Commit | Line | Data |
---|---|---|
ec8f24b7 | 1 | # SPDX-License-Identifier: GPL-2.0-only |
f381c272 MZ |
2 | # |
3 | config INTEGRITY | |
7ef84e65 DK |
4 | bool "Integrity subsystem" |
5 | depends on SECURITY | |
6 | default y | |
7 | help | |
8 | This option enables the integrity subsystem, which is comprised | |
9 | of a number of different components including the Integrity | |
10 | Measurement Architecture (IMA), Extended Verification Module | |
11 | (EVM), IMA-appraisal extension, digital signature verification | |
12 | extension and audit measurement log support. | |
13 | ||
14 | Each of these components can be enabled/disabled separately. | |
15 | Refer to the individual components for additional details. | |
16 | ||
17 | if INTEGRITY | |
f381c272 | 18 | |
f1be242c | 19 | config INTEGRITY_SIGNATURE |
6341e62b | 20 | bool "Digital signature verification using multiple keyrings" |
8607c501 | 21 | default n |
cf38fed1 | 22 | select KEYS |
5e8898e9 | 23 | select SIGNATURE |
8607c501 DK |
24 | help |
25 | This option enables digital signature verification support | |
26 | using multiple keyrings. It defines separate keyrings for each | |
27 | of the different use cases - evm, ima, and modules. | |
28 | Different keyrings improves search performance, but also allow | |
29 | to "lock" certain keyring to prevent adding new keys. | |
30 | This is useful for evm and module keyrings, when keys are | |
31 | usually only added from initramfs. | |
32 | ||
1ae8f41c | 33 | config INTEGRITY_ASYMMETRIC_KEYS |
6341e62b | 34 | bool "Enable asymmetric keys support" |
1ae8f41c DK |
35 | depends on INTEGRITY_SIGNATURE |
36 | default n | |
7b5c3086 PP |
37 | select ASYMMETRIC_KEY_TYPE |
38 | select ASYMMETRIC_PUBLIC_KEY_SUBTYPE | |
39 | select CRYPTO_RSA | |
40 | select X509_CERTIFICATE_PARSER | |
1ae8f41c DK |
41 | help |
42 | This option enables digital signature verification using | |
43 | asymmetric keys. | |
44 | ||
f4dc3778 DK |
45 | config INTEGRITY_TRUSTED_KEYRING |
46 | bool "Require all keys on the integrity keyrings be signed" | |
47 | depends on SYSTEM_TRUSTED_KEYRING | |
48 | depends on INTEGRITY_ASYMMETRIC_KEYS | |
f4dc3778 DK |
49 | default y |
50 | help | |
51 | This option requires that all keys added to the .ima and | |
52 | .evm keyrings be signed by a key on the system trusted | |
53 | keyring. | |
54 | ||
9dc92c45 | 55 | config INTEGRITY_PLATFORM_KEYRING |
7b5c3086 PP |
56 | bool "Provide keyring for platform/firmware trusted keys" |
57 | depends on INTEGRITY_ASYMMETRIC_KEYS | |
58 | depends on SYSTEM_BLACKLIST_KEYRING | |
59 | help | |
60 | Provide a separate, distinct keyring for platform trusted keys, which | |
61 | the kernel automatically populates during initialization from values | |
62 | provided by the platform for verifying the kexec'ed kerned image | |
63 | and, possibly, the initramfs signature. | |
9dc92c45 | 64 | |
d1996776 ES |
65 | config INTEGRITY_MACHINE_KEYRING |
66 | bool "Provide a keyring to which Machine Owner Keys may be added" | |
67 | depends on SECONDARY_TRUSTED_KEYRING | |
68 | depends on INTEGRITY_ASYMMETRIC_KEYS | |
69 | depends on SYSTEM_BLACKLIST_KEYRING | |
d7d91c47 | 70 | depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS |
d1996776 | 71 | help |
7b5c3086 PP |
72 | If set, provide a keyring to which Machine Owner Keys (MOK) may |
73 | be added. This keyring shall contain just MOK keys. Unlike keys | |
74 | in the platform keyring, keys contained in the .machine keyring will | |
75 | be trusted within the kernel. | |
d1996776 | 76 | |
099f26f2 ES |
77 | config INTEGRITY_CA_MACHINE_KEYRING |
78 | bool "Enforce Machine Keyring CA Restrictions" | |
79 | depends on INTEGRITY_MACHINE_KEYRING | |
80 | default n | |
81 | help | |
82 | The .machine keyring can be configured to enforce CA restriction | |
83 | on any key added to it. By default no restrictions are in place | |
84 | and all Machine Owner Keys (MOK) are added to the machine keyring. | |
85 | If enabled only CA keys are added to the machine keyring, all | |
86 | other MOK keys load into the platform keyring. | |
87 | ||
88 | config INTEGRITY_CA_MACHINE_KEYRING_MAX | |
89 | bool "Only CA keys without DigitialSignature usage set" | |
90 | depends on INTEGRITY_CA_MACHINE_KEYRING | |
91 | default n | |
92 | help | |
93 | When selected, only load CA keys are loaded into the machine | |
94 | keyring that contain the CA bit set along with the keyCertSign | |
95 | Usage field. Keys containing the digitialSignature Usage field | |
96 | will not be loaded. The remaining MOK keys are loaded into the | |
97 | .platform keyring. | |
98 | ||
9641b8cc | 99 | config LOAD_UEFI_KEYS |
7b5c3086 PP |
100 | depends on INTEGRITY_PLATFORM_KEYRING |
101 | depends on EFI | |
102 | def_bool y | |
9641b8cc MS |
103 | |
104 | config LOAD_IPL_KEYS | |
7b5c3086 PP |
105 | depends on INTEGRITY_PLATFORM_KEYRING |
106 | depends on S390 | |
107 | def_bool y | |
9641b8cc | 108 | |
8220e22d NJ |
109 | config LOAD_PPC_KEYS |
110 | bool "Enable loading of platform and blacklisted keys for POWER" | |
111 | depends on INTEGRITY_PLATFORM_KEYRING | |
112 | depends on PPC_SECURE_BOOT | |
113 | default y | |
114 | help | |
115 | Enable loading of keys to the .platform keyring and blacklisted | |
116 | hashes to the .blacklist keyring for powerpc based platforms. | |
117 | ||
d726d8d7 MZ |
118 | config INTEGRITY_AUDIT |
119 | bool "Enables integrity auditing support " | |
7ef84e65 | 120 | depends on AUDIT |
d726d8d7 MZ |
121 | default y |
122 | help | |
123 | In addition to enabling integrity auditing support, this | |
124 | option adds a kernel parameter 'integrity_audit', which | |
125 | controls the level of integrity auditing messages. | |
126 | 0 - basic integrity auditing messages (default) | |
127 | 1 - additional integrity auditing messages | |
128 | ||
129 | Additional informational integrity auditing messages would | |
130 | be enabled by specifying 'integrity_audit=1' on the kernel | |
131 | command line. | |
132 | ||
8636a1f9 MY |
133 | source "security/integrity/ima/Kconfig" |
134 | source "security/integrity/evm/Kconfig" | |
7ef84e65 DK |
135 | |
136 | endif # if INTEGRITY |