summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPeter Robinson <pbrobinson@gmail.com>2019-07-31 13:58:31 +0100
committerPeter Robinson <pbrobinson@gmail.com>2019-07-31 13:58:31 +0100
commitadfbac47b62c420b2438325283f3ca58d10094ec (patch)
treec63983d6c4c5dbadb4c572dc2987efed8cd4a8f9
parentffc1fce93e41c87f9f27fe1e6703a33011133064 (diff)
downloadkernel-adfbac47b62c420b2438325283f3ca58d10094ec.tar.gz
kernel-adfbac47b62c420b2438325283f3ca58d10094ec.tar.xz
kernel-adfbac47b62c420b2438325283f3ca58d10094ec.zip
Enable IMA Appraisal - related rhbz 790008 1554474
-rw-r--r--configs/fedora/generic/CONFIG_IMA_APPRAISE2
-rw-r--r--configs/fedora/generic/CONFIG_IMA_APPRAISE_BOOTPARAM1
-rw-r--r--configs/fedora/generic/CONFIG_IMA_APPRAISE_BUILD_POLICY1
-rw-r--r--configs/fedora/generic/CONFIG_IMA_ARCH_POLICY (renamed from configs/fedora/generic/x86/CONFIG_IMA_ARCH_POLICY)0
-rw-r--r--configs/fedora/generic/CONFIG_IMA_BLACKLIST_KEYRING1
-rw-r--r--configs/fedora/generic/CONFIG_IMA_LOAD_X5091
-rw-r--r--configs/fedora/generic/CONFIG_IMA_TRUSTED_KEYRING1
-rw-r--r--configs/fedora/generic/CONFIG_INTEGRITY_TRUSTED_KEYRING1
-rw-r--r--configs/fedora/generic/CONFIG_TCG_TIS_SPI2
-rw-r--r--kernel-aarch64-debug.config11
-rw-r--r--kernel-aarch64.config11
-rw-r--r--kernel-armv7hl-debug.config11
-rw-r--r--kernel-armv7hl-lpae-debug.config11
-rw-r--r--kernel-armv7hl-lpae.config11
-rw-r--r--kernel-armv7hl.config11
-rw-r--r--kernel-i686-debug.config10
-rw-r--r--kernel-i686.config10
-rw-r--r--kernel-ppc64le-debug.config11
-rw-r--r--kernel-ppc64le.config11
-rw-r--r--kernel-s390x-debug.config11
-rw-r--r--kernel-s390x.config11
-rw-r--r--kernel-x86_64-debug.config10
-rw-r--r--kernel-x86_64.config10
-rw-r--r--kernel.spec5
24 files changed, 134 insertions, 31 deletions
diff --git a/configs/fedora/generic/CONFIG_IMA_APPRAISE b/configs/fedora/generic/CONFIG_IMA_APPRAISE
index acbe2fe3c..da04fd67d 100644
--- a/configs/fedora/generic/CONFIG_IMA_APPRAISE
+++ b/configs/fedora/generic/CONFIG_IMA_APPRAISE
@@ -1 +1 @@
-# CONFIG_IMA_APPRAISE is not set
+CONFIG_IMA_APPRAISE=y
diff --git a/configs/fedora/generic/CONFIG_IMA_APPRAISE_BOOTPARAM b/configs/fedora/generic/CONFIG_IMA_APPRAISE_BOOTPARAM
new file mode 100644
index 000000000..000a58fb6
--- /dev/null
+++ b/configs/fedora/generic/CONFIG_IMA_APPRAISE_BOOTPARAM
@@ -0,0 +1 @@
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
diff --git a/configs/fedora/generic/CONFIG_IMA_APPRAISE_BUILD_POLICY b/configs/fedora/generic/CONFIG_IMA_APPRAISE_BUILD_POLICY
new file mode 100644
index 000000000..d2ff45ca3
--- /dev/null
+++ b/configs/fedora/generic/CONFIG_IMA_APPRAISE_BUILD_POLICY
@@ -0,0 +1 @@
+# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
diff --git a/configs/fedora/generic/x86/CONFIG_IMA_ARCH_POLICY b/configs/fedora/generic/CONFIG_IMA_ARCH_POLICY
index 7187ae0dc..7187ae0dc 100644
--- a/configs/fedora/generic/x86/CONFIG_IMA_ARCH_POLICY
+++ b/configs/fedora/generic/CONFIG_IMA_ARCH_POLICY
diff --git a/configs/fedora/generic/CONFIG_IMA_BLACKLIST_KEYRING b/configs/fedora/generic/CONFIG_IMA_BLACKLIST_KEYRING
new file mode 100644
index 000000000..5329626fb
--- /dev/null
+++ b/configs/fedora/generic/CONFIG_IMA_BLACKLIST_KEYRING
@@ -0,0 +1 @@
+# CONFIG_IMA_BLACKLIST_KEYRING is not set
diff --git a/configs/fedora/generic/CONFIG_IMA_LOAD_X509 b/configs/fedora/generic/CONFIG_IMA_LOAD_X509
new file mode 100644
index 000000000..00d39701b
--- /dev/null
+++ b/configs/fedora/generic/CONFIG_IMA_LOAD_X509
@@ -0,0 +1 @@
+# CONFIG_IMA_LOAD_X509 is not set
diff --git a/configs/fedora/generic/CONFIG_IMA_TRUSTED_KEYRING b/configs/fedora/generic/CONFIG_IMA_TRUSTED_KEYRING
new file mode 100644
index 000000000..36ee7371a
--- /dev/null
+++ b/configs/fedora/generic/CONFIG_IMA_TRUSTED_KEYRING
@@ -0,0 +1 @@
+# CONFIG_IMA_TRUSTED_KEYRING is not set
diff --git a/configs/fedora/generic/CONFIG_INTEGRITY_TRUSTED_KEYRING b/configs/fedora/generic/CONFIG_INTEGRITY_TRUSTED_KEYRING
new file mode 100644
index 000000000..cfb23d479
--- /dev/null
+++ b/configs/fedora/generic/CONFIG_INTEGRITY_TRUSTED_KEYRING
@@ -0,0 +1 @@
+CONFIG_INTEGRITY_TRUSTED_KEYRING=y
diff --git a/configs/fedora/generic/CONFIG_TCG_TIS_SPI b/configs/fedora/generic/CONFIG_TCG_TIS_SPI
index 3b6623798..bfd1ff673 100644
--- a/configs/fedora/generic/CONFIG_TCG_TIS_SPI
+++ b/configs/fedora/generic/CONFIG_TCG_TIS_SPI
@@ -1 +1 @@
-# CONFIG_TCG_TIS_SPI is not set
+CONFIG_TCG_TIS_SPI=m
diff --git a/kernel-aarch64-debug.config b/kernel-aarch64-debug.config
index 488cc5d09..b948b2cc5 100644
--- a/kernel-aarch64-debug.config
+++ b/kernel-aarch64-debug.config
@@ -2412,17 +2412,23 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
CONFIG_IIO_TRIGGER=y
# CONFIG_IKCONFIG is not set
CONFIG_IKHEADERS=m
-# CONFIG_IMA_APPRAISE is not set
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+CONFIG_IMA_APPRAISE=y
+# CONFIG_IMA_ARCH_POLICY is not set
+# CONFIG_IMA_BLACKLIST_KEYRING is not set
# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
CONFIG_IMA_DEFAULT_HASH_SHA256=y
CONFIG_IMA_KEXEC=y
CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
+# CONFIG_IMA_LOAD_X509 is not set
CONFIG_IMA_LSM_RULES=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_NG_TEMPLATE=y
CONFIG_IMA_READ_POLICY=y
# CONFIG_IMA_SIG_TEMPLATE is not set
# CONFIG_IMA_TEMPLATE is not set
+# CONFIG_IMA_TRUSTED_KEYRING is not set
CONFIG_IMA_WRITE_POLICY=y
CONFIG_IMA=y
# CONFIG_IMG_ASCII_LCD is not set
@@ -2557,6 +2563,7 @@ CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_TRUSTED_KEYRING=y
CONFIG_INTEGRITY=y
# CONFIG_INTEL_IDMA64 is not set
CONFIG_INTEL_SOC_PMIC_CHTDC_TI=m
@@ -6210,7 +6217,7 @@ CONFIG_TCG_NSC=m
CONFIG_TCG_TIS_I2C_ATMEL=m
CONFIG_TCG_TIS_I2C_INFINEON=m
# CONFIG_TCG_TIS_I2C_NUVOTON is not set
-# CONFIG_TCG_TIS_SPI is not set
+CONFIG_TCG_TIS_SPI=m
# CONFIG_TCG_TIS_ST33ZP24_I2C is not set
# CONFIG_TCG_TIS_ST33ZP24_SPI is not set
CONFIG_TCG_TIS=y
diff --git a/kernel-aarch64.config b/kernel-aarch64.config
index 8a52c7533..583898069 100644
--- a/kernel-aarch64.config
+++ b/kernel-aarch64.config
@@ -2396,17 +2396,23 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
CONFIG_IIO_TRIGGER=y
# CONFIG_IKCONFIG is not set
CONFIG_IKHEADERS=m
-# CONFIG_IMA_APPRAISE is not set
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+CONFIG_IMA_APPRAISE=y
+# CONFIG_IMA_ARCH_POLICY is not set
+# CONFIG_IMA_BLACKLIST_KEYRING is not set
# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
CONFIG_IMA_DEFAULT_HASH_SHA256=y
CONFIG_IMA_KEXEC=y
CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
+# CONFIG_IMA_LOAD_X509 is not set
CONFIG_IMA_LSM_RULES=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_NG_TEMPLATE=y
CONFIG_IMA_READ_POLICY=y
# CONFIG_IMA_SIG_TEMPLATE is not set
# CONFIG_IMA_TEMPLATE is not set
+# CONFIG_IMA_TRUSTED_KEYRING is not set
CONFIG_IMA_WRITE_POLICY=y
CONFIG_IMA=y
# CONFIG_IMG_ASCII_LCD is not set
@@ -2541,6 +2547,7 @@ CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_TRUSTED_KEYRING=y
CONFIG_INTEGRITY=y
# CONFIG_INTEL_IDMA64 is not set
CONFIG_INTEL_SOC_PMIC_CHTDC_TI=m
@@ -6188,7 +6195,7 @@ CONFIG_TCG_NSC=m
CONFIG_TCG_TIS_I2C_ATMEL=m
CONFIG_TCG_TIS_I2C_INFINEON=m
# CONFIG_TCG_TIS_I2C_NUVOTON is not set
-# CONFIG_TCG_TIS_SPI is not set
+CONFIG_TCG_TIS_SPI=m
# CONFIG_TCG_TIS_ST33ZP24_I2C is not set
# CONFIG_TCG_TIS_ST33ZP24_SPI is not set
CONFIG_TCG_TIS=y
diff --git a/kernel-armv7hl-debug.config b/kernel-armv7hl-debug.config
index 8e3eee74f..30139328b 100644
--- a/kernel-armv7hl-debug.config
+++ b/kernel-armv7hl-debug.config
@@ -2442,17 +2442,23 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
CONFIG_IIO_TRIGGER=y
# CONFIG_IKCONFIG is not set
CONFIG_IKHEADERS=m
-# CONFIG_IMA_APPRAISE is not set
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+CONFIG_IMA_APPRAISE=y
+# CONFIG_IMA_ARCH_POLICY is not set
+# CONFIG_IMA_BLACKLIST_KEYRING is not set
# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
CONFIG_IMA_DEFAULT_HASH_SHA256=y
CONFIG_IMA_KEXEC=y
CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
+# CONFIG_IMA_LOAD_X509 is not set
CONFIG_IMA_LSM_RULES=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_NG_TEMPLATE=y
CONFIG_IMA_READ_POLICY=y
# CONFIG_IMA_SIG_TEMPLATE is not set
# CONFIG_IMA_TEMPLATE is not set
+# CONFIG_IMA_TRUSTED_KEYRING is not set
CONFIG_IMA_WRITE_POLICY=y
CONFIG_IMA=y
# CONFIG_IMG_ASCII_LCD is not set
@@ -2595,6 +2601,7 @@ CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_TRUSTED_KEYRING=y
CONFIG_INTEGRITY=y
# CONFIG_INTEL_IDMA64 is not set
CONFIG_INTEL_SOC_PMIC_CHTDC_TI=m
@@ -6462,7 +6469,7 @@ CONFIG_TCG_NSC=m
CONFIG_TCG_TIS_I2C_ATMEL=m
CONFIG_TCG_TIS_I2C_INFINEON=m
# CONFIG_TCG_TIS_I2C_NUVOTON is not set
-# CONFIG_TCG_TIS_SPI is not set
+CONFIG_TCG_TIS_SPI=m
# CONFIG_TCG_TIS_ST33ZP24_I2C is not set
# CONFIG_TCG_TIS_ST33ZP24_SPI is not set
CONFIG_TCG_TIS=y
diff --git a/kernel-armv7hl-lpae-debug.config b/kernel-armv7hl-lpae-debug.config
index a97205cfa..0493b53be 100644
--- a/kernel-armv7hl-lpae-debug.config
+++ b/kernel-armv7hl-lpae-debug.config
@@ -2359,17 +2359,23 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
CONFIG_IIO_TRIGGER=y
# CONFIG_IKCONFIG is not set
CONFIG_IKHEADERS=m
-# CONFIG_IMA_APPRAISE is not set
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+CONFIG_IMA_APPRAISE=y
+# CONFIG_IMA_ARCH_POLICY is not set
+# CONFIG_IMA_BLACKLIST_KEYRING is not set
# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
CONFIG_IMA_DEFAULT_HASH_SHA256=y
CONFIG_IMA_KEXEC=y
CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
+# CONFIG_IMA_LOAD_X509 is not set
CONFIG_IMA_LSM_RULES=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_NG_TEMPLATE=y
CONFIG_IMA_READ_POLICY=y
# CONFIG_IMA_SIG_TEMPLATE is not set
# CONFIG_IMA_TEMPLATE is not set
+# CONFIG_IMA_TRUSTED_KEYRING is not set
CONFIG_IMA_WRITE_POLICY=y
CONFIG_IMA=y
# CONFIG_IMG_ASCII_LCD is not set
@@ -2500,6 +2506,7 @@ CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_TRUSTED_KEYRING=y
CONFIG_INTEGRITY=y
# CONFIG_INTEL_IDMA64 is not set
CONFIG_INTEL_SOC_PMIC_CHTDC_TI=m
@@ -6139,7 +6146,7 @@ CONFIG_TCG_NSC=m
CONFIG_TCG_TIS_I2C_ATMEL=m
CONFIG_TCG_TIS_I2C_INFINEON=m
# CONFIG_TCG_TIS_I2C_NUVOTON is not set
-# CONFIG_TCG_TIS_SPI is not set
+CONFIG_TCG_TIS_SPI=m
# CONFIG_TCG_TIS_ST33ZP24_I2C is not set
# CONFIG_TCG_TIS_ST33ZP24_SPI is not set
CONFIG_TCG_TIS=y
diff --git a/kernel-armv7hl-lpae.config b/kernel-armv7hl-lpae.config
index 4901957e6..3c18d7dff 100644
--- a/kernel-armv7hl-lpae.config
+++ b/kernel-armv7hl-lpae.config
@@ -2344,17 +2344,23 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
CONFIG_IIO_TRIGGER=y
# CONFIG_IKCONFIG is not set
CONFIG_IKHEADERS=m
-# CONFIG_IMA_APPRAISE is not set
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+CONFIG_IMA_APPRAISE=y
+# CONFIG_IMA_ARCH_POLICY is not set
+# CONFIG_IMA_BLACKLIST_KEYRING is not set
# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
CONFIG_IMA_DEFAULT_HASH_SHA256=y
CONFIG_IMA_KEXEC=y
CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
+# CONFIG_IMA_LOAD_X509 is not set
CONFIG_IMA_LSM_RULES=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_NG_TEMPLATE=y
CONFIG_IMA_READ_POLICY=y
# CONFIG_IMA_SIG_TEMPLATE is not set
# CONFIG_IMA_TEMPLATE is not set
+# CONFIG_IMA_TRUSTED_KEYRING is not set
CONFIG_IMA_WRITE_POLICY=y
CONFIG_IMA=y
# CONFIG_IMG_ASCII_LCD is not set
@@ -2485,6 +2491,7 @@ CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_TRUSTED_KEYRING=y
CONFIG_INTEGRITY=y
# CONFIG_INTEL_IDMA64 is not set
CONFIG_INTEL_SOC_PMIC_CHTDC_TI=m
@@ -6118,7 +6125,7 @@ CONFIG_TCG_NSC=m
CONFIG_TCG_TIS_I2C_ATMEL=m
CONFIG_TCG_TIS_I2C_INFINEON=m
# CONFIG_TCG_TIS_I2C_NUVOTON is not set
-# CONFIG_TCG_TIS_SPI is not set
+CONFIG_TCG_TIS_SPI=m
# CONFIG_TCG_TIS_ST33ZP24_I2C is not set
# CONFIG_TCG_TIS_ST33ZP24_SPI is not set
CONFIG_TCG_TIS=y
diff --git a/kernel-armv7hl.config b/kernel-armv7hl.config
index c9b0a7acd..62e006001 100644
--- a/kernel-armv7hl.config
+++ b/kernel-armv7hl.config
@@ -2427,17 +2427,23 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
CONFIG_IIO_TRIGGER=y
# CONFIG_IKCONFIG is not set
CONFIG_IKHEADERS=m
-# CONFIG_IMA_APPRAISE is not set
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+CONFIG_IMA_APPRAISE=y
+# CONFIG_IMA_ARCH_POLICY is not set
+# CONFIG_IMA_BLACKLIST_KEYRING is not set
# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
CONFIG_IMA_DEFAULT_HASH_SHA256=y
CONFIG_IMA_KEXEC=y
CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
+# CONFIG_IMA_LOAD_X509 is not set
CONFIG_IMA_LSM_RULES=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_NG_TEMPLATE=y
CONFIG_IMA_READ_POLICY=y
# CONFIG_IMA_SIG_TEMPLATE is not set
# CONFIG_IMA_TEMPLATE is not set
+# CONFIG_IMA_TRUSTED_KEYRING is not set
CONFIG_IMA_WRITE_POLICY=y
CONFIG_IMA=y
# CONFIG_IMG_ASCII_LCD is not set
@@ -2580,6 +2586,7 @@ CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_TRUSTED_KEYRING=y
CONFIG_INTEGRITY=y
# CONFIG_INTEL_IDMA64 is not set
CONFIG_INTEL_SOC_PMIC_CHTDC_TI=m
@@ -6441,7 +6448,7 @@ CONFIG_TCG_NSC=m
CONFIG_TCG_TIS_I2C_ATMEL=m
CONFIG_TCG_TIS_I2C_INFINEON=m
# CONFIG_TCG_TIS_I2C_NUVOTON is not set
-# CONFIG_TCG_TIS_SPI is not set
+CONFIG_TCG_TIS_SPI=m
# CONFIG_TCG_TIS_ST33ZP24_I2C is not set
# CONFIG_TCG_TIS_ST33ZP24_SPI is not set
CONFIG_TCG_TIS=y
diff --git a/kernel-i686-debug.config b/kernel-i686-debug.config
index cac5c943c..40bc50d84 100644
--- a/kernel-i686-debug.config
+++ b/kernel-i686-debug.config
@@ -2158,18 +2158,23 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
CONFIG_IIO_TRIGGER=y
# CONFIG_IKCONFIG is not set
CONFIG_IKHEADERS=m
-# CONFIG_IMA_APPRAISE is not set
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+CONFIG_IMA_APPRAISE=y
# CONFIG_IMA_ARCH_POLICY is not set
+# CONFIG_IMA_BLACKLIST_KEYRING is not set
# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
CONFIG_IMA_DEFAULT_HASH_SHA256=y
CONFIG_IMA_KEXEC=y
CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
+# CONFIG_IMA_LOAD_X509 is not set
CONFIG_IMA_LSM_RULES=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_NG_TEMPLATE=y
CONFIG_IMA_READ_POLICY=y
# CONFIG_IMA_SIG_TEMPLATE is not set
# CONFIG_IMA_TEMPLATE is not set
+# CONFIG_IMA_TRUSTED_KEYRING is not set
CONFIG_IMA_WRITE_POLICY=y
CONFIG_IMA=y
# CONFIG_IMG_ASCII_LCD is not set
@@ -2287,6 +2292,7 @@ CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
CONFIG_INTEGRITY_PLATFORM_KEYRING=y
CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_TRUSTED_KEYRING=y
CONFIG_INTEGRITY=y
CONFIG_INTEL_ATOMISP2_PM=m
CONFIG_INTEL_BXT_PMIC_THERMAL=m
@@ -5649,7 +5655,7 @@ CONFIG_TCG_NSC=m
# CONFIG_TCG_TIS_I2C_ATMEL is not set
# CONFIG_TCG_TIS_I2C_INFINEON is not set
# CONFIG_TCG_TIS_I2C_NUVOTON is not set
-# CONFIG_TCG_TIS_SPI is not set
+CONFIG_TCG_TIS_SPI=m
# CONFIG_TCG_TIS_ST33ZP24_I2C is not set
# CONFIG_TCG_TIS_ST33ZP24_SPI is not set
CONFIG_TCG_TIS=y
diff --git a/kernel-i686.config b/kernel-i686.config
index 1f70c1655..dba4785f4 100644
--- a/kernel-i686.config
+++ b/kernel-i686.config
@@ -2141,18 +2141,23 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
CONFIG_IIO_TRIGGER=y
# CONFIG_IKCONFIG is not set
CONFIG_IKHEADERS=m
-# CONFIG_IMA_APPRAISE is not set
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+CONFIG_IMA_APPRAISE=y
# CONFIG_IMA_ARCH_POLICY is not set
+# CONFIG_IMA_BLACKLIST_KEYRING is not set
# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
CONFIG_IMA_DEFAULT_HASH_SHA256=y
CONFIG_IMA_KEXEC=y
CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
+# CONFIG_IMA_LOAD_X509 is not set
CONFIG_IMA_LSM_RULES=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_NG_TEMPLATE=y
CONFIG_IMA_READ_POLICY=y
# CONFIG_IMA_SIG_TEMPLATE is not set
# CONFIG_IMA_TEMPLATE is not set
+# CONFIG_IMA_TRUSTED_KEYRING is not set
CONFIG_IMA_WRITE_POLICY=y
CONFIG_IMA=y
# CONFIG_IMG_ASCII_LCD is not set
@@ -2270,6 +2275,7 @@ CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
CONFIG_INTEGRITY_PLATFORM_KEYRING=y
CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_TRUSTED_KEYRING=y
CONFIG_INTEGRITY=y
CONFIG_INTEL_ATOMISP2_PM=m
CONFIG_INTEL_BXT_PMIC_THERMAL=m
@@ -5628,7 +5634,7 @@ CONFIG_TCG_NSC=m
# CONFIG_TCG_TIS_I2C_ATMEL is not set
# CONFIG_TCG_TIS_I2C_INFINEON is not set
# CONFIG_TCG_TIS_I2C_NUVOTON is not set
-# CONFIG_TCG_TIS_SPI is not set
+CONFIG_TCG_TIS_SPI=m
# CONFIG_TCG_TIS_ST33ZP24_I2C is not set
# CONFIG_TCG_TIS_ST33ZP24_SPI is not set
CONFIG_TCG_TIS=y
diff --git a/kernel-ppc64le-debug.config b/kernel-ppc64le-debug.config
index 42f230f64..f0c986d85 100644
--- a/kernel-ppc64le-debug.config
+++ b/kernel-ppc64le-debug.config
@@ -1965,17 +1965,23 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
CONFIG_IIO_TRIGGER=y
# CONFIG_IKCONFIG is not set
CONFIG_IKHEADERS=m
-# CONFIG_IMA_APPRAISE is not set
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+CONFIG_IMA_APPRAISE=y
+# CONFIG_IMA_ARCH_POLICY is not set
+# CONFIG_IMA_BLACKLIST_KEYRING is not set
# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
CONFIG_IMA_DEFAULT_HASH_SHA256=y
CONFIG_IMA_KEXEC=y
CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
+# CONFIG_IMA_LOAD_X509 is not set
CONFIG_IMA_LSM_RULES=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_NG_TEMPLATE=y
CONFIG_IMA_READ_POLICY=y
# CONFIG_IMA_SIG_TEMPLATE is not set
# CONFIG_IMA_TEMPLATE is not set
+# CONFIG_IMA_TRUSTED_KEYRING is not set
CONFIG_IMA_WRITE_POLICY=y
CONFIG_IMA=y
# CONFIG_IMG_ASCII_LCD is not set
@@ -2089,6 +2095,7 @@ CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_TRUSTED_KEYRING=y
CONFIG_INTEGRITY=y
# CONFIG_INTEL_IDMA64 is not set
CONFIG_INTEL_SOC_PMIC_CHTDC_TI=m
@@ -5271,7 +5278,7 @@ CONFIG_TCG_NSC=m
# CONFIG_TCG_TIS_I2C_ATMEL is not set
# CONFIG_TCG_TIS_I2C_INFINEON is not set
# CONFIG_TCG_TIS_I2C_NUVOTON is not set
-# CONFIG_TCG_TIS_SPI is not set
+CONFIG_TCG_TIS_SPI=m
# CONFIG_TCG_TIS_ST33ZP24_I2C is not set
# CONFIG_TCG_TIS_ST33ZP24_SPI is not set
CONFIG_TCG_TIS=y
diff --git a/kernel-ppc64le.config b/kernel-ppc64le.config
index 4d6ef9154..f2f7209f2 100644
--- a/kernel-ppc64le.config
+++ b/kernel-ppc64le.config
@@ -1948,17 +1948,23 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
CONFIG_IIO_TRIGGER=y
# CONFIG_IKCONFIG is not set
CONFIG_IKHEADERS=m
-# CONFIG_IMA_APPRAISE is not set
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+CONFIG_IMA_APPRAISE=y
+# CONFIG_IMA_ARCH_POLICY is not set
+# CONFIG_IMA_BLACKLIST_KEYRING is not set
# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
CONFIG_IMA_DEFAULT_HASH_SHA256=y
CONFIG_IMA_KEXEC=y
CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
+# CONFIG_IMA_LOAD_X509 is not set
CONFIG_IMA_LSM_RULES=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_NG_TEMPLATE=y
CONFIG_IMA_READ_POLICY=y
# CONFIG_IMA_SIG_TEMPLATE is not set
# CONFIG_IMA_TEMPLATE is not set
+# CONFIG_IMA_TRUSTED_KEYRING is not set
CONFIG_IMA_WRITE_POLICY=y
CONFIG_IMA=y
# CONFIG_IMG_ASCII_LCD is not set
@@ -2072,6 +2078,7 @@ CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_TRUSTED_KEYRING=y
CONFIG_INTEGRITY=y
# CONFIG_INTEL_IDMA64 is not set
CONFIG_INTEL_SOC_PMIC_CHTDC_TI=m
@@ -5248,7 +5255,7 @@ CONFIG_TCG_NSC=m
# CONFIG_TCG_TIS_I2C_ATMEL is not set
# CONFIG_TCG_TIS_I2C_INFINEON is not set
# CONFIG_TCG_TIS_I2C_NUVOTON is not set
-# CONFIG_TCG_TIS_SPI is not set
+CONFIG_TCG_TIS_SPI=m
# CONFIG_TCG_TIS_ST33ZP24_I2C is not set
# CONFIG_TCG_TIS_ST33ZP24_SPI is not set
CONFIG_TCG_TIS=y
diff --git a/kernel-s390x-debug.config b/kernel-s390x-debug.config
index 684936b2e..38030f7d9 100644
--- a/kernel-s390x-debug.config
+++ b/kernel-s390x-debug.config
@@ -1943,17 +1943,23 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
CONFIG_IIO_TRIGGER=y
# CONFIG_IKCONFIG is not set
CONFIG_IKHEADERS=m
-# CONFIG_IMA_APPRAISE is not set
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+CONFIG_IMA_APPRAISE=y
+# CONFIG_IMA_ARCH_POLICY is not set
+# CONFIG_IMA_BLACKLIST_KEYRING is not set
# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
CONFIG_IMA_DEFAULT_HASH_SHA256=y
CONFIG_IMA_KEXEC=y
CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
+# CONFIG_IMA_LOAD_X509 is not set
CONFIG_IMA_LSM_RULES=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_NG_TEMPLATE=y
CONFIG_IMA_READ_POLICY=y
# CONFIG_IMA_SIG_TEMPLATE is not set
# CONFIG_IMA_TEMPLATE is not set
+# CONFIG_IMA_TRUSTED_KEYRING is not set
CONFIG_IMA_WRITE_POLICY=y
CONFIG_IMA=y
# CONFIG_IMG_ASCII_LCD is not set
@@ -2067,6 +2073,7 @@ CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_TRUSTED_KEYRING=y
CONFIG_INTEGRITY=y
# CONFIG_INTEL_IDMA64 is not set
CONFIG_INTEL_SOC_PMIC_CHTDC_TI=m
@@ -5206,7 +5213,7 @@ CONFIG_TCG_NSC=m
# CONFIG_TCG_TIS_I2C_ATMEL is not set
# CONFIG_TCG_TIS_I2C_INFINEON is not set
# CONFIG_TCG_TIS_I2C_NUVOTON is not set
-# CONFIG_TCG_TIS_SPI is not set
+CONFIG_TCG_TIS_SPI=m
# CONFIG_TCG_TIS_ST33ZP24_I2C is not set
# CONFIG_TCG_TIS_ST33ZP24_SPI is not set
CONFIG_TCG_TIS=y
diff --git a/kernel-s390x.config b/kernel-s390x.config
index bd9891b81..e8625dd5d 100644
--- a/kernel-s390x.config
+++ b/kernel-s390x.config
@@ -1926,17 +1926,23 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
CONFIG_IIO_TRIGGER=y
# CONFIG_IKCONFIG is not set
CONFIG_IKHEADERS=m
-# CONFIG_IMA_APPRAISE is not set
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+CONFIG_IMA_APPRAISE=y
+# CONFIG_IMA_ARCH_POLICY is not set
+# CONFIG_IMA_BLACKLIST_KEYRING is not set
# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
CONFIG_IMA_DEFAULT_HASH_SHA256=y
CONFIG_IMA_KEXEC=y
CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
+# CONFIG_IMA_LOAD_X509 is not set
CONFIG_IMA_LSM_RULES=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_NG_TEMPLATE=y
CONFIG_IMA_READ_POLICY=y
# CONFIG_IMA_SIG_TEMPLATE is not set
# CONFIG_IMA_TEMPLATE is not set
+# CONFIG_IMA_TRUSTED_KEYRING is not set
CONFIG_IMA_WRITE_POLICY=y
CONFIG_IMA=y
# CONFIG_IMG_ASCII_LCD is not set
@@ -2050,6 +2056,7 @@ CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_TRUSTED_KEYRING=y
CONFIG_INTEGRITY=y
# CONFIG_INTEL_IDMA64 is not set
CONFIG_INTEL_SOC_PMIC_CHTDC_TI=m
@@ -5183,7 +5190,7 @@ CONFIG_TCG_NSC=m
# CONFIG_TCG_TIS_I2C_ATMEL is not set
# CONFIG_TCG_TIS_I2C_INFINEON is not set
# CONFIG_TCG_TIS_I2C_NUVOTON is not set
-# CONFIG_TCG_TIS_SPI is not set
+CONFIG_TCG_TIS_SPI=m
# CONFIG_TCG_TIS_ST33ZP24_I2C is not set
# CONFIG_TCG_TIS_ST33ZP24_SPI is not set
CONFIG_TCG_TIS=y
diff --git a/kernel-x86_64-debug.config b/kernel-x86_64-debug.config
index d7bca3950..084e94924 100644
--- a/kernel-x86_64-debug.config
+++ b/kernel-x86_64-debug.config
@@ -2201,18 +2201,23 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
CONFIG_IIO_TRIGGER=y
# CONFIG_IKCONFIG is not set
CONFIG_IKHEADERS=m
-# CONFIG_IMA_APPRAISE is not set
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+CONFIG_IMA_APPRAISE=y
# CONFIG_IMA_ARCH_POLICY is not set
+# CONFIG_IMA_BLACKLIST_KEYRING is not set
# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
CONFIG_IMA_DEFAULT_HASH_SHA256=y
CONFIG_IMA_KEXEC=y
CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
+# CONFIG_IMA_LOAD_X509 is not set
CONFIG_IMA_LSM_RULES=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_NG_TEMPLATE=y
CONFIG_IMA_READ_POLICY=y
# CONFIG_IMA_SIG_TEMPLATE is not set
# CONFIG_IMA_TEMPLATE is not set
+# CONFIG_IMA_TRUSTED_KEYRING is not set
CONFIG_IMA_WRITE_POLICY=y
CONFIG_IMA=y
# CONFIG_IMG_ASCII_LCD is not set
@@ -2333,6 +2338,7 @@ CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
CONFIG_INTEGRITY_PLATFORM_KEYRING=y
CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_TRUSTED_KEYRING=y
CONFIG_INTEGRITY=y
CONFIG_INTEL_ATOMISP2_PM=m
CONFIG_INTEL_BXT_PMIC_THERMAL=m
@@ -5707,7 +5713,7 @@ CONFIG_TCG_NSC=m
# CONFIG_TCG_TIS_I2C_ATMEL is not set
# CONFIG_TCG_TIS_I2C_INFINEON is not set
# CONFIG_TCG_TIS_I2C_NUVOTON is not set
-# CONFIG_TCG_TIS_SPI is not set
+CONFIG_TCG_TIS_SPI=m
# CONFIG_TCG_TIS_ST33ZP24_I2C is not set
# CONFIG_TCG_TIS_ST33ZP24_SPI is not set
CONFIG_TCG_TIS=y
diff --git a/kernel-x86_64.config b/kernel-x86_64.config
index 87172823e..60a54e35a 100644
--- a/kernel-x86_64.config
+++ b/kernel-x86_64.config
@@ -2184,18 +2184,23 @@ CONFIG_IIO_TRIGGERED_BUFFER=m
CONFIG_IIO_TRIGGER=y
# CONFIG_IKCONFIG is not set
CONFIG_IKHEADERS=m
-# CONFIG_IMA_APPRAISE is not set
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+CONFIG_IMA_APPRAISE=y
# CONFIG_IMA_ARCH_POLICY is not set
+# CONFIG_IMA_BLACKLIST_KEYRING is not set
# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
CONFIG_IMA_DEFAULT_HASH_SHA256=y
CONFIG_IMA_KEXEC=y
CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
+# CONFIG_IMA_LOAD_X509 is not set
CONFIG_IMA_LSM_RULES=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_NG_TEMPLATE=y
CONFIG_IMA_READ_POLICY=y
# CONFIG_IMA_SIG_TEMPLATE is not set
# CONFIG_IMA_TEMPLATE is not set
+# CONFIG_IMA_TRUSTED_KEYRING is not set
CONFIG_IMA_WRITE_POLICY=y
CONFIG_IMA=y
# CONFIG_IMG_ASCII_LCD is not set
@@ -2316,6 +2321,7 @@ CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
CONFIG_INTEGRITY_PLATFORM_KEYRING=y
CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_TRUSTED_KEYRING=y
CONFIG_INTEGRITY=y
CONFIG_INTEL_ATOMISP2_PM=m
CONFIG_INTEL_BXT_PMIC_THERMAL=m
@@ -5686,7 +5692,7 @@ CONFIG_TCG_NSC=m
# CONFIG_TCG_TIS_I2C_ATMEL is not set
# CONFIG_TCG_TIS_I2C_INFINEON is not set
# CONFIG_TCG_TIS_I2C_NUVOTON is not set
-# CONFIG_TCG_TIS_SPI is not set
+CONFIG_TCG_TIS_SPI=m
# CONFIG_TCG_TIS_ST33ZP24_I2C is not set
# CONFIG_TCG_TIS_ST33ZP24_SPI is not set
CONFIG_TCG_TIS=y
diff --git a/kernel.spec b/kernel.spec
index 79182ded0..aa29c144b 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -44,7 +44,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
#
-%global baserelease 1
+%global baserelease 2
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@@ -1820,6 +1820,9 @@ fi
#
#
%changelog
+* Wed Jul 31 2019 Peter Robinson <pbrobinson@fedoraproject.org> 5.3.0-0.rc2.git2.2
+- Enable IMA Appraisal
+
* Wed Jul 31 2019 Laura Abbott <labbott@redhat.com> - 5.3.0-0.rc2.git2.1
- Linux v5.3-rc2-51-g4010b622f1d2