1 # SPDX-License-Identifier: GPL-2.0-only << 2 # 1 # 3 config INTEGRITY 2 config INTEGRITY 4 bool "Integrity subsystem" 3 bool "Integrity subsystem" 5 depends on SECURITY 4 depends on SECURITY 6 default y 5 default y 7 help 6 help 8 This option enables the integrity su 7 This option enables the integrity subsystem, which is comprised 9 of a number of different components 8 of a number of different components including the Integrity 10 Measurement Architecture (IMA), Exte 9 Measurement Architecture (IMA), Extended Verification Module 11 (EVM), IMA-appraisal extension, digi 10 (EVM), IMA-appraisal extension, digital signature verification 12 extension and audit measurement log 11 extension and audit measurement log support. 13 12 14 Each of these components can be enab 13 Each of these components can be enabled/disabled separately. 15 Refer to the individual components f 14 Refer to the individual components for additional details. 16 15 17 if INTEGRITY 16 if INTEGRITY 18 17 19 config INTEGRITY_SIGNATURE 18 config INTEGRITY_SIGNATURE 20 bool "Digital signature verification u 19 bool "Digital signature verification using multiple keyrings" >> 20 depends on KEYS 21 default n 21 default n 22 select KEYS << 23 select SIGNATURE 22 select SIGNATURE 24 help 23 help 25 This option enables digital signatur 24 This option enables digital signature verification support 26 using multiple keyrings. It defines 25 using multiple keyrings. It defines separate keyrings for each 27 of the different use cases - evm, im 26 of the different use cases - evm, ima, and modules. 28 Different keyrings improves search p 27 Different keyrings improves search performance, but also allow 29 to "lock" certain keyring to prevent 28 to "lock" certain keyring to prevent adding new keys. 30 This is useful for evm and module ke 29 This is useful for evm and module keyrings, when keys are 31 usually only added from initramfs. 30 usually only added from initramfs. 32 31 33 config INTEGRITY_ASYMMETRIC_KEYS 32 config INTEGRITY_ASYMMETRIC_KEYS 34 bool "Enable asymmetric keys support" 33 bool "Enable asymmetric keys support" 35 depends on INTEGRITY_SIGNATURE 34 depends on INTEGRITY_SIGNATURE 36 default n 35 default n 37 select ASYMMETRIC_KEY_TYPE !! 36 select ASYMMETRIC_KEY_TYPE 38 select ASYMMETRIC_PUBLIC_KEY_SUBTYPE !! 37 select ASYMMETRIC_PUBLIC_KEY_SUBTYPE 39 select CRYPTO_RSA !! 38 select CRYPTO_RSA 40 select X509_CERTIFICATE_PARSER !! 39 select X509_CERTIFICATE_PARSER 41 help 40 help 42 This option enables digital signatur 41 This option enables digital signature verification using 43 asymmetric keys. 42 asymmetric keys. 44 43 45 config INTEGRITY_TRUSTED_KEYRING 44 config INTEGRITY_TRUSTED_KEYRING 46 bool "Require all keys on the integrit 45 bool "Require all keys on the integrity keyrings be signed" 47 depends on SYSTEM_TRUSTED_KEYRING 46 depends on SYSTEM_TRUSTED_KEYRING 48 depends on INTEGRITY_ASYMMETRIC_KEYS 47 depends on INTEGRITY_ASYMMETRIC_KEYS 49 default y 48 default y 50 help 49 help 51 This option requires that all keys 50 This option requires that all keys added to the .ima and 52 .evm keyrings be signed by a key on 51 .evm keyrings be signed by a key on the system trusted 53 keyring. 52 keyring. 54 53 55 config INTEGRITY_PLATFORM_KEYRING 54 config INTEGRITY_PLATFORM_KEYRING 56 bool "Provide keyring for platform/fir !! 55 bool "Provide keyring for platform/firmware trusted keys" 57 depends on INTEGRITY_ASYMMETRIC_KEYS !! 56 depends on INTEGRITY_ASYMMETRIC_KEYS 58 depends on SYSTEM_BLACKLIST_KEYRING !! 57 depends on SYSTEM_BLACKLIST_KEYRING 59 help !! 58 depends on EFI 60 Provide a separate, distinct keyring !! 59 help 61 the kernel automatically populates d !! 60 Provide a separate, distinct keyring for platform trusted keys, which 62 provided by the platform for verifyi !! 61 the kernel automatically populates during initialization from values 63 and, possibly, the initramfs signatu !! 62 provided by the platform for verifying the kexec'ed kerned image 64 !! 63 and, possibly, the initramfs signature. 65 config INTEGRITY_MACHINE_KEYRING << 66 bool "Provide a keyring to which Machi << 67 depends on SECONDARY_TRUSTED_KEYRING << 68 depends on INTEGRITY_ASYMMETRIC_KEYS << 69 depends on SYSTEM_BLACKLIST_KEYRING << 70 depends on LOAD_UEFI_KEYS || LOAD_PPC_ << 71 help << 72 If set, provide a keyring to which M << 73 be added. This keyring shall contain << 74 in the platform keyring, keys contai << 75 be trusted within the kernel. << 76 << 77 config INTEGRITY_CA_MACHINE_KEYRING << 78 bool "Enforce Machine Keyring CA Restr << 79 depends on INTEGRITY_MACHINE_KEYRING << 80 default n << 81 help << 82 The .machine keyring can be configur << 83 on any key added to it. By default << 84 and all Machine Owner Keys (MOK) are << 85 If enabled only CA keys are added to << 86 other MOK keys load into the platfor << 87 << 88 config INTEGRITY_CA_MACHINE_KEYRING_MAX << 89 bool "Only CA keys without DigitialSig << 90 depends on INTEGRITY_CA_MACHINE_KEYRIN << 91 default n << 92 help << 93 When selected, only load CA keys are << 94 keyring that contain the CA bit set << 95 Usage field. Keys containing the di << 96 will not be loaded. The remaining MO << 97 .platform keyring. << 98 << 99 config LOAD_UEFI_KEYS << 100 depends on INTEGRITY_PLATFORM_KEYRING << 101 depends on EFI << 102 def_bool y << 103 << 104 config LOAD_IPL_KEYS << 105 depends on INTEGRITY_PLATFORM_KEYRING << 106 depends on S390 << 107 def_bool y << 108 << 109 config LOAD_PPC_KEYS << 110 bool "Enable loading of platform and b << 111 depends on INTEGRITY_PLATFORM_KEYRING << 112 depends on PPC_SECURE_BOOT << 113 default y << 114 help << 115 Enable loading of keys to the .platf << 116 hashes to the .blacklist keyring for << 117 64 118 config INTEGRITY_AUDIT 65 config INTEGRITY_AUDIT 119 bool "Enables integrity auditing suppo 66 bool "Enables integrity auditing support " 120 depends on AUDIT 67 depends on AUDIT 121 default y 68 default y 122 help 69 help 123 In addition to enabling integrity au 70 In addition to enabling integrity auditing support, this 124 option adds a kernel parameter 'inte 71 option adds a kernel parameter 'integrity_audit', which 125 controls the level of integrity audi 72 controls the level of integrity auditing messages. 126 0 - basic integrity auditing message 73 0 - basic integrity auditing messages (default) 127 1 - additional integrity auditing me 74 1 - additional integrity auditing messages 128 75 129 Additional informational integrity a 76 Additional informational integrity auditing messages would 130 be enabled by specifying 'integrity_ 77 be enabled by specifying 'integrity_audit=1' on the kernel 131 command line. 78 command line. 132 79 133 source "security/integrity/ima/Kconfig" 80 source "security/integrity/ima/Kconfig" 134 source "security/integrity/evm/Kconfig" 81 source "security/integrity/evm/Kconfig" 135 82 136 endif # if INTEGRITY 83 endif # if INTEGRITY
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.