LXR
menu "Certificates for signature checking"

config MODULE_SIG_KEY
        string "File name or PKCS#11 URI of module signing key"
        default "certs/signing_key.pem"
        depends on MODULE_SIG
        help
         Provide the file name of a private key/certificate in PEM format,
         or a PKCS#11 URI according to RFC7512. The file should contain, or
         the URI should identify, both the certificate and its corresponding
         private key.

         If this option is unchanged from its default "certs/signing_key.pem",
         then the kernel will automatically generate the private key and
         certificate as described in Documentation/module-signing.txt.

config SYSTEM_TRUSTED_KEYRING
        bool "Provide system-wide ring of trusted keys"
        depends on KEYS
        depends on ASYMMETRIC_KEY_TYPE
        help
          Provide a system keyring to which trusted keys can be added.  Keys in
          the keyring are considered to be trusted.  Keys may be added at will
          by the kernel from compiled-in data and from hardware key stores, but
          userspace may only add extra keys if those keys can be verified by
          keys already in the keyring.

          Keys in this keyring are used by module signature checking.

config SYSTEM_TRUSTED_KEYS
        string "Additional X.509 keys for default system keyring"
        depends on SYSTEM_TRUSTED_KEYRING
        help
          If set, this option should be the filename of a PEM-formatted file
          containing trusted X.509 certificates to be included in the default
          system keyring. Any certificate used for module signing is implicitly
          also trusted.

          NOTE: If you previously provided keys for the system keyring in the
          form of DER-encoded *.x509 files in the top-level build directory,
          those are no longer used. You will need to set this option instead.

config SYSTEM_EXTRA_CERTIFICATE
        bool "Reserve area for inserting a certificate without recompiling"
        depends on SYSTEM_TRUSTED_KEYRING
        help
          If set, space for an extra certificate will be reserved in the kernel
          image. This allows introducing a trusted certificate to the default
          system keyring without recompiling the kernel.

config SYSTEM_EXTRA_CERTIFICATE_SIZE
        int "Number of bytes to reserve for the extra certificate"
        depends on SYSTEM_EXTRA_CERTIFICATE
        default 4096
        help
          This is the number of bytes reserved in the kernel image for a
          certificate to be inserted.

config SECONDARY_TRUSTED_KEYRING
        bool "Provide a keyring to which extra trustable keys may be added"
        depends on SYSTEM_TRUSTED_KEYRING
        help
          If set, provide a keyring to which extra keys may be added, provided
          those keys are not blacklisted and are vouched for by a key built
          into the kernel or already in the secondary trusted keyring.

endmenu
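The help texts above state three file-shape requirements that are easy to get wrong before a build: MODULE_SIG_KEY must be either a pkcs11: URI or a PEM file holding both the certificate and its private key, SYSTEM_TRUSTED_KEYS should hold only X.509 certificates (a private key there would be compiled into the kernel image), and a certificate inserted into the SYSTEM_EXTRA_CERTIFICATE area must fit in SYSTEM_EXTRA_CERTIFICATE_SIZE bytes (4096 by default) in its DER form. The following pre-build checker is an added example, not part of the kernel tree or its build scripts; it inspects only PEM envelopes (block labels and decoded DER lengths), and the sample PEM inputs it builds are constructed placeholders, not real keys or certificates.

```python
"""Pre-build sanity checks for MODULE_SIG_KEY, SYSTEM_TRUSTED_KEYS and
SYSTEM_EXTRA_CERTIFICATE_SIZE (added example, not kernel code)."""
import base64
import re
from typing import List, Optional, Tuple

# One PEM block: label, base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)
PRIVATE_KEY_LABELS = {
    "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
}
DEFAULT_SIG_KEY = "certs/signing_key.pem"  # default from the Kconfig above


def pem_blocks(text: str) -> List[Tuple[str, int]]:
    """Return (label, DER length in bytes) for every PEM block in `text`."""
    out = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        out.append((label, len(der)))
    return out


def check_module_sig_key(value: str, pem_text: Optional[str]) -> List[str]:
    """MODULE_SIG_KEY: a pkcs11: URI (RFC 7512) or a PEM file with exactly one
    certificate plus its private key. Returns a list of problems found."""
    if value.startswith("pkcs11:"):
        return []  # key material lives in a token; nothing on disk to inspect
    if pem_text is None:
        # The default path is generated by the kernel build; any other path must exist.
        return [] if value == DEFAULT_SIG_KEY else [f"{value}: file not found"]
    labels = [lbl for lbl, _ in pem_blocks(pem_text)]
    problems = []
    if labels.count("CERTIFICATE") != 1:
        problems.append(f"{value}: expected one CERTIFICATE block, found {labels.count('CERTIFICATE')}")
    if not any(lbl in PRIVATE_KEY_LABELS for lbl in labels):
        problems.append(f"{value}: no private key block")
    return problems


def check_trusted_keys(pem_text: str) -> Tuple[int, List[str]]:
    """SYSTEM_TRUSTED_KEYS: PEM file of X.509 certificates only. Returns
    (certificate count, problems); any non-certificate block is flagged
    because the file's contents are built into the kernel image."""
    blocks = pem_blocks(pem_text)
    certs = sum(1 for lbl, _ in blocks if lbl == "CERTIFICATE")
    problems = [f"unexpected {lbl} block in trusted-keys file"
                for lbl, _ in blocks if lbl != "CERTIFICATE"]
    return certs, problems


def fits_extra_certificate(pem_text: str, reserved: int = 4096) -> bool:
    """SYSTEM_EXTRA_CERTIFICATE_SIZE reserves `reserved` bytes in the image;
    the single certificate to insert must not exceed it in DER form."""
    blocks = pem_blocks(pem_text)
    return len(blocks) == 1 and blocks[0][0] == "CERTIFICATE" and blocks[0][1] <= reserved


def fake_pem(label: str, der_len: int) -> str:
    """Constructed placeholder: a PEM envelope around `der_len` filler bytes.
    Not a real certificate or key; only the envelope and size are checked."""
    body = base64.encodebytes(b"\x30" * der_len).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


# Constructed sample inputs (placeholders, see fake_pem).
SIGNING_KEY_PEM = fake_pem("PRIVATE KEY", 1200) + fake_pem("CERTIFICATE", 900)
TRUSTED_KEYS_PEM = (fake_pem("CERTIFICATE", 1100) + fake_pem("CERTIFICATE", 1300)
                    + fake_pem("RSA PRIVATE KEY", 1100))  # stray key: should be flagged
BIG_CERT_PEM = fake_pem("CERTIFICATE", 5000)  # too large for the 4096-byte default

if __name__ == "__main__":
    print("MODULE_SIG_KEY:", check_module_sig_key(DEFAULT_SIG_KEY, SIGNING_KEY_PEM) or "ok")
    count, issues = check_trusted_keys(TRUSTED_KEYS_PEM)
    print(f"SYSTEM_TRUSTED_KEYS: {count} certificate(s);", issues or "ok")
    print("extra certificate fits:", fits_extra_certificate(BIG_CERT_PEM))
```

Run the module directly to see the three checks against the constructed samples, or point the functions at the real file contents from a build tree. The checker deliberately stops at the PEM envelope: whether the certificate and key actually pair up, and whether the kernel's own tooling accepts them, is still decided by the build.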