| Commit | Line | Data |
|---|---|---|
| f381c272 MZ | 1 | # |
| | 2 | config INTEGRITY |
| 7ef84e65 DK | 3 | bool "Integrity subsystem" |
| | 4 | depends on SECURITY |
| | 5 | default y |
| | 6 | help |
| | 7 | This option enables the integrity subsystem, which is comprised |
| | 8 | of a number of different components including the Integrity |
| | 9 | Measurement Architecture (IMA), Extended Verification Module |
| | 10 | (EVM), IMA-appraisal extension, digital signature verification |
| | 11 | extension and audit measurement log support. |
| | 12 | |
| | 13 | Each of these components can be enabled/disabled separately. |
| | 14 | Refer to the individual components for additional details. |
| | 15 | |
| | 16 | if INTEGRITY |
| f381c272 | 17 | |
| f1be242c | 18 | config INTEGRITY_SIGNATURE |
| 6341e62b | 19 | bool "Digital signature verification using multiple keyrings" |
| 7ef84e65 | 20 | depends on KEYS |
| 8607c501 | 21 | default n |
| 5e8898e9 | 22 | select SIGNATURE |
| 8607c501 DK | 23 | help |
| | 24 | This option enables digital signature verification support |
| | 25 | using multiple keyrings. It defines separate keyrings for each |
| | 26 | of the different use cases - evm, ima, and modules. |
| | 27 | Different keyrings improves search performance, but also allow |
| | 28 | to "lock" certain keyring to prevent adding new keys. |
| | 29 | This is useful for evm and module keyrings, when keys are |
| | 30 | usually only added from initramfs. |
| | 31 | |
| 1ae8f41c | 32 | config INTEGRITY_ASYMMETRIC_KEYS |
| 6341e62b | 33 | bool "Enable asymmetric keys support" |
| 1ae8f41c DK | 34 | depends on INTEGRITY_SIGNATURE |
| | 35 | default n |
| | 36 | select ASYMMETRIC_KEY_TYPE |
| | 37 | select ASYMMETRIC_PUBLIC_KEY_SUBTYPE |
| | 38 | select PUBLIC_KEY_ALGO_RSA |
| | 39 | select X509_CERTIFICATE_PARSER |
| | 40 | help |
| | 41 | This option enables digital signature verification using |
| | 42 | asymmetric keys. |
| | 43 | |
| d726d8d7 MZ | 44 | config INTEGRITY_AUDIT |
| | 45 | bool "Enables integrity auditing support " |
| 7ef84e65 | 46 | depends on AUDIT |
| d726d8d7 MZ | 47 | default y |
| | 48 | help |
| | 49 | In addition to enabling integrity auditing support, this |
| | 50 | option adds a kernel parameter 'integrity_audit', which |
| | 51 | controls the level of integrity auditing messages. |
| | 52 | 0 - basic integrity auditing messages (default) |
| | 53 | 1 - additional integrity auditing messages |
| | 54 | |
| | 55 | Additional informational integrity auditing messages would |
| | 56 | be enabled by specifying 'integrity_audit=1' on the kernel |
| | 57 | command line. |
| | 58 | |
| f381c272 | 59 | source security/integrity/ima/Kconfig |
| 66dbc325 | 60 | source security/integrity/evm/Kconfig |
| 7ef84e65 DK | 61 | |
| | 62 | endif # if INTEGRITY |
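
A way to audit a built kernel against the entries above, as an added example that is not part of the kernel tree: it reports which integrity options are enabled in a `.config`, whether a disabled option is blocked by its `depends on` prerequisite, and which `integrity_audit` level a command line selects. The function names, the sample config and the sample command line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not kernel code. Sample config and command line are constructed.

# kcfg_on FILE SYMBOL: succeeds when CONFIG_SYMBOL=y appears in FILE.
kcfg_on() { grep -q "^CONFIG_$2=y\$" "$1"; }

# integrity_report FILE: one line per option from the Kconfig above, and for a
# disabled option whether its "depends on" prerequisite is what is missing.
integrity_report() {
    for pair in INTEGRITY:SECURITY INTEGRITY_SIGNATURE:KEYS \
                INTEGRITY_ASYMMETRIC_KEYS:INTEGRITY_SIGNATURE \
                INTEGRITY_AUDIT:AUDIT; do
        opt=${pair%%:*}; dep=${pair##*:}
        if kcfg_on "$1" "$opt"; then
            echo "$opt on"
        elif kcfg_on "$1" "$dep"; then
            echo "$opt off"
        else
            echo "$opt off (prerequisite $dep not enabled)"
        fi
    done
}

# integrity_audit_level CMDLINE: prints 0 (the documented default) or the
# value of integrity_audit= on the command line. Assumption: when the
# parameter is repeated, the last value is the one reported.
integrity_audit_level() {
    level=0
    for arg in $1; do
        case $arg in integrity_audit=*) level=${arg#integrity_audit=} ;; esac
    done
    echo "$level"
}

# Constructed sample: signature verification on, asymmetric keys left at
# "default n", auditing unavailable because AUDIT is off.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_SECURITY=y
CONFIG_KEYS=y
CONFIG_INTEGRITY=y
CONFIG_INTEGRITY_SIGNATURE=y
# CONFIG_INTEGRITY_ASYMMETRIC_KEYS is not set
# CONFIG_AUDIT is not set
EOF
SAMPLE_CMDLINE="root=/dev/sda1 ro quiet integrity_audit=1"

integrity_report "$SAMPLE_CFG"
echo "integrity_audit level: $(integrity_audit_level "$SAMPLE_CMDLINE")"
```

On a running system the same functions can be pointed at the distribution's kernel config file and at the contents of `/proc/cmdline`.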