lakitu: add support for platform keys and UEFI as a key source
The kernel config options for platform key support were not
included in the x86 lakitu_defconfig during 5.10 to 5.15, so
re-introduce them to the kernel config.
BUG=b/230399111
TEST=presubmit
RELEASE_NOTE=None
Change-Id: Ief6294691220a6987c2174730fd35da626aa8900
Signed-off-by: Oleksandr Tymoshenko <ovt@google.com>
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/32160
Reviewed-by: Roy Yang <royyang@google.com>
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Reviewed-by: Meena Shanmugam <meenashanmugam@google.com>
diff --git a/arch/x86/configs/lakitu_defconfig b/arch/x86/configs/lakitu_defconfig
index b80549d..0854908 100644
--- a/arch/x86/configs/lakitu_defconfig
+++ b/arch/x86/configs/lakitu_defconfig
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 5.15.34 Kernel Configuration
+# Linux/x86_64 5.15.35 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="Chromium OS 14.0_pre437112_p20211208-r9 clang version 14.0.0 (/var/tmp/portage/sys-devel/llvm-14.0_pre437112_p20211208-r9/work/llvm-14.0_pre437112_p20211208/clang 79d58b4d3017d159bf09a77398c9a116128de193)"
CONFIG_GCC_VERSION=0
@@ -3351,7 +3351,11 @@
# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
# CONFIG_SECURITY_LANDLOCK is not set
CONFIG_INTEGRITY=y
-# CONFIG_INTEGRITY_SIGNATURE is not set
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+CONFIG_INTEGRITY_TRUSTED_KEYRING=y
+CONFIG_INTEGRITY_PLATFORM_KEYRING=y
+CONFIG_LOAD_UEFI_KEYS=y
CONFIG_INTEGRITY_AUDIT=y
CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
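Review bot: `CONFIG_INTEGRITY_PLATFORM_KEYRING=y` together with `CONFIG_LOAD_UEFI_KEYS=y` makes firmware-supplied keys (UEFI db and MOK entries) a trust source next to the build-time `lakitu_root_cert.pem`, and neither the commit message nor this hunk records which verifier is meant to consume `.platform`. In mainline that keyring is consulted for kexec image signature verification rather than module signing, so the change only has effect if kexec signature checking is enabled elsewhere in this defconfig, which is not visible here. TEST=presubmit does not show the keys actually loading. A boot on a Secure Boot instance confirming that the keyring is populated (for example `keyctl show %:.platform`) would be worth recording in the description.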
@@ -3366,6 +3370,7 @@
# CONFIG_IMA_WRITE_POLICY is not set
# CONFIG_IMA_READ_POLICY is not set
# CONFIG_IMA_APPRAISE is not set
+# CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y
CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y
# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
@@ -3627,7 +3632,9 @@
CONFIG_SYSTEM_TRUSTED_KEYS="google/certs/lakitu_root_cert.pem"
# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set
CONFIG_SECONDARY_TRUSTED_KEYRING=y
-# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set
+CONFIG_SYSTEM_BLACKLIST_KEYRING=y
+CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
+# CONFIG_SYSTEM_REVOCATION_LIST is not set
# end of Certificates for signature checking
CONFIG_BINARY_PRINTF=y
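Review bot: `# CONFIG_SYSTEM_REVOCATION_LIST is not set` appears to leave the newly enabled blacklist keyring with hash entries only. As I read the 5.15 sources, `add_key_to_revocation_list()` compiles to a no-op stub without that option, so X.509 certificates listed in UEFI dbx would be skipped silently while dbx hashes are still loaded. With `CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""` there are no build-time entries either, so revocation depends entirely on what the firmware provides. If certificate-level revocation from dbx is expected, set `CONFIG_SYSTEM_REVOCATION_LIST=y` (it requires the PKCS#7 parser built in); otherwise the commit message should state that only hash-based revocation is intended.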
@@ -3717,6 +3724,7 @@
CONFIG_CLZ_TAB=y
# CONFIG_IRQ_POLL is not set
CONFIG_MPILIB=y
+CONFIG_SIGNATURE=y
CONFIG_DIMLIB=y
CONFIG_OID_REGISTRY=y
CONFIG_UCS2_STRING=y