# SPDX-License-Identifier: GPL-2.0-only
#
config INTEGRITY
	bool "Integrity subsystem"
	depends on SECURITY
	default y
	help
	  This option enables the integrity su
	  of a number of different components
	  Measurement Architecture (IMA), Exte
	  (EVM), IMA-appraisal extension, digi
	  extension and audit measurement log

	  Each of these components can be enab
	  Refer to the individual components f

if INTEGRITY

config INTEGRITY_SIGNATURE
	bool "Digital signature verification u
	default n
	select KEYS
	select SIGNATURE
	help
	  This option enables digital signatur
	  using multiple keyrings. It defines
	  of the different use cases - evm, im
	  Different keyrings improves search p
	  to "lock" certain keyring to prevent
	  This is useful for evm and module ke
	  usually only added from initramfs.

config INTEGRITY_ASYMMETRIC_KEYS
	bool "Enable asymmetric keys support"
	depends on INTEGRITY_SIGNATURE
	default n
	select ASYMMETRIC_KEY_TYPE
	select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
	select CRYPTO_RSA
	select X509_CERTIFICATE_PARSER
	help
	  This option enables digital signatur
	  asymmetric keys.

config INTEGRITY_TRUSTED_KEYRING
	bool "Require all keys on the integrit
	depends on SYSTEM_TRUSTED_KEYRING
	depends on INTEGRITY_ASYMMETRIC_KEYS
	default y
	help
	  This option requires that all keys
	  .evm keyrings be signed by a key on
	  keyring.

config INTEGRITY_PLATFORM_KEYRING
	bool "Provide keyring for platform/fir
	depends on INTEGRITY_ASYMMETRIC_KEYS
	depends on SYSTEM_BLACKLIST_KEYRING
	help
	  Provide a separate, distinct keyring
	  the kernel automatically populates d
	  provided by the platform for verifyi
	  and, possibly, the initramfs signatu

config INTEGRITY_MACHINE_KEYRING
	bool "Provide a keyring to which Machi
	depends on SECONDARY_TRUSTED_KEYRING
	depends on INTEGRITY_ASYMMETRIC_KEYS
	depends on SYSTEM_BLACKLIST_KEYRING
	depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS
	help
	  If set, provide a keyring to which M
	  be added. This keyring shall contain
	  in the platform keyring, keys contai
	  be trusted within the kernel.

config INTEGRITY_CA_MACHINE_KEYRING
	bool "Enforce Machine Keyring CA Restr
	depends on INTEGRITY_MACHINE_KEYRING
	default n
	help
	  The .machine keyring can be configur
	  on any key added to it. By default
	  and all Machine Owner Keys (MOK) are
	  If enabled only CA keys are added to
	  other MOK keys load into the platfor

config INTEGRITY_CA_MACHINE_KEYRING_MAX
	bool "Only CA keys without DigitialSig
	depends on INTEGRITY_CA_MACHINE_KEYRING
	default n
	help
	  When selected, only load CA keys are
	  keyring that contain the CA bit set
	  Usage field. Keys containing the di
	  will not be loaded. The remaining MO
	  .platform keyring.

config LOAD_UEFI_KEYS
	depends on INTEGRITY_PLATFORM_KEYRING
	depends on EFI
	def_bool y

config LOAD_IPL_KEYS
	depends on INTEGRITY_PLATFORM_KEYRING
	depends on S390
	def_bool y

config LOAD_PPC_KEYS
	bool "Enable loading of platform and b
	depends on INTEGRITY_PLATFORM_KEYRING
	depends on PPC_SECURE_BOOT
	default y
	help
	  Enable loading of keys to the .platf
	  hashes to the .blacklist keyring for

config INTEGRITY_AUDIT
	bool "Enables integrity auditing suppo
	depends on AUDIT
	default y
	help
	  In addition to enabling integrity au
	  option adds a kernel parameter 'inte
	  controls the level of integrity audi
	  0 - basic integrity auditing message
	  1 - additional integrity auditing me

	  Additional informational integrity a
	  be enabled by specifying 'integrity_
	  command line.

source "security/integrity/ima/Kconfig"
source "security/integrity/evm/Kconfig"

endif # if INTEGRITY
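Added example, not part of the kernel's Kconfig or build system: a small Python checker that applies the 'depends on' chains of the options above to a .config excerpt and reports which integrity keyring options would actually take effect, plus two weakenings worth flagging (INTEGRITY_TRUSTED_KEYRING left off while asymmetric keys are on, and a .machine keyring without INTEGRITY_CA_MACHINE_KEYRING). The DEPENDS table is my transcription of the entries on this page and SAMPLE_CONFIG is a constructed .config excerpt; both are assumptions of the example.

```python
"""Added example (not kernel code): check a .config against the 'depends on'
chains and hardening options in this Kconfig. SAMPLE_CONFIG is constructed."""
import re

DEPENDS = {  # option -> alternatives; all symbols of one tuple must hold (A || B -> two tuples)
    "INTEGRITY": [("SECURITY",)],
    "INTEGRITY_SIGNATURE": [("INTEGRITY",)],
    "INTEGRITY_ASYMMETRIC_KEYS": [("INTEGRITY_SIGNATURE",)],
    "INTEGRITY_TRUSTED_KEYRING": [("SYSTEM_TRUSTED_KEYRING", "INTEGRITY_ASYMMETRIC_KEYS")],
    "INTEGRITY_PLATFORM_KEYRING": [("INTEGRITY_ASYMMETRIC_KEYS", "SYSTEM_BLACKLIST_KEYRING")],
    "LOAD_UEFI_KEYS": [("INTEGRITY_PLATFORM_KEYRING", "EFI")],
    "LOAD_PPC_KEYS": [("INTEGRITY_PLATFORM_KEYRING", "PPC_SECURE_BOOT")],
    "INTEGRITY_MACHINE_KEYRING": [("SECONDARY_TRUSTED_KEYRING", "INTEGRITY_ASYMMETRIC_KEYS",
                                   "SYSTEM_BLACKLIST_KEYRING", ldr) for ldr in ("LOAD_UEFI_KEYS", "LOAD_PPC_KEYS")],
    "INTEGRITY_CA_MACHINE_KEYRING": [("INTEGRITY_MACHINE_KEYRING",)],
    "INTEGRITY_CA_MACHINE_KEYRING_MAX": [("INTEGRITY_CA_MACHINE_KEYRING",)],
}

SAMPLE_CONFIG = "\n".join([  # constructed excerpt; one symbol per line, as in a real .config
    "CONFIG_SECURITY=y", "CONFIG_EFI=y", "CONFIG_SYSTEM_TRUSTED_KEYRING=y",
    "CONFIG_SECONDARY_TRUSTED_KEYRING=y", "CONFIG_SYSTEM_BLACKLIST_KEYRING=y",
    "CONFIG_INTEGRITY=y", "CONFIG_INTEGRITY_SIGNATURE=y", "CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y",
    "# CONFIG_INTEGRITY_TRUSTED_KEYRING is not set", "CONFIG_INTEGRITY_PLATFORM_KEYRING=y",
    "CONFIG_LOAD_UEFI_KEYS=y", "CONFIG_INTEGRITY_MACHINE_KEYRING=y",
    "CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX=y"])

def parse_config(text):
    """Symbols set to y, without the CONFIG_ prefix ('is not set' lines are ignored)."""
    return {m.group(1) for m in re.finditer(r"^CONFIG_(\w+)=y$", text, re.M)}

def effective(enabled):
    """Options that are set and whose dependencies hold; DEPENDS is in Kconfig order."""
    active = set()
    holds = lambda d: d in active if d in DEPENDS else d in enabled  # outside symbols: set is enough
    for sym, alts in DEPENDS.items():
        if sym in enabled and any(all(map(holds, alt)) for alt in alts):
            active.add(sym)
    return active

def findings(enabled):
    """(active options, list of issues a reviewer of this config would raise)."""
    active, notes = effective(enabled), []
    for sym in DEPENDS:
        if sym in enabled and sym not in active:
            notes.append(f"{sym} set but its 'depends on' is unmet; it would be dropped")
    if "INTEGRITY_ASYMMETRIC_KEYS" in active and "INTEGRITY_TRUSTED_KEYRING" not in active:
        notes.append("INTEGRITY_TRUSTED_KEYRING off: .ima/.evm keys need no trusted-keyring signature")
    if "INTEGRITY_MACHINE_KEYRING" in active and "INTEGRITY_CA_MACHINE_KEYRING" not in active:
        notes.append("INTEGRITY_CA_MACHINE_KEYRING off: every MOK key is trusted via .machine")
    return active, notes
```

On the sample, INTEGRITY_CA_MACHINE_KEYRING_MAX is reported as dropped because its parent INTEGRITY_CA_MACHINE_KEYRING is not set, alongside the two hardening notes.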