[d-kernel] [PATCH 1/1] config: Enable platform and machine keyrings

Пн Май 4 18:17:59 MSK 2026

Enable platform and machine keyrings so that X.509 certificates kept
in UEFI Secure Boot variables (db, MokListRT) are loaded and become
usable by IMA and by in-kernel signature verification.

Also enable CONFIG_IMA_ARCH_POLICY: under UEFI Secure Boot,
arch_get_ima_policy() in security/integrity/ima/ima_efi.c installs
the arch-specific IMA appraisal policy and calls
set_module_sig_enforced() / set_kexec_sig_enforced(), making kernel
module and kexec kernel image signature verification mandatory.

Enable CONFIG_SYSTEM_BLACKLIST_KEYRING so that revoked certificates
from the dbx UEFI variable are honored.

Signed-off-by: Egor Ignatov <egori at altlinux.org>
---
 config | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/config b/config
index aa036d440..bdc4f6b73 100644
--- a/config
+++ b/config
@@ -3017,6 +3017,8 @@ CONFIG_DM_UEVENT=y
 CONFIG_DM_FLAKEY=m
 CONFIG_DM_VERITY=m
 CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
+# CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING is not set
+# CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING is not set
 # CONFIG_DM_VERITY_FEC is not set
 CONFIG_DM_SWITCH=m
 CONFIG_DM_LOG_WRITES=m
@@ -10150,6 +10152,10 @@ CONFIG_INTEGRITY=y
 CONFIG_INTEGRITY_SIGNATURE=y
 CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
 # CONFIG_INTEGRITY_TRUSTED_KEYRING is not set
+CONFIG_INTEGRITY_PLATFORM_KEYRING=y
+CONFIG_INTEGRITY_MACHINE_KEYRING=y
+# CONFIG_INTEGRITY_CA_MACHINE_KEYRING is not set
+CONFIG_LOAD_UEFI_KEYS=y
 CONFIG_INTEGRITY_AUDIT=y
 CONFIG_IMA=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
@@ -10165,14 +10171,14 @@ CONFIG_IMA_DEFAULT_HASH="sha512"
 CONFIG_IMA_WRITE_POLICY=y
 CONFIG_IMA_READ_POLICY=y
 CONFIG_IMA_APPRAISE=y
-# CONFIG_IMA_ARCH_POLICY is not set
+CONFIG_IMA_ARCH_POLICY=y
 # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
 CONFIG_IMA_APPRAISE_BOOTPARAM=y
 # CONFIG_IMA_APPRAISE_MODSIG is not set
 # CONFIG_IMA_TRUSTED_KEYRING is not set
 CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
 CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
-# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
+CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
 # CONFIG_IMA_DISABLE_HTABLE is not set
 CONFIG_EVM=y
 CONFIG_EVM_ATTR_FSUUID=y
@@ -10467,7 +10473,11 @@ CONFIG_SYSTEM_TRUSTED_KEYRING=y
 CONFIG_SYSTEM_TRUSTED_KEYS="certs/trusted.pem"
 # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set
 CONFIG_SECONDARY_TRUSTED_KEYRING=y
-# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set
+# CONFIG_SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN is not set
+CONFIG_SYSTEM_BLACKLIST_KEYRING=y
+CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
+# CONFIG_SYSTEM_REVOCATION_LIST is not set
+# CONFIG_SYSTEM_BLACKLIST_AUTH_UPDATE is not set
 # end of Certificates for signature checking
 
 CONFIG_BINARY_PRINTF=y
-- 
2.50.1

