[d-kernel] [PATCH 1/1] config: Enable platform and machine keyrings
Vitaly Chikunov
vt на altlinux.org
Пн Май 4 18:46:07 MSK 2026
Egor,
On Mon, May 04, 2026 at 06:17:59PM +0300, Egor Ignatov wrote:
> Enable platform and machine keyrings so that X.509 certificates kept
> in UEFI Secure Boot variables (db, MokListRT) are loaded and become
> usable by IMA and by in-kernel signature verification.
>
> Also enable CONFIG_IMA_ARCH_POLICY: under UEFI Secure Boot,
> arch_get_ima_policy() in security/integrity/ima/ima_efi.c installs
> the arch-specific IMA appraisal policy and calls
> set_module_sig_enforced() / set_kexec_sig_enforced(), making kernel
> module and kexec kernel image signature verification mandatory.
>
> Enable CONFIG_SYSTEM_BLACKLIST_KEYRING so that revoked certificates
> from the dbx UEFI variable are honored.
Applied, thanks
0fd3f8e4d161..910085a45b32 6.12/sisyphus -> 6.12/sisyphus
0b3d78bf60b4..dfd15912ea9b 6.18/sisyphus -> 6.18/sisyphus
18ab684f140c..dbea8851cb26 7.0/sisyphus -> 7.0/sisyphus
7f1a54785a55..80803c86d1e0 7.1/sisyphus -> 7.1/sisyphus
>
> Signed-off-by: Egor Ignatov <egori at altlinux.org>
> ---
> config | 16 +++++++++++++---
> 1 file changed, 13 insertions(+), 3 deletions(-)
>
> diff --git a/config b/config
> index aa036d440..bdc4f6b73 100644
> --- a/config
> +++ b/config
> @@ -3017,6 +3017,8 @@ CONFIG_DM_UEVENT=y
> CONFIG_DM_FLAKEY=m
> CONFIG_DM_VERITY=m
> CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
> +# CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING is not set
> +# CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING is not set
> # CONFIG_DM_VERITY_FEC is not set
> CONFIG_DM_SWITCH=m
> CONFIG_DM_LOG_WRITES=m
> @@ -10150,6 +10152,10 @@ CONFIG_INTEGRITY=y
> CONFIG_INTEGRITY_SIGNATURE=y
> CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
> # CONFIG_INTEGRITY_TRUSTED_KEYRING is not set
> +CONFIG_INTEGRITY_PLATFORM_KEYRING=y
> +CONFIG_INTEGRITY_MACHINE_KEYRING=y
> +# CONFIG_INTEGRITY_CA_MACHINE_KEYRING is not set
> +CONFIG_LOAD_UEFI_KEYS=y
> CONFIG_INTEGRITY_AUDIT=y
> CONFIG_IMA=y
> CONFIG_IMA_MEASURE_PCR_IDX=10
> @@ -10165,14 +10171,14 @@ CONFIG_IMA_DEFAULT_HASH="sha512"
> CONFIG_IMA_WRITE_POLICY=y
> CONFIG_IMA_READ_POLICY=y
> CONFIG_IMA_APPRAISE=y
> -# CONFIG_IMA_ARCH_POLICY is not set
> +CONFIG_IMA_ARCH_POLICY=y
> # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
> CONFIG_IMA_APPRAISE_BOOTPARAM=y
> # CONFIG_IMA_APPRAISE_MODSIG is not set
> # CONFIG_IMA_TRUSTED_KEYRING is not set
> CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
> CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
> -# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
> +CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
> # CONFIG_IMA_DISABLE_HTABLE is not set
> CONFIG_EVM=y
> CONFIG_EVM_ATTR_FSUUID=y
> @@ -10467,7 +10473,11 @@ CONFIG_SYSTEM_TRUSTED_KEYRING=y
> CONFIG_SYSTEM_TRUSTED_KEYS="certs/trusted.pem"
> # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set
> CONFIG_SECONDARY_TRUSTED_KEYRING=y
> -# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set
> +# CONFIG_SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN is not set
> +CONFIG_SYSTEM_BLACKLIST_KEYRING=y
> +CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
> +# CONFIG_SYSTEM_REVOCATION_LIST is not set
> +# CONFIG_SYSTEM_BLACKLIST_AUTH_UPDATE is not set
> # end of Certificates for signature checking
>
> CONFIG_BINARY_PRINTF=y
> --
> 2.50.1
>
> _______________________________________________
> devel-kernel mailing list
> devel-kernel at lists.altlinux.org
> https://lists.altlinux.org/mailman/listinfo/devel-kernel
Подробная информация о списке рассылки devel-kernel