configs: enable security and sm3/4 configs for trust

to #26581627 Enable a set of config related to kernel trust, including vptm, IMA, EVM, smack LSM, and SM3, SM4, in which SM algorithm is compiled into module. These configs also support the x64 arm platform. The following are some performance data. The output of `systemd-analyze` on the startup time of an ECS (executed three times): before: 725ms (kernel) + 471ms (initrd) + 3.375s (userspace) = 4.572s 794ms (kernel) + 426ms (initrd) + 3.281s (userspace) = 4.501s 797ms (kernel) + 464ms (initrd) + 3.275s (userspace) = 4.538s after: 777ms (kernel) + 439ms (initrd) + 3.456s (userspace) = 4.672s 785ms (kernel) + 450ms (initrd) + 3.313s (userspace) = 4.549s 741ms (kernel) + 481ms (initrd) + 3.274s (userspace) = 4.497s Signed-off-by: N Tianjia Zhang <tianjia.zhang@linux.alibaba.com> Reviewed-by: Jia Zhang <zhang.jia@linux.alibaba.com> Reviewed-by: N Shile Zhang <shile.zhang@linux.alibaba.com>

configs: enable security and sm3/4 configs for trust
to #26581627 Enable a set of config related to kernel trust, including vptm, IMA, EVM, smack LSM, and SM3, SM4, in which SM algorithm is compiled into module. These configs also support the x64 arm platform. The following are some performance data. The output of `systemd-analyze` on the startup time of an ECS (executed three times): before: 725ms (kernel) + 471ms (initrd) + 3.375s (userspace) = 4.572s 794ms (kernel) + 426ms (initrd) + 3.281s (userspace) = 4.501s 797ms (kernel) + 464ms (initrd) + 3.275s (userspace) = 4.538s after: 777ms (kernel) + 439ms (initrd) + 3.456s (userspace) = 4.672s 785ms (kernel) + 450ms (initrd) + 3.313s (userspace) = 4.549s 741ms (kernel) + 481ms (initrd) + 3.274s (userspace) = 4.497s Signed-off-by: N Tianjia Zhang <tianjia.zhang@linux.alibaba.com> Reviewed-by: Jia Zhang <zhang.jia@linux.alibaba.com> Reviewed-by: N Shile Zhang <shile.zhang@linux.alibaba.com>
34e80779 · Tianjia Zhang · f958a9df · 34e80779 · 34e80779 · 34e80779
6 changed file
--- a/configs/config-4.19.y-aarch64
+++ b/configs/config-4.19.y-aarch64
@@ -654,7 +654,7 @@ CONFIG_CRYPTO_SHA1_ARM64_CE=m
 CONFIG_CRYPTO_SHA2_ARM64_CE=m
 # CONFIG_CRYPTO_SHA512_ARM64_CE is not set
 # CONFIG_CRYPTO_SHA3_ARM64 is not set
-# CONFIG_CRYPTO_SM3_ARM64_CE is not set
+CONFIG_CRYPTO_SM3_ARM64_CE=m
 CONFIG_CRYPTO_SM4_ARM64_CE=m
 CONFIG_CRYPTO_GHASH_ARM64_CE=m
 CONFIG_CRYPTO_CRCT10DIF_ARM64_CE=m
@@ -4963,7 +4963,7 @@ CONFIG_KEYS=y
 CONFIG_PERSISTENT_KEYRINGS=y
 CONFIG_BIG_KEYS=y
 CONFIG_TRUSTED_KEYS=m
-CONFIG_ENCRYPTED_KEYS=m
+CONFIG_ENCRYPTED_KEYS=y
 # CONFIG_KEY_DH_OPERATIONS is not set
 # CONFIG_SECURITY_DMESG_RESTRICT is not set
 CONFIG_SECURITY=y
@@ -4986,13 +4986,53 @@ CONFIG_SECURITY_SELINUX_DISABLE=y
 CONFIG_SECURITY_SELINUX_DEVELOP=y
 CONFIG_SECURITY_SELINUX_AVC_STATS=y
 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
-# CONFIG_SECURITY_SMACK is not set
+CONFIG_SECURITY_SMACK=y
+# CONFIG_SECURITY_SMACK_BRINGUP is not set
+# CONFIG_SECURITY_SMACK_NETFILTER is not set
+# CONFIG_SECURITY_SMACK_APPEND_SIGNALS is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
 # CONFIG_SECURITY_LOADPIN is not set
 CONFIG_SECURITY_YAMA=y
-# CONFIG_INTEGRITY is not set
+CONFIG_INTEGRITY=y
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+CONFIG_INTEGRITY_TRUSTED_KEYRING=y
+CONFIG_INTEGRITY_AUDIT=y
+CONFIG_IMA=y
+CONFIG_IMA_MEASURE_PCR_IDX=10
+CONFIG_IMA_LSM_RULES=y
+# CONFIG_IMA_TEMPLATE is not set
+# CONFIG_IMA_NG_TEMPLATE is not set
+CONFIG_IMA_SIG_TEMPLATE=y
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
+# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
+CONFIG_IMA_WRITE_POLICY=y
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_APPRAISE=y
+CONFIG_IMA_APPRAISE_BUILD_POLICY=y
+# CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS is not set
+# CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS is not set
+# CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS is not set
+# CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS is not set
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+CONFIG_IMA_TRUSTED_KEYRING=y
+CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
+CONFIG_IMA_BLACKLIST_KEYRING=y
+CONFIG_IMA_LOAD_X509=y
+CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
+# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
+CONFIG_EVM=y
+CONFIG_EVM_ATTR_FSUUID=y
+CONFIG_EVM_EXTRA_SMACK_XATTRS=y
+# CONFIG_EVM_ADD_XATTRS is not set
+CONFIG_EVM_LOAD_X509=y
+CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
 CONFIG_DEFAULT_SECURITY_SELINUX=y
+# CONFIG_DEFAULT_SECURITY_SMACK is not set
 # CONFIG_DEFAULT_SECURITY_DAC is not set
 CONFIG_DEFAULT_SECURITY="selinux"
 CONFIG_XOR_BLOCKS=m
@@ -5094,7 +5134,7 @@ CONFIG_CRYPTO_SHA1=y
 CONFIG_CRYPTO_SHA256=y
 CONFIG_CRYPTO_SHA512=m
 CONFIG_CRYPTO_SHA3=m
-# CONFIG_CRYPTO_SM3 is not set
+CONFIG_CRYPTO_SM3=m
 CONFIG_CRYPTO_TGR192=m
 CONFIG_CRYPTO_WP512=m
@@ -5182,8 +5222,9 @@ CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
 CONFIG_SYSTEM_TRUSTED_KEYRING=y
 CONFIG_SYSTEM_TRUSTED_KEYS="certs/modsign_alinux.pem"
 # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set
-# CONFIG_SECONDARY_TRUSTED_KEYRING is not set
+CONFIG_SECONDARY_TRUSTED_KEYRING=y
-# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set
+CONFIG_SYSTEM_BLACKLIST_KEYRING=y
+CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
 CONFIG_BINARY_PRINTF=y
 #

--- a/configs/config-4.19.y-aarch64-debug
+++ b/configs/config-4.19.y-aarch64-debug
@@ -659,7 +659,7 @@ CONFIG_CRYPTO_SHA1_ARM64_CE=m
 CONFIG_CRYPTO_SHA2_ARM64_CE=m
 # CONFIG_CRYPTO_SHA512_ARM64_CE is not set
 # CONFIG_CRYPTO_SHA3_ARM64 is not set
-# CONFIG_CRYPTO_SM3_ARM64_CE is not set
+CONFIG_CRYPTO_SM3_ARM64_CE=m
 CONFIG_CRYPTO_SM4_ARM64_CE=m
 CONFIG_CRYPTO_GHASH_ARM64_CE=m
 CONFIG_CRYPTO_CRCT10DIF_ARM64_CE=m
@@ -4945,7 +4945,7 @@ CONFIG_KEYS=y
 CONFIG_PERSISTENT_KEYRINGS=y
 CONFIG_BIG_KEYS=y
 CONFIG_TRUSTED_KEYS=m
-CONFIG_ENCRYPTED_KEYS=m
+CONFIG_ENCRYPTED_KEYS=y
 # CONFIG_KEY_DH_OPERATIONS is not set
 # CONFIG_SECURITY_DMESG_RESTRICT is not set
 CONFIG_SECURITY=y
@@ -4968,13 +4968,53 @@ CONFIG_SECURITY_SELINUX_DISABLE=y
 CONFIG_SECURITY_SELINUX_DEVELOP=y
 CONFIG_SECURITY_SELINUX_AVC_STATS=y
 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
-# CONFIG_SECURITY_SMACK is not set
+CONFIG_SECURITY_SMACK=y
+# CONFIG_SECURITY_SMACK_BRINGUP is not set
+# CONFIG_SECURITY_SMACK_NETFILTER is not set
+# CONFIG_SECURITY_SMACK_APPEND_SIGNALS is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
 # CONFIG_SECURITY_LOADPIN is not set
 CONFIG_SECURITY_YAMA=y
-# CONFIG_INTEGRITY is not set
+CONFIG_INTEGRITY=y
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+CONFIG_INTEGRITY_TRUSTED_KEYRING=y
+CONFIG_INTEGRITY_AUDIT=y
+CONFIG_IMA=y
+CONFIG_IMA_MEASURE_PCR_IDX=10
+CONFIG_IMA_LSM_RULES=y
+# CONFIG_IMA_TEMPLATE is not set
+# CONFIG_IMA_NG_TEMPLATE is not set
+CONFIG_IMA_SIG_TEMPLATE=y
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
+# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
+CONFIG_IMA_DEFAULT_HASH="sha256"
+CONFIG_IMA_WRITE_POLICY=y
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_APPRAISE=y
+CONFIG_IMA_APPRAISE_BUILD_POLICY=y
+# CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS is not set
+# CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS is not set
+# CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS is not set
+# CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS is not set
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+CONFIG_IMA_TRUSTED_KEYRING=y
+CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
+CONFIG_IMA_BLACKLIST_KEYRING=y
+CONFIG_IMA_LOAD_X509=y
+CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
+# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
+CONFIG_EVM=y
+CONFIG_EVM_ATTR_FSUUID=y
+CONFIG_EVM_EXTRA_SMACK_XATTRS=y
+# CONFIG_EVM_ADD_XATTRS is not set
+CONFIG_EVM_LOAD_X509=y
+CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
 CONFIG_DEFAULT_SECURITY_SELINUX=y
+# CONFIG_DEFAULT_SECURITY_SMACK is not set
 # CONFIG_DEFAULT_SECURITY_DAC is not set
 CONFIG_DEFAULT_SECURITY="selinux"
 CONFIG_XOR_BLOCKS=m
@@ -5076,7 +5116,7 @@ CONFIG_CRYPTO_SHA1=y
 CONFIG_CRYPTO_SHA256=y
 CONFIG_CRYPTO_SHA512=m
 CONFIG_CRYPTO_SHA3=m
-# CONFIG_CRYPTO_SM3 is not set
+CONFIG_CRYPTO_SM3=m
 CONFIG_CRYPTO_TGR192=m
 CONFIG_CRYPTO_WP512=m
@@ -5164,8 +5204,9 @@ CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
 CONFIG_SYSTEM_TRUSTED_KEYRING=y
 CONFIG_SYSTEM_TRUSTED_KEYS="certs/modsign_alinux.pem"
 # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set
-# CONFIG_SECONDARY_TRUSTED_KEYRING is not set
+CONFIG_SECONDARY_TRUSTED_KEYRING=y
-# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set
+CONFIG_SYSTEM_BLACKLIST_KEYRING=y
+CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
 CONFIG_BINARY_PRINTF=y
 #

--- a/configs/config-4.19.y-x86_64
+++ b/configs/config-4.19.y-x86_64
@@ -1073,7 +1073,7 @@ CONFIG_IPV6_SUBTREES=y
 # CONFIG_IPV6_MROUTE is not set
 # CONFIG_IPV6_SEG6_LWTUNNEL is not set
 # CONFIG_IPV6_SEG6_HMAC is not set
-# CONFIG_NETLABEL is not set
+CONFIG_NETLABEL=y
 CONFIG_NETWORK_SECMARK=y
 CONFIG_NET_PTP_CLASSIFY=y
 # CONFIG_NETWORK_PHY_TIMESTAMPING is not set
@@ -3719,7 +3719,7 @@ CONFIG_KEYS_COMPAT=y
 # CONFIG_PERSISTENT_KEYRINGS is not set
 # CONFIG_BIG_KEYS is not set
 # CONFIG_TRUSTED_KEYS is not set
-CONFIG_ENCRYPTED_KEYS=m
+CONFIG_ENCRYPTED_KEYS=y
 # CONFIG_KEY_DH_OPERATIONS is not set
 # CONFIG_SECURITY_DMESG_RESTRICT is not set
 CONFIG_SECURITY=y
@@ -3744,7 +3744,10 @@ CONFIG_SECURITY_SELINUX_DISABLE=y
 CONFIG_SECURITY_SELINUX_DEVELOP=y
 CONFIG_SECURITY_SELINUX_AVC_STATS=y
 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
-# CONFIG_SECURITY_SMACK is not set
+CONFIG_SECURITY_SMACK=y
+# CONFIG_SECURITY_SMACK_BRINGUP is not set
+# CONFIG_SECURITY_SMACK_NETFILTER is not set
+# CONFIG_SECURITY_SMACK_APPEND_SIGNALS is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
 # CONFIG_SECURITY_LOADPIN is not set
@@ -3758,23 +3761,36 @@ CONFIG_IMA=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
 CONFIG_IMA_LSM_RULES=y
 # CONFIG_IMA_TEMPLATE is not set
-CONFIG_IMA_NG_TEMPLATE=y
+# CONFIG_IMA_NG_TEMPLATE is not set
-# CONFIG_IMA_SIG_TEMPLATE is not set
+CONFIG_IMA_SIG_TEMPLATE=y
-CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
-CONFIG_IMA_DEFAULT_HASH="sha1"
+CONFIG_IMA_DEFAULT_HASH="sha256"
-# CONFIG_IMA_WRITE_POLICY is not set
+CONFIG_IMA_WRITE_POLICY=y
-# CONFIG_IMA_READ_POLICY is not set
+CONFIG_IMA_READ_POLICY=y
 CONFIG_IMA_APPRAISE=y
-# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+CONFIG_IMA_APPRAISE_BUILD_POLICY=y
+# CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS is not set
+# CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS is not set
+# CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS is not set
+# CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS is not set
 CONFIG_IMA_APPRAISE_BOOTPARAM=y
 CONFIG_IMA_TRUSTED_KEYRING=y
-# CONFIG_IMA_BLACKLIST_KEYRING is not set
+CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
-# CONFIG_IMA_LOAD_X509 is not set
+CONFIG_IMA_BLACKLIST_KEYRING=y
-# CONFIG_EVM is not set
+CONFIG_IMA_LOAD_X509=y
+CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
+# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
+CONFIG_EVM=y
+CONFIG_EVM_ATTR_FSUUID=y
+CONFIG_EVM_EXTRA_SMACK_XATTRS=y
+# CONFIG_EVM_ADD_XATTRS is not set
+CONFIG_EVM_LOAD_X509=y
+CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
 CONFIG_DEFAULT_SECURITY_SELINUX=y
+# CONFIG_DEFAULT_SECURITY_SMACK is not set
 # CONFIG_DEFAULT_SECURITY_DAC is not set
 CONFIG_DEFAULT_SECURITY="selinux"
 CONFIG_XOR_BLOCKS=m
@@ -3890,7 +3906,7 @@ CONFIG_CRYPTO_SHA1_MB=m
 CONFIG_CRYPTO_SHA256=y
 CONFIG_CRYPTO_SHA512=y
 # CONFIG_CRYPTO_SHA3 is not set
-# CONFIG_CRYPTO_SM3 is not set
+CONFIG_CRYPTO_SM3=m
 # CONFIG_CRYPTO_TGR192 is not set
 # CONFIG_CRYPTO_WP512 is not set
 # CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
@@ -3926,7 +3942,7 @@ CONFIG_CRYPTO_DES=m
 # CONFIG_CRYPTO_SERPENT_SSE2_X86_64 is not set
 # CONFIG_CRYPTO_SERPENT_AVX_X86_64 is not set
 # CONFIG_CRYPTO_SERPENT_AVX2_X86_64 is not set
-# CONFIG_CRYPTO_SM4 is not set
+CONFIG_CRYPTO_SM4=m
 # CONFIG_CRYPTO_TEA is not set
 # CONFIG_CRYPTO_TWOFISH is not set
 # CONFIG_CRYPTO_TWOFISH_X86_64 is not set
@@ -3985,8 +4001,9 @@ CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
 CONFIG_SYSTEM_TRUSTED_KEYRING=y
 CONFIG_SYSTEM_TRUSTED_KEYS="certs/modsign_alinux.pem"
 # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set
-# CONFIG_SECONDARY_TRUSTED_KEYRING is not set
+CONFIG_SECONDARY_TRUSTED_KEYRING=y
-# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set
+CONFIG_SYSTEM_BLACKLIST_KEYRING=y
+CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
 CONFIG_BINARY_PRINTF=y
 #
@@ -4152,6 +4169,7 @@ CONFIG_HAVE_DEBUG_STACKOVERFLOW=y
 CONFIG_HAVE_ARCH_KASAN=y
 # CONFIG_KASAN is not set
 CONFIG_ARCH_HAS_KCOV=y
+# CONFIG_KCOV is not set
 CONFIG_DEBUG_SHIRQ=y
 #

--- a/configs/config-4.19.y-x86_64-debug
+++ b/configs/config-4.19.y-x86_64-debug
@@ -1073,7 +1073,7 @@ CONFIG_IPV6_SUBTREES=y
 # CONFIG_IPV6_MROUTE is not set
 # CONFIG_IPV6_SEG6_LWTUNNEL is not set
 # CONFIG_IPV6_SEG6_HMAC is not set
-# CONFIG_NETLABEL is not set
+CONFIG_NETLABEL=y
 CONFIG_NETWORK_SECMARK=y
 CONFIG_NET_PTP_CLASSIFY=y
 # CONFIG_NETWORK_PHY_TIMESTAMPING is not set
@@ -3722,7 +3722,7 @@ CONFIG_KEYS_COMPAT=y
 # CONFIG_PERSISTENT_KEYRINGS is not set
 # CONFIG_BIG_KEYS is not set
 # CONFIG_TRUSTED_KEYS is not set
-CONFIG_ENCRYPTED_KEYS=m
+CONFIG_ENCRYPTED_KEYS=y
 # CONFIG_KEY_DH_OPERATIONS is not set
 # CONFIG_SECURITY_DMESG_RESTRICT is not set
 CONFIG_SECURITY=y
@@ -3747,7 +3747,10 @@ CONFIG_SECURITY_SELINUX_DISABLE=y
 CONFIG_SECURITY_SELINUX_DEVELOP=y
 CONFIG_SECURITY_SELINUX_AVC_STATS=y
 CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
-# CONFIG_SECURITY_SMACK is not set
+CONFIG_SECURITY_SMACK=y
+# CONFIG_SECURITY_SMACK_BRINGUP is not set
+# CONFIG_SECURITY_SMACK_NETFILTER is not set
+# CONFIG_SECURITY_SMACK_APPEND_SIGNALS is not set
 # CONFIG_SECURITY_TOMOYO is not set
 # CONFIG_SECURITY_APPARMOR is not set
 # CONFIG_SECURITY_LOADPIN is not set
@@ -3761,23 +3764,36 @@ CONFIG_IMA=y
 CONFIG_IMA_MEASURE_PCR_IDX=10
 CONFIG_IMA_LSM_RULES=y
 # CONFIG_IMA_TEMPLATE is not set
-CONFIG_IMA_NG_TEMPLATE=y
+# CONFIG_IMA_NG_TEMPLATE is not set
-# CONFIG_IMA_SIG_TEMPLATE is not set
+CONFIG_IMA_SIG_TEMPLATE=y
-CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig"
-CONFIG_IMA_DEFAULT_HASH_SHA1=y
+# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set
-# CONFIG_IMA_DEFAULT_HASH_SHA256 is not set
+CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA_DEFAULT_HASH_SHA512 is not set
-CONFIG_IMA_DEFAULT_HASH="sha1"
+CONFIG_IMA_DEFAULT_HASH="sha256"
-# CONFIG_IMA_WRITE_POLICY is not set
+CONFIG_IMA_WRITE_POLICY=y
-# CONFIG_IMA_READ_POLICY is not set
+CONFIG_IMA_READ_POLICY=y
 CONFIG_IMA_APPRAISE=y
-# CONFIG_IMA_APPRAISE_BUILD_POLICY is not set
+CONFIG_IMA_APPRAISE_BUILD_POLICY=y
+# CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS is not set
+# CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS is not set
+# CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS is not set
+# CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS is not set
 CONFIG_IMA_APPRAISE_BOOTPARAM=y
 CONFIG_IMA_TRUSTED_KEYRING=y
-# CONFIG_IMA_BLACKLIST_KEYRING is not set
+CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
-# CONFIG_IMA_LOAD_X509 is not set
+CONFIG_IMA_BLACKLIST_KEYRING=y
-# CONFIG_EVM is not set
+CONFIG_IMA_LOAD_X509=y
+CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
+# CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
+CONFIG_EVM=y
+CONFIG_EVM_ATTR_FSUUID=y
+CONFIG_EVM_EXTRA_SMACK_XATTRS=y
+# CONFIG_EVM_ADD_XATTRS is not set
+CONFIG_EVM_LOAD_X509=y
+CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"
 CONFIG_DEFAULT_SECURITY_SELINUX=y
+# CONFIG_DEFAULT_SECURITY_SMACK is not set
 # CONFIG_DEFAULT_SECURITY_DAC is not set
 CONFIG_DEFAULT_SECURITY="selinux"
 CONFIG_XOR_BLOCKS=m
@@ -3892,7 +3908,7 @@ CONFIG_CRYPTO_SHA1_MB=m
 CONFIG_CRYPTO_SHA256=y
 CONFIG_CRYPTO_SHA512=y
 # CONFIG_CRYPTO_SHA3 is not set
-# CONFIG_CRYPTO_SM3 is not set
+CONFIG_CRYPTO_SM3=m
 # CONFIG_CRYPTO_TGR192 is not set
 # CONFIG_CRYPTO_WP512 is not set
 # CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
@@ -3928,7 +3944,7 @@ CONFIG_CRYPTO_DES=m
 # CONFIG_CRYPTO_SERPENT_SSE2_X86_64 is not set
 # CONFIG_CRYPTO_SERPENT_AVX_X86_64 is not set
 # CONFIG_CRYPTO_SERPENT_AVX2_X86_64 is not set
-# CONFIG_CRYPTO_SM4 is not set
+CONFIG_CRYPTO_SM4=m
 # CONFIG_CRYPTO_TEA is not set
 # CONFIG_CRYPTO_TWOFISH is not set
 # CONFIG_CRYPTO_TWOFISH_X86_64 is not set
@@ -3987,8 +4003,9 @@ CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
 CONFIG_SYSTEM_TRUSTED_KEYRING=y
 CONFIG_SYSTEM_TRUSTED_KEYS="certs/modsign_alinux.pem"
 # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set
-# CONFIG_SECONDARY_TRUSTED_KEYRING is not set
+CONFIG_SECONDARY_TRUSTED_KEYRING=y
-# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set
+CONFIG_SYSTEM_BLACKLIST_KEYRING=y
+CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
 CONFIG_BINARY_PRINTF=y
 #
@@ -4173,6 +4190,7 @@ CONFIG_KASAN=y
 CONFIG_KASAN_INLINE=y
 CONFIG_TEST_KASAN=m
 CONFIG_ARCH_HAS_KCOV=y
+# CONFIG_KCOV is not set
 CONFIG_DEBUG_SHIRQ=y
 #

--- a/configs/kernel-4.19-x86_64-alios7-debug.config
+++ b/configs/kernel-4.19-x86_64-alios7-debug.config
@@ -6227,7 +6227,7 @@ CONFIG_CRYPTO_SHA512_SSSE3=y
 CONFIG_CRYPTO_SHA256=y
 CONFIG_CRYPTO_SHA512=y
 # CONFIG_CRYPTO_SHA3 is not set
-# CONFIG_CRYPTO_SM3 is not set
+CONFIG_CRYPTO_SM3=m
 CONFIG_CRYPTO_TGR192=m
 CONFIG_CRYPTO_WP512=m
 CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m
@@ -6265,7 +6265,7 @@ CONFIG_CRYPTO_SERPENT=m
 CONFIG_CRYPTO_SERPENT_SSE2_X86_64=m
 CONFIG_CRYPTO_SERPENT_AVX_X86_64=m
 CONFIG_CRYPTO_SERPENT_AVX2_X86_64=m
-# CONFIG_CRYPTO_SM4 is not set
+CONFIG_CRYPTO_SM4=m
 CONFIG_CRYPTO_TEA=m
 CONFIG_CRYPTO_TWOFISH=m
 CONFIG_CRYPTO_TWOFISH_COMMON=m

--- a/configs/kernel-4.19-x86_64-alios7.config
+++ b/configs/kernel-4.19-x86_64-alios7.config
@@ -6225,7 +6225,7 @@ CONFIG_CRYPTO_SHA512_SSSE3=y
 CONFIG_CRYPTO_SHA256=y
 CONFIG_CRYPTO_SHA512=y
 # CONFIG_CRYPTO_SHA3 is not set
-# CONFIG_CRYPTO_SM3 is not set
+CONFIG_CRYPTO_SM3=m
 CONFIG_CRYPTO_TGR192=m
 CONFIG_CRYPTO_WP512=m
 CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m
@@ -6263,7 +6263,7 @@ CONFIG_CRYPTO_SERPENT=m
 CONFIG_CRYPTO_SERPENT_SSE2_X86_64=m
 CONFIG_CRYPTO_SERPENT_AVX_X86_64=m
 CONFIG_CRYPTO_SERPENT_AVX2_X86_64=m
-# CONFIG_CRYPTO_SM4 is not set
+CONFIG_CRYPTO_SM4=m
 CONFIG_CRYPTO_TEA=m
 CONFIG_CRYPTO_TWOFISH=m
 CONFIG_CRYPTO_TWOFISH_COMMON=m