# SPDX-License-Identifier: GPL-2.0-only
#
config INTEGRITY
	bool "Integrity subsystem"
	depends on SECURITY
	default y
	help
	  This option enables the integrity subsystem, which is comprised
	  of a number of different components including the Integrity
	  Measurement Architecture (IMA), Extended Verification Module
	  (EVM), IMA-appraisal extension, digital signature verification
	  extension and audit measurement log support.

	  Each of these components can be enabled/disabled separately.
	  Refer to the individual components for additional details.

if INTEGRITY

config INTEGRITY_SIGNATURE
	bool "Digital signature verification using multiple keyrings"
	default n
	select KEYS
	select SIGNATURE
	help
	  This option enables digital signature verification support
	  using multiple keyrings. It defines separate keyrings for each
	  of the different use cases - evm, ima, and modules.
	  Separate keyrings improve search performance, and also allow a
	  particular keyring to be "locked" to prevent adding new keys.
	  This is useful for evm and module keyrings, when keys are
	  usually only added from initramfs.

config INTEGRITY_ASYMMETRIC_KEYS
	bool "Enable asymmetric keys support"
	depends on INTEGRITY_SIGNATURE
	default n
	select ASYMMETRIC_KEY_TYPE
	select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
	select CRYPTO_RSA
	select X509_CERTIFICATE_PARSER
	help
	  This option enables digital signature verification using
	  asymmetric keys.

config INTEGRITY_TRUSTED_KEYRING
	bool "Require all keys on the integrity keyrings be signed"
	depends on SYSTEM_TRUSTED_KEYRING
	depends on INTEGRITY_ASYMMETRIC_KEYS
	default y
	help
	  This option requires that all keys added to the .ima and
	  .evm keyrings be signed by a key on the system trusted
	  keyring.

config INTEGRITY_PLATFORM_KEYRING
	bool "Provide keyring for platform/firmware trusted keys"
	depends on INTEGRITY_ASYMMETRIC_KEYS
	depends on SYSTEM_BLACKLIST_KEYRING
	help
	  Provide a separate, distinct keyring for platform trusted keys, which
	  the kernel automatically populates during initialization from values
	  provided by the platform for verifying the kexec'ed kernel image
	  and, possibly, the initramfs signature.

config INTEGRITY_MACHINE_KEYRING
	bool "Provide a keyring to which Machine Owner Keys may be added"
	depends on SECONDARY_TRUSTED_KEYRING
	depends on INTEGRITY_ASYMMETRIC_KEYS
	depends on SYSTEM_BLACKLIST_KEYRING
	depends on LOAD_UEFI_KEYS
	depends on !IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
	help
	  If set, provide a keyring to which Machine Owner Keys (MOK) may
	  be added. This keyring shall contain just MOK keys. Unlike keys
	  in the platform keyring, keys contained in the .machine keyring will
	  be trusted within the kernel.

config LOAD_UEFI_KEYS
	depends on INTEGRITY_PLATFORM_KEYRING
	depends on EFI
	def_bool y

config LOAD_IPL_KEYS
	depends on INTEGRITY_PLATFORM_KEYRING
	depends on S390
	def_bool y

config LOAD_PPC_KEYS
	bool "Enable loading of platform and blacklisted keys for POWER"
	depends on INTEGRITY_PLATFORM_KEYRING
	depends on PPC_SECURE_BOOT
	default y
	help
	  Enable loading of keys to the .platform keyring and blacklisted
	  hashes to the .blacklist keyring for powerpc based platforms.

config INTEGRITY_AUDIT
	bool "Enables integrity auditing support"
	depends on AUDIT
	default y
	help
	  In addition to enabling integrity auditing support, this
	  option adds a kernel parameter 'integrity_audit', which
	  controls the level of integrity auditing messages.
	  0 - basic integrity auditing messages (default)
	  1 - additional integrity auditing messages

	  Additional informational integrity auditing messages would
	  be enabled by specifying 'integrity_audit=1' on the kernel
	  command line.

source "security/integrity/ima/Kconfig"
source "security/integrity/evm/Kconfig"

endif # if INTEGRITY
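The options defined above are easiest to verify against a built kernel's `.config` (for example `/boot/config-$(uname -r)` or a decompressed `/proc/config.gz`). The POSIX shell script below is an added example, not part of this Kconfig file or of the kernel tree: it reads a `.config`, reports the state of each integrity option defined here, and warns when signature verification, the trusted-keyring requirement or integrity auditing is turned off. The function names, the script filename in the comment and the two embedded sample configs are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the kernel's security/integrity/Kconfig: audit a
# kernel .config for the integrity-subsystem options defined in that file.
# Function names and the "hardened"/"weak" sample configs are this example's
# own constructions.

# Print the state of one CONFIG_ option: its value (y/m/...), "n" when the
# file says "# CONFIG_X is not set", or "absent" when the symbol is missing.
integrity_option_state() {
    cfg=$1
    opt=$2
    if grep -q "^# CONFIG_${opt} is not set\$" "$cfg"; then
        echo n
        return 0
    fi
    val=$(sed -n "s/^CONFIG_${opt}=//p" "$cfg")
    if [ -n "$val" ]; then
        echo "$val"
    else
        echo absent
    fi
}

# Report every integrity option and warn about the settings that weaken
# signature enforcement. Returns the number of warnings (0 = all present).
integrity_config_audit() {
    cfg=$1
    warnings=0
    for opt in INTEGRITY INTEGRITY_SIGNATURE INTEGRITY_ASYMMETRIC_KEYS \
               INTEGRITY_TRUSTED_KEYRING INTEGRITY_PLATFORM_KEYRING \
               INTEGRITY_MACHINE_KEYRING INTEGRITY_AUDIT; do
        printf 'CONFIG_%-28s %s\n' "$opt" "$(integrity_option_state "$cfg" "$opt")"
    done
    if [ "$(integrity_option_state "$cfg" INTEGRITY)" != y ]; then
        echo "WARN: integrity subsystem disabled; IMA/EVM unavailable"
        warnings=$((warnings + 1))
    fi
    if [ "$(integrity_option_state "$cfg" INTEGRITY_SIGNATURE)" != y ]; then
        echo "WARN: no digital signature verification (.ima/.evm keyrings not defined)"
        warnings=$((warnings + 1))
    fi
    if [ "$(integrity_option_state "$cfg" INTEGRITY_TRUSTED_KEYRING)" != y ]; then
        echo "WARN: keys added to .ima/.evm need not be signed by the system trusted keyring"
        warnings=$((warnings + 1))
    fi
    if [ "$(integrity_option_state "$cfg" INTEGRITY_AUDIT)" != y ]; then
        echo "WARN: integrity audit messages disabled"
        warnings=$((warnings + 1))
    fi
    return "$warnings"
}

# Write a constructed sample .config ("hardened" or "weak") to $1 so the
# audit can be exercised offline; these are not real distribution configs.
integrity_write_sample_config() {
    if [ "$2" = hardened ]; then
        cat >"$1" <<'EOF'
CONFIG_SECURITY=y
CONFIG_INTEGRITY=y
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_TRUSTED_KEYRING=y
CONFIG_INTEGRITY_PLATFORM_KEYRING=y
# CONFIG_INTEGRITY_MACHINE_KEYRING is not set
CONFIG_INTEGRITY_AUDIT=y
EOF
    else
        cat >"$1" <<'EOF'
CONFIG_SECURITY=y
CONFIG_INTEGRITY=y
# CONFIG_INTEGRITY_SIGNATURE is not set
# CONFIG_INTEGRITY_AUDIT is not set
EOF
    fi
}

# Stand-alone use (hypothetical filename): sh integrity_audit.sh /boot/config-$(uname -r)
[ $# -eq 0 ] || integrity_config_audit "$1"
```

The exit status of `integrity_config_audit` is the number of warnings, so it can gate a CI job or a host compliance check; a kernel with CONFIG_INTEGRITY_SIGNATURE off still boots, but nothing appraised by IMA or EVM can have its signature checked, which is the case the first warning flags.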