From 4acc5bbea900934e5b4bc8835a62b5dcc5c57cab Mon Sep 17 00:00:00 2001 From: Laura Abbott Date: Mon, 12 Mar 2018 12:12:50 -0700 Subject: Disable IMA appraise (rhbz 1554474) A recent change to the EFI lockdown patch forces IMA policy to be loaded when secureboot is used. Unfortunately, we don't have all the pieces in place to have all components fully signed. Disable appraisal for now until that gets fixed. --- configs/fedora/generic/CONFIG_IMA_APPRAISE | 2 +- kernel-aarch64-debug.config | 2 +- kernel-aarch64.config | 2 +- kernel-armv7hl-debug.config | 2 +- kernel-armv7hl-lpae-debug.config | 2 +- kernel-armv7hl-lpae.config | 2 +- kernel-armv7hl.config | 2 +- kernel-i686-PAE.config | 2 +- kernel-i686-PAEdebug.config | 2 +- kernel-i686-debug.config | 2 +- kernel-i686.config | 2 +- kernel-ppc64-debug.config | 2 +- kernel-ppc64.config | 2 +- kernel-ppc64le-debug.config | 2 +- kernel-ppc64le.config | 2 +- kernel-s390x-debug.config | 2 +- kernel-s390x.config | 2 +- kernel-x86_64-debug.config | 2 +- kernel-x86_64.config | 2 +- 19 files changed, 19 insertions(+), 19 deletions(-) diff --git a/configs/fedora/generic/CONFIG_IMA_APPRAISE b/configs/fedora/generic/CONFIG_IMA_APPRAISE index da04fd67d..acbe2fe3c 100644 --- a/configs/fedora/generic/CONFIG_IMA_APPRAISE +++ b/configs/fedora/generic/CONFIG_IMA_APPRAISE @@ -1 +1 @@ -CONFIG_IMA_APPRAISE=y +# CONFIG_IMA_APPRAISE is not set diff --git a/kernel-aarch64-debug.config b/kernel-aarch64-debug.config index e2c0ad429..9edb05112 100644 --- a/kernel-aarch64-debug.config +++ b/kernel-aarch64-debug.config @@ -2206,7 +2206,7 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IMA_APPRAISE_BOOTPARAM=y -CONFIG_IMA_APPRAISE=y +# CONFIG_IMA_APPRAISE is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y # CONFIG_IMA_LOAD_X509 is not set diff --git a/kernel-aarch64.config b/kernel-aarch64.config index f241c8b02..572d9975b 100644 --- a/kernel-aarch64.config +++ b/kernel-aarch64.config @@ -2188,7 +2188,7 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IMA_APPRAISE_BOOTPARAM=y -CONFIG_IMA_APPRAISE=y +# CONFIG_IMA_APPRAISE is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y # CONFIG_IMA_LOAD_X509 is not set diff --git a/kernel-armv7hl-debug.config b/kernel-armv7hl-debug.config index 06be2a125..88f319adf 100644 --- a/kernel-armv7hl-debug.config +++ b/kernel-armv7hl-debug.config @@ -2330,7 +2330,7 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IMA_APPRAISE_BOOTPARAM=y -CONFIG_IMA_APPRAISE=y +# CONFIG_IMA_APPRAISE is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y # CONFIG_IMA_LOAD_X509 is not set diff --git a/kernel-armv7hl-lpae-debug.config b/kernel-armv7hl-lpae-debug.config index 62269a667..7e24f66e0 100644 --- a/kernel-armv7hl-lpae-debug.config +++ b/kernel-armv7hl-lpae-debug.config @@ -2216,7 +2216,7 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IMA_APPRAISE_BOOTPARAM=y -CONFIG_IMA_APPRAISE=y +# CONFIG_IMA_APPRAISE is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y # CONFIG_IMA_LOAD_X509 is not set diff --git a/kernel-armv7hl-lpae.config b/kernel-armv7hl-lpae.config index e3af01fce..c585c17e6 100644 --- a/kernel-armv7hl-lpae.config +++ b/kernel-armv7hl-lpae.config @@ -2198,7 +2198,7 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IMA_APPRAISE_BOOTPARAM=y -CONFIG_IMA_APPRAISE=y +# CONFIG_IMA_APPRAISE is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y # CONFIG_IMA_LOAD_X509 is not set diff --git a/kernel-armv7hl.config b/kernel-armv7hl.config index 105731a57..ffa53449b 100644 --- a/kernel-armv7hl.config +++ b/kernel-armv7hl.config @@ -2312,7 +2312,7 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IMA_APPRAISE_BOOTPARAM=y -CONFIG_IMA_APPRAISE=y +# CONFIG_IMA_APPRAISE is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y # CONFIG_IMA_LOAD_X509 is not set diff --git a/kernel-i686-PAE.config b/kernel-i686-PAE.config index 7add60bd6..c513757d9 100644 --- a/kernel-i686-PAE.config +++ b/kernel-i686-PAE.config @@ -2053,7 +2053,7 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IMA_APPRAISE_BOOTPARAM=y -CONFIG_IMA_APPRAISE=y +# CONFIG_IMA_APPRAISE is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y # CONFIG_IMA_LOAD_X509 is not set diff --git a/kernel-i686-PAEdebug.config b/kernel-i686-PAEdebug.config index 41689a39e..5e00edecd 100644 --- a/kernel-i686-PAEdebug.config +++ b/kernel-i686-PAEdebug.config @@ -2072,7 +2072,7 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IMA_APPRAISE_BOOTPARAM=y -CONFIG_IMA_APPRAISE=y +# CONFIG_IMA_APPRAISE is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y # CONFIG_IMA_LOAD_X509 is not set diff --git a/kernel-i686-debug.config b/kernel-i686-debug.config index abfac8c54..35e3a899e 100644 --- a/kernel-i686-debug.config +++ b/kernel-i686-debug.config @@ -2072,7 +2072,7 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IMA_APPRAISE_BOOTPARAM=y -CONFIG_IMA_APPRAISE=y +# CONFIG_IMA_APPRAISE is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y # CONFIG_IMA_LOAD_X509 is not set diff --git a/kernel-i686.config b/kernel-i686.config index e2b0ac96c..5a9f9a9dc 100644 --- a/kernel-i686.config +++ b/kernel-i686.config @@ -2053,7 +2053,7 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IMA_APPRAISE_BOOTPARAM=y -CONFIG_IMA_APPRAISE=y +# CONFIG_IMA_APPRAISE is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y # CONFIG_IMA_LOAD_X509 is not set diff --git a/kernel-ppc64-debug.config b/kernel-ppc64-debug.config index 3289affb3..70139d1ca 100644 --- a/kernel-ppc64-debug.config +++ b/kernel-ppc64-debug.config @@ -1961,7 +1961,7 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IMA_APPRAISE_BOOTPARAM=y -CONFIG_IMA_APPRAISE=y +# CONFIG_IMA_APPRAISE is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set # CONFIG_IMA is not set CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y diff --git a/kernel-ppc64.config b/kernel-ppc64.config index f211e4b89..e81bdb3a0 100644 --- a/kernel-ppc64.config +++ b/kernel-ppc64.config @@ -1942,7 +1942,7 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IMA_APPRAISE_BOOTPARAM=y -CONFIG_IMA_APPRAISE=y +# CONFIG_IMA_APPRAISE is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set # CONFIG_IMA is not set CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y diff --git a/kernel-ppc64le-debug.config b/kernel-ppc64le-debug.config index 59b3e81bc..8370a180c 100644 --- a/kernel-ppc64le-debug.config +++ b/kernel-ppc64le-debug.config @@ -1906,7 +1906,7 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IMA_APPRAISE_BOOTPARAM=y -CONFIG_IMA_APPRAISE=y +# CONFIG_IMA_APPRAISE is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set # CONFIG_IMA is not set CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y diff --git a/kernel-ppc64le.config b/kernel-ppc64le.config index 93ed61ad6..517a9de86 100644 --- a/kernel-ppc64le.config +++ b/kernel-ppc64le.config @@ -1887,7 +1887,7 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IMA_APPRAISE_BOOTPARAM=y -CONFIG_IMA_APPRAISE=y +# CONFIG_IMA_APPRAISE is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set # CONFIG_IMA is not set CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y diff --git a/kernel-s390x-debug.config b/kernel-s390x-debug.config index c05b3c585..ac608ceb4 100644 --- a/kernel-s390x-debug.config +++ b/kernel-s390x-debug.config @@ -1861,7 +1861,7 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IMA_APPRAISE_BOOTPARAM=y -CONFIG_IMA_APPRAISE=y +# CONFIG_IMA_APPRAISE is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y # CONFIG_IMA_LOAD_X509 is not set diff --git a/kernel-s390x.config b/kernel-s390x.config index 21eafc9b8..3d7914a5f 100644 --- a/kernel-s390x.config +++ b/kernel-s390x.config @@ -1842,7 +1842,7 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IMA_APPRAISE_BOOTPARAM=y -CONFIG_IMA_APPRAISE=y +# CONFIG_IMA_APPRAISE is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y # CONFIG_IMA_LOAD_X509 is not set diff --git a/kernel-x86_64-debug.config b/kernel-x86_64-debug.config index 0b83aa306..685ec8eb7 100644 --- a/kernel-x86_64-debug.config +++ b/kernel-x86_64-debug.config @@ -2119,7 +2119,7 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IMA_APPRAISE_BOOTPARAM=y -CONFIG_IMA_APPRAISE=y +# CONFIG_IMA_APPRAISE is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y # CONFIG_IMA_LOAD_X509 is not set diff --git a/kernel-x86_64.config b/kernel-x86_64.config index 2b62f36a1..38352e2fb 100644 --- a/kernel-x86_64.config +++ b/kernel-x86_64.config @@ -2100,7 +2100,7 @@ CONFIG_IIO_TRIGGERED_BUFFER=m CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IMA_APPRAISE_BOOTPARAM=y -CONFIG_IMA_APPRAISE=y +# CONFIG_IMA_APPRAISE is not set # CONFIG_IMA_BLACKLIST_KEYRING is not set CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y # CONFIG_IMA_LOAD_X509 is not set -- cgit