authorJan Alexander Steffens2022-06-19 20:12:31 +0000
committerJan Alexander Steffens2022-06-19 20:12:31 +0000
commit1eaae5d53fe05417e109993d751d977b992ba231 (patch)
treeb8c08eb7677e02b646701ce124f8f25dce482f21 /config
parent0724b8895c823ce8942a9534ff82588c3625b722 (diff)
downloadaur-1eaae5d53fe05417e109993d751d977b992ba231.tar.gz
FS#75102: Revert "Enable KEXEC_SIG and IMA"
Enabling IMA makes it impossible to load unsigned kernel modules when secure boot is in use, and without shim in the boot chain you can't get the kernel to trust a local key for module signing. This reverts commit 6a241232a3275ef3e314b5b7167e13fffff71282.
Diffstat (limited to 'config')
-rw-r--r--config51
1 files changed, 12 insertions, 39 deletions
diff --git a/config b/config
index 48b072ba4fc4..44972c463741 100644
--- a/config
+++ b/config
@@ -497,9 +497,7 @@ CONFIG_SCHED_HRTICK=y
CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
CONFIG_ARCH_HAS_KEXEC_PURGATORY=y
-CONFIG_KEXEC_SIG=y
-# CONFIG_KEXEC_SIG_FORCE is not set
-CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
+# CONFIG_KEXEC_SIG is not set
CONFIG_CRASH_DUMP=y
CONFIG_KEXEC_JUMP=y
CONFIG_PHYSICAL_START=0x1000000
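Review bot: Dropping `CONFIG_KEXEC_SIG` in this hunk is not covered by the commit description, which only gives a reason for removing IMA (unsigned module loading under secure boot). With `# CONFIG_KEXEC_SIG is not set`, kexec_file_load() has no signature check available for the image it loads, so on secure-boot machines the kexec path no longer extends the verified boot chain. If the module problem comes only from IMA, consider keeping `CONFIG_KEXEC_SIG=y` and `CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y` with `CONFIG_KEXEC_SIG_FORCE` still unset, or state in the description why kexec verification has to go as well.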
@@ -4428,7 +4426,7 @@ CONFIG_IPMI_IPMB=m
CONFIG_IPMI_WATCHDOG=m
CONFIG_IPMI_POWEROFF=m
CONFIG_IPMB_DEVICE_INTERFACE=m
-CONFIG_HW_RANDOM=y
+CONFIG_HW_RANDOM=m
CONFIG_HW_RANDOM_TIMERIOMEM=m
CONFIG_HW_RANDOM_INTEL=m
CONFIG_HW_RANDOM_AMD=m
@@ -4455,10 +4453,10 @@ CONFIG_DEVPORT=y
CONFIG_HPET=y
# CONFIG_HPET_MMAP is not set
CONFIG_HANGCHECK_TIMER=m
-CONFIG_TCG_TPM=y
+CONFIG_TCG_TPM=m
CONFIG_HW_RANDOM_TPM=y
-CONFIG_TCG_TIS_CORE=y
-CONFIG_TCG_TIS=y
+CONFIG_TCG_TIS_CORE=m
+CONFIG_TCG_TIS=m
CONFIG_TCG_TIS_SPI=m
CONFIG_TCG_TIS_SPI_CR50=y
CONFIG_TCG_TIS_I2C_CR50=m
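Review bot: Moving `CONFIG_TCG_TPM`, `CONFIG_TCG_TIS_CORE` and `CONFIG_TCG_TIS` from built-in to modules is a side effect the description does not mention; the same applies to `CONFIG_TCG_CRB` in the next hunk and `CONFIG_HW_RANDOM` in the previous one. The TPM is then unavailable until its driver module is loaded, so any setup that unseals a disk key from the TPM in early userspace depends on these modules being present in the initramfs. Whether the packaging ensures that is not visible on this page. A sentence in the commit description, for example `TPM drivers return to =m; early-boot TPM users need the tpm modules in the initramfs`, would document the change.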
@@ -4469,7 +4467,7 @@ CONFIG_TCG_NSC=m
CONFIG_TCG_ATMEL=m
CONFIG_TCG_INFINEON=m
CONFIG_TCG_XEN=m
-CONFIG_TCG_CRB=y
+CONFIG_TCG_CRB=m
CONFIG_TCG_VTPM_PROXY=m
CONFIG_TCG_TIS_ST33ZP24=m
CONFIG_TCG_TIS_ST33ZP24_I2C=m
@@ -9657,7 +9655,6 @@ CONFIG_BTT=y
CONFIG_ND_PFN=m
CONFIG_NVDIMM_PFN=y
CONFIG_NVDIMM_DAX=y
-CONFIG_NVDIMM_KEYS=y
CONFIG_DAX=y
CONFIG_DEV_DAX=m
CONFIG_DEV_DAX_PMEM=m
@@ -10154,7 +10151,7 @@ CONFIG_KEYS=y
CONFIG_KEYS_REQUEST_CACHE=y
CONFIG_PERSISTENT_KEYRINGS=y
CONFIG_TRUSTED_KEYS=m
-CONFIG_ENCRYPTED_KEYS=y
+CONFIG_ENCRYPTED_KEYS=m
# CONFIG_USER_DECRYPTED_DATA is not set
CONFIG_KEY_DH_OPERATIONS=y
CONFIG_KEY_NOTIFICATIONS=y
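Review bot: `CONFIG_ENCRYPTED_KEYS=m` looks like the reason `CONFIG_NVDIMM_KEYS=y` disappears in the hunk at -9657, since that symbol is derived rather than set by hand; this is inferred from the two hunks, and the LIBNVDIMM setting is not shown here. Without NVDIMM_KEYS the kernel's key handling for NVDIMM security (passphrase-based lock and unlock) is compiled out, which the description does not mention. If that loss is not intended, keep `CONFIG_ENCRYPTED_KEYS=y` independently of the IMA revert.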
@@ -10213,40 +10210,16 @@ CONFIG_INTEGRITY_PLATFORM_KEYRING=y
CONFIG_INTEGRITY_MACHINE_KEYRING=y
CONFIG_LOAD_UEFI_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
-CONFIG_IMA=y
-CONFIG_IMA_MEASURE_PCR_IDX=10
-CONFIG_IMA_LSM_RULES=y
-CONFIG_IMA_NG_TEMPLATE=y
-# CONFIG_IMA_SIG_TEMPLATE is not set
-CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
-# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
-CONFIG_IMA_DEFAULT_HASH_SHA512=y
-CONFIG_IMA_DEFAULT_HASH="sha512"
-CONFIG_IMA_WRITE_POLICY=y
-CONFIG_IMA_READ_POLICY=y
-CONFIG_IMA_APPRAISE=y
-CONFIG_IMA_ARCH_POLICY=y
-# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
-CONFIG_IMA_APPRAISE_BOOTPARAM=y
-CONFIG_IMA_APPRAISE_MODSIG=y
-# CONFIG_IMA_TRUSTED_KEYRING is not set
+# CONFIG_IMA is not set
# CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
-CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
-CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
-CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
-# CONFIG_IMA_DISABLE_HTABLE is not set
-CONFIG_EVM=y
-CONFIG_EVM_ATTR_FSUUID=y
-CONFIG_EVM_EXTRA_SMACK_XATTRS=y
-CONFIG_EVM_ADD_XATTRS=y
-# CONFIG_EVM_LOAD_X509 is not set
+# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
+# CONFIG_EVM is not set
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
# CONFIG_DEFAULT_SECURITY_SMACK is not set
# CONFIG_DEFAULT_SECURITY_TOMOYO is not set
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
CONFIG_DEFAULT_SECURITY_DAC=y
-CONFIG_LSM="landlock,lockdown,yama,integrity,bpf"
+CONFIG_LSM="landlock,lockdown,yama,bpf"
#
# Kernel hardening options
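Review bot: Turning off all of IMA and EVM and removing `integrity` from `CONFIG_LSM` is broader than the problem the description names. The module-loading restriction under secure boot most likely comes from `CONFIG_IMA_ARCH_POLICY=y`, which applies the architecture's secure-boot appraisal rules; this is an inference, since the policy itself is not on this page. A narrower change would keep `CONFIG_IMA=y` for measurement and set `# CONFIG_IMA_ARCH_POLICY is not set`. As written, the kernel provides no file measurement or appraisal, so module integrity rests on whatever module-signing and lockdown settings the rest of the config carries.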
@@ -10338,7 +10311,7 @@ CONFIG_CRYPTO_ECHAINIV=m
#
# Block modes
#
-CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CBC=m
CONFIG_CRYPTO_CFB=m
CONFIG_CRYPTO_CTR=y
CONFIG_CRYPTO_CTS=m