~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/security/integrity/Kconfig

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /security/integrity/Kconfig (Version linux-6.12-rc7) and /security/integrity/Kconfig (Version linux-5.13.19)


  1 # SPDX-License-Identifier: GPL-2.0-only             1 # SPDX-License-Identifier: GPL-2.0-only
  2 #                                                   2 #
  3 config INTEGRITY                                    3 config INTEGRITY
  4         bool "Integrity subsystem"                  4         bool "Integrity subsystem"
  5         depends on SECURITY                         5         depends on SECURITY
  6         default y                                   6         default y
  7         help                                        7         help
  8           This option enables the integrity su      8           This option enables the integrity subsystem, which is comprised
  9           of a number of different components       9           of a number of different components including the Integrity
 10           Measurement Architecture (IMA), Exte     10           Measurement Architecture (IMA), Extended Verification Module
 11           (EVM), IMA-appraisal extension, digi     11           (EVM), IMA-appraisal extension, digital signature verification
 12           extension and audit measurement log      12           extension and audit measurement log support.
 13                                                    13 
 14           Each of these components can be enab     14           Each of these components can be enabled/disabled separately.
 15           Refer to the individual components f     15           Refer to the individual components for additional details.
 16                                                    16 
 17 if INTEGRITY                                       17 if INTEGRITY
 18                                                    18 
 19 config INTEGRITY_SIGNATURE                         19 config INTEGRITY_SIGNATURE
 20         bool "Digital signature verification u     20         bool "Digital signature verification using multiple keyrings"
 21         default n                                  21         default n
 22         select KEYS                                22         select KEYS
 23         select SIGNATURE                           23         select SIGNATURE
 24         help                                       24         help
 25           This option enables digital signatur     25           This option enables digital signature verification support
 26           using multiple keyrings. It defines      26           using multiple keyrings. It defines separate keyrings for each
 27           of the different use cases - evm, im     27           of the different use cases - evm, ima, and modules.
 28           Different keyrings improves search p     28           Different keyrings improves search performance, but also allow
 29           to "lock" certain keyring to prevent     29           to "lock" certain keyring to prevent adding new keys.
 30           This is useful for evm and module ke     30           This is useful for evm and module keyrings, when keys are
 31           usually only added from initramfs.       31           usually only added from initramfs.
 32                                                    32 
 33 config INTEGRITY_ASYMMETRIC_KEYS                   33 config INTEGRITY_ASYMMETRIC_KEYS
 34         bool "Enable asymmetric keys support"      34         bool "Enable asymmetric keys support"
 35         depends on INTEGRITY_SIGNATURE             35         depends on INTEGRITY_SIGNATURE
 36         default n                                  36         default n
 37         select ASYMMETRIC_KEY_TYPE             !!  37         select ASYMMETRIC_KEY_TYPE
 38         select ASYMMETRIC_PUBLIC_KEY_SUBTYPE   !!  38         select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
 39         select CRYPTO_RSA                      !!  39         select CRYPTO_RSA
 40         select X509_CERTIFICATE_PARSER         !!  40         select X509_CERTIFICATE_PARSER
 41         help                                       41         help
 42           This option enables digital signatur     42           This option enables digital signature verification using
 43           asymmetric keys.                         43           asymmetric keys.
 44                                                    44 
 45 config INTEGRITY_TRUSTED_KEYRING                   45 config INTEGRITY_TRUSTED_KEYRING
 46         bool "Require all keys on the integrit     46         bool "Require all keys on the integrity keyrings be signed"
 47         depends on SYSTEM_TRUSTED_KEYRING          47         depends on SYSTEM_TRUSTED_KEYRING
 48         depends on INTEGRITY_ASYMMETRIC_KEYS       48         depends on INTEGRITY_ASYMMETRIC_KEYS
 49         default y                                  49         default y
 50         help                                       50         help
 51            This option requires that all keys      51            This option requires that all keys added to the .ima and
 52            .evm keyrings be signed by a key on     52            .evm keyrings be signed by a key on the system trusted
 53            keyring.                                53            keyring.
 54                                                    54 
 55 config INTEGRITY_PLATFORM_KEYRING                  55 config INTEGRITY_PLATFORM_KEYRING
 56         bool "Provide keyring for platform/fir !!  56         bool "Provide keyring for platform/firmware trusted keys"
 57         depends on INTEGRITY_ASYMMETRIC_KEYS   !!  57         depends on INTEGRITY_ASYMMETRIC_KEYS
 58         depends on SYSTEM_BLACKLIST_KEYRING    !!  58         depends on SYSTEM_BLACKLIST_KEYRING
 59         help                                   !!  59         help
 60           Provide a separate, distinct keyring !!  60          Provide a separate, distinct keyring for platform trusted keys, which
 61           the kernel automatically populates d !!  61          the kernel automatically populates during initialization from values
 62           provided by the platform for verifyi !!  62          provided by the platform for verifying the kexec'ed kerned image
 63           and, possibly, the initramfs signatu !!  63          and, possibly, the initramfs signature.
 64                                                << 
 65 config INTEGRITY_MACHINE_KEYRING               << 
 66         bool "Provide a keyring to which Machi << 
 67         depends on SECONDARY_TRUSTED_KEYRING   << 
 68         depends on INTEGRITY_ASYMMETRIC_KEYS   << 
 69         depends on SYSTEM_BLACKLIST_KEYRING    << 
 70         depends on LOAD_UEFI_KEYS || LOAD_PPC_ << 
 71         help                                   << 
 72           If set, provide a keyring to which M << 
 73           be added. This keyring shall contain << 
 74           in the platform keyring, keys contai << 
 75           be trusted within the kernel.        << 
 76                                                << 
 77 config INTEGRITY_CA_MACHINE_KEYRING            << 
 78         bool "Enforce Machine Keyring CA Restr << 
 79         depends on INTEGRITY_MACHINE_KEYRING   << 
 80         default n                              << 
 81         help                                   << 
 82           The .machine keyring can be configur << 
 83           on any key added to it.  By default  << 
 84           and all Machine Owner Keys (MOK) are << 
 85           If enabled only CA keys are added to << 
 86           other MOK keys load into the platfor << 
 87                                                << 
 88 config INTEGRITY_CA_MACHINE_KEYRING_MAX        << 
 89         bool "Only CA keys without DigitialSig << 
 90         depends on INTEGRITY_CA_MACHINE_KEYRIN << 
 91         default n                              << 
 92         help                                   << 
 93           When selected, only load CA keys are << 
 94           keyring that contain the CA bit set  << 
 95           Usage field.  Keys containing the di << 
 96           will not be loaded. The remaining MO << 
 97           .platform keyring.                   << 
 98                                                    64 
 99 config LOAD_UEFI_KEYS                              65 config LOAD_UEFI_KEYS
100         depends on INTEGRITY_PLATFORM_KEYRING  !!  66        depends on INTEGRITY_PLATFORM_KEYRING
101         depends on EFI                         !!  67        depends on EFI
102         def_bool y                             !!  68        def_bool y
103                                                    69 
104 config LOAD_IPL_KEYS                               70 config LOAD_IPL_KEYS
105         depends on INTEGRITY_PLATFORM_KEYRING  !!  71        depends on INTEGRITY_PLATFORM_KEYRING
106         depends on S390                        !!  72        depends on S390
107         def_bool y                             !!  73        def_bool y
108                                                    74 
109 config LOAD_PPC_KEYS                               75 config LOAD_PPC_KEYS
110         bool "Enable loading of platform and b     76         bool "Enable loading of platform and blacklisted keys for POWER"
111         depends on INTEGRITY_PLATFORM_KEYRING      77         depends on INTEGRITY_PLATFORM_KEYRING
112         depends on PPC_SECURE_BOOT                 78         depends on PPC_SECURE_BOOT
113         default y                                  79         default y
114         help                                       80         help
115           Enable loading of keys to the .platf     81           Enable loading of keys to the .platform keyring and blacklisted
116           hashes to the .blacklist keyring for     82           hashes to the .blacklist keyring for powerpc based platforms.
117                                                    83 
118 config INTEGRITY_AUDIT                             84 config INTEGRITY_AUDIT
119         bool "Enables integrity auditing suppo     85         bool "Enables integrity auditing support "
120         depends on AUDIT                           86         depends on AUDIT
121         default y                                  87         default y
122         help                                       88         help
123           In addition to enabling integrity au     89           In addition to enabling integrity auditing support, this
124           option adds a kernel parameter 'inte     90           option adds a kernel parameter 'integrity_audit', which
125           controls the level of integrity audi     91           controls the level of integrity auditing messages.
126           0 - basic integrity auditing message     92           0 - basic integrity auditing messages (default)
127           1 - additional integrity auditing me     93           1 - additional integrity auditing messages
128                                                    94 
129           Additional informational integrity a     95           Additional informational integrity auditing messages would
130           be enabled by specifying 'integrity_     96           be enabled by specifying 'integrity_audit=1' on the kernel
131           command line.                            97           command line.
132                                                    98 
133 source "security/integrity/ima/Kconfig"            99 source "security/integrity/ima/Kconfig"
134 source "security/integrity/evm/Kconfig"           100 source "security/integrity/evm/Kconfig"
135                                                   101 
136 endif   # if INTEGRITY                            102 endif   # if INTEGRITY
                                                      

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php