microsoft
/
WSL2-Linux-Kernel
зеркало из https://github.com/microsoft/WSL2-Linux-Kernel.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

ima: enable signing of modules with build time generated key 

The kernel build process currently only signs kernel modules when
MODULE_SIG is enabled. Also, sign the kernel modules at build time when
IMA_APPRAISE_MODSIG is enabled.

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Acked-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This commit is contained in:
Nayna Jain 2021-04-09 10:35:06 -04:00 коммит произвёл Mimi Zohar
Родитель b31f2a495d
Коммит 0165f4ca22
3 изменённых файлов: 12 добавлений и 4 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2
certs/Kconfig
Просмотреть файл

@ -4,7 +4,7 @@ menu "Certificates for signature checking"
config MODULE_SIG_KEY config MODULE_SIG_KEY
string "File name or PKCS#11 URI of module signing key" string "File name or PKCS#11 URI of module signing key"
default "certs/signing_key.pem" default "certs/signing_key.pem"
depends on MODULE_SIG depends on MODULE_SIG || IMA_APPRAISE_MODSIG
help help
Provide the file name of a private key/certificate in PEM format, Provide the file name of a private key/certificate in PEM format,
or a PKCS#11 URI according to RFC7512. The file should contain, or or a PKCS#11 URI according to RFC7512. The file should contain, or

8
certs/Makefile
Просмотреть файл

@ -32,6 +32,14 @@ endif # CONFIG_SYSTEM_TRUSTED_KEYRING
clean-files := x509_certificate_list .x509.list clean-files := x509_certificate_list .x509.list
ifeq ($(CONFIG_MODULE_SIG),y) ifeq ($(CONFIG_MODULE_SIG),y)
SIGN_KEY = y
endif
ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
SIGN_KEY = y
endif
ifdef SIGN_KEY
############################################################################### ###############################################################################
# #
# If module signing is requested, say by allyesconfig, but a key has not been # If module signing is requested, say by allyesconfig, but a key has not been

6
init/Kconfig
Просмотреть файл

@ -2164,7 +2164,7 @@ config MODULE_SIG_FORCE
config MODULE_SIG_ALL config MODULE_SIG_ALL
bool "Automatically sign all modules" bool "Automatically sign all modules"
default y default y
depends on MODULE_SIG depends on MODULE_SIG || IMA_APPRAISE_MODSIG
help help
Sign all modules during make modules_install. Without this option, Sign all modules during make modules_install. Without this option,
modules must be signed manually, using the scripts/sign-file tool. modules must be signed manually, using the scripts/sign-file tool.
@ -2174,7 +2174,7 @@ comment "Do not forget to sign required modules with scripts/sign-file"
choice choice
prompt "Which hash algorithm should modules be signed with?" prompt "Which hash algorithm should modules be signed with?"
depends on MODULE_SIG depends on MODULE_SIG || IMA_APPRAISE_MODSIG
help help
This determines which sort of hashing algorithm will be used during This determines which sort of hashing algorithm will be used during
signature generation. This algorithm _must_ be built into the kernel signature generation. This algorithm _must_ be built into the kernel
@ -2206,7 +2206,7 @@ endchoice
config MODULE_SIG_HASH config MODULE_SIG_HASH
string string
depends on MODULE_SIG depends on MODULE_SIG || IMA_APPRAISE_MODSIG
default "sha1" if MODULE_SIG_SHA1 default "sha1" if MODULE_SIG_SHA1
default "sha224" if MODULE_SIG_SHA224 default "sha224" if MODULE_SIG_SHA224
default "sha256" if MODULE_SIG_SHA256 default "sha256" if MODULE_SIG_SHA256