignatov 2026-05-04 15:46 ` Vitaly Chikunov @ 2026-05-04 20:43 ` Alexey V. Vissarionov 1 sibling, 0 replies; 4+ messages in thread From: Alexey V. Vissarionov @ 2026-05-04 20:43 UTC (permalink / raw) To: ALT Linux kernel packages development Good ${greeting_time}! On 2026-05-04 18:17:59 +0300, Egor Ignatov wrote: > Enable CONFIG_SYSTEM_BLACKLIST_KEYRING so that revoked > certificates from the dbx UEFI variable are honored. Мы правда настолько доверяем другим системам, которые могли засунуть туда какой-то неочевидный CRL, что хотим разрешить "окирпичивание" компутера до невозможности загрузки? -- Alexey V. Vissarionov gremlin ПРИ altlinux ТЧК org; +vii-cmiii-ccxxix-lxxix-xlii GPG: 0D92F19E1C0DC36E27F61A29CD17E2B43D879005 @ hkp://keys.gnupg.net ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-05-04 20:43 UTC | newest] Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2026-05-04 15:17 [d-kernel] [PATCH 0/1] [6.12-7.1] Enable platform and machine keyrings Egor Ignatov 2026-05-04 15:17 ` [d-kernel] [PATCH 1/1] config: " Egor Ignatov 2026-05-04 15:46 ` Vitaly Chikunov 2026-05-04 20:43 ` Alexey V. Vissarionov
ALT Linux kernel packages development This inbox may be cloned and mirrored by anyone: git clone --mirror http://lore.altlinux.org/devel-kernel/0 devel-kernel/git/0.git # If you have public-inbox 1.1+ installed, you may # initialize and index your mirror using the following commands: public-inbox-init -V2 devel-kernel devel-kernel/ http://lore.altlinux.org/devel-kernel \ devel-kernel@altlinux.org devel-kernel@altlinux.ru devel-kernel@altlinux.com public-inbox-index devel-kernel Example config snippet for mirrors. Newsgroup available over NNTP: nntp://lore.altlinux.org/org.altlinux.lists.devel-kernel AGPL code for this site: git clone https://public-inbox.org/public-inbox.git