From 9d99ee2075e1f5dcd36471ff2d36a4ce605b7c74 Mon Sep 17 00:00:00 2001
From: Matthew Garrett
Date: Tue, 16 Aug 2016 16:32:59 -0700
Subject: [PATCH 1/4] sys-kernel/coreos-modules: Enable EXT4 native encryption

https://github.com/coreos/bugs/issues/1502
---
.../sys-kernel/coreos-modules/files/commonconfig-4.7 | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.7 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.7
index a1c7e8d6bd..3dc7e10d2e 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.7
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.7
@@ -704,6 +704,8 @@ CONFIG_EFI_VARS=m
 CONFIG_EXT4_FS=m
 CONFIG_EXT4_FS_POSIX_ACL=y
 CONFIG_EXT4_FS_SECURITY=y
+CONFIG_EXT4_ENCRYPTION=m
+CONFIG_EXT4_FS_ENCRYPTION=y
 CONFIG_XFS_FS=m
 CONFIG_XFS_POSIX_ACL=y
 CONFIG_BTRFS_FS=m
@@ -747,6 +749,7 @@ CONFIG_NFS_FSCACHE=y
 CONFIG_NFSD=m
 CONFIG_NFSD_V3_ACL=y
 CONFIG_NFSD_V4=y
+CONFIG_RPCSEC_GSS_KRB5=m
 CONFIG_SUNRPC_DEBUG=y
 CONFIG_CEPH_FS=m
 CONFIG_CEPH_FSCACHE=y
@@ -797,6 +800,7 @@ CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_SELINUX=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
 # CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set
+CONFIG_CRYPTO_CTS=m
 CONFIG_CRYPTO_GCM=m
 CONFIG_CRYPTO_USER_API_HASH=m
 CONFIG_CRYPTO_USER_API_SKCIPHER=m

From ab2be28b2a246f5000ceee9b734c23144e9564e9 Mon Sep 17 00:00:00 2001
From: Matthew Garrett
Date: Tue, 16 Aug 2016 16:35:45 -0700
Subject: [PATCH 2/4] sys-kernel/coreos-modules: Enable DNS support for Ceph

https://github.com/coreos/bugs/issues/1500
---
.../sys-kernel/coreos-modules/files/commonconfig-4.7 | 2 ++
1 file changed, 2 insertions(+)
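Review bot: `CONFIG_RPCSEC_GSS_KRB5=m` in the second hunk of PATCH 1/4 (the NFS block at -747) is not covered by the commit subject, which only mentions EXT4 encryption. It looks like a side effect of the new `CONFIG_CRYPTO_CTS=m` in the third hunk satisfying that option's Kconfig dependencies, but that is inferred and not shown in the patch. If Kerberos RPC security for NFS is wanted, say so in the commit message; if it is not, pin it off with `# CONFIG_RPCSEC_GSS_KRB5 is not set` so the shipped module set stays limited to what was reviewed.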
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.7 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.7
index 3dc7e10d2e..9941d71e82 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.7
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.7
@@ -384,6 +384,7 @@ CONFIG_NET_ACT_CSUM=m
 CONFIG_NET_ACT_VLAN=m
 CONFIG_NET_CLS_IND=y
 CONFIG_DCB=y
+CONFIG_DNS_RESOLVER=y
 CONFIG_OPENVSWITCH=m
 CONFIG_VSOCKETS=m
 CONFIG_NETLINK_DIAG=m
@@ -751,6 +752,7 @@ CONFIG_NFSD_V3_ACL=y
 CONFIG_NFSD_V4=y
 CONFIG_RPCSEC_GSS_KRB5=m
 CONFIG_SUNRPC_DEBUG=y
+CONFIG_CEPH_LIB_USE_DNS_RESOLVER=y
 CONFIG_CEPH_FS=m
 CONFIG_CEPH_FSCACHE=y
 CONFIG_CIFS=m

From 7fbe5b2665d7949990987162ca2506fcbc1c3c01 Mon Sep 17 00:00:00 2001
From: Matthew Garrett
Date: Tue, 16 Aug 2016 16:39:59 -0700
Subject: [PATCH 3/4] sys-kernel/coreos-modules: Enable IMA

https://github.com/coreos/bugs/issues/416
---
.../coreos-modules/files/commonconfig-4.7 | 14 ++++++++++++++
1 file changed, 14 insertions(+)

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.7 b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.7
index 9941d71e82..0f2688592a 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.7
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/files/commonconfig-4.7
@@ -629,6 +629,8 @@ CONFIG_HW_RANDOM_TIMERIOMEM=m
 CONFIG_HW_RANDOM_VIRTIO=m
 CONFIG_RAW_DRIVER=m
 CONFIG_MAX_RAW_DEVS=8192
+CONFIG_TCG_TPM=y
+CONFIG_TCG_TIS=y
 CONFIG_TCG_TIS_I2C_ATMEL=m
 CONFIG_TCG_TIS_I2C_INFINEON=m
 CONFIG_TCG_TIS_I2C_NUVOTON=m
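Review bot: `CONFIG_CEPH_LIB_USE_DNS_RESOLVER=y` (PATCH 2/4, hunk at -751) together with `CONFIG_DNS_RESOLVER=y` (hunk at -384) only enables the kernel side of name resolution. The kernel DNS resolver answers lookups through a request-key upcall to a userspace helper, and nothing in this patch shows the image shipping that helper or the matching request-key rule, so Ceph mounts by hostname may still fail. Please confirm the userspace half is present and mention it in the commit message. Monitor addresses obtained this way are only as trustworthy as the host's resolver path, which is worth stating for operators who previously pinned IP addresses.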
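Review bot: In the first hunk of PATCH 3/4 (at -629) only `CONFIG_TCG_TIS=y` is built in, while the `CONFIG_TCG_TIS_I2C_*` drivers visible in the context lines stay `=m`. IMA looks for a TPM when it initialises, which presumably happens before loadable modules are available, so on hardware whose TPM sits behind one of those I2C drivers measurements would likely not be extended into PCR 10; please confirm on such a machine. If that limitation is accepted, record it in the commit message so the difference between the built-in and modular TPM drivers is not later "fixed" by accident.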
@@ -801,9 +803,21 @@ CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_NETWORK_XFRM=y
 CONFIG_SECURITY_SELINUX=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
+CONFIG_IMA=y
+CONFIG_IMA_MEASURE_PCR_IDX=10
+CONFIG_IMA_LSM_RULES=y
+CONFIG_IMA_NG_TEMPLATE=y
+CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng"
+CONFIG_IMA_DEFAULT_HASH_SHA1=y
+CONFIG_IMA_DEFAULT_HASH="sha1"
+CONFIG_IMA_WRITE_POLICY=y
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_APPRAISE=y
 # CONFIG_CRYPTO_MANAGER_DISABLE_TESTS is not set
 CONFIG_CRYPTO_CTS=m
 CONFIG_CRYPTO_GCM=m
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_SHA1=y
 CONFIG_CRYPTO_USER_API_HASH=m
 CONFIG_CRYPTO_USER_API_SKCIPHER=m
 CONFIG_SIGNED_PE_FILE_VERIFICATION=y

From 89f0bf511fad39966125cd80cafc44722cd1e206 Mon Sep 17 00:00:00 2001
From: Matthew Garrett
Date: Tue, 16 Aug 2016 16:40:38 -0700
Subject: [PATCH 4/4] sys-kernel: Bump kernel version

Bump the kernel version to deal with the configuration updates.
---
...oreos-kernel-4.7.0-r3.ebuild => coreos-kernel-4.7.0-r4.ebuild} | 0
...eos-modules-4.7.0-r3.ebuild => coreos-modules-4.7.0-r4.ebuild} | 0
2 files changed, 0 insertions(+), 0 deletions(-)
rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-4.7.0-r3.ebuild => coreos-kernel-4.7.0-r4.ebuild} (100%)
rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-4.7.0-r3.ebuild => coreos-modules-4.7.0-r4.ebuild} (100%)

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.7.0-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.7.0-r4.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.7.0-r3.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.7.0-r4.ebuild
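Review bot: The IMA block in PATCH 3/4 (hunk at -801) selects SHA-1 as the default file hash with `CONFIG_IMA_DEFAULT_HASH_SHA1=y` and `CONFIG_IMA_DEFAULT_HASH="sha1"`, although the `ima-ng` template chosen just above exists so that larger digests can be recorded. Because `CONFIG_IMA_APPRAISE=y` turns these hashes into an integrity decision, prefer `CONFIG_IMA_DEFAULT_HASH_SHA256=y` with `CONFIG_IMA_DEFAULT_HASH="sha256"` and `CONFIG_CRYPTO_SHA256=y` built in; `CONFIG_CRYPTO_SHA1=y` can stay for the TPM side. Separately, `CONFIG_IMA_WRITE_POLICY=y` allows the policy to be appended to repeatedly at runtime, and the commit message should say whether that is intended.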
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.7.0-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.7.0-r4.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.7.0-r3.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.7.0-r4.ebuild