On Wed, 2013-09-04 at 21:37 -0400, Josh Boyer wrote:
> > +config BINFMT_ELF_SIG > > + bool "ELF binary signature verification" > > + depends on BINFMT_ELF > > + select INTEGRITY > > + select INTEGRITY_SIGNATURE > > + select INTEGRITY_ASYMMETRIC_KEYS > > + select IMA > > + select IMA_APPRAISE > > + select SYSTEM_TRUSTED_KEYRING > > + default n > > + ---help--- > > + Check ELF binary signature verfication.
>
> Please don't do this. Yes, it's technically viable to select all the
> things you need, but this turns on entire subsystems we don't have
> enabled. In months when the maintainers have long forgotten about
> this, we have to go figure out what turned on INTEGRITY and IMA
> because they aren't explicitly set in the config-* fragments. It's
> really frustrating.

And it's just plain wrong. CONFIG_IMA requires CONFIG_TCG_TPM. But select is not recursive. So you can end up with a config where IMA is on, but TPM is off...
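
Review bot: the six `select` lines under `config BINFMT_ELF_SIG` (INTEGRITY, INTEGRITY_SIGNATURE, INTEGRITY_ASYMMETRIC_KEYS, IMA, IMA_APPRAISE, SYSTEM_TRUSTED_KEYRING) force those symbols on without Kconfig evaluating their own dependencies, so enabling this one option can yield a configuration where a signature-verification subsystem is switched on while something it requires is not. Prefer `depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS && SYSTEM_TRUSTED_KEYRING`, so the option only becomes visible once those subsystems have been enabled explicitly and their dependencies resolved. The help text also needs work: "verfication" is misspelled, and the single sentence does not say what is verified, against which keyring, or what happens to a binary whose signature is missing or invalid. `default n` is redundant for a bool and can be dropped.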