Rebase the kernel lockdown patch set
Use the latest version of the kernel lockdown patch set. This includes a few configuration renames: CONFIG_KEXEC_VERIFY_SIG became CONFIG_KEXEC_SIG and CONFIG_KEXEC_SIG_FORCE was added. CONFIG_KEXEC_SIG_FORCE=n because the "kexec_file: Restrict at runtime if the kernel is locked down" patch enforces the signature requirement when the kernel is locked down. CONFIG_LOCK_DOWN_MANDATORY got renamed to CONFIG_LOCK_DOWN_KERNEL_FORCE and remains false as LOCK_DOWN_IN_EFI_SECURE_BOOT covers enabling it for EFI Secure Boot users. Finally, the SysRq patches got dropped for the present.
parent 8495ba147b
commit 4b5e4234be
11 changed files with 843 additions and 630 deletions
|
|
@ -2644,7 +2644,8 @@ CONFIG_KERNEL_GZIP=y
|
|||
# CONFIG_KERNEL_XZ is not set
|
||||
# CONFIG_KEXEC_FILE is not set
|
||||
# CONFIG_KEXEC_JUMP is not set
|
||||
CONFIG_KEXEC_VERIFY_SIG=y
|
||||
# CONFIG_KEXEC_SIG_FORCE is not set
|
||||
CONFIG_KEXEC_SIG=y
|
||||
CONFIG_KEXEC=y
|
||||
# CONFIG_KEYBOARD_ADC is not set
|
||||
# CONFIG_KEYBOARD_ADP5588 is not set
|
||||
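Review bot: CONFIG_KEXEC_SIG=y sits two lines below "# CONFIG_KEXEC_FILE is not set" in this hunk, and KEXEC_SIG depends on KEXEC_FILE, so in this config the renamed option has no effect: signature verification only exists on the kexec_file_load path. Please confirm that the configs which are meant to verify kexec images enable CONFIG_KEXEC_FILE through an override, and consider noting that next to the option. Since CONFIG_KEXEC_SIG_FORCE stays unset, it would also help to record here that enforcement is expected to come from the lockdown state rather than from this option, as the commit message explains.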
|
|
@ -2827,8 +2828,8 @@ CONFIG_LOCALVERSION=""
|
|||
# CONFIG_LOCALVERSION_AUTO is not set
|
||||
CONFIG_LOCKD=m
|
||||
# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set
|
||||
# CONFIG_LOCK_DOWN_KERNEL_FORCE is not set
|
||||
CONFIG_LOCK_DOWN_KERNEL=y
|
||||
# CONFIG_LOCK_DOWN_MANDATORY is not set
|
||||
CONFIG_LOCKD_V4=y
|
||||
CONFIG_LOCK_STAT=y
|
||||
CONFIG_LOCK_TORTURE_TEST=m
|
||||
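Review bot: the commit message justifies leaving CONFIG_LOCK_DOWN_KERNEL_FORCE unset by saying LOCK_DOWN_IN_EFI_SECURE_BOOT turns lockdown on for Secure Boot users, but this hunk shows "# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set" as well. With both unset, nothing in this config locks the kernel down at boot, and because CONFIG_KEXEC_SIG_FORCE is also unset, the kexec signature requirement would not be enforced either. Please confirm that the EFI-capable configs override LOCK_DOWN_IN_EFI_SECURE_BOOT to y, or adjust the commit message to say which configs the statement applies to.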