From: Arne Fitzenreiter Date: Thu, 6 Feb 2020 14:09:52 +0000 (+0100) Subject: kernel: enable and enforce signed kernel modules X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=831ff05d898cbf3484922d33573ee067782eb663;p=people%2Fms%2Fipfire-2.x.git kernel: enable and enforce signed kernel modules Signed-off-by: Arne Fitzenreiter --- diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index e79403bc77..32ad2df071 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm64 4.14.154-ipfire Kernel Configuration +# Linux/arm64 4.14.166-ipfire Kernel Configuration # CONFIG_ARM64=y CONFIG_64BIT=y @@ -221,7 +221,7 @@ CONFIG_SLAB_MERGE_DEFAULT=y CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y CONFIG_SLUB_CPU_PARTIAL=y -# CONFIG_SYSTEM_DATA_VERIFICATION is not set +CONFIG_SYSTEM_DATA_VERIFICATION=y # CONFIG_PROFILING is not set CONFIG_TRACEPOINTS=y # CONFIG_KPROBES is not set @@ -306,7 +306,15 @@ CONFIG_MODULE_UNLOAD=y # CONFIG_MODULE_FORCE_UNLOAD is not set CONFIG_MODVERSIONS=y CONFIG_MODULE_SRCVERSION_ALL=y -# CONFIG_MODULE_SIG is not set +CONFIG_MODULE_SIG=y +CONFIG_MODULE_SIG_FORCE=y +CONFIG_MODULE_SIG_ALL=y +# CONFIG_MODULE_SIG_SHA1 is not set +# CONFIG_MODULE_SIG_SHA224 is not set +# CONFIG_MODULE_SIG_SHA256 is not set +# CONFIG_MODULE_SIG_SHA384 is not set +CONFIG_MODULE_SIG_SHA512=y +CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_COMPRESS=y # CONFIG_MODULE_COMPRESS_GZIP is not set CONFIG_MODULE_COMPRESS_XZ=y @@ -369,6 +377,7 @@ CONFIG_MQ_IOSCHED_KYBER=y CONFIG_IOSCHED_BFQ=y CONFIG_BFQ_GROUP_IOSCHED=y CONFIG_PADATA=y +CONFIG_ASN1=y CONFIG_INLINE_SPIN_UNLOCK_IRQ=y CONFIG_INLINE_READ_UNLOCK=y CONFIG_INLINE_READ_UNLOCK_IRQ=y 
@@ -2065,6 +2074,7 @@ CONFIG_ACENIC=m # CONFIG_ACENIC_OMIT_TIGON_I is not set CONFIG_ALTERA_TSE=m CONFIG_NET_VENDOR_AMAZON=y +CONFIG_ENA_ETHERNET=m CONFIG_NET_VENDOR_AMD=y CONFIG_AMD8111_ETH=m CONFIG_PCNET32=m @@ -6609,6 +6619,7 @@ CONFIG_CRYPTO=y # # Crypto core or helper # +# CONFIG_CRYPTO_FIPS is not set CONFIG_CRYPTO_ALGAPI=y CONFIG_CRYPTO_ALGAPI2=y CONFIG_CRYPTO_AEAD=y @@ -6621,10 +6632,11 @@ CONFIG_CRYPTO_RNG=y CONFIG_CRYPTO_RNG2=y CONFIG_CRYPTO_RNG_DEFAULT=y CONFIG_CRYPTO_AKCIPHER2=y +CONFIG_CRYPTO_AKCIPHER=y CONFIG_CRYPTO_KPP2=y CONFIG_CRYPTO_KPP=m CONFIG_CRYPTO_ACOMP2=y -# CONFIG_CRYPTO_RSA is not set +CONFIG_CRYPTO_RSA=y # CONFIG_CRYPTO_DH is not set CONFIG_CRYPTO_ECDH=m CONFIG_CRYPTO_MANAGER=y @@ -6741,6 +6753,7 @@ CONFIG_CRYPTO_USER_API_HASH=y CONFIG_CRYPTO_USER_API_SKCIPHER=y # CONFIG_CRYPTO_USER_API_RNG is not set # CONFIG_CRYPTO_USER_API_AEAD is not set +CONFIG_CRYPTO_HASH_INFO=y CONFIG_CRYPTO_HW=y # CONFIG_CRYPTO_DEV_MARVELL_CESA is not set # CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API_DESC is not set @@ -6751,11 +6764,21 @@ CONFIG_CRYPTO_DEV_ROCKCHIP=y # CONFIG_CRYPTO_DEV_CHELSIO is not set CONFIG_CRYPTO_DEV_VIRTIO=m # CONFIG_CRYPTO_DEV_SAFEXCEL is not set -# CONFIG_ASYMMETRIC_KEY_TYPE is not set +CONFIG_ASYMMETRIC_KEY_TYPE=y +CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y +CONFIG_X509_CERTIFICATE_PARSER=y +CONFIG_PKCS7_MESSAGE_PARSER=y +CONFIG_PKCS7_TEST_KEY=m +# CONFIG_SIGNED_PE_FILE_VERIFICATION is not set # # Certificates for signature checking # +CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" +CONFIG_SYSTEM_TRUSTED_KEYRING=y +CONFIG_SYSTEM_TRUSTED_KEYS="" +# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set +# CONFIG_SECONDARY_TRUSTED_KEYRING is not set # CONFIG_SYSTEM_BLACKLIST_KEYRING is not set # CONFIG_ARM64_CRYPTO is not set CONFIG_BINARY_PRINTF=y 
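Review bot: `CONFIG_PKCS7_TEST_KEY=m` in the `@@ -6751,11 +6764,21 @@` hunk builds the PKCS#7 testing key type, which upstream Kconfig describes as intended for testing the PKCS#7 parser, so a production firewall kernel should not need it. The x86_64 config in this same commit has `# CONFIG_PKCS7_TEST_KEY is not set`, while the armv5tel-multi, i586 and i586-pae hunks repeat `=m`; I would use the x86_64 value on every architecture. The same hunk leaves `# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set` unchanged, which presumably means a signing certificate can only be revoked by shipping a new kernel. That may be acceptable with a per-build key, but now that `CONFIG_MODULE_SIG_FORCE=y` is set the commit message should state it as a deliberate choice.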
@@ -6831,11 +6854,13 @@ CONFIG_DQL=y CONFIG_GLOB=y # CONFIG_GLOB_SELFTEST is not set CONFIG_NLATTR=y +CONFIG_CLZ_TAB=y CONFIG_CORDIC=m CONFIG_DDR=y CONFIG_IRQ_POLL=y +CONFIG_MPILIB=y CONFIG_LIBFDT=y -CONFIG_OID_REGISTRY=m +CONFIG_OID_REGISTRY=y CONFIG_UCS2_STRING=y CONFIG_FONT_SUPPORT=y # CONFIG_FONTS is not set diff --git a/config/kernel/kernel.config.armv5tel-ipfire-multi b/config/kernel/kernel.config.armv5tel-ipfire-multi index 7e9de39eaa..cfa7660056 100644 --- a/config/kernel/kernel.config.armv5tel-ipfire-multi +++ b/config/kernel/kernel.config.armv5tel-ipfire-multi @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm 4.14.154-ipfire-multi Kernel Configuration +# Linux/arm 4.14.166-ipfire-multi Kernel Configuration # CONFIG_ARM=y CONFIG_ARM_HAS_SG_CHAIN=y @@ -218,7 +218,7 @@ CONFIG_SLAB_MERGE_DEFAULT=y CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y CONFIG_SLUB_CPU_PARTIAL=y -# CONFIG_SYSTEM_DATA_VERIFICATION is not set +CONFIG_SYSTEM_DATA_VERIFICATION=y # CONFIG_PROFILING is not set CONFIG_TRACEPOINTS=y CONFIG_HAVE_OPROFILE=y @@ -301,7 +301,15 @@ CONFIG_MODULE_UNLOAD=y # CONFIG_MODULE_FORCE_UNLOAD is not set CONFIG_MODVERSIONS=y CONFIG_MODULE_SRCVERSION_ALL=y -# CONFIG_MODULE_SIG is not set +CONFIG_MODULE_SIG=y +CONFIG_MODULE_SIG_FORCE=y +CONFIG_MODULE_SIG_ALL=y +# CONFIG_MODULE_SIG_SHA1 is not set +# CONFIG_MODULE_SIG_SHA224 is not set +# CONFIG_MODULE_SIG_SHA256 is not set +# CONFIG_MODULE_SIG_SHA384 is not set +CONFIG_MODULE_SIG_SHA512=y +CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_COMPRESS=y # CONFIG_MODULE_COMPRESS_GZIP is not set CONFIG_MODULE_COMPRESS_XZ=y @@ -363,6 +371,7 @@ CONFIG_MQ_IOSCHED_KYBER=y CONFIG_IOSCHED_BFQ=y CONFIG_BFQ_GROUP_IOSCHED=y CONFIG_PADATA=y +CONFIG_ASN1=y CONFIG_INLINE_SPIN_UNLOCK_IRQ=y CONFIG_INLINE_READ_UNLOCK=y CONFIG_INLINE_READ_UNLOCK_IRQ=y 
@@ -2333,6 +2342,7 @@ CONFIG_ACENIC=m # CONFIG_ACENIC_OMIT_TIGON_I is not set CONFIG_ALTERA_TSE=m CONFIG_NET_VENDOR_AMAZON=y +CONFIG_ENA_ETHERNET=m CONFIG_NET_VENDOR_AMD=y CONFIG_AMD8111_ETH=m CONFIG_PCNET32=m @@ -7045,7 +7055,6 @@ CONFIG_ARM_UNWIND=y CONFIG_OLD_MCOUNT=y # CONFIG_DEBUG_USER is not set # CONFIG_DEBUG_LL is not set -CONFIG_DEBUG_IMX_UART_PORT=1 CONFIG_DEBUG_LL_INCLUDE="mach/debug-macro.S" # CONFIG_DEBUG_UART_8250 is not set CONFIG_UNCOMPRESS_INCLUDE="debug/uncompress.h" @@ -7092,6 +7101,7 @@ CONFIG_CRYPTO=y # # Crypto core or helper # +# CONFIG_CRYPTO_FIPS is not set CONFIG_CRYPTO_ALGAPI=y CONFIG_CRYPTO_ALGAPI2=y CONFIG_CRYPTO_AEAD=y @@ -7104,10 +7114,11 @@ CONFIG_CRYPTO_RNG=y CONFIG_CRYPTO_RNG2=y CONFIG_CRYPTO_RNG_DEFAULT=y CONFIG_CRYPTO_AKCIPHER2=y +CONFIG_CRYPTO_AKCIPHER=y CONFIG_CRYPTO_KPP2=y CONFIG_CRYPTO_KPP=m CONFIG_CRYPTO_ACOMP2=y -# CONFIG_CRYPTO_RSA is not set +CONFIG_CRYPTO_RSA=y # CONFIG_CRYPTO_DH is not set CONFIG_CRYPTO_ECDH=m CONFIG_CRYPTO_MANAGER=y @@ -7224,6 +7235,7 @@ CONFIG_CRYPTO_USER_API_HASH=y CONFIG_CRYPTO_USER_API_SKCIPHER=y # CONFIG_CRYPTO_USER_API_RNG is not set # CONFIG_CRYPTO_USER_API_AEAD is not set +CONFIG_CRYPTO_HASH_INFO=y CONFIG_CRYPTO_HW=y CONFIG_CRYPTO_DEV_MV_CESA=m # CONFIG_CRYPTO_DEV_MARVELL_CESA is not set 
@@ -7242,11 +7254,21 @@ CONFIG_CRYPTO_DEV_SUN4I_SS=y CONFIG_CRYPTO_DEV_SUN4I_SS_PRNG=y CONFIG_CRYPTO_DEV_ROCKCHIP=y # CONFIG_CRYPTO_DEV_CHELSIO is not set -# CONFIG_ASYMMETRIC_KEY_TYPE is not set +CONFIG_ASYMMETRIC_KEY_TYPE=y +CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y +CONFIG_X509_CERTIFICATE_PARSER=y +CONFIG_PKCS7_MESSAGE_PARSER=y +CONFIG_PKCS7_TEST_KEY=m +# CONFIG_SIGNED_PE_FILE_VERIFICATION is not set # # Certificates for signature checking # +CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" +CONFIG_SYSTEM_TRUSTED_KEYRING=y +CONFIG_SYSTEM_TRUSTED_KEYS="" +# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set +# CONFIG_SECONDARY_TRUSTED_KEYRING is not set # CONFIG_SYSTEM_BLACKLIST_KEYRING is not set CONFIG_ARM_CRYPTO=y CONFIG_CRYPTO_SHA1_ARM=m @@ -7327,11 +7349,13 @@ CONFIG_GLOB=y # CONFIG_GLOB_SELFTEST is not set CONFIG_NLATTR=y CONFIG_GENERIC_ATOMIC64=y +CONFIG_CLZ_TAB=y CONFIG_CORDIC=m CONFIG_DDR=y CONFIG_IRQ_POLL=y +CONFIG_MPILIB=y CONFIG_LIBFDT=y -CONFIG_OID_REGISTRY=m +CONFIG_OID_REGISTRY=y CONFIG_FONT_SUPPORT=y # CONFIG_FONTS is not set CONFIG_FONT_8x8=y diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire index 2732bba422..4bb39fc208 100644 --- a/config/kernel/kernel.config.i586-ipfire +++ b/config/kernel/kernel.config.i586-ipfire @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.14.154-ipfire-pae Kernel Configuration +# Linux/x86 4.14.170-ipfire Kernel Configuration # # CONFIG_64BIT is not set CONFIG_X86_32=y @@ -233,7 +233,7 @@ CONFIG_SLAB_MERGE_DEFAULT=y CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y CONFIG_SLUB_CPU_PARTIAL=y -# CONFIG_SYSTEM_DATA_VERIFICATION is not set +CONFIG_SYSTEM_DATA_VERIFICATION=y # CONFIG_PROFILING is not set CONFIG_TRACEPOINTS=y CONFIG_HOTPLUG_SMT=y 
@@ -334,7 +334,15 @@ CONFIG_MODULE_UNLOAD=y # CONFIG_MODULE_FORCE_UNLOAD is not set CONFIG_MODVERSIONS=y CONFIG_MODULE_SRCVERSION_ALL=y -# CONFIG_MODULE_SIG is not set +CONFIG_MODULE_SIG=y +CONFIG_MODULE_SIG_FORCE=y +CONFIG_MODULE_SIG_ALL=y +# CONFIG_MODULE_SIG_SHA1 is not set +# CONFIG_MODULE_SIG_SHA224 is not set +# CONFIG_MODULE_SIG_SHA256 is not set +# CONFIG_MODULE_SIG_SHA384 is not set +CONFIG_MODULE_SIG_SHA512=y +CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_COMPRESS=y # CONFIG_MODULE_COMPRESS_GZIP is not set CONFIG_MODULE_COMPRESS_XZ=y @@ -398,7 +406,7 @@ CONFIG_IOSCHED_BFQ=y CONFIG_BFQ_GROUP_IOSCHED=y CONFIG_PREEMPT_NOTIFIERS=y CONFIG_PADATA=y -CONFIG_ASN1=m +CONFIG_ASN1=y CONFIG_INLINE_SPIN_UNLOCK_IRQ=y CONFIG_INLINE_READ_UNLOCK=y CONFIG_INLINE_READ_UNLOCK_IRQ=y @@ -6703,6 +6711,7 @@ CONFIG_DOUBLEFAULT=y # CONFIG_DEBUG_TLBFLUSH is not set # CONFIG_IOMMU_STRESS is not set CONFIG_HAVE_MMIOTRACE_SUPPORT=y +# CONFIG_X86_DECODER_SELFTEST is not set CONFIG_IO_DELAY_TYPE_0X80=0 CONFIG_IO_DELAY_TYPE_0XED=1 CONFIG_IO_DELAY_TYPE_UDELAY=2 @@ -6766,6 +6775,7 @@ CONFIG_CRYPTO=y # # Crypto core or helper # +# CONFIG_CRYPTO_FIPS is not set CONFIG_CRYPTO_ALGAPI=y CONFIG_CRYPTO_ALGAPI2=y CONFIG_CRYPTO_AEAD=y @@ -6778,11 +6788,11 @@ CONFIG_CRYPTO_RNG=y CONFIG_CRYPTO_RNG2=y CONFIG_CRYPTO_RNG_DEFAULT=y CONFIG_CRYPTO_AKCIPHER2=y -CONFIG_CRYPTO_AKCIPHER=m +CONFIG_CRYPTO_AKCIPHER=y CONFIG_CRYPTO_KPP2=y CONFIG_CRYPTO_KPP=m CONFIG_CRYPTO_ACOMP2=y -CONFIG_CRYPTO_RSA=m +CONFIG_CRYPTO_RSA=y CONFIG_CRYPTO_DH=m CONFIG_CRYPTO_ECDH=m CONFIG_CRYPTO_MANAGER=y @@ -6851,7 +6861,7 @@ CONFIG_CRYPTO_RMD256=m CONFIG_CRYPTO_RMD320=m CONFIG_CRYPTO_SHA1=y CONFIG_CRYPTO_SHA256=y -CONFIG_CRYPTO_SHA512=m +CONFIG_CRYPTO_SHA512=y CONFIG_CRYPTO_SHA3=m CONFIG_CRYPTO_TGR192=m CONFIG_CRYPTO_WP512=m 
@@ -6908,6 +6918,7 @@ CONFIG_CRYPTO_USER_API_HASH=y CONFIG_CRYPTO_USER_API_SKCIPHER=y CONFIG_CRYPTO_USER_API_RNG=m CONFIG_CRYPTO_USER_API_AEAD=m +CONFIG_CRYPTO_HASH_INFO=y CONFIG_CRYPTO_HW=y CONFIG_CRYPTO_DEV_PADLOCK=m CONFIG_CRYPTO_DEV_PADLOCK_AES=m @@ -6928,11 +6939,21 @@ CONFIG_CRYPTO_DEV_QAT_C3XXXVF=m CONFIG_CRYPTO_DEV_QAT_C62XVF=m CONFIG_CRYPTO_DEV_CHELSIO=m CONFIG_CRYPTO_DEV_VIRTIO=m -# CONFIG_ASYMMETRIC_KEY_TYPE is not set +CONFIG_ASYMMETRIC_KEY_TYPE=y +CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y +CONFIG_X509_CERTIFICATE_PARSER=y +CONFIG_PKCS7_MESSAGE_PARSER=y +CONFIG_PKCS7_TEST_KEY=m +# CONFIG_SIGNED_PE_FILE_VERIFICATION is not set # # Certificates for signature checking # +CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" +CONFIG_SYSTEM_TRUSTED_KEYRING=y +CONFIG_SYSTEM_TRUSTED_KEYS="" +# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set +# CONFIG_SECONDARY_TRUSTED_KEYRING is not set # CONFIG_SYSTEM_BLACKLIST_KEYRING is not set CONFIG_HAVE_KVM=y CONFIG_HAVE_KVM_IRQCHIP=y @@ -7040,8 +7061,8 @@ CONFIG_CLZ_TAB=y CONFIG_CORDIC=m # CONFIG_DDR is not set CONFIG_IRQ_POLL=y -CONFIG_MPILIB=m -CONFIG_OID_REGISTRY=m +CONFIG_MPILIB=y +CONFIG_OID_REGISTRY=y CONFIG_UCS2_STRING=y CONFIG_FONT_SUPPORT=y # CONFIG_FONTS is not set diff --git a/config/kernel/kernel.config.i586-ipfire-pae b/config/kernel/kernel.config.i586-ipfire-pae index 9b53ab35c3..318384613e 100644 --- a/config/kernel/kernel.config.i586-ipfire-pae +++ b/config/kernel/kernel.config.i586-ipfire-pae @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.14.154-ipfire-pae Kernel Configuration +# Linux/x86 4.14.170-ipfire-pae Kernel Configuration # # CONFIG_64BIT is not set CONFIG_X86_32=y @@ -233,7 +233,7 @@ CONFIG_SLAB_MERGE_DEFAULT=y CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y CONFIG_SLUB_CPU_PARTIAL=y -# CONFIG_SYSTEM_DATA_VERIFICATION is not set +CONFIG_SYSTEM_DATA_VERIFICATION=y # CONFIG_PROFILING is not set CONFIG_TRACEPOINTS=y CONFIG_HOTPLUG_SMT=y 
@@ -335,7 +335,15 @@ CONFIG_MODULE_UNLOAD=y # CONFIG_MODULE_FORCE_UNLOAD is not set CONFIG_MODVERSIONS=y CONFIG_MODULE_SRCVERSION_ALL=y -# CONFIG_MODULE_SIG is not set +CONFIG_MODULE_SIG=y +CONFIG_MODULE_SIG_FORCE=y +CONFIG_MODULE_SIG_ALL=y +# CONFIG_MODULE_SIG_SHA1 is not set +# CONFIG_MODULE_SIG_SHA224 is not set +# CONFIG_MODULE_SIG_SHA256 is not set +# CONFIG_MODULE_SIG_SHA384 is not set +CONFIG_MODULE_SIG_SHA512=y +CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_COMPRESS=y # CONFIG_MODULE_COMPRESS_GZIP is not set CONFIG_MODULE_COMPRESS_XZ=y @@ -399,7 +407,7 @@ CONFIG_IOSCHED_BFQ=y CONFIG_BFQ_GROUP_IOSCHED=y CONFIG_PREEMPT_NOTIFIERS=y CONFIG_PADATA=y -CONFIG_ASN1=m +CONFIG_ASN1=y CONFIG_INLINE_SPIN_UNLOCK_IRQ=y CONFIG_INLINE_READ_UNLOCK=y CONFIG_INLINE_READ_UNLOCK_IRQ=y @@ -6709,6 +6717,7 @@ CONFIG_DOUBLEFAULT=y # CONFIG_DEBUG_TLBFLUSH is not set # CONFIG_IOMMU_STRESS is not set CONFIG_HAVE_MMIOTRACE_SUPPORT=y +# CONFIG_X86_DECODER_SELFTEST is not set CONFIG_IO_DELAY_TYPE_0X80=0 CONFIG_IO_DELAY_TYPE_0XED=1 CONFIG_IO_DELAY_TYPE_UDELAY=2 @@ -6772,6 +6781,7 @@ CONFIG_CRYPTO=y # # Crypto core or helper # +# CONFIG_CRYPTO_FIPS is not set CONFIG_CRYPTO_ALGAPI=y CONFIG_CRYPTO_ALGAPI2=y CONFIG_CRYPTO_AEAD=y @@ -6784,11 +6794,11 @@ CONFIG_CRYPTO_RNG=y CONFIG_CRYPTO_RNG2=y CONFIG_CRYPTO_RNG_DEFAULT=y CONFIG_CRYPTO_AKCIPHER2=y -CONFIG_CRYPTO_AKCIPHER=m +CONFIG_CRYPTO_AKCIPHER=y CONFIG_CRYPTO_KPP2=y CONFIG_CRYPTO_KPP=m CONFIG_CRYPTO_ACOMP2=y -CONFIG_CRYPTO_RSA=m +CONFIG_CRYPTO_RSA=y CONFIG_CRYPTO_DH=m CONFIG_CRYPTO_ECDH=m CONFIG_CRYPTO_MANAGER=y @@ -6857,7 +6867,7 @@ CONFIG_CRYPTO_RMD256=m CONFIG_CRYPTO_RMD320=m CONFIG_CRYPTO_SHA1=y CONFIG_CRYPTO_SHA256=y -CONFIG_CRYPTO_SHA512=m +CONFIG_CRYPTO_SHA512=y CONFIG_CRYPTO_SHA3=m CONFIG_CRYPTO_TGR192=m CONFIG_CRYPTO_WP512=m 
@@ -6914,6 +6924,7 @@ CONFIG_CRYPTO_USER_API_HASH=y CONFIG_CRYPTO_USER_API_SKCIPHER=y CONFIG_CRYPTO_USER_API_RNG=m CONFIG_CRYPTO_USER_API_AEAD=m +CONFIG_CRYPTO_HASH_INFO=y CONFIG_CRYPTO_HW=y CONFIG_CRYPTO_DEV_PADLOCK=m CONFIG_CRYPTO_DEV_PADLOCK_AES=m @@ -6933,11 +6944,21 @@ CONFIG_CRYPTO_DEV_QAT_C3XXXVF=m CONFIG_CRYPTO_DEV_QAT_C62XVF=m CONFIG_CRYPTO_DEV_CHELSIO=m CONFIG_CRYPTO_DEV_VIRTIO=m -# CONFIG_ASYMMETRIC_KEY_TYPE is not set +CONFIG_ASYMMETRIC_KEY_TYPE=y +CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y +CONFIG_X509_CERTIFICATE_PARSER=y +CONFIG_PKCS7_MESSAGE_PARSER=y +CONFIG_PKCS7_TEST_KEY=m +# CONFIG_SIGNED_PE_FILE_VERIFICATION is not set # # Certificates for signature checking # +CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" +CONFIG_SYSTEM_TRUSTED_KEYRING=y +CONFIG_SYSTEM_TRUSTED_KEYS="" +# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set +# CONFIG_SECONDARY_TRUSTED_KEYRING is not set # CONFIG_SYSTEM_BLACKLIST_KEYRING is not set CONFIG_HAVE_KVM=y CONFIG_HAVE_KVM_IRQCHIP=y @@ -7045,8 +7066,8 @@ CONFIG_CLZ_TAB=y CONFIG_CORDIC=m # CONFIG_DDR is not set CONFIG_IRQ_POLL=y -CONFIG_MPILIB=m -CONFIG_OID_REGISTRY=m +CONFIG_MPILIB=y +CONFIG_OID_REGISTRY=y CONFIG_UCS2_STRING=y CONFIG_FONT_SUPPORT=y # CONFIG_FONTS is not set diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 2fcf1e589d..b16d135046 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.14.154-ipfire Kernel Configuration +# Linux/x86 4.14.170-ipfire Kernel Configuration # CONFIG_64BIT=y CONFIG_X86_64=y @@ -242,7 +242,7 @@ CONFIG_SLAB_MERGE_DEFAULT=y CONFIG_SLAB_FREELIST_RANDOM=y CONFIG_SLAB_FREELIST_HARDENED=y CONFIG_SLUB_CPU_PARTIAL=y -# CONFIG_SYSTEM_DATA_VERIFICATION is not set +CONFIG_SYSTEM_DATA_VERIFICATION=y # CONFIG_PROFILING is not set CONFIG_TRACEPOINTS=y CONFIG_HOTPLUG_SMT=y 
@@ -354,7 +354,15 @@ CONFIG_MODULE_UNLOAD=y # CONFIG_MODULE_FORCE_UNLOAD is not set CONFIG_MODVERSIONS=y CONFIG_MODULE_SRCVERSION_ALL=y -# CONFIG_MODULE_SIG is not set +CONFIG_MODULE_SIG=y +CONFIG_MODULE_SIG_FORCE=y +CONFIG_MODULE_SIG_ALL=y +# CONFIG_MODULE_SIG_SHA1 is not set +# CONFIG_MODULE_SIG_SHA224 is not set +# CONFIG_MODULE_SIG_SHA256 is not set +# CONFIG_MODULE_SIG_SHA384 is not set +CONFIG_MODULE_SIG_SHA512=y +CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_COMPRESS=y # CONFIG_MODULE_COMPRESS_GZIP is not set CONFIG_MODULE_COMPRESS_XZ=y @@ -418,7 +426,7 @@ CONFIG_IOSCHED_BFQ=y CONFIG_BFQ_GROUP_IOSCHED=y CONFIG_PREEMPT_NOTIFIERS=y CONFIG_PADATA=y -CONFIG_ASN1=m +CONFIG_ASN1=y CONFIG_INLINE_SPIN_UNLOCK_IRQ=y CONFIG_INLINE_READ_UNLOCK=y CONFIG_INLINE_READ_UNLOCK_IRQ=y @@ -6565,6 +6573,7 @@ CONFIG_DOUBLEFAULT=y # CONFIG_DEBUG_TLBFLUSH is not set # CONFIG_IOMMU_STRESS is not set CONFIG_HAVE_MMIOTRACE_SUPPORT=y +# CONFIG_X86_DECODER_SELFTEST is not set CONFIG_IO_DELAY_TYPE_0X80=0 CONFIG_IO_DELAY_TYPE_0XED=1 CONFIG_IO_DELAY_TYPE_UDELAY=2 @@ -6630,6 +6639,7 @@ CONFIG_CRYPTO=y # # Crypto core or helper # +# CONFIG_CRYPTO_FIPS is not set CONFIG_CRYPTO_ALGAPI=y CONFIG_CRYPTO_ALGAPI2=y CONFIG_CRYPTO_AEAD=y @@ -6642,11 +6652,11 @@ CONFIG_CRYPTO_RNG=y CONFIG_CRYPTO_RNG2=y CONFIG_CRYPTO_RNG_DEFAULT=y CONFIG_CRYPTO_AKCIPHER2=y -CONFIG_CRYPTO_AKCIPHER=m +CONFIG_CRYPTO_AKCIPHER=y CONFIG_CRYPTO_KPP2=y CONFIG_CRYPTO_KPP=m CONFIG_CRYPTO_ACOMP2=y -CONFIG_CRYPTO_RSA=m +CONFIG_CRYPTO_RSA=y CONFIG_CRYPTO_DH=m CONFIG_CRYPTO_ECDH=m CONFIG_CRYPTO_MANAGER=y @@ -6723,7 +6733,7 @@ CONFIG_CRYPTO_SHA1_MB=m CONFIG_CRYPTO_SHA256_MB=m CONFIG_CRYPTO_SHA512_MB=m CONFIG_CRYPTO_SHA256=y -CONFIG_CRYPTO_SHA512=m +CONFIG_CRYPTO_SHA512=y CONFIG_CRYPTO_SHA3=m CONFIG_CRYPTO_TGR192=m CONFIG_CRYPTO_WP512=m 
@@ -6793,6 +6803,7 @@ CONFIG_CRYPTO_USER_API_HASH=y CONFIG_CRYPTO_USER_API_SKCIPHER=y CONFIG_CRYPTO_USER_API_RNG=m CONFIG_CRYPTO_USER_API_AEAD=m +CONFIG_CRYPTO_HASH_INFO=y CONFIG_CRYPTO_HW=y CONFIG_CRYPTO_DEV_PADLOCK=m CONFIG_CRYPTO_DEV_PADLOCK_AES=m @@ -6813,11 +6824,21 @@ CONFIG_CRYPTO_DEV_NITROX=m CONFIG_CRYPTO_DEV_NITROX_CNN55XX=m CONFIG_CRYPTO_DEV_CHELSIO=m CONFIG_CRYPTO_DEV_VIRTIO=m -# CONFIG_ASYMMETRIC_KEY_TYPE is not set +CONFIG_ASYMMETRIC_KEY_TYPE=y +CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y +CONFIG_X509_CERTIFICATE_PARSER=y +CONFIG_PKCS7_MESSAGE_PARSER=y +# CONFIG_PKCS7_TEST_KEY is not set +# CONFIG_SIGNED_PE_FILE_VERIFICATION is not set # # Certificates for signature checking # +CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" +CONFIG_SYSTEM_TRUSTED_KEYRING=y +CONFIG_SYSTEM_TRUSTED_KEYS="" +# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set +# CONFIG_SECONDARY_TRUSTED_KEYRING is not set # CONFIG_SYSTEM_BLACKLIST_KEYRING is not set CONFIG_HAVE_KVM=y CONFIG_HAVE_KVM_IRQCHIP=y @@ -6925,8 +6946,8 @@ CONFIG_CLZ_TAB=y CONFIG_CORDIC=m # CONFIG_DDR is not set CONFIG_IRQ_POLL=y -CONFIG_MPILIB=m -CONFIG_OID_REGISTRY=m +CONFIG_MPILIB=y +CONFIG_OID_REGISTRY=y CONFIG_UCS2_STRING=y CONFIG_FONT_SUPPORT=y # CONFIG_FONTS is not set diff --git a/config/kernel/x509.genkey b/config/kernel/x509.genkey new file mode 100644 index 0000000000..9640ec6d06 --- /dev/null +++ b/config/kernel/x509.genkey @@ -0,0 +1,17 @@ +[ req ] +default_bits = 4096 +distinguished_name = req_distinguished_name +prompt = no +string_mask = utf8only +x509_extensions = myexts + +[ req_distinguished_name ] +O = IPFire.org +CN = Build time autogenerated kernel key +emailAddress = development@lists.ipfire.org + +[ myexts ] +basicConstraints=critical,CA:FALSE +keyUsage=digitalSignature +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid diff --git a/config/rootfiles/common/i586/linux b/config/rootfiles/common/i586/linux index 684dbe07bd..e65260974f 100644 --- a/config/rootfiles/common/i586/linux 
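Review bot: The new `config/kernel/x509.genkey` has no comment saying what consumes it or how the resulting key is meant to be handled, although it defines the certificate that every enforced module signature is checked against. I would add a header such as `# Template for the module signing key; lfs/linux copies it to certs/x509.genkey before the kernel build.` followed by `# The key pair is generated per build; signing_key.pem is private and must never be packaged.` The file sets no digest, so the certificate's hash presumably follows `CONFIG_MODULE_SIG_HASH="sha512"` through the kernel's key-generation rule; that is worth confirming and noting in the same comment.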
+++ b/config/rootfiles/common/i586/linux @@ -2092,6 +2092,8 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/certs #lib/modules/KVER-ipfire/build/certs/Kconfig #lib/modules/KVER-ipfire/build/certs/Makefile +#lib/modules/KVER-ipfire/build/certs/signing_key.pem +#lib/modules/KVER-ipfire/build/certs/signing_key.x509 #lib/modules/KVER-ipfire/build/crypto #lib/modules/KVER-ipfire/build/crypto/Kconfig #lib/modules/KVER-ipfire/build/crypto/Makefile @@ -6198,6 +6200,12 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/asus/nb/wmi.h #lib/modules/KVER-ipfire/build/include/config/asus/wireless.h #lib/modules/KVER-ipfire/build/include/config/asus/wmi.h +#lib/modules/KVER-ipfire/build/include/config/asymmetric +#lib/modules/KVER-ipfire/build/include/config/asymmetric/key +#lib/modules/KVER-ipfire/build/include/config/asymmetric/key/type.h +#lib/modules/KVER-ipfire/build/include/config/asymmetric/public +#lib/modules/KVER-ipfire/build/include/config/asymmetric/public/key +#lib/modules/KVER-ipfire/build/include/config/asymmetric/public/key/subtype.h #lib/modules/KVER-ipfire/build/include/config/async #lib/modules/KVER-ipfire/build/include/config/async/core.h #lib/modules/KVER-ipfire/build/include/config/async/memcpy.h @@ -6853,7 +6861,9 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/crypto/glue #lib/modules/KVER-ipfire/build/include/config/crypto/glue/helper #lib/modules/KVER-ipfire/build/include/config/crypto/glue/helper/x86.h +#lib/modules/KVER-ipfire/build/include/config/crypto/hash #lib/modules/KVER-ipfire/build/include/config/crypto/hash.h +#lib/modules/KVER-ipfire/build/include/config/crypto/hash/info.h #lib/modules/KVER-ipfire/build/include/config/crypto/hash2.h #lib/modules/KVER-ipfire/build/include/config/crypto/hmac.h #lib/modules/KVER-ipfire/build/include/config/crypto/hw.h 
@@ -9077,6 +9087,13 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/module/compress #lib/modules/KVER-ipfire/build/include/config/module/compress.h #lib/modules/KVER-ipfire/build/include/config/module/compress/xz.h +#lib/modules/KVER-ipfire/build/include/config/module/sig +#lib/modules/KVER-ipfire/build/include/config/module/sig.h +#lib/modules/KVER-ipfire/build/include/config/module/sig/all.h +#lib/modules/KVER-ipfire/build/include/config/module/sig/force.h +#lib/modules/KVER-ipfire/build/include/config/module/sig/hash.h +#lib/modules/KVER-ipfire/build/include/config/module/sig/key.h +#lib/modules/KVER-ipfire/build/include/config/module/sig/sha512.h #lib/modules/KVER-ipfire/build/include/config/module/srcversion #lib/modules/KVER-ipfire/build/include/config/module/srcversion/all.h #lib/modules/KVER-ipfire/build/include/config/module/unload.h @@ -10008,6 +10025,11 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/pinctrl/lewisburg.h #lib/modules/KVER-ipfire/build/include/config/pinctrl/mcp23s08.h #lib/modules/KVER-ipfire/build/include/config/pinmux.h +#lib/modules/KVER-ipfire/build/include/config/pkcs7 +#lib/modules/KVER-ipfire/build/include/config/pkcs7/message +#lib/modules/KVER-ipfire/build/include/config/pkcs7/message/parser.h +#lib/modules/KVER-ipfire/build/include/config/pkcs7/test +#lib/modules/KVER-ipfire/build/include/config/pkcs7/test/key.h #lib/modules/KVER-ipfire/build/include/config/plx #lib/modules/KVER-ipfire/build/include/config/plx/hermes.h #lib/modules/KVER-ipfire/build/include/config/pm 
@@ -11265,6 +11287,12 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/sysfs #lib/modules/KVER-ipfire/build/include/config/sysfs.h #lib/modules/KVER-ipfire/build/include/config/sysfs/syscall.h +#lib/modules/KVER-ipfire/build/include/config/system +#lib/modules/KVER-ipfire/build/include/config/system/data +#lib/modules/KVER-ipfire/build/include/config/system/data/verification.h +#lib/modules/KVER-ipfire/build/include/config/system/trusted +#lib/modules/KVER-ipfire/build/include/config/system/trusted/keyring.h +#lib/modules/KVER-ipfire/build/include/config/system/trusted/keys.h #lib/modules/KVER-ipfire/build/include/config/sysvipc #lib/modules/KVER-ipfire/build/include/config/sysvipc.h #lib/modules/KVER-ipfire/build/include/config/sysvipc/sysctl.h @@ -12118,6 +12146,9 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/wlcore/sdio.h #lib/modules/KVER-ipfire/build/include/config/wmi #lib/modules/KVER-ipfire/build/include/config/wmi/bmof.h +#lib/modules/KVER-ipfire/build/include/config/x509 +#lib/modules/KVER-ipfire/build/include/config/x509/certificate +#lib/modules/KVER-ipfire/build/include/config/x509/certificate/parser.h #lib/modules/KVER-ipfire/build/include/config/x86 #lib/modules/KVER-ipfire/build/include/config/x86.h #lib/modules/KVER-ipfire/build/include/config/x86/32 @@ -17577,6 +17608,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/scripts/dtc/util.h #lib/modules/KVER-ipfire/build/scripts/dtc/version_gen.h #lib/modules/KVER-ipfire/build/scripts/export_report.pl +#lib/modules/KVER-ipfire/build/scripts/extract-cert #lib/modules/KVER-ipfire/build/scripts/extract-cert.c #lib/modules/KVER-ipfire/build/scripts/extract-ikconfig #lib/modules/KVER-ipfire/build/scripts/extract-module-sig.pl 
@@ -17758,6 +17790,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/scripts/selinux/mdp/mdp.c #lib/modules/KVER-ipfire/build/scripts/setlocalversion #lib/modules/KVER-ipfire/build/scripts/show_delta +#lib/modules/KVER-ipfire/build/scripts/sign-file #lib/modules/KVER-ipfire/build/scripts/sign-file.c #lib/modules/KVER-ipfire/build/scripts/sortextable #lib/modules/KVER-ipfire/build/scripts/sortextable.c @@ -18485,6 +18518,8 @@ lib/modules/KVER-ipfire/kernel #lib/modules/KVER-ipfire/kernel/crypto/ansi_cprng.ko.xz #lib/modules/KVER-ipfire/kernel/crypto/anubis.ko.xz #lib/modules/KVER-ipfire/kernel/crypto/arc4.ko.xz +#lib/modules/KVER-ipfire/kernel/crypto/asymmetric_keys +#lib/modules/KVER-ipfire/kernel/crypto/asymmetric_keys/pkcs7_test_key.ko.xz #lib/modules/KVER-ipfire/kernel/crypto/async_tx #lib/modules/KVER-ipfire/kernel/crypto/async_tx/async_memcpy.ko.xz #lib/modules/KVER-ipfire/kernel/crypto/async_tx/async_pq.ko.xz @@ -18527,12 +18562,10 @@ lib/modules/KVER-ipfire/kernel #lib/modules/KVER-ipfire/kernel/crypto/rmd160.ko.xz #lib/modules/KVER-ipfire/kernel/crypto/rmd256.ko.xz #lib/modules/KVER-ipfire/kernel/crypto/rmd320.ko.xz -#lib/modules/KVER-ipfire/kernel/crypto/rsa_generic.ko.xz #lib/modules/KVER-ipfire/kernel/crypto/salsa20_generic.ko.xz #lib/modules/KVER-ipfire/kernel/crypto/seed.ko.xz #lib/modules/KVER-ipfire/kernel/crypto/serpent_generic.ko.xz #lib/modules/KVER-ipfire/kernel/crypto/sha3_generic.ko.xz -#lib/modules/KVER-ipfire/kernel/crypto/sha512_generic.ko.xz #lib/modules/KVER-ipfire/kernel/crypto/tcrypt.ko.xz #lib/modules/KVER-ipfire/kernel/crypto/tea.ko.xz #lib/modules/KVER-ipfire/kernel/crypto/tgr192.ko.xz 
@@ -21202,7 +21235,6 @@ lib/modules/KVER-ipfire/kernel #lib/modules/KVER-ipfire/kernel/lib/842 #lib/modules/KVER-ipfire/kernel/lib/842/842_compress.ko.xz #lib/modules/KVER-ipfire/kernel/lib/842/842_decompress.ko.xz -#lib/modules/KVER-ipfire/kernel/lib/asn1_decoder.ko.xz #lib/modules/KVER-ipfire/kernel/lib/cordic.ko.xz #lib/modules/KVER-ipfire/kernel/lib/crc-itu-t.ko.xz #lib/modules/KVER-ipfire/kernel/lib/crc7.ko.xz @@ -21212,9 +21244,6 @@ lib/modules/KVER-ipfire/kernel #lib/modules/KVER-ipfire/kernel/lib/lz4/lz4hc_compress.ko.xz #lib/modules/KVER-ipfire/kernel/lib/lzo #lib/modules/KVER-ipfire/kernel/lib/lzo/lzo_compress.ko.xz -#lib/modules/KVER-ipfire/kernel/lib/mpi -#lib/modules/KVER-ipfire/kernel/lib/mpi/mpi.ko.xz -#lib/modules/KVER-ipfire/kernel/lib/oid_registry.ko.xz #lib/modules/KVER-ipfire/kernel/lib/parman.ko.xz #lib/modules/KVER-ipfire/kernel/lib/raid6 #lib/modules/KVER-ipfire/kernel/lib/raid6/raid6_pq.ko.xz diff --git a/config/rootfiles/packages/linux-pae b/config/rootfiles/packages/linux-pae index c0894cd1fa..8c7b1f66be 100644 --- a/config/rootfiles/packages/linux-pae +++ b/config/rootfiles/packages/linux-pae @@ -2092,6 +2092,8 @@ boot/vmlinuz-KVER-ipfire-pae #lib/modules/KVER-ipfire-pae/build/certs #lib/modules/KVER-ipfire-pae/build/certs/Kconfig #lib/modules/KVER-ipfire-pae/build/certs/Makefile +#lib/modules/KVER-ipfire-pae/build/certs/signing_key.pem +#lib/modules/KVER-ipfire-pae/build/certs/signing_key.x509 #lib/modules/KVER-ipfire-pae/build/crypto #lib/modules/KVER-ipfire-pae/build/crypto/Kconfig #lib/modules/KVER-ipfire-pae/build/crypto/Makefile 
@@ -6204,6 +6206,12 @@ boot/vmlinuz-KVER-ipfire-pae #lib/modules/KVER-ipfire-pae/build/include/config/asus/nb/wmi.h #lib/modules/KVER-ipfire-pae/build/include/config/asus/wireless.h #lib/modules/KVER-ipfire-pae/build/include/config/asus/wmi.h +#lib/modules/KVER-ipfire-pae/build/include/config/asymmetric +#lib/modules/KVER-ipfire-pae/build/include/config/asymmetric/key +#lib/modules/KVER-ipfire-pae/build/include/config/asymmetric/key/type.h +#lib/modules/KVER-ipfire-pae/build/include/config/asymmetric/public +#lib/modules/KVER-ipfire-pae/build/include/config/asymmetric/public/key +#lib/modules/KVER-ipfire-pae/build/include/config/asymmetric/public/key/subtype.h #lib/modules/KVER-ipfire-pae/build/include/config/async #lib/modules/KVER-ipfire-pae/build/include/config/async/core.h #lib/modules/KVER-ipfire-pae/build/include/config/async/memcpy.h @@ -6862,7 +6870,9 @@ boot/vmlinuz-KVER-ipfire-pae #lib/modules/KVER-ipfire-pae/build/include/config/crypto/glue #lib/modules/KVER-ipfire-pae/build/include/config/crypto/glue/helper #lib/modules/KVER-ipfire-pae/build/include/config/crypto/glue/helper/x86.h +#lib/modules/KVER-ipfire-pae/build/include/config/crypto/hash #lib/modules/KVER-ipfire-pae/build/include/config/crypto/hash.h +#lib/modules/KVER-ipfire-pae/build/include/config/crypto/hash/info.h #lib/modules/KVER-ipfire-pae/build/include/config/crypto/hash2.h #lib/modules/KVER-ipfire-pae/build/include/config/crypto/hmac.h #lib/modules/KVER-ipfire-pae/build/include/config/crypto/hw.h 
@@ -9076,6 +9086,13 @@ boot/vmlinuz-KVER-ipfire-pae #lib/modules/KVER-ipfire-pae/build/include/config/module/compress #lib/modules/KVER-ipfire-pae/build/include/config/module/compress.h #lib/modules/KVER-ipfire-pae/build/include/config/module/compress/xz.h +#lib/modules/KVER-ipfire-pae/build/include/config/module/sig +#lib/modules/KVER-ipfire-pae/build/include/config/module/sig.h +#lib/modules/KVER-ipfire-pae/build/include/config/module/sig/all.h +#lib/modules/KVER-ipfire-pae/build/include/config/module/sig/force.h +#lib/modules/KVER-ipfire-pae/build/include/config/module/sig/hash.h +#lib/modules/KVER-ipfire-pae/build/include/config/module/sig/key.h +#lib/modules/KVER-ipfire-pae/build/include/config/module/sig/sha512.h #lib/modules/KVER-ipfire-pae/build/include/config/module/srcversion #lib/modules/KVER-ipfire-pae/build/include/config/module/srcversion/all.h #lib/modules/KVER-ipfire-pae/build/include/config/module/unload.h @@ -10012,6 +10029,11 @@ boot/vmlinuz-KVER-ipfire-pae #lib/modules/KVER-ipfire-pae/build/include/config/pinctrl/lewisburg.h #lib/modules/KVER-ipfire-pae/build/include/config/pinctrl/mcp23s08.h #lib/modules/KVER-ipfire-pae/build/include/config/pinmux.h +#lib/modules/KVER-ipfire-pae/build/include/config/pkcs7 +#lib/modules/KVER-ipfire-pae/build/include/config/pkcs7/message +#lib/modules/KVER-ipfire-pae/build/include/config/pkcs7/message/parser.h +#lib/modules/KVER-ipfire-pae/build/include/config/pkcs7/test +#lib/modules/KVER-ipfire-pae/build/include/config/pkcs7/test/key.h #lib/modules/KVER-ipfire-pae/build/include/config/plx #lib/modules/KVER-ipfire-pae/build/include/config/plx/hermes.h #lib/modules/KVER-ipfire-pae/build/include/config/pm 
@@ -11268,6 +11290,12 @@ boot/vmlinuz-KVER-ipfire-pae #lib/modules/KVER-ipfire-pae/build/include/config/sysfs #lib/modules/KVER-ipfire-pae/build/include/config/sysfs.h #lib/modules/KVER-ipfire-pae/build/include/config/sysfs/syscall.h +#lib/modules/KVER-ipfire-pae/build/include/config/system +#lib/modules/KVER-ipfire-pae/build/include/config/system/data +#lib/modules/KVER-ipfire-pae/build/include/config/system/data/verification.h +#lib/modules/KVER-ipfire-pae/build/include/config/system/trusted +#lib/modules/KVER-ipfire-pae/build/include/config/system/trusted/keyring.h +#lib/modules/KVER-ipfire-pae/build/include/config/system/trusted/keys.h #lib/modules/KVER-ipfire-pae/build/include/config/sysvipc #lib/modules/KVER-ipfire-pae/build/include/config/sysvipc.h #lib/modules/KVER-ipfire-pae/build/include/config/sysvipc/sysctl.h @@ -12121,6 +12149,9 @@ boot/vmlinuz-KVER-ipfire-pae #lib/modules/KVER-ipfire-pae/build/include/config/wlcore/sdio.h #lib/modules/KVER-ipfire-pae/build/include/config/wmi #lib/modules/KVER-ipfire-pae/build/include/config/wmi/bmof.h +#lib/modules/KVER-ipfire-pae/build/include/config/x509 +#lib/modules/KVER-ipfire-pae/build/include/config/x509/certificate +#lib/modules/KVER-ipfire-pae/build/include/config/x509/certificate/parser.h #lib/modules/KVER-ipfire-pae/build/include/config/x86 #lib/modules/KVER-ipfire-pae/build/include/config/x86.h #lib/modules/KVER-ipfire-pae/build/include/config/x86/32 @@ -17647,6 +17678,7 @@ boot/vmlinuz-KVER-ipfire-pae #lib/modules/KVER-ipfire-pae/build/scripts/dtc/util.h #lib/modules/KVER-ipfire-pae/build/scripts/dtc/version_gen.h #lib/modules/KVER-ipfire-pae/build/scripts/export_report.pl +#lib/modules/KVER-ipfire-pae/build/scripts/extract-cert #lib/modules/KVER-ipfire-pae/build/scripts/extract-cert.c #lib/modules/KVER-ipfire-pae/build/scripts/extract-ikconfig #lib/modules/KVER-ipfire-pae/build/scripts/extract-module-sig.pl 
@@ -17828,6 +17860,7 @@ boot/vmlinuz-KVER-ipfire-pae
 #lib/modules/KVER-ipfire-pae/build/scripts/selinux/mdp/mdp.c
 #lib/modules/KVER-ipfire-pae/build/scripts/setlocalversion
 #lib/modules/KVER-ipfire-pae/build/scripts/show_delta
+#lib/modules/KVER-ipfire-pae/build/scripts/sign-file
 #lib/modules/KVER-ipfire-pae/build/scripts/sign-file.c
 #lib/modules/KVER-ipfire-pae/build/scripts/sortextable
 #lib/modules/KVER-ipfire-pae/build/scripts/sortextable.c
@@ -18555,6 +18588,8 @@ lib/modules/KVER-ipfire-pae/kernel
 #lib/modules/KVER-ipfire-pae/kernel/crypto/ansi_cprng.ko.xz
 #lib/modules/KVER-ipfire-pae/kernel/crypto/anubis.ko.xz
 #lib/modules/KVER-ipfire-pae/kernel/crypto/arc4.ko.xz
+#lib/modules/KVER-ipfire-pae/kernel/crypto/asymmetric_keys
+#lib/modules/KVER-ipfire-pae/kernel/crypto/asymmetric_keys/pkcs7_test_key.ko.xz
 #lib/modules/KVER-ipfire-pae/kernel/crypto/async_tx
 #lib/modules/KVER-ipfire-pae/kernel/crypto/async_tx/async_memcpy.ko.xz
 #lib/modules/KVER-ipfire-pae/kernel/crypto/async_tx/async_pq.ko.xz
@@ -18597,12 +18632,10 @@ lib/modules/KVER-ipfire-pae/kernel
 #lib/modules/KVER-ipfire-pae/kernel/crypto/rmd160.ko.xz
 #lib/modules/KVER-ipfire-pae/kernel/crypto/rmd256.ko.xz
 #lib/modules/KVER-ipfire-pae/kernel/crypto/rmd320.ko.xz
-#lib/modules/KVER-ipfire-pae/kernel/crypto/rsa_generic.ko.xz
 #lib/modules/KVER-ipfire-pae/kernel/crypto/salsa20_generic.ko.xz
 #lib/modules/KVER-ipfire-pae/kernel/crypto/seed.ko.xz
 #lib/modules/KVER-ipfire-pae/kernel/crypto/serpent_generic.ko.xz
 #lib/modules/KVER-ipfire-pae/kernel/crypto/sha3_generic.ko.xz
-#lib/modules/KVER-ipfire-pae/kernel/crypto/sha512_generic.ko.xz
 #lib/modules/KVER-ipfire-pae/kernel/crypto/tcrypt.ko.xz
 #lib/modules/KVER-ipfire-pae/kernel/crypto/tea.ko.xz
 #lib/modules/KVER-ipfire-pae/kernel/crypto/tgr192.ko.xz
@@ -21288,7 +21321,6 @@ lib/modules/KVER-ipfire-pae/kernel #lib/modules/KVER-ipfire-pae/kernel/lib/842 #lib/modules/KVER-ipfire-pae/kernel/lib/842/842_compress.ko.xz #lib/modules/KVER-ipfire-pae/kernel/lib/842/842_decompress.ko.xz -#lib/modules/KVER-ipfire-pae/kernel/lib/asn1_decoder.ko.xz #lib/modules/KVER-ipfire-pae/kernel/lib/cordic.ko.xz #lib/modules/KVER-ipfire-pae/kernel/lib/crc-itu-t.ko.xz #lib/modules/KVER-ipfire-pae/kernel/lib/crc4.ko.xz @@ -21299,9 +21331,6 @@ lib/modules/KVER-ipfire-pae/kernel #lib/modules/KVER-ipfire-pae/kernel/lib/lz4/lz4hc_compress.ko.xz #lib/modules/KVER-ipfire-pae/kernel/lib/lzo #lib/modules/KVER-ipfire-pae/kernel/lib/lzo/lzo_compress.ko.xz -#lib/modules/KVER-ipfire-pae/kernel/lib/mpi -#lib/modules/KVER-ipfire-pae/kernel/lib/mpi/mpi.ko.xz -#lib/modules/KVER-ipfire-pae/kernel/lib/oid_registry.ko.xz #lib/modules/KVER-ipfire-pae/kernel/lib/parman.ko.xz #lib/modules/KVER-ipfire-pae/kernel/lib/raid6 #lib/modules/KVER-ipfire-pae/kernel/lib/raid6/raid6_pq.ko.xz diff --git a/lfs/linux b/lfs/linux index 8c28c26dc0..9bfa49fb87 100644 --- a/lfs/linux +++ b/lfs/linux @@ -178,6 +178,9 @@ else cd $(DIR_APP) && make clean cd $(DIR_APP) && sed -i -e 's/EXTRAVERSION\ =.*/EXTRAVERSION\ =\ -$(VERSUFIX)/' Makefile + # Copy Module signing key configuration + cp -f $(DIR_SRC)/config/kernel/x509.genkey $(DIR_APP)/certs/x509.genkey + # Remove modules folder if exists rm -rf /lib/modules/$(VER)-$(VERSUFIX) @@ -219,6 +222,9 @@ endif cd $(DIR_APP) && cp -a --parents arch/$(HEADERS_ARCH)/include /lib/modules/$(VER)-$(VERSUFIX)/build cd $(DIR_APP) && cp -a include /lib/modules/$(VER)-$(VERSUFIX)/build/include + # Copy module signing key for off tree modules + cd $(DIR_APP) && cp -f certs/signing_key.* /lib/modules/$(VER)-$(VERSUFIX)/build/certs/ + # Install objtool cd $(DIR_APP) && cp -a tools/objtool/objtool \ /lib/modules/$(VER)-$(VERSUFIX)/build/tools/objtool/ || : diff --git a/lfs/xtables-addons b/lfs/xtables-addons index 2152fa5fd1..651a13f9c5 100644 
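Review bot: The second lfs/linux hunk copies `certs/signing_key.*` into `/lib/modules/$(VER)-$(VERSUFIX)/build/certs/`, and `signing_key.pem` holds the private half of the module-signing key, yet nothing visible removes it again or keeps it out of a package. Because the kernel config sets `CONFIG_MODULE_SIG_FORCE=y`, the whole module-loading restriction rests on that file staying private, so I would put `# signing_key.pem is the PRIVATE signing key: build host only, never list it in a rootfile` above the copy and delete the key once the last out-of-tree package has been signed. The hunk also does not show `build/certs` being created; if nothing outside the hunk does it, add `mkdir -p /lib/modules/$(VER)-$(VERSUFIX)/build/certs` before the `cp`. The recipe starts and ends outside the hunk, so cleanup may already exist elsewhere.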
--- a/lfs/xtables-addons +++ b/lfs/xtables-addons @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team # +# Copyright (C) 2007-2020 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -106,9 +106,14 @@ else cd $(DIR_APP) && make $(MAKETUNING) # Install the built kernel modules. + mkdir -p $(MODPATH) cd $(DIR_APP) && for f in $$(ls extensions/*.ko); do \ - mkdir -p $(MODPATH); \ - install -m 644 $$f $(MODPATH); \ + /lib/modules/$$(uname -r)$(KCFG)/build/scripts/sign-file sha512 \ + /lib/modules/$$(uname -r)$(KCFG)/build/certs/signing_key.pem \ + /lib/modules/$$(uname -r)$(KCFG)/build/certs/signing_key.x509 \ + $$f; \ + xz $$f; \ + install -m 644 $$f.xz $(MODPATH); \ done endif
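Review bot: In the signing loop of the second hunk the `sign-file`, `xz` and `install` steps are joined with `;`, so a failed signature (missing key, wrong path) does not stop the build and an unsigned `.ko.xz` is still installed, which a kernel built with `CONFIG_MODULE_SIG_FORCE=y` will then refuse to load. Chain the steps so the recipe fails at build time instead: `$$f && xz $$f && install -m 644 $$f.xz $(MODPATH) || exit 1; \`. The key path is also built from `$$(uname -r)`, the kernel running on the build host, while the install path comes from `$(MODPATH)`; if those two can differ, the modules are signed with another kernel's key or not at all, so deriving the path from the same version variable as `$(MODPATH)` looks safer (its definition is outside the hunk). The recipe itself starts outside the hunk.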