authorNayna Jain <nayna@linux.ibm.com>2021-04-09 10:35:06 -0400
committerMimi Zohar <zohar@linux.ibm.com>2021-04-09 10:40:20 -0400
commit0165f4ca223b04bb032095753fadd28816dc435f (patch)
tree549d478f843b542512926f73f19b6656005753b5 /certs
parentb31f2a495debc71bdfefefea8056ade429f79c4b (diff)
ima: enable signing of modules with build time generated key
The kernel build process currently only signs kernel modules when MODULE_SIG is enabled. Also, sign the kernel modules at build time when IMA_APPRAISE_MODSIG is enabled. Signed-off-by: Nayna Jain <nayna@linux.ibm.com> Acked-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'certs')
-rw-r--r--certs/Kconfig2
-rw-r--r--certs/Makefile8
2 files changed, 9 insertions, 1 deletions
diff --git a/certs/Kconfig b/certs/Kconfig
index c94e93d8bccf..48675ad319db 100644
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -4,7 +4,7 @@ menu "Certificates for signature checking"
config MODULE_SIG_KEY
string "File name or PKCS#11 URI of module signing key"
default "certs/signing_key.pem"
- depends on MODULE_SIG
+ depends on MODULE_SIG || IMA_APPRAISE_MODSIG
help
Provide the file name of a private key/certificate in PEM format,
or a PKCS#11 URI according to RFC7512. The file should contain, or
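Review bot: The widened `depends on MODULE_SIG || IMA_APPRAISE_MODSIG` makes the default `certs/signing_key.pem` apply to configurations that enable only IMA modsig appraisal, yet the prompt and the visible start of the help text still describe the option purely as the module signing key. The help text should state that the same key is used to sign modules at build time when IMA_APPRAISE_MODSIG is set, for example `This key is also used to sign modules at build time when IMA_APPRAISE_MODSIG is enabled.`, so that whoever builds such a kernel knows a private key is in play and must be protected or replaced. The help block continues outside the hunk, so the exact placement has to be chosen against the full text. It is also worth confirming that the other settings the key generation and signing steps read (presumably the digest and signature-format options) are reachable without MODULE_SIG; the diffstat on this page is limited to certs, so that cannot be checked from here.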
diff --git a/certs/Makefile b/certs/Makefile
index f4c25b67aad9..e3185c57fbd8 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -32,6 +32,14 @@ endif # CONFIG_SYSTEM_TRUSTED_KEYRING
clean-files := x509_certificate_list .x509.list
ifeq ($(CONFIG_MODULE_SIG),y)
+ SIGN_KEY = y
+endif
+
+ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
+ SIGN_KEY = y
+endif
+
+ifdef SIGN_KEY
###############################################################################
#
# If module signing is requested, say by allyesconfig, but a key has not been