menu "Certificates for signature checking"

config MODULE_SIG_KEY
	string "File name or PKCS#11 URI of module signing key"
	default "certs/signing_key.pem"
	depends on MODULE_SIG
	help
	 Provide the file name of a private key/certificate in PEM format,
	 or a PKCS#11 URI according to RFC7512. The file should contain, or
	 the URI should identify, both the certificate and its corresponding
	 private key.

	 If this option is unchanged from its default "certs/signing_key.pem",
	 then the kernel will automatically generate the private key and
	 certificate as described in Documentation/module-signing.txt

config SYSTEM_TRUSTED_KEYRING
	bool "Provide system-wide ring of trusted keys"
	depends on KEYS
	depends on ASYMMETRIC_KEY_TYPE
	help
	 Provide a system keyring to which trusted keys can be added. Keys in
	 the keyring are considered to be trusted. Keys may be added at will
	 by the kernel from compiled-in data and from hardware key stores, but
	 userspace may only add extra keys if those keys can be verified by
	 keys already in the keyring.

	 Keys in this keyring are used by module signature checking.

config SYSTEM_TRUSTED_KEYS
	string "Additional X.509 keys for default system keyring"
	depends on SYSTEM_TRUSTED_KEYRING
	help
	 If set, this option should be the filename of a PEM-formatted file
	 containing trusted X.509 certificates to be included in the default
	 system keyring. Any certificate used for module signing is implicitly
	 also trusted.

	 NOTE: If you previously provided keys for the system keyring in the
	 form of DER-encoded *.x509 files in the top-level build directory,
	 those are no longer used. You will need to set this option instead.

config SYSTEM_EXTRA_CERTIFICATE
	bool "Reserve area for inserting a certificate without recompiling"
	depends on SYSTEM_TRUSTED_KEYRING
	help
	 If set, space for an extra certificate will be reserved in the kernel
	 image. This allows introducing a trusted certificate to the default
	 system keyring without recompiling the kernel.

config SYSTEM_EXTRA_CERTIFICATE_SIZE
	int "Number of bytes to reserve for the extra certificate"
	depends on SYSTEM_EXTRA_CERTIFICATE
	default 4096
	help
	 This is the number of bytes reserved in the kernel image for a
	 certificate to be inserted.

config SECONDARY_TRUSTED_KEYRING
	bool "Provide a keyring to which extra trustable keys may be added"
	depends on SYSTEM_TRUSTED_KEYRING
	help
	 If set, provide a keyring to which extra keys may be added, provided
	 those keys are not blacklisted and are vouched for by a key built
	 into the kernel or already in the secondary trusted keyring.
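The two PEM inputs above have different layout requirements: MODULE_SIG_KEY must carry both the certificate and its private key in one file, while SYSTEM_TRUSTED_KEYS should carry certificates only, and the legacy DER *.x509 files are no longer read. The following standard-library-only checker, added here as an example and not part of the kernel tree, validates those layouts and converts a DER blob to PEM; it checks PEM/DER structure only, not that a key cryptographically matches its certificate, and the sample DER bytes are constructed placeholders rather than real credentials.

```python
import base64
import re

# One PEM block: label, base64 body, matching END line (RFC 7468 layout).
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_blocks(text):
    """Return [(label, der_bytes)] for every well-formed PEM block.

    Raises ValueError when a body is not valid base64 or does not start
    with an ASN.1 SEQUENCE (both X.509 certs and PKCS#8 keys do)."""
    blocks = []
    for label, body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:
            raise ValueError(f"{label}: body is not DER-encoded")
        blocks.append((label, der))
    return blocks


def check_module_sig_key(text):
    """MODULE_SIG_KEY: exactly one certificate plus exactly one private key."""
    labels = [lbl for lbl, _ in pem_blocks(text)]
    return labels.count("CERTIFICATE") == 1 and sum(
        lbl in KEY_LABELS for lbl in labels) == 1


def check_system_trusted_keys(text):
    """SYSTEM_TRUSTED_KEYS: certificates only. A private key in this bundle
    would be compiled into the kernel image, so reject anything else."""
    labels = [lbl for lbl, _ in pem_blocks(text)]
    return bool(labels) and all(lbl == "CERTIFICATE" for lbl in labels)


def der_to_pem(der, label="CERTIFICATE"):
    """Wrap DER (e.g. a legacy *.x509 file) as PEM with 64-char lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample DER: a bare SEQUENCE around one INTEGER, not a real cert/key.
FAKE_CERT_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
FAKE_KEY_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x07])
SIGNING_KEY_PEM = der_to_pem(FAKE_CERT_DER) + der_to_pem(FAKE_KEY_DER, "PRIVATE KEY")

if __name__ == "__main__":
    print("MODULE_SIG_KEY layout ok:", check_module_sig_key(SIGNING_KEY_PEM))
    print("SYSTEM_TRUSTED_KEYS layout ok:", check_system_trusted_keys(SIGNING_KEY_PEM))
```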