diff options
author | Jeremy Cline <jcline@redhat.com> | 2019-04-15 11:10:59 -0400 |
---|---|---|
committer | Jeremy Cline <jcline@redhat.com> | 2019-04-15 12:15:16 -0400 |
commit | 4b5e4234be6539e237a2eaf36decf1b4b41fdc22 (patch) | |
tree | 8ba72fb6d4ddd5378b105c67f1ac3c98cab75cce /kernel-i686.config | |
parent | 8495ba147ba20dc6887c9ec33285166c9a5915f7 (diff) | |
download | kernel-4b5e4234be6539e237a2eaf36decf1b4b41fdc22.tar.gz kernel-4b5e4234be6539e237a2eaf36decf1b4b41fdc22.tar.xz kernel-4b5e4234be6539e237a2eaf36decf1b4b41fdc22.zip |
Rebase the kernel lockdown patch set
Use the latest version of the kernel lockdown patch set. This includes a
few configuration renames:
CONFIG_KEXEC_VERIFY_SIG became CONFIG_KEXEC_SIG and
CONFIG_KEXEC_SIG_FORCE was added. CONFIG_KEXEC_SIG_FORCE=n because the
"kexec_file: Restrict at runtime if the kernel is locked down" patch
enforces the signature requirement when the kernel is locked down.
CONFIG_LOCK_DOWN_MANDATORY got renamed to CONFIG_LOCK_DOWN_KERNEL_FORCE
and remains false as LOCK_DOWN_IN_EFI_SECURE_BOOT covers enabling it for
EFI Secure Boot users.
Finally, the SysRq patches got dropped for the present.
Diffstat (limited to 'kernel-i686.config')
-rw-r--r-- | kernel-i686.config | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/kernel-i686.config b/kernel-i686.config index ae761ca96..a06009607 100644 --- a/kernel-i686.config +++ b/kernel-i686.config @@ -2625,7 +2625,8 @@ CONFIG_KERNEL_GZIP=y # CONFIG_KERNEL_XZ is not set # CONFIG_KEXEC_FILE is not set # CONFIG_KEXEC_JUMP is not set -CONFIG_KEXEC_VERIFY_SIG=y +# CONFIG_KEXEC_SIG_FORCE is not set +CONFIG_KEXEC_SIG=y CONFIG_KEXEC=y # CONFIG_KEYBOARD_ADC is not set # CONFIG_KEYBOARD_ADP5588 is not set @@ -2808,8 +2809,8 @@ CONFIG_LOCALVERSION="" # CONFIG_LOCALVERSION_AUTO is not set CONFIG_LOCKD=m # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set +# CONFIG_LOCK_DOWN_KERNEL_FORCE is not set CONFIG_LOCK_DOWN_KERNEL=y -# CONFIG_LOCK_DOWN_MANDATORY is not set CONFIG_LOCKD_V4=y # CONFIG_LOCK_STAT is not set # CONFIG_LOCK_TORTURE_TEST is not set |