From 6478286a7356cddc70aeb899becc21d66272503b Mon Sep 17 00:00:00 2001
From: Roberto Sassu <roberto.sassu@huawei.com>
Date: Wed, 3 Mar 2021 08:44:27 +0100
Subject: [PATCH] config: add digest list options for arm64 and x86

hulk inclusion
category: feature
feature: IMA Digest Lists extension
bugzilla: 46797

---------------------------

Enable digest lists and PGP keys preload.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
---
 arch/arm64/configs/openeuler_defconfig |  7 +++++++
 arch/x86/configs/openeuler_defconfig   | 27 ++++++++++++++++----------
 2 files changed, 24 insertions(+), 10 deletions(-)

diff --git a/arch/arm64/configs/openeuler_defconfig b/arch/arm64/configs/openeuler_defconfig
index 61534c74896c..9ab0ba65f954 100644
--- a/arch/arm64/configs/openeuler_defconfig
+++ b/arch/arm64/configs/openeuler_defconfig
@@ -6415,6 +6415,9 @@ CONFIG_IMA_TRUSTED_KEYRING=y
 CONFIG_IMA_LOAD_X509=y
 CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
 # CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
+CONFIG_IMA_DIGEST_LIST=y
+CONFIG_IMA_DIGEST_LISTS_DIR="/etc/ima/digest_lists"
+CONFIG_IMA_PARSER_BINARY_PATH="/usr/bin/upload_digest_lists"
 CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
 CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
 CONFIG_EVM=y
@@ -6667,6 +6670,9 @@ CONFIG_X509_CERTIFICATE_PARSER=y
 CONFIG_PKCS7_MESSAGE_PARSER=y
 # CONFIG_PKCS7_TEST_KEY is not set
 CONFIG_SIGNED_PE_FILE_VERIFICATION=y
+CONFIG_PGP_LIBRARY=y
+CONFIG_PGP_KEY_PARSER=y
+CONFIG_PGP_PRELOAD=y
 
 #
 # Certificates for signature checking
@@ -6677,6 +6683,7 @@ CONFIG_SYSTEM_TRUSTED_KEYS=""
 # CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set
 # CONFIG_SECONDARY_TRUSTED_KEYRING is not set
 # CONFIG_SYSTEM_BLACKLIST_KEYRING is not set
+CONFIG_PGP_PRELOAD_PUBLIC_KEYS=y
 # end of Certificates for signature checking
 
 CONFIG_BINARY_PRINTF=y
diff --git a/arch/x86/configs/openeuler_defconfig b/arch/x86/configs/openeuler_defconfig
index ca3fb8a71f4a..0fd82af04739 100644
--- a/arch/x86/configs/openeuler_defconfig
+++ b/arch/x86/configs/openeuler_defconfig
@@ -3536,19 +3536,19 @@ CONFIG_TCG_TPM=y
 CONFIG_HW_RANDOM_TPM=y
 CONFIG_TCG_TIS_CORE=y
 CONFIG_TCG_TIS=y
-# CONFIG_TCG_TIS_SPI is not set
-CONFIG_TCG_TIS_I2C_ATMEL=m
-CONFIG_TCG_TIS_I2C_INFINEON=m
-CONFIG_TCG_TIS_I2C_NUVOTON=m
-CONFIG_TCG_NSC=m
-CONFIG_TCG_ATMEL=m
-CONFIG_TCG_INFINEON=m
+CONFIG_TCG_TIS_SPI=y
+CONFIG_TCG_TIS_I2C_ATMEL=y
+CONFIG_TCG_TIS_I2C_INFINEON=y
+CONFIG_TCG_TIS_I2C_NUVOTON=y
+CONFIG_TCG_NSC=y
+CONFIG_TCG_ATMEL=y
+CONFIG_TCG_INFINEON=y
 # CONFIG_TCG_XEN is not set
 CONFIG_TCG_CRB=y
 # CONFIG_TCG_VTPM_PROXY is not set
-CONFIG_TCG_TIS_ST33ZP24=m
-CONFIG_TCG_TIS_ST33ZP24_I2C=m
-# CONFIG_TCG_TIS_ST33ZP24_SPI is not set
+CONFIG_TCG_TIS_ST33ZP24=y
+CONFIG_TCG_TIS_ST33ZP24_I2C=y
+CONFIG_TCG_TIS_ST33ZP24_SPI=y
 CONFIG_TELCLOCK=m
 # CONFIG_XILLYBUS is not set
 # end of Character devices
@@ -7779,6 +7779,9 @@ CONFIG_IMA_TRUSTED_KEYRING=y
 CONFIG_IMA_LOAD_X509=y
 CONFIG_IMA_X509_PATH="/etc/keys/x509_ima.der"
 # CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
+CONFIG_IMA_DIGEST_LIST=y
+CONFIG_IMA_DIGEST_LISTS_DIR="/etc/ima/digest_lists"
+CONFIG_IMA_PARSER_BINARY_PATH="/usr/bin/upload_digest_lists"
 CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
 CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
 # CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
@@ -8061,6 +8064,9 @@ CONFIG_X509_CERTIFICATE_PARSER=y
 CONFIG_PKCS7_MESSAGE_PARSER=y
 # CONFIG_PKCS7_TEST_KEY is not set
 CONFIG_SIGNED_PE_FILE_VERIFICATION=y
+CONFIG_PGP_LIBRARY=y
+CONFIG_PGP_KEY_PARSER=y
+CONFIG_PGP_PRELOAD=y
 
 #
 # Certificates for signature checking
@@ -8072,6 +8078,7 @@ CONFIG_SYSTEM_TRUSTED_KEYS=""
 # CONFIG_SECONDARY_TRUSTED_KEYRING is not set
 CONFIG_SYSTEM_BLACKLIST_KEYRING=y
 CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
+CONFIG_PGP_PRELOAD_PUBLIC_KEYS=y
 # end of Certificates for signature checking
 
 CONFIG_BINARY_PRINTF=y
-- 
GitLab