From e21e52b60843bc2c19b187cd6d25723686a610dc Mon Sep 17 00:00:00 2001
From: Jeremy Cline
Date: Mon, 30 Sep 2019 20:00:17 +0000
Subject: Linux v5.3-13236-g97f9a3c4eee5

This is a first pass at getting the secureboot patches working with the upstream lockdown patches that got merged. The final patch from our lockdown set is the sysrq patch which also needs work. For the present it is not applied.
---
 kernel-armv7hl.config | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
(limited to 'kernel-armv7hl.config')

diff --git a/kernel-armv7hl.config b/kernel-armv7hl.config
index f4f5ab153..996968493 100644
--- a/kernel-armv7hl.config
+++ b/kernel-armv7hl.config
@@ -2467,6 +2467,7 @@ CONFIG_IIO_TRIGGER=y
 CONFIG_IKHEADERS=m
 CONFIG_IMA_APPRAISE_BOOTPARAM=y
 # CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+# CONFIG_IMA_APPRAISE_MODSIG is not set
 CONFIG_IMA_APPRAISE=y
 # CONFIG_IMA_ARCH_POLICY is not set
 # CONFIG_IMA_BLACKLIST_KEYRING is not set
@@ -2488,6 +2489,7 @@ CONFIG_IMA=y
 # CONFIG_IMG_ASCII_LCD is not set
 CONFIG_IMX2_WDT=m
 CONFIG_IMX7D_ADC=m
+# CONFIG_IMX7ULP_WDT is not set
 # CONFIG_IMX_DMA is not set
 # CONFIG_IMX_DSP is not set
 CONFIG_IMX_GPCV2_PM_DOMAINS=y
@@ -3145,6 +3147,9 @@ CONFIG_LOCALVERSION=""
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_LOCKD=m
 # CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
+# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
+CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
 # CONFIG_LOCK_DOWN_KERNEL is not set
 CONFIG_LOCKD_V4=y
 # CONFIG_LOCK_EVENT_COUNTS is not set
@@ -4400,7 +4405,7 @@ CONFIG_OPENVSWITCH_VXLAN=m
 CONFIG_OPT3001=m
 CONFIG_OPTEE=m
 CONFIG_OPTEE_SHM_NUM_PRIV_PAGES=1
-# CONFIG_OPTIMIZE_INLINING is not set
+CONFIG_OPTIMIZE_INLINING=y
 CONFIG_OPTPROBES=y
 CONFIG_ORANGEFS_FS=m
 CONFIG_ORINOCO_USB=m
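Review bot: Nothing in this armv7hl config turns lockdown on at boot: the `@@ -3145,6 +3147,9 @@` hunk selects `CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y` while the neighbouring context line keeps `# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set`, so the LSM built in by `CONFIG_SECURITY_LOCKDOWN_LSM=y` and `CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y` in the `@@ -5492,6 +5497,8 @@` hunk stays at level "none" by default. Lockdown then has to be requested with the `lockdown=integrity` or `lockdown=confidentiality` boot parameter or by writing to `/sys/kernel/security/lockdown`; if that is the intended posture for this architecture, the commit message should say so, because it currently reads as if the Secure Boot behaviour is being carried over. The context line `# CONFIG_LOCK_DOWN_KERNEL is not set` looks like a leftover from the earlier out-of-tree patch set, and presumably should disappear when the config is regenerated against the merged Kconfig.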
@@ -5492,6 +5497,8 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
 CONFIG_SECURITYFS=y
 # CONFIG_SECURITY_INFINIBAND is not set
 # CONFIG_SECURITY_LOADPIN is not set
+CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+CONFIG_SECURITY_LOCKDOWN_LSM=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_NETWORK=y
 # CONFIG_SECURITY_PATH is not set
@@ -7445,6 +7452,7 @@ CONFIG_VIRTIO_BALLOON=m
 CONFIG_VIRTIO_BLK=m
 # CONFIG_VIRTIO_BLK_SCSI is not set
 CONFIG_VIRTIO_CONSOLE=m
+CONFIG_VIRTIO_FS=m
 CONFIG_VIRTIO_INPUT=m
 # CONFIG_VIRTIO_IOMMU is not set
 CONFIG_VIRTIO_MENU=y
-- cgit