summaryrefslogtreecommitdiff
path: root/certs
diff options
context:
space:
mode:
authorNayna Jain <nayna@linux.ibm.com>2021-04-09 17:35:06 +0300
committerMimi Zohar <zohar@linux.ibm.com>2021-04-09 17:40:20 +0300
commit0165f4ca223b04bb032095753fadd28816dc435f (patch)
tree549d478f843b542512926f73f19b6656005753b5 /certs
parentb31f2a495debc71bdfefefea8056ade429f79c4b (diff)
downloadlinux-0165f4ca223b04bb032095753fadd28816dc435f.tar.xz
ima: enable signing of modules with build time generated key
The kernel build process currently only signs kernel modules when MODULE_SIG is enabled. Also, sign the kernel modules at build time when IMA_APPRAISE_MODSIG is enabled. Signed-off-by: Nayna Jain <nayna@linux.ibm.com> Acked-by: Stefan Berger <stefanb@linux.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'certs')
-rw-r--r--certs/Kconfig2
-rw-r--r--certs/Makefile8
2 files changed, 9 insertions, 1 deletions
diff --git a/certs/Kconfig b/certs/Kconfig
index c94e93d8bccf..48675ad319db 100644
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -4,7 +4,7 @@ menu "Certificates for signature checking"
config MODULE_SIG_KEY
string "File name or PKCS#11 URI of module signing key"
default "certs/signing_key.pem"
- depends on MODULE_SIG
+ depends on MODULE_SIG || IMA_APPRAISE_MODSIG
help
Provide the file name of a private key/certificate in PEM format,
or a PKCS#11 URI according to RFC7512. The file should contain, or
diff --git a/certs/Makefile b/certs/Makefile
index f4c25b67aad9..e3185c57fbd8 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -32,6 +32,14 @@ endif # CONFIG_SYSTEM_TRUSTED_KEYRING
clean-files := x509_certificate_list .x509.list
ifeq ($(CONFIG_MODULE_SIG),y)
+ SIGN_KEY = y
+endif
+
+ifeq ($(CONFIG_IMA_APPRAISE_MODSIG),y)
+ SIGN_KEY = y
+endif
+
+ifdef SIGN_KEY
###############################################################################
#
# If module signing is requested, say by allyesconfig, but a key has not been