Signed-off-by: Armin Kuster <akuster...@gmail.com>
---
 .../recipes-kernel/linux/linux/ima.cfg | 28 ++++++++++---------
 .../linux/linux/ima_evm_root_ca.cfg | 6 ++--
 2 files changed, 18 insertions(+), 16 deletions(-)
diff --git a/meta-integrity/recipes-kernel/linux/linux/ima.cfg b/meta-integrity/recipes-kernel/linux/linux/ima.cfg
index 02381aa..b3e47ba 100644
--- a/meta-integrity/recipes-kernel/linux/linux/ima.cfg
+++ b/meta-integrity/recipes-kernel/linux/linux/ima.cfg
@@ -1,16 +1,18 @@
-# Enable bare minimum IMA measurement and appraisal as needed by this layer.
-
-CONFIG_SECURITY=y
-CONFIG_INTEGRITY=y
-
-# measurement
 CONFIG_IMA=y
-
-# appraisal
+CONFIG_IMA_MEASURE_PCR_IDX=10
+CONFIG_IMA_NG_TEMPLATE=y
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
+CONFIG_IMA_DEFAULT_HASH_SHA1=y
+CONFIG_IMA_DEFAULT_HASH="sha1"
 CONFIG_IMA_APPRAISE=y
-CONFIG_INTEGRITY_SIGNATURE=y
-CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
-
-# Kernel will get built with embedded X.509 root CA key and all keys
-# need to be signed with that.
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
 CONFIG_IMA_TRUSTED_KEYRING=y
+CONFIG_SIGNATURE=y
+CONFIG_IMA_WRITE_POLICY=y
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_LOAD_X509=y
+CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
+
+#CONFIG_INTEGRITY_SIGNATURE=y
+#CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+#CONFIG_INTEGRITY_TRUSTED_KEYRING=y
diff --git a/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg b/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg
index 7338232..9a45425 100644
--- a/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg
+++ b/meta-integrity/recipes-kernel/linux/linux/ima_evm_root_ca.cfg
@@ -1,3 +1,3 @@
-CONFIG_KEYS=y
-CONFIG_SYSTEM_TRUSTED_KEYRING=y
-CONFIG_SYSTEM_TRUSTED_KEYS=""
+# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
+CONFIG_EVM_LOAD_X509=y
+CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
-- 
2.17.1
-- 
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
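Review bot: Commenting out `CONFIG_INTEGRITY_SIGNATURE=y` and `CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y` at the end of the ima.cfg hunk removes the options that, as far as I recall the kernel Kconfig, `CONFIG_IMA_TRUSTED_KEYRING` and `CONFIG_IMA_LOAD_X509` depend on, so unless another fragment still enables them the config merge will silently drop signature appraisal and the image ends up with measurement only. A `#CONFIG_FOO=y` line in a fragment is just a comment, so the intent is ambiguous; either keep the three as `=y` or write `# CONFIG_INTEGRITY_SIGNATURE is not set` explicitly with a comment saying why. Separately, `CONFIG_IMA_DEFAULT_HASH_SHA1=y` / `CONFIG_IMA_DEFAULT_HASH="sha1"` picks a hash that should not be the default for measurement or appraisal; with the ima-ng template selected in the same hunk sha256 is usable, so `CONFIG_IMA_DEFAULT_HASH_SHA256=y` and `CONFIG_IMA_DEFAULT_HASH="sha256"` is the safer choice. `CONFIG_IMA_APPRAISE_BOOTPARAM=y` also lets `ima_appraise=off` on the kernel command line disable appraisal entirely, which is only acceptable if the command line is itself protected by verified boot; a comment recording that assumption would help the next maintainer.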
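Review bot: The new `CONFIG_EVM_LOAD_X509=y` / `CONFIG_EVM_X509_PATH` lines are added without any `CONFIG_EVM=y` in this fragment, and the same hunk drops `CONFIG_KEYS=y`, `CONFIG_SYSTEM_TRUSTED_KEYRING=y` and `CONFIG_SYSTEM_TRUSTED_KEYS=""`, so unless another fragment enables EVM and the system trusted keyring these options will be discarded at config merge and a file named `ima_evm_root_ca.cfg` no longer embeds or references a root CA at all. Keeping `CONFIG_SYSTEM_TRUSTED_KEYRING=y` and adding `CONFIG_EVM=y` next to the EVM lines would make the fragment self-contained. The certificate at `/etc/keys/x509_evm.der` lives on the rootfs, so it only adds trust if it is itself signed by a key built into the kernel's trusted keyring; a comment such as `# x509_evm.der must be signed by the built-in root CA (SYSTEM_TRUSTED_KEYS)` would keep that requirement visible. The `# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set` line is an IMA option and reads oddly in the EVM root-CA fragment; ima.cfg looks like the better home for it.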