From: Bruno Meneguele <bmeneg@xxxxxxxxxx>

Both CONFIG_EVM_LOAD_X509 and CONFIG_EVM_X509_PATH are complementary and should be enabled. It behaves in the same way as the x509 certificates on IMA, which can be added to the '.evm' keyring once they are signed with a trusted key placed in the '.platform_keyring'. And, as a dependency, CONFIG_ENCRYPTED_KEYS must also be set to =y in all arches.

Signed-off-by: Bruno Meneguele <bmeneg@xxxxxxxxxx>
--- redhat/configs/ark/generic/CONFIG_ENCRYPTED_KEYS | 2 +- redhat/configs/ark/generic/CONFIG_EVM_LOAD_X509 | 1 + redhat/configs/ark/generic/{powerpc => }/CONFIG_EVM_X509_PATH | 0 redhat/configs/ark/generic/powerpc/CONFIG_ENCRYPTED_KEYS | 1 - redhat/configs/ark/generic/x86/x86_64/CONFIG_ENCRYPTED_KEYS | 1 - redhat/configs/ark/generic/x86/x86_64/CONFIG_EVM_LOAD_X509 | 1 - .../generic/powerpc => common/generic}/CONFIG_EVM_LOAD_X509 | 0 7 files changed, 2 insertions(+), 4 deletions(-) create mode 100644 redhat/configs/ark/generic/CONFIG_EVM_LOAD_X509 rename redhat/configs/ark/generic/{powerpc => }/CONFIG_EVM_X509_PATH (100%) delete mode 100644 redhat/configs/ark/generic/powerpc/CONFIG_ENCRYPTED_KEYS delete mode 100644 redhat/configs/ark/generic/x86/x86_64/CONFIG_ENCRYPTED_KEYS delete mode 100644 redhat/configs/ark/generic/x86/x86_64/CONFIG_EVM_LOAD_X509 rename redhat/configs/{ark/generic/powerpc => common/generic}/CONFIG_EVM_LOAD_X509 (100%) diff --git a/redhat/configs/ark/generic/CONFIG_ENCRYPTED_KEYS b/redhat/configs/ark/generic/CONFIG_ENCRYPTED_KEYS index 076a46253e78..09d264daff2b 100644 --- a/redhat/configs/ark/generic/CONFIG_ENCRYPTED_KEYS +++ b/redhat/configs/ark/generic/CONFIG_ENCRYPTED_KEYS @@ -1 +1 @@ -CONFIG_ENCRYPTED_KEYS=m +CONFIG_ENCRYPTED_KEYS=y diff --git a/redhat/configs/ark/generic/CONFIG_EVM_LOAD_X509 b/redhat/configs/ark/generic/CONFIG_EVM_LOAD_X509 new file mode 100644 index 000000000000..0dd95a176560 --- /dev/null +++ b/redhat/configs/ark/generic/CONFIG_EVM_LOAD_X509 @@ -0,0 +1 @@ +CONFIG_EVM_LOAD_X509=y
diff --git a/redhat/configs/ark/generic/powerpc/CONFIG_EVM_X509_PATH b/redhat/configs/ark/generic/CONFIG_EVM_X509_PATH similarity index 100% rename from redhat/configs/ark/generic/powerpc/CONFIG_EVM_X509_PATH rename to redhat/configs/ark/generic/CONFIG_EVM_X509_PATH diff --git a/redhat/configs/ark/generic/powerpc/CONFIG_ENCRYPTED_KEYS b/redhat/configs/ark/generic/powerpc/CONFIG_ENCRYPTED_KEYS deleted file mode 100644 index 09d264daff2b..000000000000 --- a/redhat/configs/ark/generic/powerpc/CONFIG_ENCRYPTED_KEYS +++ /dev/null @@ -1 +0,0 @@ -CONFIG_ENCRYPTED_KEYS=y diff --git a/redhat/configs/ark/generic/x86/x86_64/CONFIG_ENCRYPTED_KEYS b/redhat/configs/ark/generic/x86/x86_64/CONFIG_ENCRYPTED_KEYS deleted file mode 100644 index 09d264daff2b..000000000000 --- a/redhat/configs/ark/generic/x86/x86_64/CONFIG_ENCRYPTED_KEYS +++ /dev/null @@ -1 +0,0 @@ -CONFIG_ENCRYPTED_KEYS=y diff --git a/redhat/configs/ark/generic/x86/x86_64/CONFIG_EVM_LOAD_X509 b/redhat/configs/ark/generic/x86/x86_64/CONFIG_EVM_LOAD_X509 deleted file mode 100644 index 92252682e182..000000000000 --- a/redhat/configs/ark/generic/x86/x86_64/CONFIG_EVM_LOAD_X509 +++ /dev/null @@ -1 +0,0 @@ -# CONFIG_EVM_LOAD_X509 is not set diff --git a/redhat/configs/ark/generic/powerpc/CONFIG_EVM_LOAD_X509 b/redhat/configs/common/generic/CONFIG_EVM_LOAD_X509 similarity index 100% rename from redhat/configs/ark/generic/powerpc/CONFIG_EVM_LOAD_X509 rename to redhat/configs/common/generic/CONFIG_EVM_LOAD_X509 -- GitLab
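Review bot: in the redhat/configs/ark/generic/CONFIG_ENCRYPTED_KEYS hunk, the switch from =m to =y is justified in the commit message only as a dependency, without naming the option that needs encrypted keys built in. Name that option in the message (presumably the EVM X.509 loading enabled by this patch; that is an assumption, the patch does not say). Also note there that only powerpc and x86_64 had =y overrides, both deleted here, so every other arch that inherited =m from ark/generic changes from a module to built-in.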
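Review bot: the deletion of redhat/configs/ark/generic/x86/x86_64/CONFIG_EVM_LOAD_X509 removes an explicit "# CONFIG_EVM_LOAD_X509 is not set", so x86_64 flips from disabled to =y through the new ark/generic file, yet the commit message does not say why x86_64 had it disabled or what has changed since. Add that reasoning to the message. Also state the value of CONFIG_EVM_X509_PATH there: the file is moved with 100% similarity, so its content is not visible in the patch, and reviewers cannot check that a certificate is shipped at that path on the arches that now load it.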
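Review bot: the final rename puts powerpc/CONFIG_EVM_LOAD_X509 into redhat/configs/common/generic, while the same patch also creates redhat/configs/ark/generic/CONFIG_EVM_LOAD_X509, and both CONFIG_EVM_X509_PATH and the CONFIG_ENCRYPTED_KEYS=y change land only under ark/generic. The commit message calls the two EVM options complementary and makes CONFIG_ENCRYPTED_KEYS=y a dependency, so either place all three at the same level or explain why common/generic receives only CONFIG_EVM_LOAD_X509. If the renamed file already carries =y, the new ark/generic file looks redundant and one of the two can be dropped.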