Linux/security/integrity/Kconfig

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

1 # SPDX-License-Identifier: GPL-2.0-only << 2 # 1 # 3 config INTEGRITY 2 config INTEGRITY 4 bool "Integrity subsystem" 3 bool "Integrity subsystem" 5 depends on SECURITY 4 depends on SECURITY 6 default y 5 default y 7 help 6 help 8 This option enables the integrity su 7 This option enables the integrity subsystem, which is comprised 9 of a number of different components 8 of a number of different components including the Integrity 10 Measurement Architecture (IMA), Exte 9 Measurement Architecture (IMA), Extended Verification Module 11 (EVM), IMA-appraisal extension, digi 10 (EVM), IMA-appraisal extension, digital signature verification 12 extension and audit measurement log 11 extension and audit measurement log support. 13 12 14 Each of these components can be enab 13 Each of these components can be enabled/disabled separately. 15 Refer to the individual components f 14 Refer to the individual components for additional details. 16 15 17 if INTEGRITY 16 if INTEGRITY 18 17 19 config INTEGRITY_SIGNATURE 18 config INTEGRITY_SIGNATURE 20 bool "Digital signature verification u 19 bool "Digital signature verification using multiple keyrings" >> 20 depends on KEYS 21 default n 21 default n 22 select KEYS << 23 select SIGNATURE 22 select SIGNATURE 24 help 23 help 25 This option enables digital signatur 24 This option enables digital signature verification support 26 using multiple keyrings. It defines 25 using multiple keyrings. It defines separate keyrings for each 27 of the different use cases - evm, im 26 of the different use cases - evm, ima, and modules. 28 Different keyrings improves search p 27 Different keyrings improves search performance, but also allow 29 to "lock" certain keyring to prevent 28 to "lock" certain keyring to prevent adding new keys. 30 This is useful for evm and module ke 29 This is useful for evm and module keyrings, when keys are 31 usually only added from initramfs. 30 usually only added from initramfs. 32 31 33 config INTEGRITY_ASYMMETRIC_KEYS 32 config INTEGRITY_ASYMMETRIC_KEYS 34 bool "Enable asymmetric keys support" 33 bool "Enable asymmetric keys support" 35 depends on INTEGRITY_SIGNATURE 34 depends on INTEGRITY_SIGNATURE 36 default n 35 default n 37 select ASYMMETRIC_KEY_TYPE !! 36 select ASYMMETRIC_KEY_TYPE 38 select ASYMMETRIC_PUBLIC_KEY_SUBTYPE !! 37 select ASYMMETRIC_PUBLIC_KEY_SUBTYPE 39 select CRYPTO_RSA !! 38 select PUBLIC_KEY_ALGO_RSA 40 select X509_CERTIFICATE_PARSER !! 39 select X509_CERTIFICATE_PARSER 41 help 40 help 42 This option enables digital signatur 41 This option enables digital signature verification using 43 asymmetric keys. 42 asymmetric keys. 44 43 45 config INTEGRITY_TRUSTED_KEYRING << 46 bool "Require all keys on the integrit << 47 depends on SYSTEM_TRUSTED_KEYRING << 48 depends on INTEGRITY_ASYMMETRIC_KEYS << 49 default y << 50 help << 51 This option requires that all keys << 52 .evm keyrings be signed by a key on << 53 keyring. << 54 << 55 config INTEGRITY_PLATFORM_KEYRING << 56 bool "Provide keyring for platform/fir << 57 depends on INTEGRITY_ASYMMETRIC_KEYS << 58 depends on SYSTEM_BLACKLIST_KEYRING << 59 help << 60 Provide a separate, distinct keyring << 61 the kernel automatically populates d << 62 provided by the platform for verifyi << 63 and, possibly, the initramfs signatu << 64 << 65 config INTEGRITY_MACHINE_KEYRING << 66 bool "Provide a keyring to which Machi << 67 depends on SECONDARY_TRUSTED_KEYRING << 68 depends on INTEGRITY_ASYMMETRIC_KEYS << 69 depends on SYSTEM_BLACKLIST_KEYRING << 70 depends on LOAD_UEFI_KEYS || LOAD_PPC_ << 71 help << 72 If set, provide a keyring to which M << 73 be added. This keyring shall contain << 74 in the platform keyring, keys contai << 75 be trusted within the kernel. << 76 << 77 config INTEGRITY_CA_MACHINE_KEYRING << 78 bool "Enforce Machine Keyring CA Restr << 79 depends on INTEGRITY_MACHINE_KEYRING << 80 default n << 81 help << 82 The .machine keyring can be configur << 83 on any key added to it. By default << 84 and all Machine Owner Keys (MOK) are << 85 If enabled only CA keys are added to << 86 other MOK keys load into the platfor << 87 << 88 config INTEGRITY_CA_MACHINE_KEYRING_MAX << 89 bool "Only CA keys without DigitialSig << 90 depends on INTEGRITY_CA_MACHINE_KEYRIN << 91 default n << 92 help << 93 When selected, only load CA keys are << 94 keyring that contain the CA bit set << 95 Usage field. Keys containing the di << 96 will not be loaded. The remaining MO << 97 .platform keyring. << 98 << 99 config LOAD_UEFI_KEYS << 100 depends on INTEGRITY_PLATFORM_KEYRING << 101 depends on EFI << 102 def_bool y << 103 << 104 config LOAD_IPL_KEYS << 105 depends on INTEGRITY_PLATFORM_KEYRING << 106 depends on S390 << 107 def_bool y << 108 << 109 config LOAD_PPC_KEYS << 110 bool "Enable loading of platform and b << 111 depends on INTEGRITY_PLATFORM_KEYRING << 112 depends on PPC_SECURE_BOOT << 113 default y << 114 help << 115 Enable loading of keys to the .platf << 116 hashes to the .blacklist keyring for << 117 << 118 config INTEGRITY_AUDIT 44 config INTEGRITY_AUDIT 119 bool "Enables integrity auditing suppo 45 bool "Enables integrity auditing support " 120 depends on AUDIT 46 depends on AUDIT 121 default y 47 default y 122 help 48 help 123 In addition to enabling integrity au 49 In addition to enabling integrity auditing support, this 124 option adds a kernel parameter 'inte 50 option adds a kernel parameter 'integrity_audit', which 125 controls the level of integrity audi 51 controls the level of integrity auditing messages. 126 0 - basic integrity auditing message 52 0 - basic integrity auditing messages (default) 127 1 - additional integrity auditing me 53 1 - additional integrity auditing messages 128 54 129 Additional informational integrity a 55 Additional informational integrity auditing messages would 130 be enabled by specifying 'integrity_ 56 be enabled by specifying 'integrity_audit=1' on the kernel 131 command line. 57 command line. 132 58 133 source "security/integrity/ima/Kconfig" !! 59 source security/integrity/ima/Kconfig 134 source "security/integrity/evm/Kconfig" !! 60 source security/integrity/evm/Kconfig 135 61 136 endif # if INTEGRITY 62 endif # if INTEGRITY

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

TOMOYO Linux Cross Reference
Linux/security/integrity/Kconfig

Diff markup

Differences between /security/integrity/Kconfig (Version linux-6.12-rc7) and /security/integrity/Kconfig (Version linux-4.4.302)

TOMOYO Linux Cross Reference Linux/security/integrity/Kconfig

Diff markup

Differences between /security/integrity/Kconfig (Version linux-6.12-rc7) and /security/integrity/Kconfig (Version linux-4.4.302)

TOMOYO Linux Cross Reference
Linux/security/integrity/Kconfig