15ea0e1e3e
Secure Boot stores a list of allowed certificates in the 'db' variable. This patch imports those certificates into the platform keyring. The shim UEFI bootloader has a similar certificate list stored in the 'MokListRT' variable. We import those as well. Secure Boot also maintains a list of disallowed certificates in the 'dbx' variable. We load those certificates into the system blacklist keyring and forbid any kernel signed with those from loading. [zohar@linux.ibm.com: dropped Josh's original patch description] Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Nayna Jain <nayna@linux.ibm.com> Acked-by: Serge Hallyn <serge@hallyn.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
21 lines
717 B
Makefile
21 lines
717 B
Makefile
# SPDX-License-Identifier: GPL-2.0
|
|
#
|
|
# Makefile for caching inode integrity data (iint)
|
|
#
|
|
|
|
obj-$(CONFIG_INTEGRITY) += integrity.o
|
|
|
|
integrity-y := iint.o
|
|
integrity-$(CONFIG_INTEGRITY_AUDIT) += integrity_audit.o
|
|
integrity-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o
|
|
integrity-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o
|
|
integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o \
|
|
platform_certs/efi_parser.o \
|
|
platform_certs/load_uefi.o
|
|
obj-$(CONFIG_LOAD_UEFI_KEYS) += platform_certs/load_uefi.o
|
|
$(obj)/load_uefi.o: KBUILD_CFLAGS += -fshort-wchar
|
|
|
|
subdir-$(CONFIG_IMA) += ima
|
|
obj-$(CONFIG_IMA) += ima/
|
|
subdir-$(CONFIG_EVM) += evm
|
|
obj-$(CONFIG_EVM) += evm/
|