authorJeremy Cline <jcline@redhat.com>2019-04-15 11:10:59 -0400
committerJeremy Cline <jcline@redhat.com>2019-04-15 12:15:16 -0400
commit4b5e4234be6539e237a2eaf36decf1b4b41fdc22 (patch)
tree8ba72fb6d4ddd5378b105c67f1ac3c98cab75cce /kernel-x86_64.config
parent8495ba147ba20dc6887c9ec33285166c9a5915f7 (diff)
Rebase the kernel lockdown patch set
Use the latest version of the kernel lockdown patch set. This includes a few configuration renames: CONFIG_KEXEC_VERIFY_SIG became CONFIG_KEXEC_SIG and CONFIG_KEXEC_SIG_FORCE was added. CONFIG_KEXEC_SIG_FORCE=n because the "kexec_file: Restrict at runtime if the kernel is locked down" patch enforces the signature requirement when the kernel is locked down. CONFIG_LOCK_DOWN_MANDATORY got renamed to CONFIG_LOCK_DOWN_KERNEL_FORCE and remains false as LOCK_DOWN_IN_EFI_SECURE_BOOT covers enabling it for EFI Secure Boot users. Finally, the SysRq patches got dropped for the present.
Diffstat (limited to 'kernel-x86_64.config')
-rw-r--r--kernel-x86_64.config5
1 files changed, 3 insertions, 2 deletions
diff --git a/kernel-x86_64.config b/kernel-x86_64.config
index fad3cde3f..7fc7762a6 100644
--- a/kernel-x86_64.config
+++ b/kernel-x86_64.config
@@ -2682,7 +2682,8 @@ CONFIG_KERNEL_GZIP=y
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
CONFIG_KEXEC_FILE=y
CONFIG_KEXEC_JUMP=y
-CONFIG_KEXEC_VERIFY_SIG=y
+# CONFIG_KEXEC_SIG_FORCE is not set
+CONFIG_KEXEC_SIG=y
CONFIG_KEXEC=y
# CONFIG_KEYBOARD_ADC is not set
# CONFIG_KEYBOARD_ADP5588 is not set
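Review bot: Replacing `CONFIG_KEXEC_VERIFY_SIG=y` with `CONFIG_KEXEC_SIG=y` while leaving `CONFIG_KEXEC_SIG_FORCE` unset is not a pure rename: with FORCE off, kexec_file_load() only rejects unsigned images when the kernel is locked down, which per the description relies on the "kexec_file: Restrict at runtime if the kernel is locked down" patch being carried. Because `CONFIG_LOCK_DOWN_KERNEL_FORCE` is also unset in the second hunk, a boot without EFI Secure Boot (and with lockdown not otherwise enabled) would presumably accept unsigned kexec_file images. That dependency should be recorded beside the option, e.g. `# KEXEC_SIG_FORCE off: rejection of unsigned images relies on the lockdown kexec_file patch`, or in the source fragment if this file is generated. Otherwise a later rebase that drops or reworks that patch removes enforcement with no config change to flag it.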
@@ -2865,8 +2866,8 @@ CONFIG_LOCALVERSION=""
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_LOCKD=m
CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
+# CONFIG_LOCK_DOWN_KERNEL_FORCE is not set
CONFIG_LOCK_DOWN_KERNEL=y
-# CONFIG_LOCK_DOWN_MANDATORY is not set
CONFIG_LOCKD_V4=y
# CONFIG_LOCK_STAT is not set
# CONFIG_LOCK_TORTURE_TEST is not set