From 535d24ebd662bbc558d22c23fcc8d018ce1e4d74 Mon Sep 17 00:00:00 2001
From: Alexander Miroshnichenko
Date: Sat, 5 Oct 2024 15:24:39 +0300
Subject: [PATCH] sys-kernel/hardened-kernel: update kernel config
---
 sys-kernel/hardened-kernel/Manifest | 2 +-
 .../files/linux-6.6.amd64.config | 28 ++++++++++---------
 2 files changed, 16 insertions(+), 14 deletions(-)
diff --git a/sys-kernel/hardened-kernel/Manifest b/sys-kernel/hardened-kernel/Manifest
index 5294671..c446958 100644
--- a/sys-kernel/hardened-kernel/Manifest
+++ b/sys-kernel/hardened-kernel/Manifest
@@ -1,5 +1,5 @@ AUX linux-6.1.amd64.config 174782 BLAKE2B 0e4a6382a52a14dc8f7fcb7d0912b9509cba70119a4d9818cf30af0a2b1c1d8a47fda164b5190c0916c90d7aaf106c82dcd79b8de9aaf9cb50c97501bd43b5a9 SHA512 dcb15715c26a4790782594c53a4c7614a85b141a5c2bca790189012a115be5bfcdc3119854ced8fa7b6668c4f32d2472b60af975fba262c355181bd6dab5c590 -AUX linux-6.6.amd64.config 183328 BLAKE2B 9021f69b49ff3182f336f20cf7b181c9e9c2bd6805eae942debea00c9eb9534073f931d78aca4f7903c429b7d833d3bf146a72b8536a1397c97777809bbb42c1 SHA512 b8e97c4fb03a2b1b3abe900edf9a47ebc50bb1975b4ebdbf33e87e43e32e54f27946f3ff4964955796731ba73186b41409c739dbb9ea0b0e898a4c909977d148 +AUX linux-6.6.amd64.config 183334 BLAKE2B 681480d5738b545dfa5d3d434477d7f4b60a7d3f73e45db92829a687498fbc4429cd14c09a0ca3c342d6a43252b60ca39367a630371ed36c866adb53ec25a09b SHA512 75b1f5fdca3d226a75a18a37222e0f5e14aefeccc19c71baadf3d244901994a306e3e2e51c4b1d78e9033d5d9d988577ffb06b06355f378296e7b93679f64f6f DIST genpatches-6.1-77.base.tar.xz 4198960 BLAKE2B 9c6921ca87ec2c3338107a994d6e094c6bf4ca5a705f21b3efa2803454327782ccf2cefa78b2a1bfa59413402d5d89b757a5522b86943c8c8c5d97592138758a SHA512 34daab45df35b30a5bc155aa82b074f6516bb1af7b2976590f88d88e25f6e8ae369fd1299f7e2f645c045b29d6b805dd07291ab45c212a9aa27df566dd6aca96 DIST genpatches-6.1-77.extras.tar.xz 3816 BLAKE2B 2129b36991f127c4bb4783a535a2d58bbe8ba9f4f139f7b70bf41a1c54bc2ac9026cdf3e3662f47c28118844ff40b6ad1c8da1c5fa8f1f4edc768fa69cae2083 SHA512 1de0ce45d9a0a1555faa92842f884cbaed8f5e727e4e59cbafc31326c9a183acc4954b2cdba1bec2019466545870ead8b5300f419533e30386aa2a36f6606a9a DIST genpatches-6.6-58.base.tar.xz 3154204 BLAKE2B 5b9456e93cb0984599e065fab0d05e40b7efbc8079763ede75ed7a6e7f0e241de96f0c6438cde52f64a5074f5bfcc5d55b5d3c21a9e9528138ea5c36e164ea58 SHA512 e775ac64564c201c3e1293d34a70f347a5afd5691a006d958f69959d2eea0af690cf66f7bdd450034ef9eb43daeccbedd58819dc688cd3e7e9933da9312cbf75 
diff --git a/sys-kernel/hardened-kernel/files/linux-6.6.amd64.config b/sys-kernel/hardened-kernel/files/linux-6.6.amd64.config
index 167bf16..a609194 100644
--- a/sys-kernel/hardened-kernel/files/linux-6.6.amd64.config
+++ b/sys-kernel/hardened-kernel/files/linux-6.6.amd64.config
@@ -329,7 +329,6 @@ CONFIG_HAVE_INTEL_TXT=y
 CONFIG_X86_64_SMP=y
 CONFIG_ARCH_SUPPORTS_UPROBES=y
 CONFIG_FIX_EARLYCON_MEM=y
-CONFIG_DYNAMIC_PHYSICAL_MASK=y
 CONFIG_PGTABLE_LEVELS=4
 CONFIG_CC_HAS_SANE_STACKPROTECTOR=y
@@ -359,9 +358,9 @@ CONFIG_ARCH_CPUIDLE_HALTPOLL=y
 CONFIG_PVH=y
 CONFIG_PARAVIRT_TIME_ACCOUNTING=y
 CONFIG_PARAVIRT_CLOCK=y
-CONFIG_JAILHOUSE_GUEST=y
+# CONFIG_JAILHOUSE_GUEST is not set
 # CONFIG_ACRN_GUEST is not set
-CONFIG_INTEL_TDX_GUEST=y
+# CONFIG_INTEL_TDX_GUEST is not set
 # CONFIG_MK8 is not set
 # CONFIG_MK8SSE3 is not set
 # CONFIG_MK10 is not set
@@ -418,9 +417,9 @@ CONFIG_IA32_FEAT_CTL=y
 CONFIG_X86_VMX_FEATURE_NAMES=y
 CONFIG_CPU_SUP_INTEL=y
 CONFIG_CPU_SUP_AMD=y
-# CONFIG_CPU_SUP_HYGON is not set
-# CONFIG_CPU_SUP_CENTAUR is not set
-# CONFIG_CPU_SUP_ZHAOXIN is not set
+CONFIG_CPU_SUP_HYGON=y
+CONFIG_CPU_SUP_CENTAUR=y
+CONFIG_CPU_SUP_ZHAOXIN=y
 CONFIG_HPET_TIMER=y
 CONFIG_HPET_EMULATE_RTC=y
 CONFIG_DMI=y
@@ -467,7 +466,6 @@ CONFIG_X86_CPUID=m
 # CONFIG_X86_5LEVEL is not set
 CONFIG_X86_DIRECT_GBPAGES=y
 # CONFIG_X86_CPA_STATISTICS is not set
-CONFIG_X86_MEM_ENCRYPT=y
 # CONFIG_AMD_MEM_ENCRYPT is not set
 CONFIG_NUMA=y
 # CONFIG_AMD_NUMA is not set
@@ -886,7 +884,6 @@ CONFIG_HAVE_ARCH_PREL32_RELOCATIONS=y
 CONFIG_ARCH_USE_MEMREMAP_PROT=y
 CONFIG_LOCK_EVENT_COUNTS=y
 CONFIG_ARCH_HAS_MEM_ENCRYPT=y
-CONFIG_ARCH_HAS_CC_PLATFORM=y
 CONFIG_HAVE_STATIC_CALL=y
 CONFIG_HAVE_STATIC_CALL_INLINE=y
 CONFIG_HAVE_PREEMPT_DYNAMIC=y
@@ -2047,7 +2044,6 @@ CONFIG_EFI_EARLYCON=y
 # CONFIG_EFI_CUSTOM_SSDT_OVERLAYS is not set
 # CONFIG_EFI_DISABLE_RUNTIME is not set
 CONFIG_EFI_COCO_SECRET=y
-CONFIG_UNACCEPTED_MEMORY=y
 # end of EFI (Extensible Firmware Interface) Support
 CONFIG_UEFI_CPER=y
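Review bot: Switching to `# CONFIG_INTEL_TDX_GUEST is not set` in the `@@ -359,9 +358,9 @@` hunk, while `# CONFIG_AMD_MEM_ENCRYPT is not set` remains as context in the `@@ -467,7 +466,6 @@` hunk, leaves this config with no confidential-VM guest support, and the commit message does not say that this is intended. The removals of `CONFIG_DYNAMIC_PHYSICAL_MASK`, `CONFIG_X86_MEM_ENCRYPT`, `CONFIG_ARCH_HAS_CC_PLATFORM`, `CONFIG_UNACCEPTED_MEMORY` and, in later hunks, `CONFIG_ARCH_HAS_FORCE_DMA_UNENCRYPTED` and the `CONFIG_TDX_GUEST_DRIVER` entry look like dependent symbols dropping out rather than separate decisions. `CONFIG_EFI_COCO_SECRET=y` and `CONFIG_EFI_SECRET=m` stay enabled; if they are only useful inside a confidential guest, which is my reading of their names, they are now unused surface and `# CONFIG_EFI_SECRET is not set` would be consistent with the rest of the change. A sentence in the commit message recording that TDX and Jailhouse guest support were dropped on purpose would help anyone running this kernel in such a guest.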
@@ -5263,7 +5259,6 @@ CONFIG_VIRT_DRIVERS=y
 # CONFIG_VBOXGUEST is not set
 # CONFIG_NITRO_ENCLAVES is not set
 CONFIG_EFI_SECRET=m
-# CONFIG_TDX_GUEST_DRIVER is not set
 CONFIG_VIRTIO_ANCHOR=y
 CONFIG_VIRTIO=y
 CONFIG_VIRTIO_PCI_LIB=y
@@ -5730,7 +5725,8 @@ CONFIG_EXPORTFS_BLOCK_OPS=y
 CONFIG_FILE_LOCKING=y
 CONFIG_FS_ENCRYPTION=y
 CONFIG_FS_ENCRYPTION_ALGS=y
-# CONFIG_FS_VERITY is not set
+CONFIG_FS_VERITY=y
+CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y
 CONFIG_FSNOTIFY=y
 CONFIG_DNOTIFY=y
 CONFIG_INOTIFY_USER=y
@@ -6031,8 +6027,14 @@ CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
 # CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
 # CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
 CONFIG_SECURITY_LANDLOCK=y
-# CONFIG_INTEGRITY is not set
+CONFIG_INTEGRITY=y
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+CONFIG_INTEGRITY_TRUSTED_KEYRING=y
+CONFIG_INTEGRITY_AUDIT=y
+# CONFIG_IMA is not set
 # CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
+# CONFIG_EVM is not set
 CONFIG_DEFAULT_SECURITY_SELINUX=y
 # CONFIG_DEFAULT_SECURITY_DAC is not set
 CONFIG_LSM="selinux,safesetid,yama,lockdown,landlock,bpf"
@@ -6452,7 +6454,6 @@ CONFIG_NEED_SG_DMA_FLAGS=y
 CONFIG_NEED_SG_DMA_LENGTH=y
 CONFIG_NEED_DMA_MAP_STATE=y
 CONFIG_ARCH_DMA_ADDR_T_64BIT=y
-CONFIG_ARCH_HAS_FORCE_DMA_UNENCRYPTED=y
 CONFIG_SWIOTLB=y
 # CONFIG_SWIOTLB_DYNAMIC is not set
 # CONFIG_DMA_API_DEBUG is not set
@@ -6468,6 +6469,7 @@ CONFIG_LRU_CACHE=m
 CONFIG_CLZ_TAB=y
 # CONFIG_IRQ_POLL is not set
 CONFIG_MPILIB=y
+CONFIG_SIGNATURE=y
 CONFIG_OID_REGISTRY=y
 CONFIG_UCS2_STRING=y
 CONFIG_HAVE_GENERIC_VDSO=y
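Review bot: `CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y` in the `@@ -5730,7 +5725,8 @@` hunk enforces nothing on its own, and neither the patch nor its description covers the runtime setup it needs. Signatures are only required once the `fs.verity.require_signatures` sysctl is set to 1 and a certificate has been loaded into the `.fs-verity` keyring. Even then fs-verity only covers files on which it has been explicitly enabled, so with `# CONFIG_IMA is not set` in the next hunk there is no policy layer that rejects a file without verity. I would either ship `# CONFIG_FS_VERITY_BUILTIN_SIGNATURES is not set` and keep plain `CONFIG_FS_VERITY=y`, or document the sysctl and keyring provisioning alongside the package.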
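Review bot: The `@@ -6031,8 +6027,14 @@` hunk enables `CONFIG_INTEGRITY=y` with its signature and keyring options but also adds `# CONFIG_IMA is not set` and `# CONFIG_EVM is not set`, so as far as this config shows nothing measures or appraises files against the integrity keyrings. `CONFIG_INTEGRITY_AUDIT=y` and the `CONFIG_SIGNATURE=y` added in the `@@ -6468,6 +6469,7 @@` hunk then look like extra built-in code with no consumer. If this is groundwork for a later IMA/EVM policy, the commit message should say so. Otherwise keeping `# CONFIG_INTEGRITY is not set` until that policy ships would avoid carrying unused code in a hardened config.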