Unknown -
r509:5a872d66828a
@@ -119,81 +119,81 if [ "$BUILD_KERNEL" = true ] ; then
119 if [ "$KERNEL_SECURITY" = true ] ; then
119 if [ "$KERNEL_SECURITY" = true ] ; then
120
120
121 # security filesystem, security models and audit
121 # security filesystem, security models and audit
122 set_kernel_config CONFIG_SECURITYFS y
122 set_kernel_config CONFIG_SECURITYFS y
123 set_kernel_config CONFIG_SECURITY y
123 set_kernel_config CONFIG_SECURITY y
124 set_kernel_config CONFIG_AUDIT y
124 set_kernel_config CONFIG_AUDIT y
125
125
126 # harden strcpy and memcpy
126 # harden strcpy and memcpy
127 set_kernel_config CONFIG_HARDENED_USERCOPY=y
127 set_kernel_config CONFIG_HARDENED_USERCOPY=y
128 set_kernel_config CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
128 set_kernel_config CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
129 set_kernel_config CONFIG_FORTIFY_SOURCE=y
129 set_kernel_config CONFIG_FORTIFY_SOURCE=y
130
130
131 # integrity sub-system
131 # integrity sub-system
132 set_kernel_config CONFIG_INTEGRITY=y
132 set_kernel_config CONFIG_INTEGRITY=y
133 set_kernel_config CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
133 set_kernel_config CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
134 set_kernel_config CONFIG_INTEGRITY_AUDIT=y
134 set_kernel_config CONFIG_INTEGRITY_AUDIT=y
135 set_kernel_config CONFIG_INTEGRITY_SIGNATURE=y
135 set_kernel_config CONFIG_INTEGRITY_SIGNATURE=y
136 set_kernel_config CONFIG_INTEGRITY_TRUSTED_KEYRING=y
136 set_kernel_config CONFIG_INTEGRITY_TRUSTED_KEYRING=y
137
137
138 # This option provides support for retaining authentication tokens and access keys in the kernel.
138 # This option provides support for retaining authentication tokens and access keys in the kernel.
139 set_kernel_config CONFIG_KEYS=y
139 set_kernel_config CONFIG_KEYS=y
140 set_kernel_config CONFIG_KEYS_COMPAT=y
140 set_kernel_config CONFIG_KEYS_COMPAT=y
141
141
142 # Apparmor
142 # Apparmor
143 set_kernel_config CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE 0
143 set_kernel_config CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE 0
144 set_kernel_config CONFIG_SECURITY_APPARMOR_HASH_DEFAULT y
144 set_kernel_config CONFIG_SECURITY_APPARMOR_HASH_DEFAULT y
145 set_kernel_config CONFIG_DEFAULT_SECURITY_APPARMOR y
145 set_kernel_config CONFIG_DEFAULT_SECURITY_APPARMOR y
146 set_kernel_config CONFIG_SECURITY_APPARMOR y
146 set_kernel_config CONFIG_SECURITY_APPARMOR y
147 set_kernel_config CONFIG_SECURITY_APPARMOR_HASH y
147 set_kernel_config CONFIG_SECURITY_APPARMOR_HASH y
148 set_kernel_config CONFIG_DEFAULT_SECURITY "apparmor"
148 set_kernel_config CONFIG_DEFAULT_SECURITY "apparmor"
149
149
150 # restrictions on unprivileged users reading the kernel
150 # restrictions on unprivileged users reading the kernel
151 set_kernel_config CONFIG_SECURITY_DMESG_RESTRICT=y
151 set_kernel_config CONFIG_SECURITY_DMESG_RESTRICT=y
152
152
153 # network security hooks
153 # network security hooks
154 set_kernel_config CONFIG_SECURITY_NETWORK y
154 set_kernel_config CONFIG_SECURITY_NETWORK y
155 set_kernel_config CONFIG_SECURITY_NETWORK_XFRM=y
155 set_kernel_config CONFIG_SECURITY_NETWORK_XFRM=y
156 set_kernel_config CONFIG_SECURITY_PATH=y
156 set_kernel_config CONFIG_SECURITY_PATH=y
157 set_kernel_config CONFIG_SECURITY_YAMA=y
157 set_kernel_config CONFIG_SECURITY_YAMA=y
158
158
159 # New Options
159 # New Options
160 if [ "$KERNEL_NF" = true ] ; then
160 if [ "$KERNEL_NF" = true ] ; then
161 set_kernel_config CONFIG_IP_NF_SECURITY m
161 set_kernel_config CONFIG_IP_NF_SECURITY m
162 set_kernel_config CONFIG_NETLABEL m
162 set_kernel_config CONFIG_NETLABEL m
163 set_kernel_config CONFIG_IP6_NF_SECURITY m
163 set_kernel_config CONFIG_IP6_NF_SECURITY m
164 fi
164 fi
165 set_kernel_config CONFIG_SECURITY_SELINUX n
165 set_kernel_config CONFIG_SECURITY_SELINUX n
166 set_kernel_config CONFIG_SECURITY_SMACK n
166 set_kernel_config CONFIG_SECURITY_SMACK n
167 set_kernel_config CONFIG_SECURITY_TOMOYO n
167 set_kernel_config CONFIG_SECURITY_TOMOYO n
168 set_kernel_config CONFIG_SECURITY_APPARMOR_DEBUG n
168 set_kernel_config CONFIG_SECURITY_APPARMOR_DEBUG n
169 set_kernel_config CONFIG_SECURITY_LOADPIN n
169 set_kernel_config CONFIG_SECURITY_LOADPIN n
170 set_kernel_config CONFIG_HARDENED_USERCOPY_PAGESPAN n
170 set_kernel_config CONFIG_HARDENED_USERCOPY_PAGESPAN n
171 set_kernel_config CONFIG_IMA n
171 set_kernel_config CONFIG_IMA n
172 set_kernel_config CONFIG_EVM n
172 set_kernel_config CONFIG_EVM n
173 set_kernel_config CONFIG_FANOTIFY_ACCESS_PERMISSIONS y
173 set_kernel_config CONFIG_FANOTIFY_ACCESS_PERMISSIONS y
174 set_kernel_config CONFIG_NFSD_V4_SECURITY_LABEL y
174 set_kernel_config CONFIG_NFSD_V4_SECURITY_LABEL y
175 set_kernel_config CONFIG_PKCS7_MESSAGE_PARSER y
175 set_kernel_config CONFIG_PKCS7_MESSAGE_PARSER y
176 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYRING y
176 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYRING y
177 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS y
177 set_kernel_config CONFIG_SYSTEM_TRUSTED_KEYS y
178 set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE y
178 set_kernel_config CONFIG_SYSTEM_EXTRA_CERTIFICATE y
179 set_kernel_config CONFIG_SECONDARY_TRUSTED_KEYRING y
179 set_kernel_config CONFIG_SECONDARY_TRUSTED_KEYRING y
180 set_kernel_config CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY n
180 set_kernel_config CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY n
181
181
182 set_kernel_config CONFIG_ARM64_CRYPTO y
182 set_kernel_config CONFIG_ARM64_CRYPTO y
183 set_kernel_config CONFIG_CRYPTO_SHA256_ARM64 m
183 set_kernel_config CONFIG_CRYPTO_SHA256_ARM64 m
184 set_kernel_config CONFIG_CRYPTO_SHA512_ARM64 m
184 set_kernel_config CONFIG_CRYPTO_SHA512_ARM64 m
185 set_kernel_config CONFIG_CRYPTO_SHA1_ARM64_CE m
185 set_kernel_config CONFIG_CRYPTO_SHA1_ARM64_CE m
186 set_kernel_config CRYPTO_GHASH_ARM64_CE m
186 set_kernel_config CRYPTO_GHASH_ARM64_CE m
187 set_kernel_config CRYPTO_SHA2_ARM64_CE m
187 set_kernel_config CRYPTO_SHA2_ARM64_CE m
188 set_kernel_config CONFIG_CRYPTO_CRCT10DIF_ARM64_CE m
188 set_kernel_config CONFIG_CRYPTO_CRCT10DIF_ARM64_CE m
189 set_kernel_config CONFIG_CRYPTO_CRC32_ARM64_CE m
189 set_kernel_config CONFIG_CRYPTO_CRC32_ARM64_CE m
190 set_kernel_config CONFIG_CRYPTO_AES_ARM64 m
190 set_kernel_config CONFIG_CRYPTO_AES_ARM64 m
191 set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE m
191 set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE m
192 set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_CCM y
192 set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_CCM y
193 set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_BLK y
193 set_kernel_config CONFIG_CRYPTO_AES_ARM64_CE_BLK y
194 set_kernel_config CONFIG_CRYPTO_AES_ARM64_NEON_BLK m
194 set_kernel_config CONFIG_CRYPTO_AES_ARM64_NEON_BLK m
195 set_kernel_config CONFIG_CRYPTO_CHACHA20_NEON m
195 set_kernel_config CONFIG_CRYPTO_CHACHA20_NEON m
196 set_kernel_config CONFIG_CRYPTO_AES_ARM64_BS m
196 set_kernel_config CONFIG_CRYPTO_AES_ARM64_BS m
197 fi
197 fi
198
198
199 # Netfilter kernel support See https://github.com/raspberrypi/linux/issues/2177#issuecomment-354647406
199 # Netfilter kernel support See https://github.com/raspberrypi/linux/issues/2177#issuecomment-354647406
@@ -314,7 +314,7 if [ "$BUILD_KERNEL" = true ] ; then
314 fi
314 fi
315
315
316 # KERNEL_DEFAULT_GOV was set by user
316 # KERNEL_DEFAULT_GOV was set by user
317 if [ "$KERNEL_DEFAULT_GOV" != powersave ] && [ -n "$KERNEL_DEFAULT_GOV" ]; then
317 if [ "$KERNEL_DEFAULT_GOV" != powersave ] && [ -n "$KERNEL_DEFAULT_GOV" ] ; then
318
318
319 case "$KERNEL_DEFAULT_GOV" in
319 case "$KERNEL_DEFAULT_GOV" in
320 performance)
320 performance)
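Review bot: Several hardening options in the `KERNEL_SECURITY` block of the first hunk are passed as a single `NAME=y` word, e.g. `set_kernel_config CONFIG_HARDENED_USERCOPY=y`, while neighbouring calls use the two-argument form `set_kernel_config CONFIG_SECURITYFS y`. The same applies to `CONFIG_FORTIFY_SOURCE`, the `CONFIG_INTEGRITY*` group, `CONFIG_KEYS`, `CONFIG_KEYS_COMPAT`, `CONFIG_SECURITY_DMESG_RESTRICT`, `CONFIG_SECURITY_NETWORK_XFRM`, `CONFIG_SECURITY_PATH` and `CONFIG_SECURITY_YAMA`. `set_kernel_config` is defined outside the visible hunks, so this is inferred, but if it expects the symbol and the value as separate arguments these options are probably never written and the kernel builds without them; the fix would be `set_kernel_config CONFIG_HARDENED_USERCOPY y` and likewise for the others. In the crypto group, `CRYPTO_GHASH_ARM64_CE` and `CRYPTO_SHA2_ARM64_CE` lack the `CONFIG_` prefix every other symbol carries, so they likely need `set_kernel_config CONFIG_CRYPTO_GHASH_ARM64_CE m` and `set_kernel_config CONFIG_CRYPTO_SHA2_ARM64_CE m`. It would also help to add a check after configuration that greps the resulting `.config` for the expected security symbols, so a silently dropped option fails the build instead of shipping.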