1 # SPDX-License-Identifier: GPL-2.0-only <<
2 # 1 #
3 config INTEGRITY 2 config INTEGRITY
4 bool "Integrity subsystem" !! 3 def_bool y
5 depends on SECURITY !! 4 depends on IMA || EVM
6 default y <<
7 help <<
8 This option enables the integrity su <<
9 of a number of different components <<
10 Measurement Architecture (IMA), Exte <<
11 (EVM), IMA-appraisal extension, digi <<
12 extension and audit measurement log <<
13 <<
14 Each of these components can be enab <<
15 Refer to the individual components f <<
16 <<
17 if INTEGRITY <<
18 5
19 config INTEGRITY_SIGNATURE 6 config INTEGRITY_SIGNATURE
20 bool "Digital signature verification u !! 7 boolean "Digital signature verification using multiple keyrings"
>> 8 depends on INTEGRITY && KEYS
21 default n 9 default n
22 select KEYS <<
23 select SIGNATURE 10 select SIGNATURE
24 help 11 help
25 This option enables digital signatur 12 This option enables digital signature verification support
26 using multiple keyrings. It defines 13 using multiple keyrings. It defines separate keyrings for each
27 of the different use cases - evm, im 14 of the different use cases - evm, ima, and modules.
28 Different keyrings improves search p 15 Different keyrings improves search performance, but also allow
29 to "lock" certain keyring to prevent 16 to "lock" certain keyring to prevent adding new keys.
30 This is useful for evm and module ke 17 This is useful for evm and module keyrings, when keys are
31 usually only added from initramfs. 18 usually only added from initramfs.
32 19
33 config INTEGRITY_ASYMMETRIC_KEYS 20 config INTEGRITY_ASYMMETRIC_KEYS
34 bool "Enable asymmetric keys support" !! 21 boolean "Enable asymmetric keys support"
35 depends on INTEGRITY_SIGNATURE 22 depends on INTEGRITY_SIGNATURE
36 default n 23 default n
37 select ASYMMETRIC_KEY_TYPE !! 24 select ASYMMETRIC_KEY_TYPE
38 select ASYMMETRIC_PUBLIC_KEY_SUBTYPE !! 25 select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
39 select CRYPTO_RSA !! 26 select PUBLIC_KEY_ALGO_RSA
40 select X509_CERTIFICATE_PARSER !! 27 select X509_CERTIFICATE_PARSER
41 help 28 help
42 This option enables digital signatur 29 This option enables digital signature verification using
43 asymmetric keys. 30 asymmetric keys.
44 31
45 config INTEGRITY_TRUSTED_KEYRING !! 32 source security/integrity/ima/Kconfig
46 bool "Require all keys on the integrit !! 33 source security/integrity/evm/Kconfig
47 depends on SYSTEM_TRUSTED_KEYRING <<
48 depends on INTEGRITY_ASYMMETRIC_KEYS <<
49 default y <<
50 help <<
51 This option requires that all keys <<
52 .evm keyrings be signed by a key on <<
53 keyring. <<
54 <<
55 config INTEGRITY_PLATFORM_KEYRING <<
56 bool "Provide keyring for platform/fir <<
57 depends on INTEGRITY_ASYMMETRIC_KEYS <<
58 depends on SYSTEM_BLACKLIST_KEYRING <<
59 help <<
60 Provide a separate, distinct keyring <<
61 the kernel automatically populates d <<
62 provided by the platform for verifyi <<
63 and, possibly, the initramfs signatu <<
64 <<
65 config INTEGRITY_MACHINE_KEYRING <<
66 bool "Provide a keyring to which Machi <<
67 depends on SECONDARY_TRUSTED_KEYRING <<
68 depends on INTEGRITY_ASYMMETRIC_KEYS <<
69 depends on SYSTEM_BLACKLIST_KEYRING <<
70 depends on LOAD_UEFI_KEYS || LOAD_PPC_ <<
71 help <<
72 If set, provide a keyring to which M <<
73 be added. This keyring shall contain <<
74 in the platform keyring, keys contai <<
75 be trusted within the kernel. <<
76 <<
77 config INTEGRITY_CA_MACHINE_KEYRING <<
78 bool "Enforce Machine Keyring CA Restr <<
79 depends on INTEGRITY_MACHINE_KEYRING <<
80 default n <<
81 help <<
82 The .machine keyring can be configur <<
83 on any key added to it. By default <<
84 and all Machine Owner Keys (MOK) are <<
85 If enabled only CA keys are added to <<
86 other MOK keys load into the platfor <<
87 <<
88 config INTEGRITY_CA_MACHINE_KEYRING_MAX <<
89 bool "Only CA keys without DigitialSig <<
90 depends on INTEGRITY_CA_MACHINE_KEYRIN <<
91 default n <<
92 help <<
93 When selected, only load CA keys are <<
94 keyring that contain the CA bit set <<
95 Usage field. Keys containing the di <<
96 will not be loaded. The remaining MO <<
97 .platform keyring. <<
98 <<
99 config LOAD_UEFI_KEYS <<
100 depends on INTEGRITY_PLATFORM_KEYRING <<
101 depends on EFI <<
102 def_bool y <<
103 <<
104 config LOAD_IPL_KEYS <<
105 depends on INTEGRITY_PLATFORM_KEYRING <<
106 depends on S390 <<
107 def_bool y <<
108 <<
109 config LOAD_PPC_KEYS <<
110 bool "Enable loading of platform and b <<
111 depends on INTEGRITY_PLATFORM_KEYRING <<
112 depends on PPC_SECURE_BOOT <<
113 default y <<
114 help <<
115 Enable loading of keys to the .platf <<
116 hashes to the .blacklist keyring for <<
117 <<
118 config INTEGRITY_AUDIT <<
119 bool "Enables integrity auditing suppo <<
120 depends on AUDIT <<
121 default y <<
122 help <<
123 In addition to enabling integrity au <<
124 option adds a kernel parameter 'inte <<
125 controls the level of integrity audi <<
126 0 - basic integrity auditing message <<
127 1 - additional integrity auditing me <<
128 <<
129 Additional informational integrity a <<
130 be enabled by specifying 'integrity_ <<
131 command line. <<
132 <<
133 source "security/integrity/ima/Kconfig" <<
134 source "security/integrity/evm/Kconfig" <<
135 <<
136 endif # if INTEGRITY <<
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.