IMA: refresh kernel cfg

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

meta-integrity/recipes-kernel/linux/linux-yocto-integrity.inc

@@ -7,7 +7,7 @@ DEPENDS += "${@'key-store openssl-native' if d.getVar('IMA_ENABLED', True) == '1
 # in initramfs only. So we don't add it to RDEPENDS_${PN} here.
 
 SRC_URI += " \
-    ${@'file://ima.scc file://ima.cfg' if d.getVar('IMA_ENABLED', True) == '1' else ''} \
+    ${@'file://ima.scc file://ima.cfg file://integrity.scc file://integrity.cfg' if d.getVar('IMA_ENABLED', True) == '1' else ''} \
 "
 
 do_configure_append() {

meta-integrity/recipes-kernel/linux/linux-yocto-rt_4.%.bbappend

@@ -1 +1 @@
-include linux-yocto-integrity.inc
+require linux-yocto-integrity.inc

meta-integrity/recipes-kernel/linux/linux-yocto/ima.cfg

@@ -1,17 +1,8 @@
-..........................................................................
-.                                WARNING
-.
-. This file is a kernel configuration fragment, and not a full kernel
-. configuration file.  The final kernel configuration is made up of
-. an assembly of processed fragments, each of which is designed to
-. capture a specific part of the final configuration (e.g. platform
-. configuration, feature configuration, and board specific hardware
-. configuration).  For more information on kernel configuration, please
-. consult the product documentation.
-.
-..........................................................................
-
 CONFIG_IMA=y
+# CONFIG_IMA_KEXEC is not set
+# CONFIG_IMA_LSM_RULES is not set
+# CONFIG_IMA_WRITE_POLICY is not set
+# CONFIG_IMA_READ_POLICY is not set
 CONFIG_IMA_MEASURE_PCR_IDX=10
 # CONFIG_IMA_TEMPLATE is not set
 # CONFIG_IMA_NG_TEMPLATE=y is not set
@@ -23,13 +14,9 @@ CONFIG_IMA_DEFAULT_HASH_SHA256=y
 # CONFIG_IMA_DEFAULT_HASH_WP512 is not set
 CONFIG_IMA_DEFAULT_HASH="sha256"
 CONFIG_IMA_APPRAISE=y
-CONFIG_INTEGRITY_SIGNATURE=y
-CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
-CONFIG_INTEGRITY_TRUSTED_KEYRING=y
-CONFIG_SYSTEM_TRUSTED_KEYRING=y
 CONFIG_IMA_LOAD_X509=y
 CONFIG_IMA_TRUSTED_KEYRING=y
+CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
+CONFIG_IMA_BLACKLIST_KEYRING=y
 CONFIG_IMA_X509_PATH="/etc/keys/x509_evm.der"
 # CONFIG_IMA_APPRAISE_SIGNED_INIT is not set
-CONFIG_AUDIT=y
-CONFIG_INTEGRITY_AUDIT=y

meta-integrity/recipes-kernel/linux/linux-yocto/ima.scc

@@ -1,4 +1,5 @@
 define KFEATURE_DESCRIPTION "Integrity Measurement Architecture (IMA) enablement"
-define KFEATURE_COMPATIBILITY board
+define KFEATURE_COMPATIBILITY all
 
+include integrity.scc
 kconf non-hardware ima.cfg

meta-integrity/recipes-kernel/linux/linux-yocto/integrity.cfg

@@ -0,0 +1,7 @@
+CONFIG_SECURITYFS=y
+CONFIG_AUDIT=y
+CONFIG_INTEGRITY=y
+CONFIG_INTEGRITY_AUDIT=y
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+CONFIG_SYSTEM_TRUSTED_KEYRING=y

meta-integrity/recipes-kernel/linux/linux-yocto/integrity.scc

@@ -0,0 +1,4 @@
+define KFEATURE_DESCRIPTION "Integrity subsystem enablement"
+define KFEATURE_COMPATIBILITY all
+
+kconf non-hardware integrity.cfg

meta-integrity/recipes-kernel/linux/linux-yocto_4.%.bbappend

@@ -1 +1 @@
-include linux-yocto-integrity.inc
+require linux-yocto-integrity.inc