[OS-BUILD PATCH] redhat/configs: disable {IMA,EVM}_LOAD_X509

From: Bruno Meneguele <bmeneg@xxxxxxxxxx>

redhat/configs: disable {IMA,EVM}_LOAD_X509

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1977529

This option was enabled by mistake (on my own part): this is only used for
allowing the option {IMA,EVM}_X509_PATH to be set with a specific path in
the system pointing to a valid X509 certificate, specifically built for the
integrity subsystem. It turns out that we don't have such a certificate and I am
not sure it's going to be used anytime soon. In RHEL-8 we've allowed trusted
certificates to the integrity subsystem using the secure boot CA and the
certs used for the kernel build.

With these options set we have the following two error lines in dmesg:

integrity: Unable to open file: /etc/keys/x509_ima.der (-2)
integrity: Unable to open file: /etc/keys/x509_evm.der (-2)

Signed-off-by: Bruno Meneguele <bmeneg@xxxxxxxxxx>

diff --git a/redhat/configs/ark/generic/CONFIG_EVM_LOAD_X509 b/redhat/configs/ark/generic/CONFIG_EVM_LOAD_X509
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/ark/generic/CONFIG_EVM_LOAD_X509
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_EVM_LOAD_X509=y
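
Review bot: The EVM side of this patch has no counterpart to the CONFIG_IMA_X509_PATH removal further down. The commit message names {IMA,EVM}_X509_PATH and the quoted dmesg output shows /etc/keys/x509_evm.der being opened, yet only CONFIG_EVM_LOAD_X509 is deleted here and no CONFIG_EVM_X509_PATH file appears anywhere in the diff. Please confirm that the EVM path was never set explicitly under redhat/configs (so there is nothing left to delete), and say so in the commit message so the asymmetry does not look like an omission.
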
diff --git a/redhat/configs/ark/generic/CONFIG_IMA_LOAD_X509 b/redhat/configs/ark/generic/CONFIG_IMA_LOAD_X509
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/ark/generic/CONFIG_IMA_LOAD_X509
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_IMA_LOAD_X509=y
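
Review bot: The subject says "disable", but this hunk (like the EVM one above) only deletes the file carrying CONFIG_IMA_LOAD_X509=y; nothing in the patch adds an explicit "# CONFIG_IMA_LOAD_X509 is not set" entry. If the intent is to pin both LOAD_X509 options off rather than rely on whatever value applies once the file is gone, add the explicit not-set entries, or state in the commit message that removal alone leaves them disabled. Since these options control which certificates get loaded for the integrity subsystem, it would also help to note that the two dmesg lines were checked to be gone on a build with this change.
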
diff --git a/redhat/configs/ark/generic/CONFIG_IMA_X509_PATH b/redhat/configs/ark/generic/CONFIG_IMA_X509_PATH
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/ark/generic/CONFIG_IMA_X509_PATH
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"

--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/1234