1 # SPDX-License-Identifier: GPL-2.0
2 menu "Certificates for signature checking"
3
4 config MODULE_SIG_KEY
5 string "File name or PKCS#11 URI of mo
6 default "certs/signing_key.pem"
7 depends on MODULE_SIG || (IMA_APPRAISE
8 help
9 Provide the file name of a private ke
10 or a PKCS#11 URI according to RFC7512
11 the URI should identify, both the cer
12 private key.
13
14 If this option is unchanged from its
15 then the kernel will automatically ge
16 certificate as described in Documenta
17
18 choice
19 prompt "Type of module signing key to
20 depends on MODULE_SIG || (IMA_APPRAISE
21 help
22 The type of module signing key type t
23 does not apply if a #PKCS11 URI is us
24
25 config MODULE_SIG_KEY_TYPE_RSA
26 bool "RSA"
27 help
28 Use an RSA key for module signing.
29
30 config MODULE_SIG_KEY_TYPE_ECDSA
31 bool "ECDSA"
32 select CRYPTO_ECDSA
33 depends on !(MODULE_SIG_SHA256 || MODU
34 help
35 Use an elliptic curve key (NIST P384)
36 a strong hash of same or higher bit l
37 sha512 for hashing modules.
38
39 Note: Remove all ECDSA signing keys,
40 when falling back to building Linux 5
41
42 endchoice
43
44 config SYSTEM_TRUSTED_KEYRING
45 bool "Provide system-wide ring of trus
46 depends on KEYS
47 depends on ASYMMETRIC_KEY_TYPE
48 depends on X509_CERTIFICATE_PARSER = y
49 help
50 Provide a system keyring to which tr
51 the keyring are considered to be tru
52 by the kernel from compiled-in data
53 userspace may only add extra keys if
54 keys already in the keyring.
55
56 Keys in this keyring are used by mod
57
58 config SYSTEM_TRUSTED_KEYS
59 string "Additional X.509 keys for defa
60 depends on SYSTEM_TRUSTED_KEYRING
61 help
62 If set, this option should be the fi
63 containing trusted X.509 certificate
64 system keyring. Any certificate used
65 also trusted.
66
67 NOTE: If you previously provided key
68 form of DER-encoded *.x509 files in
69 those are no longer used. You will n
70
71 config SYSTEM_EXTRA_CERTIFICATE
72 bool "Reserve area for inserting a cer
73 depends on SYSTEM_TRUSTED_KEYRING
74 help
75 If set, space for an extra certifica
76 image. This allows introducing a tru
77 system keyring without recompiling t
78
79 config SYSTEM_EXTRA_CERTIFICATE_SIZE
80 int "Number of bytes to reserve for th
81 depends on SYSTEM_EXTRA_CERTIFICATE
82 default 4096
83 help
84 This is the number of bytes reserved
85 certificate to be inserted.
86
87 config SECONDARY_TRUSTED_KEYRING
88 bool "Provide a keyring to which extra
89 depends on SYSTEM_TRUSTED_KEYRING
90 help
91 If set, provide a keyring to which e
92 those keys are not blacklisted and a
93 into the kernel, machine keyring (if
94 secondary trusted keyring.
95
96 config SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUI
97 bool "Only allow additional certs sign
98 depends on SECONDARY_TRUSTED_KEYRING
99 help
100 If set, only certificates signed by
101 keyring may be loaded onto the secon
102
103 Note: The machine keyring, if config
104 secondary keyring. When enabling th
105 to also configure INTEGRITY_CA_MACHI
106 linking code signing keys with imput
107 trusted keyring.
108
109 config SYSTEM_BLACKLIST_KEYRING
110 bool "Provide system-wide ring of blac
111 depends on KEYS
112 help
113 Provide a system keyring to which bl
114 Keys in the keyring are considered e
115 keyring are used by the module signa
116 of modules signed with a blacklisted
117
118 config SYSTEM_BLACKLIST_HASH_LIST
119 string "Hashes to be preloaded into th
120 depends on SYSTEM_BLACKLIST_KEYRING
121 help
122 If set, this option should be the fi
123 form "<hash>", "<hash>", ... . This
124 wrapper to incorporate the list into
125 string starting with a prefix ("tbs"
126 finally an even number of hexadecima
127 Certificate hashes can be generated
128 tools/certs/print-cert-tbs-hash.sh .
129
130 config SYSTEM_REVOCATION_LIST
131 bool "Provide system-wide ring of revo
132 depends on SYSTEM_BLACKLIST_KEYRING
133 depends on PKCS7_MESSAGE_PARSER=y
134 help
135 If set, this allows revocation certi
136 blacklist keyring and implements a h
137 be checked to see if it matches such
138
139 config SYSTEM_REVOCATION_KEYS
140 string "X.509 certificates to be prelo
141 depends on SYSTEM_REVOCATION_LIST
142 help
143 If set, this option should be the fi
144 containing X.509 certificates to be
145 keyring.
146
147 config SYSTEM_BLACKLIST_AUTH_UPDATE
148 bool "Allow root to add signed blackli
149 depends on SYSTEM_BLACKLIST_KEYRING
150 depends on SYSTEM_DATA_VERIFICATION
151 help
152 If set, provide the ability to load
153 they are signed and vouched by a cer
154 keyring. The PKCS#7 signature of th
155 payload. Blacklist keys cannot be r
156
157 endmenu
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.