From 8d34c4a3862467bb1908dc32d077c167d018b633 Mon Sep 17 00:00:00 2001 From: Robert Nelson Date: Fri, 28 Apr 2023 16:50:46 -0500 Subject: [PATCH] config: SECURITY profile Signed-off-by: Robert Nelson --- arch/riscv/configs/beaglev_defconfig | 43 +++++++++++++++++----------- 1 file changed, 27 insertions(+), 16 deletions(-) diff --git a/arch/riscv/configs/beaglev_defconfig b/arch/riscv/configs/beaglev_defconfig index 678f8085f..962bd9574 100644 --- a/arch/riscv/configs/beaglev_defconfig +++ b/arch/riscv/configs/beaglev_defconfig @@ -98,6 +98,7 @@ CONFIG_RCU_STALL_COMMON=y CONFIG_RCU_NEED_SEGCBLIST=y # end of RCU Subsystem +CONFIG_BUILD_BIN2C=y CONFIG_IKCONFIG=y CONFIG_IKCONFIG_PROC=y # CONFIG_IKHEADERS is not set @@ -5185,7 +5186,7 @@ CONFIG_KEYS=y CONFIG_SECURITY=y CONFIG_SECURITYFS=y CONFIG_SECURITY_NETWORK=y -# CONFIG_SECURITY_NETWORK_XFRM is not set +CONFIG_SECURITY_NETWORK_XFRM=y CONFIG_SECURITY_PATH=y CONFIG_LSM_MMAP_MIN_ADDR=65536 CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y @@ -5200,24 +5201,33 @@ CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0 CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9 CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256 # CONFIG_SECURITY_SMACK is not set -# CONFIG_SECURITY_TOMOYO is not set +CONFIG_SECURITY_TOMOYO=y +CONFIG_SECURITY_TOMOYO_MAX_ACCEPT_ENTRY=2048 +CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024 +# CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER is not set +CONFIG_SECURITY_TOMOYO_POLICY_LOADER="/sbin/tomoyo-init" +CONFIG_SECURITY_TOMOYO_ACTIVATION_TRIGGER="/sbin/init" +# CONFIG_SECURITY_TOMOYO_INSECURE_BUILTIN_SETTING is not set CONFIG_SECURITY_APPARMOR=y CONFIG_SECURITY_APPARMOR_HASH=y CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y # CONFIG_SECURITY_APPARMOR_DEBUG is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set # CONFIG_SECURITY_LOCKDOWN_LSM is not set CONFIG_INTEGRITY=y -# CONFIG_INTEGRITY_SIGNATURE is not set +CONFIG_INTEGRITY_SIGNATURE=y +CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y +# CONFIG_INTEGRITY_TRUSTED_KEYRING is not set CONFIG_INTEGRITY_AUDIT=y # CONFIG_IMA is not set # CONFIG_EVM is not set # CONFIG_DEFAULT_SECURITY_SELINUX is not set -# CONFIG_DEFAULT_SECURITY_APPARMOR is not set -CONFIG_DEFAULT_SECURITY_DAC=y -CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf" +# CONFIG_DEFAULT_SECURITY_TOMOYO is not set +CONFIG_DEFAULT_SECURITY_APPARMOR=y +# CONFIG_DEFAULT_SECURITY_DAC is not set +CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo" # # Kernel hardening options @@ -5282,7 +5292,7 @@ CONFIG_CRYPTO_CURVE25519=y # # Authenticated Encryption with Associated Data # -# CONFIG_CRYPTO_CCM is not set +CONFIG_CRYPTO_CCM=m CONFIG_CRYPTO_GCM=m CONFIG_CRYPTO_CHACHA20POLY1305=y # CONFIG_CRYPTO_AEGIS128 is not set @@ -5317,14 +5327,14 @@ CONFIG_CRYPTO_HMAC=y # Digest # CONFIG_CRYPTO_CRC32C=y -# CONFIG_CRYPTO_CRC32 is not set +CONFIG_CRYPTO_CRC32=y CONFIG_CRYPTO_XXHASH=y CONFIG_CRYPTO_BLAKE2B=y # CONFIG_CRYPTO_BLAKE2S is not set -# CONFIG_CRYPTO_CRCT10DIF is not set +CONFIG_CRYPTO_CRCT10DIF=y CONFIG_CRYPTO_GHASH=m CONFIG_CRYPTO_POLY1305=y -# CONFIG_CRYPTO_MD4 is not set +CONFIG_CRYPTO_MD4=m CONFIG_CRYPTO_MD5=y # CONFIG_CRYPTO_MICHAEL_MIC is not set # CONFIG_CRYPTO_RMD128 is not set @@ -5450,19 +5460,19 @@ CONFIG_RATIONAL=y CONFIG_GENERIC_PCI_IOMAP=y CONFIG_CRC_CCITT=y CONFIG_CRC16=y -# CONFIG_CRC_T10DIF is not set -# CONFIG_CRC_ITU_T is not set +CONFIG_CRC_T10DIF=y +CONFIG_CRC_ITU_T=y CONFIG_CRC32=y # CONFIG_CRC32_SELFTEST is not set CONFIG_CRC32_SLICEBY8=y # CONFIG_CRC32_SLICEBY4 is not set # CONFIG_CRC32_SARWATE is not set # CONFIG_CRC32_BIT is not set -# CONFIG_CRC64 is not set +CONFIG_CRC64=m # CONFIG_CRC4 is not set -# CONFIG_CRC7 is not set +CONFIG_CRC7=y CONFIG_LIBCRC32C=y -# CONFIG_CRC8 is not set +CONFIG_CRC8=m CONFIG_XXHASH=y CONFIG_AUDIT_GENERIC=y # CONFIG_RANDOM32_SELFTEST is not set @@ -5533,6 +5543,7 @@ CONFIG_NLATTR=y CONFIG_CLZ_TAB=y # CONFIG_IRQ_POLL is not set CONFIG_MPILIB=y +CONFIG_SIGNATURE=y CONFIG_LIBFDT=y CONFIG_OID_REGISTRY=y CONFIG_UCS2_STRING=y