From 2758d24adfddcb6d8ede1a48a9fe045da79fb244 Mon Sep 17 00:00:00 2001 
From: Jeremy Cline Date: Mon, 12 Mar 2018 15:31:15 -0400 Subject: Revert "Enable IMA (rhbz 790008)" This reverts commit bb540d20c6388d18e5977f14f35f96318be223e1. A recent change to the EFI lockdown patch forces IMA policy to be loaded when secureboot is used. Unfortunately, we don't have all the pieces in place to have all components fully signed. A F29 change request is planned to address this, so disable IMA for F28. --- configs/fedora/generic/CONFIG_IMA | 2 +- configs/fedora/generic/CONFIG_IMA_APPRAISE | 1 - configs/fedora/generic/CONFIG_IMA_APPRAISE_BOOTPARAM | 1 - configs/fedora/generic/CONFIG_IMA_BLACKLIST_KEYRING | 1 - .../generic/CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY | 1 - configs/fedora/generic/CONFIG_IMA_LOAD_X509 | 1 - configs/fedora/generic/CONFIG_IMA_READ_POLICY | 1 - configs/fedora/generic/CONFIG_IMA_TRUSTED_KEYRING | 1 - configs/fedora/generic/CONFIG_IMA_WRITE_POLICY | 1 - configs/fedora/generic/CONFIG_INTEGRITY | 2 +- configs/fedora/generic/CONFIG_INTEGRITY_ASYMMETRIC_KEYS | 1 - configs/fedora/generic/CONFIG_INTEGRITY_AUDIT | 1 - configs/fedora/generic/CONFIG_INTEGRITY_SIGNATURE | 1 - configs/fedora/generic/CONFIG_TCG_TIS | 2 +- configs/fedora/generic/CONFIG_TCG_TPM | 2 +- 15 files changed, 4 insertions(+), 15 deletions(-) delete mode 100644 configs/fedora/generic/CONFIG_IMA_APPRAISE delete mode 100644 configs/fedora/generic/CONFIG_IMA_APPRAISE_BOOTPARAM delete mode 100644 configs/fedora/generic/CONFIG_IMA_BLACKLIST_KEYRING delete mode 100644 configs/fedora/generic/CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY delete mode 100644 configs/fedora/generic/CONFIG_IMA_LOAD_X509 delete mode 100644 configs/fedora/generic/CONFIG_IMA_READ_POLICY delete mode 100644 configs/fedora/generic/CONFIG_IMA_TRUSTED_KEYRING delete mode 100644 configs/fedora/generic/CONFIG_IMA_WRITE_POLICY delete mode 100644 configs/fedora/generic/CONFIG_INTEGRITY_ASYMMETRIC_KEYS delete mode 100644 configs/fedora/generic/CONFIG_INTEGRITY_AUDIT delete mode 
100644 configs/fedora/generic/CONFIG_INTEGRITY_SIGNATURE (limited to 'configs')
diff --git a/configs/fedora/generic/CONFIG_IMA b/configs/fedora/generic/CONFIG_IMA
index 752982bdd..83a06345b 100644
--- a/configs/fedora/generic/CONFIG_IMA
+++ b/configs/fedora/generic/CONFIG_IMA
@@ -1 +1 @@
-CONFIG_IMA=y
+# CONFIG_IMA is not set
diff --git a/configs/fedora/generic/CONFIG_IMA_APPRAISE b/configs/fedora/generic/CONFIG_IMA_APPRAISE
deleted file mode 100644
index da04fd67d..000000000
--- a/configs/fedora/generic/CONFIG_IMA_APPRAISE
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_IMA_APPRAISE=y
diff --git a/configs/fedora/generic/CONFIG_IMA_APPRAISE_BOOTPARAM b/configs/fedora/generic/CONFIG_IMA_APPRAISE_BOOTPARAM
deleted file mode 100644
index 000a58fb6..000000000
--- a/configs/fedora/generic/CONFIG_IMA_APPRAISE_BOOTPARAM
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_IMA_APPRAISE_BOOTPARAM=y
diff --git a/configs/fedora/generic/CONFIG_IMA_BLACKLIST_KEYRING b/configs/fedora/generic/CONFIG_IMA_BLACKLIST_KEYRING
deleted file mode 100644
index 5329626fb..000000000
--- a/configs/fedora/generic/CONFIG_IMA_BLACKLIST_KEYRING
+++ /dev/null
@@ -1 +0,0 @@
-# CONFIG_IMA_BLACKLIST_KEYRING is not set
diff --git a/configs/fedora/generic/CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY b/configs/fedora/generic/CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
deleted file mode 100644
index 08056234d..000000000
--- a/configs/fedora/generic/CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
diff --git a/configs/fedora/generic/CONFIG_IMA_LOAD_X509 b/configs/fedora/generic/CONFIG_IMA_LOAD_X509
deleted file mode 100644
index 00d39701b..000000000
--- a/configs/fedora/generic/CONFIG_IMA_LOAD_X509
+++ /dev/null
@@ -1 +0,0 @@
-# CONFIG_IMA_LOAD_X509 is not set
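Review bot: The `CONFIG_IMA` hunk (`# CONFIG_IMA is not set`) turns IMA off for every F28 kernel, including measurement on systems that do not boot with Secure Boot, while the description only names the lockdown patch forcing an IMA policy under Secure Boot. The later `CONFIG_INTEGRITY` hunk (`# CONFIG_INTEGRITY is not set`) goes wider still and drops the whole integrity subsystem, including the `CONFIG_INTEGRITY_AUDIT` and `CONFIG_INTEGRITY_SIGNATURE` options deleted in this patch. Hosts that consumed the IMA measurement list or integrity audit records would presumably lose them without any runtime indication. The commit description should state that scope and name the tracking reference for the F29 change, for example `Note: this also removes IMA measurement and integrity audit on non-Secure-Boot systems until the F29 change (<tracking reference>) lands.`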
diff --git a/configs/fedora/generic/CONFIG_IMA_READ_POLICY b/configs/fedora/generic/CONFIG_IMA_READ_POLICY
deleted file mode 100644
index 8f280d803..000000000
--- a/configs/fedora/generic/CONFIG_IMA_READ_POLICY
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_IMA_READ_POLICY=y
diff --git a/configs/fedora/generic/CONFIG_IMA_TRUSTED_KEYRING b/configs/fedora/generic/CONFIG_IMA_TRUSTED_KEYRING
deleted file mode 100644
index d27057dad..000000000
--- a/configs/fedora/generic/CONFIG_IMA_TRUSTED_KEYRING
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_IMA_TRUSTED_KEYRING=y
diff --git a/configs/fedora/generic/CONFIG_IMA_WRITE_POLICY b/configs/fedora/generic/CONFIG_IMA_WRITE_POLICY
deleted file mode 100644
index e54ce85d7..000000000
--- a/configs/fedora/generic/CONFIG_IMA_WRITE_POLICY
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_IMA_WRITE_POLICY=y
diff --git a/configs/fedora/generic/CONFIG_INTEGRITY b/configs/fedora/generic/CONFIG_INTEGRITY
index a3524cb6b..5dd074057 100644
--- a/configs/fedora/generic/CONFIG_INTEGRITY
+++ b/configs/fedora/generic/CONFIG_INTEGRITY
@@ -1 +1 @@
-CONFIG_INTEGRITY=y
+# CONFIG_INTEGRITY is not set
diff --git a/configs/fedora/generic/CONFIG_INTEGRITY_ASYMMETRIC_KEYS b/configs/fedora/generic/CONFIG_INTEGRITY_ASYMMETRIC_KEYS
deleted file mode 100644
index a1485b903..000000000
--- a/configs/fedora/generic/CONFIG_INTEGRITY_ASYMMETRIC_KEYS
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
diff --git a/configs/fedora/generic/CONFIG_INTEGRITY_AUDIT b/configs/fedora/generic/CONFIG_INTEGRITY_AUDIT
deleted file mode 100644
index 09d5db2b6..000000000
--- a/configs/fedora/generic/CONFIG_INTEGRITY_AUDIT
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_INTEGRITY_AUDIT=y
diff --git a/configs/fedora/generic/CONFIG_INTEGRITY_SIGNATURE b/configs/fedora/generic/CONFIG_INTEGRITY_SIGNATURE
deleted file mode 100644
index 2d104809d..000000000
--- a/configs/fedora/generic/CONFIG_INTEGRITY_SIGNATURE
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_INTEGRITY_SIGNATURE=y
diff --git a/configs/fedora/generic/CONFIG_TCG_TIS b/configs/fedora/generic/CONFIG_TCG_TIS
index eb9a4ccac..b119645b2 100644
--- a/configs/fedora/generic/CONFIG_TCG_TIS
+++ b/configs/fedora/generic/CONFIG_TCG_TIS
@@ -1 +1 @@
-CONFIG_TCG_TIS=y
+CONFIG_TCG_TIS=m
diff --git a/configs/fedora/generic/CONFIG_TCG_TPM b/configs/fedora/generic/CONFIG_TCG_TPM
index 07d9499c1..8c2c3b86d 100644
--- a/configs/fedora/generic/CONFIG_TCG_TPM
+++ b/configs/fedora/generic/CONFIG_TCG_TPM
@@ -1 +1 @@
-CONFIG_TCG_TPM=y
+CONFIG_TCG_TPM=m
-- cgit
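Review bot: `CONFIG_TCG_TIS=m` and `CONFIG_TCG_TPM=m` make the TPM driver loadable again, and nothing in the config tree records that these two settings are coupled to IMA. That is consistent with IMA being off, but IMA looks for a TPM when it initialises and falls back to running without PCR extension if none is registered yet, so a later `CONFIG_IMA=y` with the TPM still modular would measure without anchoring anything in hardware. The planned F29 re-enable should therefore flip both files back in the same commit, `CONFIG_TCG_TPM=y` and `CONFIG_TCG_TIS=y`. Recording that dependency in the commit description would keep a partial re-enable from passing review unnoticed.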