kernel_5.10 no rt

hc

2023-12-11 6778948f9de86c3cfaf36725a7c87dcff9ba247f

 kernel/security/integrity/ima/Kconfig
..
..
@@ -1,3 +1,4 @@
1
+# SPDX-License-Identifier: GPL-2.0-only
1
2
 # IBM Integrity Measurement Architecture
2
3
 #
3
4
 config IMA
..
..
@@ -24,7 +25,7 @@
24
25
 	  an aggregate integrity value over this list inside the
25
26
 	  TPM hardware, so that the TPM can prove to a third party
26
27
 	  whether or not critical system files have been modified.
27
-	  Read <http://www.usenix.org/events/sec04/tech/sailer.html>
28
+	  Read <https://www.usenix.org/events/sec04/tech/sailer.html>
28
29
 	  to learn more about IMA.
29
30
 	  If unsure, say N.
30
31
 
..
..
@@ -52,7 +53,7 @@
52
53
 
53
54
 config IMA_LSM_RULES
54
55
 	bool
55
-	depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)
56
+	depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK || SECURITY_APPARMOR)
56
57
 	default y
57
58
 	help
58
59
 	  Disabling this option will disregard LSM based policy rules.
..
..
@@ -68,10 +69,9 @@
68
69
 	  hash, defined as 20 bytes, and a null terminated pathname,
69
70
 	  limited to 255 characters.  The 'ima-ng' measurement list
70
71
 	  template permits both larger hash digests and longer
71
-	  pathnames.
72
+	  pathnames. The configured default template can be replaced
73
+	  by specifying "ima_template=" on the boot command line.
72
74
 
73
-	config IMA_TEMPLATE
74
-		bool "ima"
75
75
 	config IMA_NG_TEMPLATE
76
76
 		bool "ima-ng (default)"
77
77
 	config IMA_SIG_TEMPLATE
..
..
@@ -81,7 +81,6 @@
81
81
 config IMA_DEFAULT_TEMPLATE
82
82
 	string
83
83
 	depends on IMA
84
-	default "ima" if IMA_TEMPLATE
85
84
 	default "ima-ng" if IMA_NG_TEMPLATE
86
85
 	default "ima-sig" if IMA_SIG_TEMPLATE
87
86
 
..
..
@@ -101,15 +100,19 @@
101
100
 
102
101
 	config IMA_DEFAULT_HASH_SHA256
103
102
 		bool "SHA256"
104
-		depends on CRYPTO_SHA256=y && !IMA_TEMPLATE
103
+		depends on CRYPTO_SHA256=y
105
104
 
106
105
 	config IMA_DEFAULT_HASH_SHA512
107
106
 		bool "SHA512"
108
-		depends on CRYPTO_SHA512=y && !IMA_TEMPLATE
107
+		depends on CRYPTO_SHA512=y
109
108
 
110
109
 	config IMA_DEFAULT_HASH_WP512
111
110
 		bool "WP512"
112
-		depends on CRYPTO_WP512=y && !IMA_TEMPLATE
111
+		depends on CRYPTO_WP512=y
112
+
113
+	config IMA_DEFAULT_HASH_SM3
114
+		bool "SM3"
115
+		depends on CRYPTO_SM3=y
113
116
 endchoice
114
117
 
115
118
 config IMA_DEFAULT_HASH
..
..
@@ -119,6 +122,7 @@
119
122
 	default "sha256" if IMA_DEFAULT_HASH_SHA256
120
123
 	default "sha512" if IMA_DEFAULT_HASH_SHA512
121
124
 	default "wp512" if IMA_DEFAULT_HASH_WP512
125
+	default "sm3" if IMA_DEFAULT_HASH_SM3
122
126
 
123
127
 config IMA_WRITE_POLICY
124
128
 	bool "Enable multiple writes to the IMA policy"
..
..
@@ -155,6 +159,15 @@
155
159
 	  For more information on integrity appraisal refer to:
156
160
 	  <http://linux-ima.sourceforge.net>
157
161
 	  If unsure, say N.
162
+
163
+config IMA_ARCH_POLICY
164
+        bool "Enable loading an IMA architecture specific policy"
165
+        depends on (KEXEC_SIG && IMA) || IMA_APPRAISE \
166
+		   && INTEGRITY_ASYMMETRIC_KEYS
167
+        default n
168
+        help
169
+          This option enables loading an IMA architecture specific policy
170
+          based on run time secure boot flags.
158
171
 
159
172
 config IMA_APPRAISE_BUILD_POLICY
160
173
 	bool "IMA build time configured policy rules"
..
..
@@ -222,6 +235,19 @@
222
235
 	  This option enables the different "ima_appraise=" modes
223
236
 	  (eg. fix, log) from the boot command line.
224
237
 
238
+config IMA_APPRAISE_MODSIG
239
+	bool "Support module-style signatures for appraisal"
240
+	depends on IMA_APPRAISE
241
+	depends on INTEGRITY_ASYMMETRIC_KEYS
242
+	select PKCS7_MESSAGE_PARSER
243
+	select MODULE_SIG_FORMAT
244
+	default n
245
+	help
246
+	   Adds support for signatures appended to files. The format of the
247
+	   appended signature is the same used for signed kernel modules.
248
+	   The modsig keyword can be used in the IMA policy to allow a hook
249
+	   to accept such signatures.
250
+
225
251
 config IMA_TRUSTED_KEYRING
226
252
 	bool "Require all keys on the .ima keyring be signed (deprecated)"
227
253
 	depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
..
..
@@ -286,3 +312,22 @@
286
312
 	default n
287
313
 	help
288
314
 	   This option requires user-space init to be signed.
315
+
316
+config IMA_MEASURE_ASYMMETRIC_KEYS
317
+	bool
318
+	depends on IMA
319
+	depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
320
+	default y
321
+
322
+config IMA_QUEUE_EARLY_BOOT_KEYS
323
+	bool
324
+	depends on IMA_MEASURE_ASYMMETRIC_KEYS
325
+	depends on SYSTEM_TRUSTED_KEYRING
326
+	default y
327
+
328
+config IMA_SECURE_AND_OR_TRUSTED_BOOT
329
+       bool
330
+       depends on IMA_ARCH_POLICY
331
+       help
332
+          This option is selected by architectures to enable secure and/or
333
+          trusted boot based on IMA runtime policies.