uek-rpm: onfig: enable some secure boot features

Orabug: 21539498

Signed-off-by: Guangyu Sun <guangyu.sun@oracle.com>
Signed-off-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>

diff --git a/uek-rpm/ol6/config-x86_64 b/uek-rpm/ol6/config-x86_64
index 3990899b049a31304847356730846d3958bdb425..2716df7219603a07dbebc2f5db1bd9b4daed4953 100644 (file)
--- a/uek-rpm/ol6/config-x86_64
+++ b/uek-rpm/ol6/config-x86_64
@@ -323,6 +323,7 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
 CONFIG_SLABINFO=y
 CONFIG_RT_MUTEXES=y
 CONFIG_BASE_SMALL=0
+CONFIG_SYSTEM_BLACKLIST_KEYRING=y
 CONFIG_MODULES=y
 CONFIG_MODULE_FORCE_LOAD=y
 CONFIG_MODULE_UNLOAD=y
@@ -332,6 +333,7 @@ CONFIG_MODULE_SRCVERSION_ALL=y
 CONFIG_MODULE_SIG=y
 # CONFIG_MODULE_SIG_FORCE is not set
 CONFIG_MODULE_SIG_ALL=y
+CONFIG_MODULE_SIG_UEFI=y
 # CONFIG_MODULE_SIG_SHA1 is not set
 # CONFIG_MODULE_SIG_SHA224 is not set
 # CONFIG_MODULE_SIG_SHA256 is not set
@@ -571,6 +573,7 @@ CONFIG_X86_INTEL_MPX=y
 CONFIG_EFI=y
 CONFIG_EFI_STUB=y
 CONFIG_EFI_MIXED=y
+CONFIG_EFI_SECURE_BOOT_SECURELEVEL=y
 CONFIG_SECCOMP=y
 # CONFIG_HZ_100 is not set
 # CONFIG_HZ_250 is not set
@@ -5994,6 +5997,7 @@ CONFIG_SECURITYFS=y
 CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 # CONFIG_SECURITY_PATH is not set
+CONFIG_SECURITY_SECURELEVEL=y
 CONFIG_INTEL_TXT=y
 CONFIG_LSM_MMAP_MIN_ADDR=65535
 CONFIG_SECURITY_SELINUX=y
@@ -6193,6 +6197,7 @@ CONFIG_ASYMMETRIC_KEY_TYPE=y
 CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
 CONFIG_PUBLIC_KEY_ALGO_RSA=y
 CONFIG_X509_CERTIFICATE_PARSER=y
+CONFIG_EFI_SIGNATURE_LIST_PARSER=y
 CONFIG_PKCS7_MESSAGE_PARSER=m
 CONFIG_PKCS7_TEST_KEY=m
 CONFIG_HAVE_KVM=y

diff --git a/uek-rpm/ol6/config-x86_64-debug b/uek-rpm/ol6/config-x86_64-debug
index f98d4125b68575f241741061dde83e4cefc229b4..1b88cd8aaec3e1bfb90d15f4143c010ea02a0ab1 100644 (file)
--- a/uek-rpm/ol6/config-x86_64-debug
+++ b/uek-rpm/ol6/config-x86_64-debug
@@ -313,6 +313,7 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
 CONFIG_SLABINFO=y
 CONFIG_RT_MUTEXES=y
 CONFIG_BASE_SMALL=0
+CONFIG_SYSTEM_BLACKLIST_KEYRING=y
 CONFIG_MODULES=y
 CONFIG_MODULE_FORCE_LOAD=y
 CONFIG_MODULE_UNLOAD=y
@@ -322,6 +323,7 @@ CONFIG_MODULE_SRCVERSION_ALL=y
 CONFIG_MODULE_SIG=y
 # CONFIG_MODULE_SIG_FORCE is not set
 CONFIG_MODULE_SIG_ALL=y
+CONFIG_MODULE_SIG_UEFI=y
 # CONFIG_MODULE_SIG_SHA1 is not set
 # CONFIG_MODULE_SIG_SHA224 is not set
 # CONFIG_MODULE_SIG_SHA256 is not set
@@ -556,6 +558,7 @@ CONFIG_X86_INTEL_MPX=y
 CONFIG_EFI=y
 CONFIG_EFI_STUB=y
 CONFIG_EFI_MIXED=y
+CONFIG_EFI_SECURE_BOOT_SECURELEVEL=y
 CONFIG_SECCOMP=y
 # CONFIG_HZ_100 is not set
 # CONFIG_HZ_250 is not set
@@ -6015,6 +6018,7 @@ CONFIG_SECURITYFS=y
 CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 # CONFIG_SECURITY_PATH is not set
+CONFIG_SECURITY_SECURELEVEL=y
 CONFIG_INTEL_TXT=y
 CONFIG_LSM_MMAP_MIN_ADDR=65535
 CONFIG_SECURITY_SELINUX=y
@@ -6214,6 +6218,7 @@ CONFIG_ASYMMETRIC_KEY_TYPE=y
 CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
 CONFIG_PUBLIC_KEY_ALGO_RSA=y
 CONFIG_X509_CERTIFICATE_PARSER=y
+CONFIG_EFI_SIGNATURE_LIST_PARSER=y
 CONFIG_PKCS7_MESSAGE_PARSER=m
 CONFIG_PKCS7_TEST_KEY=m
 CONFIG_HAVE_KVM=y

diff --git a/uek-rpm/ol7/config-x86_64 b/uek-rpm/ol7/config-x86_64
index a5ce7b59610b0a3d48eedb5ad6d69cf4d2470305..5addb77112d410decf6c67621c28d10f7bf0bee3 100644 (file)
--- a/uek-rpm/ol7/config-x86_64
+++ b/uek-rpm/ol7/config-x86_64
@@ -323,6 +323,7 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
 CONFIG_SLABINFO=y
 CONFIG_RT_MUTEXES=y
 CONFIG_BASE_SMALL=0
+CONFIG_SYSTEM_BLACKLIST_KEYRING=y
 CONFIG_MODULES=y
 CONFIG_MODULE_FORCE_LOAD=y
 CONFIG_MODULE_UNLOAD=y
@@ -332,6 +333,7 @@ CONFIG_MODULE_SRCVERSION_ALL=y
 CONFIG_MODULE_SIG=y
 # CONFIG_MODULE_SIG_FORCE is not set
 CONFIG_MODULE_SIG_ALL=y
+CONFIG_MODULE_SIG_UEFI=y
 # CONFIG_MODULE_SIG_SHA1 is not set
 # CONFIG_MODULE_SIG_SHA224 is not set
 # CONFIG_MODULE_SIG_SHA256 is not set
@@ -573,6 +575,7 @@ CONFIG_X86_INTEL_MPX=y
 CONFIG_EFI=y
 CONFIG_EFI_STUB=y
 CONFIG_EFI_MIXED=y
+CONFIG_EFI_SECURE_BOOT_SECURELEVEL=y
 CONFIG_SECCOMP=y
 # CONFIG_HZ_100 is not set
 # CONFIG_HZ_250 is not set
@@ -6146,6 +6149,7 @@ CONFIG_SECURITYFS=y
 CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 # CONFIG_SECURITY_PATH is not set
+CONFIG_SECURITY_SECURELEVEL=y
 CONFIG_INTEL_TXT=y
 CONFIG_LSM_MMAP_MIN_ADDR=65535
 CONFIG_SECURITY_SELINUX=y
@@ -6349,6 +6353,7 @@ CONFIG_ASYMMETRIC_KEY_TYPE=y
 CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
 CONFIG_PUBLIC_KEY_ALGO_RSA=y
 CONFIG_X509_CERTIFICATE_PARSER=y
+CONFIG_EFI_SIGNATURE_LIST_PARSER=y
 CONFIG_PKCS7_MESSAGE_PARSER=y
 CONFIG_PKCS7_TEST_KEY=y
 CONFIG_SIGNED_PE_FILE_VERIFICATION=y

diff --git a/uek-rpm/ol7/config-x86_64-debug b/uek-rpm/ol7/config-x86_64-debug
index ae911c9432098364ae8123539ad923d3c7ad4b6f..44dc0335aea5dbabf6879983168b3276ef87cf87 100644 (file)
--- a/uek-rpm/ol7/config-x86_64-debug
+++ b/uek-rpm/ol7/config-x86_64-debug
@@ -313,6 +313,7 @@ CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
 CONFIG_SLABINFO=y
 CONFIG_RT_MUTEXES=y
 CONFIG_BASE_SMALL=0
+CONFIG_SYSTEM_BLACKLIST_KEYRING=y
 CONFIG_MODULES=y
 CONFIG_MODULE_FORCE_LOAD=y
 CONFIG_MODULE_UNLOAD=y
@@ -322,6 +323,7 @@ CONFIG_MODULE_SRCVERSION_ALL=y
 CONFIG_MODULE_SIG=y
 # CONFIG_MODULE_SIG_FORCE is not set
 CONFIG_MODULE_SIG_ALL=y
+CONFIG_MODULE_SIG_UEFI=y
 # CONFIG_MODULE_SIG_SHA1 is not set
 # CONFIG_MODULE_SIG_SHA224 is not set
 # CONFIG_MODULE_SIG_SHA256 is not set
@@ -558,6 +560,7 @@ CONFIG_X86_INTEL_MPX=y
 CONFIG_EFI=y
 CONFIG_EFI_STUB=y
 CONFIG_EFI_MIXED=y
+CONFIG_EFI_SECURE_BOOT_SECURELEVEL=y
 CONFIG_SECCOMP=y
 # CONFIG_HZ_100 is not set
 # CONFIG_HZ_250 is not set
@@ -6165,6 +6168,7 @@ CONFIG_SECURITYFS=y
 CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 # CONFIG_SECURITY_PATH is not set
+CONFIG_SECURITY_SECURELEVEL=y
 CONFIG_INTEL_TXT=y
 CONFIG_LSM_MMAP_MIN_ADDR=65535
 CONFIG_SECURITY_SELINUX=y
@@ -6368,6 +6372,7 @@ CONFIG_ASYMMETRIC_KEY_TYPE=y
 CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
 CONFIG_PUBLIC_KEY_ALGO_RSA=y
 CONFIG_X509_CERTIFICATE_PARSER=y
+CONFIG_EFI_SIGNATURE_LIST_PARSER=y
 CONFIG_PKCS7_MESSAGE_PARSER=y
 CONFIG_PKCS7_TEST_KEY=y
 CONFIG_SIGNED_PE_FILE_VERIFICATION=y