From 9311d0121abc45953d53de794e926eeabb13af2d Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Jul 17 2019 10:13:35 +0000 Subject: IMA: change default hash from sha1 to sha256, the later is more secuure and hence should be the default --- diff --git a/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA1 b/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA1 index f1f433a..b518898 100644 --- a/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA1 +++ b/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA1 @@ -1 +1 @@ -CONFIG_IMA_DEFAULT_HASH_SHA1=y +# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set diff --git a/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA256 b/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA256 index 29bd8f8..e627fd9 100644 --- a/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA256 +++ b/configs/fedora/generic/CONFIG_IMA_DEFAULT_HASH_SHA256 @@ -1 +1 @@ -# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set +CONFIG_IMA_DEFAULT_HASH_SHA256=y diff --git a/kernel-aarch64-debug.config b/kernel-aarch64-debug.config index a8820ae..a21830e 100644 --- a/kernel-aarch64-debug.config +++ b/kernel-aarch64-debug.config @@ -2432,8 +2432,8 @@ CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IKHEADERS=m # CONFIG_IMA_APPRAISE is not set -CONFIG_IMA_DEFAULT_HASH_SHA1=y -# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set +# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set +CONFIG_IMA_DEFAULT_HASH_SHA256=y CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y CONFIG_IMA_LSM_RULES=y CONFIG_IMA_MEASURE_PCR_IDX=10 diff --git a/kernel-aarch64.config b/kernel-aarch64.config index 73ce298..cf0b668 100644 --- a/kernel-aarch64.config +++ b/kernel-aarch64.config @@ -2416,8 +2416,8 @@ CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IKHEADERS=m # CONFIG_IMA_APPRAISE is not set -CONFIG_IMA_DEFAULT_HASH_SHA1=y -# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set +# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set +CONFIG_IMA_DEFAULT_HASH_SHA256=y CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y CONFIG_IMA_LSM_RULES=y CONFIG_IMA_MEASURE_PCR_IDX=10 diff --git a/kernel-armv7hl-debug.config b/kernel-armv7hl-debug.config index 871f216..d45a249 100644 --- a/kernel-armv7hl-debug.config +++ b/kernel-armv7hl-debug.config @@ -2463,8 +2463,8 @@ CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IKHEADERS=m # CONFIG_IMA_APPRAISE is not set -CONFIG_IMA_DEFAULT_HASH_SHA1=y -# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set +# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set +CONFIG_IMA_DEFAULT_HASH_SHA256=y CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y CONFIG_IMA_LSM_RULES=y CONFIG_IMA_MEASURE_PCR_IDX=10 diff --git a/kernel-armv7hl-lpae-debug.config b/kernel-armv7hl-lpae-debug.config index 3afc394..fdb67ba 100644 --- a/kernel-armv7hl-lpae-debug.config +++ b/kernel-armv7hl-lpae-debug.config @@ -2381,8 +2381,8 @@ CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IKHEADERS=m # CONFIG_IMA_APPRAISE is not set -CONFIG_IMA_DEFAULT_HASH_SHA1=y -# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set +# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set +CONFIG_IMA_DEFAULT_HASH_SHA256=y CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y CONFIG_IMA_LSM_RULES=y CONFIG_IMA_MEASURE_PCR_IDX=10 diff --git a/kernel-armv7hl-lpae.config b/kernel-armv7hl-lpae.config index 2480cf9..bf03cfb 100644 --- a/kernel-armv7hl-lpae.config +++ b/kernel-armv7hl-lpae.config @@ -2366,8 +2366,8 @@ CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IKHEADERS=m # CONFIG_IMA_APPRAISE is not set -CONFIG_IMA_DEFAULT_HASH_SHA1=y -# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set +# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set +CONFIG_IMA_DEFAULT_HASH_SHA256=y CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y CONFIG_IMA_LSM_RULES=y CONFIG_IMA_MEASURE_PCR_IDX=10 diff --git a/kernel-armv7hl.config b/kernel-armv7hl.config index 0d84290..f621915 100644 --- a/kernel-armv7hl.config +++ b/kernel-armv7hl.config @@ -2448,8 +2448,8 @@ CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IKHEADERS=m # CONFIG_IMA_APPRAISE is not set -CONFIG_IMA_DEFAULT_HASH_SHA1=y -# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set +# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set +CONFIG_IMA_DEFAULT_HASH_SHA256=y CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y CONFIG_IMA_LSM_RULES=y CONFIG_IMA_MEASURE_PCR_IDX=10 diff --git a/kernel-i686-debug.config b/kernel-i686-debug.config index 25d715f..1af028d 100644 --- a/kernel-i686-debug.config +++ b/kernel-i686-debug.config @@ -2184,8 +2184,8 @@ CONFIG_IIO_TRIGGER=y CONFIG_IKHEADERS=m # CONFIG_IMA_APPRAISE is not set # CONFIG_IMA_ARCH_POLICY is not set -CONFIG_IMA_DEFAULT_HASH_SHA1=y -# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set +# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set +CONFIG_IMA_DEFAULT_HASH_SHA256=y CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y CONFIG_IMA_LSM_RULES=y CONFIG_IMA_MEASURE_PCR_IDX=10 diff --git a/kernel-i686.config b/kernel-i686.config index 0143341..cccf51d 100644 --- a/kernel-i686.config +++ b/kernel-i686.config @@ -2167,8 +2167,8 @@ CONFIG_IIO_TRIGGER=y CONFIG_IKHEADERS=m # CONFIG_IMA_APPRAISE is not set # CONFIG_IMA_ARCH_POLICY is not set -CONFIG_IMA_DEFAULT_HASH_SHA1=y -# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set +# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set +CONFIG_IMA_DEFAULT_HASH_SHA256=y CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y CONFIG_IMA_LSM_RULES=y CONFIG_IMA_MEASURE_PCR_IDX=10 diff --git a/kernel-ppc64le-debug.config b/kernel-ppc64le-debug.config index 4f9c756..48ba9cc 100644 --- a/kernel-ppc64le-debug.config +++ b/kernel-ppc64le-debug.config @@ -1992,8 +1992,8 @@ CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IKHEADERS=m # CONFIG_IMA_APPRAISE is not set -CONFIG_IMA_DEFAULT_HASH_SHA1=y -# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set +# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set +CONFIG_IMA_DEFAULT_HASH_SHA256=y # CONFIG_IMA is not set CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y CONFIG_IMA_LSM_RULES=y diff --git a/kernel-ppc64le.config b/kernel-ppc64le.config index fd0d323..896ea2a 100644 --- a/kernel-ppc64le.config +++ b/kernel-ppc64le.config @@ -1975,8 +1975,8 @@ CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IKHEADERS=m # CONFIG_IMA_APPRAISE is not set -CONFIG_IMA_DEFAULT_HASH_SHA1=y -# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set +# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set +CONFIG_IMA_DEFAULT_HASH_SHA256=y # CONFIG_IMA is not set CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y CONFIG_IMA_LSM_RULES=y diff --git a/kernel-s390x-debug.config b/kernel-s390x-debug.config index b10f1c7..b316226 100644 --- a/kernel-s390x-debug.config +++ b/kernel-s390x-debug.config @@ -1972,8 +1972,8 @@ CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IKHEADERS=m # CONFIG_IMA_APPRAISE is not set -CONFIG_IMA_DEFAULT_HASH_SHA1=y -# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set +# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set +CONFIG_IMA_DEFAULT_HASH_SHA256=y CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y CONFIG_IMA_LSM_RULES=y CONFIG_IMA_MEASURE_PCR_IDX=10 diff --git a/kernel-s390x.config b/kernel-s390x.config index 4134d0e..a6b4838 100644 --- a/kernel-s390x.config +++ b/kernel-s390x.config @@ -1955,8 +1955,8 @@ CONFIG_IIO_TRIGGER=y # CONFIG_IKCONFIG is not set CONFIG_IKHEADERS=m # CONFIG_IMA_APPRAISE is not set -CONFIG_IMA_DEFAULT_HASH_SHA1=y -# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set +# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set +CONFIG_IMA_DEFAULT_HASH_SHA256=y CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y CONFIG_IMA_LSM_RULES=y CONFIG_IMA_MEASURE_PCR_IDX=10 diff --git a/kernel-x86_64-debug.config b/kernel-x86_64-debug.config index fbb4a69..bd48d12 100644 --- a/kernel-x86_64-debug.config +++ b/kernel-x86_64-debug.config @@ -2228,8 +2228,8 @@ CONFIG_IIO_TRIGGER=y CONFIG_IKHEADERS=m # CONFIG_IMA_APPRAISE is not set # CONFIG_IMA_ARCH_POLICY is not set -CONFIG_IMA_DEFAULT_HASH_SHA1=y -# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set +# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set +CONFIG_IMA_DEFAULT_HASH_SHA256=y CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y CONFIG_IMA_LSM_RULES=y CONFIG_IMA_MEASURE_PCR_IDX=10 diff --git a/kernel-x86_64.config b/kernel-x86_64.config index 72a310c..16e5799 100644 --- a/kernel-x86_64.config +++ b/kernel-x86_64.config @@ -2211,8 +2211,8 @@ CONFIG_IIO_TRIGGER=y CONFIG_IKHEADERS=m # CONFIG_IMA_APPRAISE is not set # CONFIG_IMA_ARCH_POLICY is not set -CONFIG_IMA_DEFAULT_HASH_SHA1=y -# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set +# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set +CONFIG_IMA_DEFAULT_HASH_SHA256=y CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y CONFIG_IMA_LSM_RULES=y CONFIG_IMA_MEASURE_PCR_IDX=10