1 # SPDX-License-Identifier: GPL-2.0 <<
2 menu "Certificates for signature checking" 1 menu "Certificates for signature checking"
3 2
4 config MODULE_SIG_KEY 3 config MODULE_SIG_KEY
5 string "File name or PKCS#11 URI of mo 4 string "File name or PKCS#11 URI of module signing key"
6 default "certs/signing_key.pem" 5 default "certs/signing_key.pem"
7 depends on MODULE_SIG || (IMA_APPRAISE !! 6 depends on MODULE_SIG
8 help 7 help
9 Provide the file name of a private ke 8 Provide the file name of a private key/certificate in PEM format,
10 or a PKCS#11 URI according to RFC7512 9 or a PKCS#11 URI according to RFC7512. The file should contain, or
11 the URI should identify, both the cer 10 the URI should identify, both the certificate and its corresponding
12 private key. 11 private key.
13 12
14 If this option is unchanged from its 13 If this option is unchanged from its default "certs/signing_key.pem",
15 then the kernel will automatically ge 14 then the kernel will automatically generate the private key and
16 certificate as described in Documenta !! 15 certificate as described in Documentation/module-signing.txt
17 <<
18 choice <<
19 prompt "Type of module signing key to <<
20 depends on MODULE_SIG || (IMA_APPRAISE <<
21 help <<
22 The type of module signing key type t <<
23 does not apply if a #PKCS11 URI is us <<
24 <<
25 config MODULE_SIG_KEY_TYPE_RSA <<
26 bool "RSA" <<
27 help <<
28 Use an RSA key for module signing. <<
29 <<
30 config MODULE_SIG_KEY_TYPE_ECDSA <<
31 bool "ECDSA" <<
32 select CRYPTO_ECDSA <<
33 depends on !(MODULE_SIG_SHA256 || MODU <<
34 help <<
35 Use an elliptic curve key (NIST P384) <<
36 a strong hash of same or higher bit l <<
37 sha512 for hashing modules. <<
38 <<
39 Note: Remove all ECDSA signing keys, <<
40 when falling back to building Linux 5 <<
41 <<
42 endchoice <<
43 16
44 config SYSTEM_TRUSTED_KEYRING 17 config SYSTEM_TRUSTED_KEYRING
45 bool "Provide system-wide ring of trus 18 bool "Provide system-wide ring of trusted keys"
46 depends on KEYS 19 depends on KEYS
47 depends on ASYMMETRIC_KEY_TYPE <<
48 depends on X509_CERTIFICATE_PARSER = y <<
49 help 20 help
50 Provide a system keyring to which tr 21 Provide a system keyring to which trusted keys can be added. Keys in
51 the keyring are considered to be tru 22 the keyring are considered to be trusted. Keys may be added at will
52 by the kernel from compiled-in data 23 by the kernel from compiled-in data and from hardware key stores, but
53 userspace may only add extra keys if 24 userspace may only add extra keys if those keys can be verified by
54 keys already in the keyring. 25 keys already in the keyring.
55 26
56 Keys in this keyring are used by mod 27 Keys in this keyring are used by module signature checking.
57 28
58 config SYSTEM_TRUSTED_KEYS 29 config SYSTEM_TRUSTED_KEYS
59 string "Additional X.509 keys for defa 30 string "Additional X.509 keys for default system keyring"
60 depends on SYSTEM_TRUSTED_KEYRING 31 depends on SYSTEM_TRUSTED_KEYRING
61 help 32 help
62 If set, this option should be the fi 33 If set, this option should be the filename of a PEM-formatted file
63 containing trusted X.509 certificate 34 containing trusted X.509 certificates to be included in the default
64 system keyring. Any certificate used 35 system keyring. Any certificate used for module signing is implicitly
65 also trusted. 36 also trusted.
66 37
67 NOTE: If you previously provided key 38 NOTE: If you previously provided keys for the system keyring in the
68 form of DER-encoded *.x509 files in 39 form of DER-encoded *.x509 files in the top-level build directory,
69 those are no longer used. You will n 40 those are no longer used. You will need to set this option instead.
70 <<
71 config SYSTEM_EXTRA_CERTIFICATE <<
72 bool "Reserve area for inserting a cer <<
73 depends on SYSTEM_TRUSTED_KEYRING <<
74 help <<
75 If set, space for an extra certifica <<
76 image. This allows introducing a tru <<
77 system keyring without recompiling t <<
78 <<
79 config SYSTEM_EXTRA_CERTIFICATE_SIZE <<
80 int "Number of bytes to reserve for th <<
81 depends on SYSTEM_EXTRA_CERTIFICATE <<
82 default 4096 <<
83 help <<
84 This is the number of bytes reserved <<
85 certificate to be inserted. <<
86 <<
87 config SECONDARY_TRUSTED_KEYRING <<
88 bool "Provide a keyring to which extra <<
89 depends on SYSTEM_TRUSTED_KEYRING <<
90 help <<
91 If set, provide a keyring to which e <<
92 those keys are not blacklisted and a <<
93 into the kernel, machine keyring (if <<
94 secondary trusted keyring. <<
95 <<
96 config SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUI <<
97 bool "Only allow additional certs sign <<
98 depends on SECONDARY_TRUSTED_KEYRING <<
99 help <<
100 If set, only certificates signed by <<
101 keyring may be loaded onto the secon <<
102 <<
103 Note: The machine keyring, if config <<
104 secondary keyring. When enabling th <<
105 to also configure INTEGRITY_CA_MACHI <<
106 linking code signing keys with imput <<
107 trusted keyring. <<
108 <<
109 config SYSTEM_BLACKLIST_KEYRING <<
110 bool "Provide system-wide ring of blac <<
111 depends on KEYS <<
112 help <<
113 Provide a system keyring to which bl <<
114 Keys in the keyring are considered e <<
115 keyring are used by the module signa <<
116 of modules signed with a blacklisted <<
117 <<
118 config SYSTEM_BLACKLIST_HASH_LIST <<
119 string "Hashes to be preloaded into th <<
120 depends on SYSTEM_BLACKLIST_KEYRING <<
121 help <<
122 If set, this option should be the fi <<
123 form "<hash>", "<hash>", ... . This <<
124 wrapper to incorporate the list into <<
125 string starting with a prefix ("tbs" <<
126 finally an even number of hexadecima <<
127 Certificate hashes can be generated <<
128 tools/certs/print-cert-tbs-hash.sh . <<
129 <<
130 config SYSTEM_REVOCATION_LIST <<
131 bool "Provide system-wide ring of revo <<
132 depends on SYSTEM_BLACKLIST_KEYRING <<
133 depends on PKCS7_MESSAGE_PARSER=y <<
134 help <<
135 If set, this allows revocation certi <<
136 blacklist keyring and implements a h <<
137 be checked to see if it matches such <<
138 <<
139 config SYSTEM_REVOCATION_KEYS <<
140 string "X.509 certificates to be prelo <<
141 depends on SYSTEM_REVOCATION_LIST <<
142 help <<
143 If set, this option should be the fi <<
144 containing X.509 certificates to be <<
145 keyring. <<
146 <<
147 config SYSTEM_BLACKLIST_AUTH_UPDATE <<
148 bool "Allow root to add signed blackli <<
149 depends on SYSTEM_BLACKLIST_KEYRING <<
150 depends on SYSTEM_DATA_VERIFICATION <<
151 help <<
152 If set, provide the ability to load <<
153 they are signed and vouched by a cer <<
154 keyring. The PKCS#7 signature of th <<
155 payload. Blacklist keys cannot be r <<
156 41
157 endmenu 42 endmenu
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.