Blame view
security/integrity/Kconfig
3.33 KB
ec8f24b7f treewide: Add SPD... |
1 |
# SPDX-License-Identifier: GPL-2.0-only |
f381c2722 integrity: move i... |
2 3 |
# config INTEGRITY |
7ef84e65e integrity: base i... |
4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
bool "Integrity subsystem" depends on SECURITY default y help This option enables the integrity subsystem, which is comprised of a number of different components including the Integrity Measurement Architecture (IMA), Extended Verification Module (EVM), IMA-appraisal extension, digital signature verification extension and audit measurement log support. Each of these components can be enabled/disabled separately. Refer to the individual components for additional details. if INTEGRITY |
f381c2722 integrity: move i... |
18 |
|
f1be242c9 integrity: digita... |
19 |
config INTEGRITY_SIGNATURE |
6341e62b2 kconfig: use bool... |
20 |
bool "Digital signature verification using multiple keyrings" |
8607c5014 integrity: digita... |
21 |
default n |
cf38fed1e integrity: Select... |
22 |
select KEYS |
5e8898e97 lib: digital sign... |
23 |
select SIGNATURE |
8607c5014 integrity: digita... |
24 25 26 27 28 29 30 31 |
help This option enables digital signature verification support using multiple keyrings. It defines separate keyrings for each of the different use cases - evm, ima, and modules. Different keyrings improves search performance, but also allow to "lock" certain keyring to prevent adding new keys. This is useful for evm and module keyrings, when keys are usually only added from initramfs. |
1ae8f41c2 integrity: move a... |
32 |
config INTEGRITY_ASYMMETRIC_KEYS |
6341e62b2 kconfig: use bool... |
33 |
bool "Enable asymmetric keys support" |
1ae8f41c2 integrity: move a... |
34 35 36 37 |
depends on INTEGRITY_SIGNATURE default n select ASYMMETRIC_KEY_TYPE select ASYMMETRIC_PUBLIC_KEY_SUBTYPE |
eb5798f2e integrity: conver... |
38 |
select CRYPTO_RSA |
1ae8f41c2 integrity: move a... |
39 40 41 42 |
select X509_CERTIFICATE_PARSER help This option enables digital signature verification using asymmetric keys. |
f4dc37785 integrity: define... |
43 44 45 46 |
config INTEGRITY_TRUSTED_KEYRING bool "Require all keys on the integrity keyrings be signed" depends on SYSTEM_TRUSTED_KEYRING depends on INTEGRITY_ASYMMETRIC_KEYS |
f4dc37785 integrity: define... |
47 48 49 50 51 |
default y help This option requires that all keys added to the .ima and .evm keyrings be signed by a key on the system trusted keyring. |
9dc92c451 integrity: Define... |
52 53 54 55 |
config INTEGRITY_PLATFORM_KEYRING bool "Provide keyring for platform/firmware trusted keys" depends on INTEGRITY_ASYMMETRIC_KEYS depends on SYSTEM_BLACKLIST_KEYRING |
9dc92c451 integrity: Define... |
56 57 58 59 60 |
help Provide a separate, distinct keyring for platform trusted keys, which the kernel automatically populates during initialization from values provided by the platform for verifying the kexec'ed kerned image and, possibly, the initramfs signature. |
9641b8cc7 s390/ipl: read IP... |
61 62 63 64 65 66 67 68 69 |
config LOAD_UEFI_KEYS depends on INTEGRITY_PLATFORM_KEYRING depends on EFI def_bool y config LOAD_IPL_KEYS depends on INTEGRITY_PLATFORM_KEYRING depends on S390 def_bool y |
8220e22d1 powerpc: Load fir... |
70 71 72 73 74 75 76 77 |
config LOAD_PPC_KEYS bool "Enable loading of platform and blacklisted keys for POWER" depends on INTEGRITY_PLATFORM_KEYRING depends on PPC_SECURE_BOOT default y help Enable loading of keys to the .platform keyring and blacklisted hashes to the .blacklist keyring for powerpc based platforms. |
d726d8d71 integrity: move i... |
78 79 |
config INTEGRITY_AUDIT bool "Enables integrity auditing support " |
7ef84e65e integrity: base i... |
80 |
depends on AUDIT |
d726d8d71 integrity: move i... |
81 82 83 84 85 86 87 88 89 90 91 |
default y help In addition to enabling integrity auditing support, this option adds a kernel parameter 'integrity_audit', which controls the level of integrity auditing messages. 0 - basic integrity auditing messages (default) 1 - additional integrity auditing messages Additional informational integrity auditing messages would be enabled by specifying 'integrity_audit=1' on the kernel command line. |
8636a1f96 treewide: surroun... |
92 93 |
source "security/integrity/ima/Kconfig" source "security/integrity/evm/Kconfig" |
7ef84e65e integrity: base i... |
94 95 |
endif # if INTEGRITY |