Commit | Line | Data |
---|---|---|
b2441318 | 1 | # SPDX-License-Identifier: GPL-2.0 |
cfc411e7 DH |
2 | menu "Certificates for signature checking" |
3 | ||
4 | config MODULE_SIG_KEY | |
5 | string "File name or PKCS#11 URI of module signing key" | |
6 | default "certs/signing_key.pem" | |
781a5739 | 7 | depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES) |
cfc411e7 DH |
8 | help |
9 | Provide the file name of a private key/certificate in PEM format, | |
10 | or a PKCS#11 URI according to RFC7512. The file should contain, or | |
11 | the URI should identify, both the certificate and its corresponding | |
12 | private key. | |
13 | ||
14 | If this option is unchanged from its default "certs/signing_key.pem", | |
15 | then the kernel will automatically generate the private key and | |
5fb94e9c | 16 | certificate as described in Documentation/admin-guide/module-signing.rst |
cfc411e7 | 17 | |
a4aed36e SB |
18 | choice |
19 | prompt "Type of module signing key to be generated" | |
be0d5fa7 | 20 | depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES) |
a4aed36e SB |
21 | help |
22 | The type of module signing key type to generate. This option | |
23 | does not apply if a #PKCS11 URI is used. | |
24 | ||
25 | config MODULE_SIG_KEY_TYPE_RSA | |
26 | bool "RSA" | |
a4aed36e SB |
27 | help |
28 | Use an RSA key for module signing. | |
29 | ||
30 | config MODULE_SIG_KEY_TYPE_ECDSA | |
31 | bool "ECDSA" | |
32 | select CRYPTO_ECDSA | |
a4aed36e SB |
33 | help |
34 | Use an elliptic curve key (NIST P384) for module signing. Consider | |
35 | using a strong hash like sha256 or sha384 for hashing modules. | |
36 | ||
37 | Note: Remove all ECDSA signing keys, e.g. certs/signing_key.pem, | |
38 | when falling back to building Linux 5.14 and older kernels. | |
39 | ||
40 | endchoice | |
41 | ||
cfc411e7 DH |
42 | config SYSTEM_TRUSTED_KEYRING |
43 | bool "Provide system-wide ring of trusted keys" | |
44 | depends on KEYS | |
99716b7c | 45 | depends on ASYMMETRIC_KEY_TYPE |
e9088629 | 46 | depends on X509_CERTIFICATE_PARSER |
cfc411e7 DH |
47 | help |
48 | Provide a system keyring to which trusted keys can be added. Keys in | |
49 | the keyring are considered to be trusted. Keys may be added at will | |
50 | by the kernel from compiled-in data and from hardware key stores, but | |
51 | userspace may only add extra keys if those keys can be verified by | |
52 | keys already in the keyring. | |
53 | ||
54 | Keys in this keyring are used by module signature checking. | |
55 | ||
56 | config SYSTEM_TRUSTED_KEYS | |
57 | string "Additional X.509 keys for default system keyring" | |
58 | depends on SYSTEM_TRUSTED_KEYRING | |
59 | help | |
60 | If set, this option should be the filename of a PEM-formatted file | |
61 | containing trusted X.509 certificates to be included in the default | |
62 | system keyring. Any certificate used for module signing is implicitly | |
63 | also trusted. | |
64 | ||
65 | NOTE: If you previously provided keys for the system keyring in the | |
66 | form of DER-encoded *.x509 files in the top-level build directory, | |
67 | those are no longer used. You will need to set this option instead. | |
68 | ||
c4c36105 MK |
69 | config SYSTEM_EXTRA_CERTIFICATE |
70 | bool "Reserve area for inserting a certificate without recompiling" | |
71 | depends on SYSTEM_TRUSTED_KEYRING | |
72 | help | |
73 | If set, space for an extra certificate will be reserved in the kernel | |
74 | image. This allows introducing a trusted certificate to the default | |
75 | system keyring without recompiling the kernel. | |
76 | ||
77 | config SYSTEM_EXTRA_CERTIFICATE_SIZE | |
78 | int "Number of bytes to reserve for the extra certificate" | |
79 | depends on SYSTEM_EXTRA_CERTIFICATE | |
80 | default 4096 | |
81 | help | |
82 | This is the number of bytes reserved in the kernel image for a | |
83 | certificate to be inserted. | |
84 | ||
d3bfe841 DH |
85 | config SECONDARY_TRUSTED_KEYRING |
86 | bool "Provide a keyring to which extra trustable keys may be added" | |
87 | depends on SYSTEM_TRUSTED_KEYRING | |
88 | help | |
89 | If set, provide a keyring to which extra keys may be added, provided | |
90 | those keys are not blacklisted and are vouched for by a key built | |
91 | into the kernel or already in the secondary trusted keyring. | |
92 | ||
734114f8 DH |
93 | config SYSTEM_BLACKLIST_KEYRING |
94 | bool "Provide system-wide ring of blacklisted keys" | |
95 | depends on KEYS | |
96 | help | |
97 | Provide a system keyring to which blacklisted keys can be added. | |
98 | Keys in the keyring are considered entirely untrusted. Keys in this | |
99 | keyring are used by the module signature checking to reject loading | |
100 | of modules signed with a blacklisted key. | |
101 | ||
102 | config SYSTEM_BLACKLIST_HASH_LIST | |
103 | string "Hashes to be preloaded into the system blacklist keyring" | |
104 | depends on SYSTEM_BLACKLIST_KEYRING | |
105 | help | |
106 | If set, this option should be the filename of a list of hashes in the | |
107 | form "<hash>", "<hash>", ... . This will be included into a C | |
addf4663 MS |
108 | wrapper to incorporate the list into the kernel. Each <hash> must be a |
109 | string starting with a prefix ("tbs" or "bin"), then a colon (":"), and | |
110 | finally an even number of hexadecimal lowercase characters (up to 128). | |
111 | Certificate hashes can be generated with | |
112 | tools/certs/print-cert-tbs-hash.sh . | |
734114f8 | 113 | |
56c58126 ES |
114 | config SYSTEM_REVOCATION_LIST |
115 | bool "Provide system-wide ring of revocation certificates" | |
116 | depends on SYSTEM_BLACKLIST_KEYRING | |
117 | depends on PKCS7_MESSAGE_PARSER=y | |
118 | help | |
119 | If set, this allows revocation certificates to be stored in the | |
120 | blacklist keyring and implements a hook whereby a PKCS#7 message can | |
121 | be checked to see if it matches such a certificate. | |
122 | ||
d1f04410 ES |
123 | config SYSTEM_REVOCATION_KEYS |
124 | string "X.509 certificates to be preloaded into the system blacklist keyring" | |
125 | depends on SYSTEM_REVOCATION_LIST | |
126 | help | |
127 | If set, this option should be the filename of a PEM-formatted file | |
128 | containing X.509 certificates to be included in the default blacklist | |
129 | keyring. | |
130 | ||
6364d106 MS |
131 | config SYSTEM_BLACKLIST_AUTH_UPDATE |
132 | bool "Allow root to add signed blacklist keys" | |
133 | depends on SYSTEM_BLACKLIST_KEYRING | |
134 | depends on SYSTEM_DATA_VERIFICATION | |
135 | help | |
136 | If set, provide the ability to load new blacklist keys at run time if | |
137 | they are signed and vouched by a certificate from the builtin trusted | |
138 | keyring. The PKCS#7 signature of the description is set in the key | |
139 | payload. Blacklist keys cannot be removed. | |
140 | ||
cfc411e7 | 141 | endmenu |