ANDROID: add MODULE_SIG_PROTECT and MODULE_SIG_PROTECT_LIST options

MODULE_SIG_PROTECT_LIST - list of modules whose exports to protect

MODULE_SIG_PROTECT - readonly, set automatically based on the value of MODULE_SIG_PROTECT_LIST; used for determining whether symbol exportion is enabled in scripts, Makefiles and preprocessor directives

Bug: 393366754
Change-Id: I70bb82c24dcd18de5bb3db4924acca5799539fc9
Signed-off-by: Sid Nayyar <sidnayyar@google.com>

@@ -297,6 +297,24 @@ config MODULE_SIG_ALL
|
|||||||
comment "Do not forget to sign required modules with scripts/sign-file"
|
comment "Do not forget to sign required modules with scripts/sign-file"
|
||||||
depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
|
depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
|
||||||
|
|
||||||
|
config MODULE_SIG_PROTECT_LIST
|
||||||
|
string "File with signed module names whose exports are to be protected"
|
||||||
|
default ""
|
||||||
|
depends on MODULE_SIG && !MODULE_SIG_FORCE
|
||||||
|
help
|
||||||
|
Enables symbol export protection support for the listed signed
|
||||||
|
modules. This option prevents unsigned modules from exporting symbols
|
||||||
|
which are exported by the listed modules. Any unsigned module which
|
||||||
|
tries to export such a symbol will fail to load.
|
||||||
|
|
||||||
|
The value to set here is the path to a text file in the source
|
||||||
|
directory containing the list of module names, one per line. The path
|
||||||
|
can be absolute, or relative to the kernel source or obj tree.
|
||||||
|
|
||||||
|
config MODULE_SIG_PROTECT
|
||||||
|
def_bool y
|
||||||
|
depends on MODULE_SIG_PROTECT_LIST != ""
|
||||||
|
|
||||||
choice
|
choice
|
||||||
prompt "Hash algorithm to sign modules"
|
prompt "Hash algorithm to sign modules"
|
||||||
depends on MODULE_SIG || IMA_APPRAISE_MODSIG
|
depends on MODULE_SIG || IMA_APPRAISE_MODSIG
|
||||||
|
|||||||
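Review bot: In the help text of MODULE_SIG_PROTECT_LIST, "the path to a text file in the source directory" conflicts with the following sentence, which allows an absolute path or one relative to the kernel source or obj tree; drop "in the source directory" and say what form a module name takes in the file (for example, with or without the .ko suffix), since the text only says "one per line". The entry also has "depends on MODULE_SIG && !MODULE_SIG_FORCE" with no explanation; a sentence noting that MODULE_SIG_FORCE already rejects unsigned modules, so the option is only meaningful without it, would save readers from guessing. MODULE_SIG_PROTECT has no help text or comment, so a one-line comment stating that it is derived from MODULE_SIG_PROTECT_LIST and is not user-selectable, as the commit message describes, would be useful next to "def_bool y".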