projects / linux-2.6-block.git / blame
| Commit | Line | Data |
|---|---|---|
| ec8f24b7 | 1 | # SPDX-License-Identifier: GPL-2.0-only |
| f381c272 MZ |
2 | # |
| 3 | config INTEGRITY | |
| 7ef84e65 DK |
4 | bool "Integrity subsystem" |
| 5 | depends on SECURITY | |
| 6 | default y | |
| 7 | help | |
| 8 | This option enables the integrity subsystem, which is comprised | |
| 9 | of a number of different components including the Integrity | |
| 10 | Measurement Architecture (IMA), Extended Verification Module | |
| 11 | (EVM), IMA-appraisal extension, digital signature verification | |
| 12 | extension and audit measurement log support. | |
| 13 | ||
| 14 | Each of these components can be enabled/disabled separately. | |
| 15 | Refer to the individual components for additional details. | |
| 16 | ||
| 17 | if INTEGRITY | |
| f381c272 | 18 | |
| f1be242c | 19 | config INTEGRITY_SIGNATURE |
| 6341e62b | 20 | bool "Digital signature verification using multiple keyrings" |
| 8607c501 | 21 | default n |
| cf38fed1 | 22 | select KEYS |
| 5e8898e9 | 23 | select SIGNATURE |
| 8607c501 DK |
24 | help |
| 25 | This option enables digital signature verification support | |
| 26 | using multiple keyrings. It defines separate keyrings for each | |
| 27 | of the different use cases - evm, ima, and modules. | |
| 28 | Different keyrings improves search performance, but also allow | |
| 29 | to "lock" certain keyring to prevent adding new keys. | |
| 30 | This is useful for evm and module keyrings, when keys are | |
| 31 | usually only added from initramfs. | |
| 32 | ||
| 1ae8f41c | 33 | config INTEGRITY_ASYMMETRIC_KEYS |
| 6341e62b | 34 | bool "Enable asymmetric keys support" |
| 1ae8f41c DK |
35 | depends on INTEGRITY_SIGNATURE |
| 36 | default n | |
| 37 | select ASYMMETRIC_KEY_TYPE | |
| 38 | select ASYMMETRIC_PUBLIC_KEY_SUBTYPE | |
| eb5798f2 | 39 | select CRYPTO_RSA |
| 1ae8f41c DK |
40 | select X509_CERTIFICATE_PARSER |
| 41 | help | |
| 42 | This option enables digital signature verification using | |
| 43 | asymmetric keys. | |
| 44 | ||
| f4dc3778 DK |
45 | config INTEGRITY_TRUSTED_KEYRING |
| 46 | bool "Require all keys on the integrity keyrings be signed" | |
| 47 | depends on SYSTEM_TRUSTED_KEYRING | |
| 48 | depends on INTEGRITY_ASYMMETRIC_KEYS | |
| f4dc3778 DK |
49 | default y |
| 50 | help | |
| 51 | This option requires that all keys added to the .ima and | |
| 52 | .evm keyrings be signed by a key on the system trusted | |
| 53 | keyring. | |
| 54 | ||
| 9dc92c45 NJ |
55 | config INTEGRITY_PLATFORM_KEYRING |
| 56 | bool "Provide keyring for platform/firmware trusted keys" | |
| 57 | depends on INTEGRITY_ASYMMETRIC_KEYS | |
| 58 | depends on SYSTEM_BLACKLIST_KEYRING | |
| 9dc92c45 NJ |
59 | help |
| 60 | Provide a separate, distinct keyring for platform trusted keys, which | |
| 61 | the kernel automatically populates during initialization from values | |
| 62 | provided by the platform for verifying the kexec'ed kerned image | |
| 63 | and, possibly, the initramfs signature. | |
| 64 | ||
| d1996776 ES |
65 | config INTEGRITY_MACHINE_KEYRING |
| 66 | bool "Provide a keyring to which Machine Owner Keys may be added" | |
| 67 | depends on SECONDARY_TRUSTED_KEYRING | |
| 68 | depends on INTEGRITY_ASYMMETRIC_KEYS | |
| 69 | depends on SYSTEM_BLACKLIST_KEYRING | |
| 70 | depends on LOAD_UEFI_KEYS | |
| 71 | depends on !IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY | |
| 72 | help | |
| 73 | If set, provide a keyring to which Machine Owner Keys (MOK) may | |
| 74 | be added. This keyring shall contain just MOK keys. Unlike keys | |
| 75 | in the platform keyring, keys contained in the .machine keyring will | |
| 76 | be trusted within the kernel. | |
| 77 | ||
| 9641b8cc MS |
78 | config LOAD_UEFI_KEYS |
| 79 | depends on INTEGRITY_PLATFORM_KEYRING | |
| 80 | depends on EFI | |
| 81 | def_bool y | |
| 82 | ||
| 83 | config LOAD_IPL_KEYS | |
| 84 | depends on INTEGRITY_PLATFORM_KEYRING | |
| 85 | depends on S390 | |
| 86 | def_bool y | |
| 87 | ||
| 8220e22d NJ |
88 | config LOAD_PPC_KEYS |
| 89 | bool "Enable loading of platform and blacklisted keys for POWER" | |
| 90 | depends on INTEGRITY_PLATFORM_KEYRING | |
| 91 | depends on PPC_SECURE_BOOT | |
| 92 | default y | |
| 93 | help | |
| 94 | Enable loading of keys to the .platform keyring and blacklisted | |
| 95 | hashes to the .blacklist keyring for powerpc based platforms. | |
| 96 | ||
| d726d8d7 MZ |
97 | config INTEGRITY_AUDIT |
| 98 | bool "Enables integrity auditing support " | |
| 7ef84e65 | 99 | depends on AUDIT |
| d726d8d7 MZ |
100 | default y |
| 101 | help | |
| 102 | In addition to enabling integrity auditing support, this | |
| 103 | option adds a kernel parameter 'integrity_audit', which | |
| 104 | controls the level of integrity auditing messages. | |
| 105 | 0 - basic integrity auditing messages (default) | |
| 106 | 1 - additional integrity auditing messages | |
| 107 | ||
| 108 | Additional informational integrity auditing messages would | |
| 109 | be enabled by specifying 'integrity_audit=1' on the kernel | |
| 110 | command line. | |
| 111 | ||
| 8636a1f9 MY |
112 | source "security/integrity/ima/Kconfig" |
| 113 | source "security/integrity/evm/Kconfig" | |
| 7ef84e65 DK |
114 | |
| 115 | endif # if INTEGRITY |