~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/security/integrity/Kconfig

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /security/integrity/Kconfig (Version linux-6.12-rc7) and /security/integrity/Kconfig (Version linux-4.12.14)


  1 # SPDX-License-Identifier: GPL-2.0-only        << 
  2 #                                                   1 #
  3 config INTEGRITY                                    2 config INTEGRITY
  4         bool "Integrity subsystem"                  3         bool "Integrity subsystem"
  5         depends on SECURITY                         4         depends on SECURITY
  6         default y                                   5         default y
  7         help                                        6         help
  8           This option enables the integrity su      7           This option enables the integrity subsystem, which is comprised
  9           of a number of different components       8           of a number of different components including the Integrity
 10           Measurement Architecture (IMA), Exte      9           Measurement Architecture (IMA), Extended Verification Module
 11           (EVM), IMA-appraisal extension, digi     10           (EVM), IMA-appraisal extension, digital signature verification
 12           extension and audit measurement log      11           extension and audit measurement log support.
 13                                                    12 
 14           Each of these components can be enab     13           Each of these components can be enabled/disabled separately.
 15           Refer to the individual components f     14           Refer to the individual components for additional details.
 16                                                    15 
 17 if INTEGRITY                                       16 if INTEGRITY
 18                                                    17 
 19 config INTEGRITY_SIGNATURE                         18 config INTEGRITY_SIGNATURE
 20         bool "Digital signature verification u     19         bool "Digital signature verification using multiple keyrings"
                                                   >>  20         depends on KEYS
 21         default n                                  21         default n
 22         select KEYS                            << 
 23         select SIGNATURE                           22         select SIGNATURE
 24         help                                       23         help
 25           This option enables digital signatur     24           This option enables digital signature verification support
 26           using multiple keyrings. It defines      25           using multiple keyrings. It defines separate keyrings for each
 27           of the different use cases - evm, im     26           of the different use cases - evm, ima, and modules.
 28           Different keyrings improves search p     27           Different keyrings improves search performance, but also allow
 29           to "lock" certain keyring to prevent     28           to "lock" certain keyring to prevent adding new keys.
 30           This is useful for evm and module ke     29           This is useful for evm and module keyrings, when keys are
 31           usually only added from initramfs.       30           usually only added from initramfs.
 32                                                    31 
 33 config INTEGRITY_ASYMMETRIC_KEYS                   32 config INTEGRITY_ASYMMETRIC_KEYS
 34         bool "Enable asymmetric keys support"      33         bool "Enable asymmetric keys support"
 35         depends on INTEGRITY_SIGNATURE             34         depends on INTEGRITY_SIGNATURE
 36         default n                                  35         default n
 37         select ASYMMETRIC_KEY_TYPE             !!  36         select ASYMMETRIC_KEY_TYPE
 38         select ASYMMETRIC_PUBLIC_KEY_SUBTYPE   !!  37         select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
 39         select CRYPTO_RSA                      !!  38         select CRYPTO_RSA
 40         select X509_CERTIFICATE_PARSER         !!  39         select X509_CERTIFICATE_PARSER
 41         help                                       40         help
 42           This option enables digital signatur     41           This option enables digital signature verification using
 43           asymmetric keys.                         42           asymmetric keys.
 44                                                    43 
 45 config INTEGRITY_TRUSTED_KEYRING                   44 config INTEGRITY_TRUSTED_KEYRING
 46         bool "Require all keys on the integrit     45         bool "Require all keys on the integrity keyrings be signed"
 47         depends on SYSTEM_TRUSTED_KEYRING          46         depends on SYSTEM_TRUSTED_KEYRING
 48         depends on INTEGRITY_ASYMMETRIC_KEYS       47         depends on INTEGRITY_ASYMMETRIC_KEYS
 49         default y                                  48         default y
 50         help                                       49         help
 51            This option requires that all keys      50            This option requires that all keys added to the .ima and
 52            .evm keyrings be signed by a key on     51            .evm keyrings be signed by a key on the system trusted
 53            keyring.                                52            keyring.
 54                                                    53 
 55 config INTEGRITY_PLATFORM_KEYRING              << 
 56         bool "Provide keyring for platform/fir << 
 57         depends on INTEGRITY_ASYMMETRIC_KEYS   << 
 58         depends on SYSTEM_BLACKLIST_KEYRING    << 
 59         help                                   << 
 60           Provide a separate, distinct keyring << 
 61           the kernel automatically populates d << 
 62           provided by the platform for verifyi << 
 63           and, possibly, the initramfs signatu << 
 64                                                << 
 65 config INTEGRITY_MACHINE_KEYRING               << 
 66         bool "Provide a keyring to which Machi << 
 67         depends on SECONDARY_TRUSTED_KEYRING   << 
 68         depends on INTEGRITY_ASYMMETRIC_KEYS   << 
 69         depends on SYSTEM_BLACKLIST_KEYRING    << 
 70         depends on LOAD_UEFI_KEYS || LOAD_PPC_ << 
 71         help                                   << 
 72           If set, provide a keyring to which M << 
 73           be added. This keyring shall contain << 
 74           in the platform keyring, keys contai << 
 75           be trusted within the kernel.        << 
 76                                                << 
 77 config INTEGRITY_CA_MACHINE_KEYRING            << 
 78         bool "Enforce Machine Keyring CA Restr << 
 79         depends on INTEGRITY_MACHINE_KEYRING   << 
 80         default n                              << 
 81         help                                   << 
 82           The .machine keyring can be configur << 
 83           on any key added to it.  By default  << 
 84           and all Machine Owner Keys (MOK) are << 
 85           If enabled only CA keys are added to << 
 86           other MOK keys load into the platfor << 
 87                                                << 
 88 config INTEGRITY_CA_MACHINE_KEYRING_MAX        << 
 89         bool "Only CA keys without DigitialSig << 
 90         depends on INTEGRITY_CA_MACHINE_KEYRIN << 
 91         default n                              << 
 92         help                                   << 
 93           When selected, only load CA keys are << 
 94           keyring that contain the CA bit set  << 
 95           Usage field.  Keys containing the di << 
 96           will not be loaded. The remaining MO << 
 97           .platform keyring.                   << 
 98                                                << 
 99 config LOAD_UEFI_KEYS                          << 
100         depends on INTEGRITY_PLATFORM_KEYRING  << 
101         depends on EFI                         << 
102         def_bool y                             << 
103                                                << 
104 config LOAD_IPL_KEYS                           << 
105         depends on INTEGRITY_PLATFORM_KEYRING  << 
106         depends on S390                        << 
107         def_bool y                             << 
108                                                << 
109 config LOAD_PPC_KEYS                           << 
110         bool "Enable loading of platform and b << 
111         depends on INTEGRITY_PLATFORM_KEYRING  << 
112         depends on PPC_SECURE_BOOT             << 
113         default y                              << 
114         help                                   << 
115           Enable loading of keys to the .platf << 
116           hashes to the .blacklist keyring for << 
117                                                << 
118 config INTEGRITY_AUDIT                             54 config INTEGRITY_AUDIT
119         bool "Enables integrity auditing suppo     55         bool "Enables integrity auditing support "
120         depends on AUDIT                           56         depends on AUDIT
121         default y                                  57         default y
122         help                                       58         help
123           In addition to enabling integrity au     59           In addition to enabling integrity auditing support, this
124           option adds a kernel parameter 'inte     60           option adds a kernel parameter 'integrity_audit', which
125           controls the level of integrity audi     61           controls the level of integrity auditing messages.
126           0 - basic integrity auditing message     62           0 - basic integrity auditing messages (default)
127           1 - additional integrity auditing me     63           1 - additional integrity auditing messages
128                                                    64 
129           Additional informational integrity a     65           Additional informational integrity auditing messages would
130           be enabled by specifying 'integrity_     66           be enabled by specifying 'integrity_audit=1' on the kernel
131           command line.                            67           command line.
132                                                    68 
133 source "security/integrity/ima/Kconfig"        !!  69 source security/integrity/ima/Kconfig
134 source "security/integrity/evm/Kconfig"        !!  70 source security/integrity/evm/Kconfig
135                                                    71 
136 endif   # if INTEGRITY                             72 endif   # if INTEGRITY
                                                      

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php