hulk inclusion category: feature feature: digest-lists
---------------------------
Enable digest lists and PGP keys preload.
Signed-off-by: Roberto Sassu roberto.sassu@huawei.com --- arch/x86/configs/openeuler_defconfig | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/arch/x86/configs/openeuler_defconfig b/arch/x86/configs/openeuler_defconfig index 37c7c8893e3b..9cc2ec703fb4 100644 --- a/arch/x86/configs/openeuler_defconfig +++ b/arch/x86/configs/openeuler_defconfig @@ -164,6 +164,7 @@ CONFIG_RD_LZMA=y CONFIG_RD_XZ=y CONFIG_RD_LZO=y CONFIG_RD_LZ4=y +CONFIG_INITRAMFS_FILE_METADATA="" CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y # CONFIG_CC_OPTIMIZE_FOR_SIZE is not set CONFIG_SYSCTL=y @@ -6927,21 +6928,27 @@ CONFIG_IMA_LSM_RULES=y CONFIG_IMA_NG_TEMPLATE=y # CONFIG_IMA_SIG_TEMPLATE is not set CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng" -CONFIG_IMA_DEFAULT_HASH_SHA1=y -# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set -CONFIG_IMA_DEFAULT_HASH="sha1" +# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set +CONFIG_IMA_DEFAULT_HASH_SHA256=y +CONFIG_IMA_DEFAULT_HASH="sha256" # CONFIG_IMA_WRITE_POLICY is not set -# CONFIG_IMA_READ_POLICY is not set +CONFIG_IMA_READ_POLICY=y CONFIG_IMA_APPRAISE=y # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set CONFIG_IMA_APPRAISE_BOOTPARAM=y CONFIG_IMA_TRUSTED_KEYRING=y # CONFIG_IMA_BLACKLIST_KEYRING is not set -# CONFIG_IMA_LOAD_X509 is not set +CONFIG_IMA_LOAD_X509=y +CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der" +# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set +CONFIG_IMA_DIGEST_LIST=y +CONFIG_IMA_DIGEST_LISTS_DIR="/etc/ima/digest_lists" +CONFIG_IMA_PARSER_BINARY_PATH="/usr/bin/upload_digest_lists" CONFIG_EVM=y CONFIG_EVM_ATTR_FSUUID=y # CONFIG_EVM_ADD_XATTRS is not set -# CONFIG_EVM_LOAD_X509 is not set +CONFIG_EVM_LOAD_X509=y +CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der" CONFIG_DEFAULT_SECURITY_SELINUX=y # CONFIG_DEFAULT_SECURITY_APPARMOR is not set # CONFIG_DEFAULT_SECURITY_DAC is not set @@ -7159,6 +7166,9 @@ CONFIG_X509_CERTIFICATE_PARSER=y CONFIG_PKCS7_MESSAGE_PARSER=y # CONFIG_PKCS7_TEST_KEY is not set CONFIG_SIGNED_PE_FILE_VERIFICATION=y +CONFIG_PGP_LIBRARY=y +CONFIG_PGP_KEY_PARSER=y +CONFIG_PGP_PRELOAD=y
# # Certificates for signature checking @@ -7170,6 +7180,7 @@ CONFIG_SYSTEM_TRUSTED_KEYS="" # CONFIG_SECONDARY_TRUSTED_KEYRING is not set CONFIG_SYSTEM_BLACKLIST_KEYRING=y CONFIG_SYSTEM_BLACKLIST_HASH_LIST="" +CONFIG_PGP_PRELOAD_PUBLIC_KEYS=y CONFIG_BINARY_PRINTF=y
#