ima: enable signing of modules with build time generated key
The kernel build process currently only signs kernel modules when MODULE_SIG is enabled. Also, sign the kernel modules at build time when IMA_APPRAISE_MODSIG is enabled. Signed-off-by: Nayna Jain <nayna@linux.ibm.com> Acked-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
This commit is contained in:
parent
b31f2a495d
commit
0165f4ca22
|
@ -4,7 +4,7 @@ menu "Certificates for signature checking"
|
|||
config MODULE_SIG_KEY
|
||||
string "File name or PKCS#11 URI of module signing key"
|
||||
default "certs/signing_key.pem"
|
||||
depends on MODULE_SIG
|
||||
depends on MODULE_SIG || IMA_APPRAISE_MODSIG
|
||||
help
|
||||
Provide the file name of a private key/certificate in PEM format,
|
||||
or a PKCS#11 URI according to RFC7512. The file should contain, or
|
||||
|
|
|
@ -32,6 +32,14 @@ endif # CONFIG_SYSTEM_TRUSTED_KEYRING
|
|||
clean-files := x509_certificate_list .x509.list
|
||||
|
||||
ifeq ($(CONFIG_MODULE_SIG),y)
|
||||
SIGN_KEY = y
|
||||
endif
|
||||
|
||||
ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
|
||||
SIGN_KEY = y
|
||||
endif
|
||||
|
||||
ifdef SIGN_KEY
|
||||
###############################################################################
|
||||
#
|
||||
# If module signing is requested, say by allyesconfig, but a key has not been
|
||||
|
|
|
@ -2164,7 +2164,7 @@ config MODULE_SIG_FORCE
|
|||
config MODULE_SIG_ALL
|
||||
bool "Automatically sign all modules"
|
||||
default y
|
||||
depends on MODULE_SIG
|
||||
depends on MODULE_SIG || IMA_APPRAISE_MODSIG
|
||||
help
|
||||
Sign all modules during make modules_install. Without this option,
|
||||
modules must be signed manually, using the scripts/sign-file tool.
|
||||
|
@ -2174,7 +2174,7 @@ comment "Do not forget to sign required modules with scripts/sign-file"
|
|||
|
||||
choice
|
||||
prompt "Which hash algorithm should modules be signed with?"
|
||||
depends on MODULE_SIG
|
||||
depends on MODULE_SIG || IMA_APPRAISE_MODSIG
|
||||
help
|
||||
This determines which sort of hashing algorithm will be used during
|
||||
signature generation. This algorithm _must_ be built into the kernel
|
||||
|
@ -2206,7 +2206,7 @@ endchoice
|
|||
|
||||
config MODULE_SIG_HASH
|
||||
string
|
||||
depends on MODULE_SIG
|
||||
depends on MODULE_SIG || IMA_APPRAISE_MODSIG
|
||||
default "sha1" if MODULE_SIG_SHA1
|
||||
default "sha224" if MODULE_SIG_SHA224
|
||||
default "sha256" if MODULE_SIG_SHA256
|
||||
|
|
Loading…
Reference in New Issue