tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
ima: enable signing of modules with build time generated key
The kernel build process currently only signs kernel modules when
MODULE_SIG is enabled. Also, sign the kernel modules at build time when
IMA_APPRAISE_MODSIG is enabled.
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Acked-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
authored by
Nayna Jain
and committed by
Mimi Zohar
0165f4ca
b31f2a49
+12
-4
+1
-1
certs/Kconfig
+1
-1
certs/Kconfig
···
4
4
config MODULE_SIG_KEY
5
5
string "File name or PKCS#11 URI of module signing key"
6
6
default "certs/signing_key.pem"
7
-
depends on MODULE_SIG
7
+
depends on MODULE_SIG || IMA_APPRAISE_MODSIG
8
8
help
9
9
Provide the file name of a private key/certificate in PEM format,
10
10
or a PKCS#11 URI according to RFC7512. The file should contain, or
+8
certs/Makefile
+8
certs/Makefile
···
32
32
clean-files := x509_certificate_list .x509.list
33
33
34
34
ifeq ($(CONFIG_MODULE_SIG),y)
35
+
SIGN_KEY = y
36
+
endif
37
+
38
+
ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
39
+
SIGN_KEY = y
40
+
endif
41
+
42
+
ifdef SIGN_KEY
35
43
###############################################################################
36
44
#
37
45
# If module signing is requested, say by allyesconfig, but a key has not been
+3
-3
init/Kconfig
+3
-3
init/Kconfig
···
2164
2164
config MODULE_SIG_ALL
2165
2165
bool "Automatically sign all modules"
2166
2166
default y
2167
-
depends on MODULE_SIG
2167
+
depends on MODULE_SIG || IMA_APPRAISE_MODSIG
2168
2168
help
2169
2169
Sign all modules during make modules_install. Without this option,
2170
2170
modules must be signed manually, using the scripts/sign-file tool.
···
2174
2174
2175
2175
choice
2176
2176
prompt "Which hash algorithm should modules be signed with?"
2177
-
depends on MODULE_SIG
2177
+
depends on MODULE_SIG || IMA_APPRAISE_MODSIG
2178
2178
help
2179
2179
This determines which sort of hashing algorithm will be used during
2180
2180
signature generation. This algorithm _must_ be built into the kernel
···
2206
2206
2207
2207
config MODULE_SIG_HASH
2208
2208
string
2209
-
depends on MODULE_SIG
2209
+
depends on MODULE_SIG || IMA_APPRAISE_MODSIG
2210
2210
default "sha1" if MODULE_SIG_SHA1
2211
2211
default "sha224" if MODULE_SIG_SHA224
2212
2212
default "sha256" if MODULE_SIG_SHA256