integrity: Enable IMA and related kconfig symbols (except on armel/marvell)

Closes: #788290 Based on advice from Matthew Garrett.

integrity: Enable IMA and related kconfig symbols (except on armel/marvell)
f3c3de0f · Ben Hutchings · 6771be11 · f3c3de0f · f3c3de0f · f3c3de0f
Commit f3c3de0f authored 8 years ago by Ben Hutchings
--- a/debian/changelog
+++ b/debian/changelog
@@ -343,6 +343,9 @@ linux (4.9.24-1) UNRELEASED; urgency=medium
  * [x86] gpio: Enable GPIO_AMDPT as module
  * [x86] thermal: Enable INT3406_THERMAL as module
  * watchdog: Enable WATCHDOG_SYSFS
+  * integrity: Enable IMA, IMA_DEFAULT_HASH_SHA256, IMA_APPRAISE,
+    IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY, IMA_BLACKLIST_KEYRING
+    (except on armel/marvell) (Closes: #788290)
  
  [ Salvatore Bonaccorso ]
  * ping: implement proper locking (CVE-2017-2671)
--- a/debian/config/armel/config.marvell
+++ b/debian/config/armel/config.marvell
@@ -762,6 +762,11 @@ CONFIG_IPV6=m
 ##
 # CONFIG_NET_MPLS_GSO is not set

+##
+## file: security/integrity/ima/Kconfig
+##
+# CONFIG_IMA is not set
+
 ##
 ## file: sound/soc/Kconfig
 ##

--- a/debian/config/config
+++ b/debian/config/config
@@ -6909,6 +6909,7 @@ CONFIG_SECURITY_APPARMOR_HASH=y
 ##
 CONFIG_INTEGRITY=y
 # CONFIG_INTEGRITY_SIGNATURE is not set
+CONFIG_INTEGRITY_TRUSTED_KEYRING=y
 CONFIG_INTEGRITY_AUDIT=y

 ##
@@ -6919,7 +6920,20 @@ CONFIG_INTEGRITY_AUDIT=y
 ##
 ## file: security/integrity/ima/Kconfig
 ##
-# CONFIG_IMA is not set
+CONFIG_IMA=y
+## choice: Default integrity hash algorithm
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
+# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
+# CONFIG_IMA_DEFAULT_HASH_WP512 is not set
+## end choice
+# CONFIG_IMA_WRITE_POLICY is not set
+# CONFIG_IMA_READ_POLICY is not set
+CONFIG_IMA_APPRAISE=y
+CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
+CONFIG_IMA_BLACKLIST_KEYRING=y
+# CONFIG_IMA_LOAD_X509 is not set
+# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set

 ##
 ## file: security/keys/Kconfig