~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/security/integrity/Kconfig

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /security/integrity/Kconfig (Version linux-6.12-rc7) and /security/integrity/Kconfig (Version linux-6.8.12)


  1 # SPDX-License-Identifier: GPL-2.0-only             1 # SPDX-License-Identifier: GPL-2.0-only
  2 #                                                   2 #
  3 config INTEGRITY                                    3 config INTEGRITY
  4         bool "Integrity subsystem"                  4         bool "Integrity subsystem"
  5         depends on SECURITY                         5         depends on SECURITY
  6         default y                                   6         default y
  7         help                                        7         help
  8           This option enables the integrity su      8           This option enables the integrity subsystem, which is comprised
  9           of a number of different components       9           of a number of different components including the Integrity
 10           Measurement Architecture (IMA), Exte     10           Measurement Architecture (IMA), Extended Verification Module
 11           (EVM), IMA-appraisal extension, digi     11           (EVM), IMA-appraisal extension, digital signature verification
 12           extension and audit measurement log      12           extension and audit measurement log support.
 13                                                    13 
 14           Each of these components can be enab     14           Each of these components can be enabled/disabled separately.
 15           Refer to the individual components f     15           Refer to the individual components for additional details.
 16                                                    16 
 17 if INTEGRITY                                       17 if INTEGRITY
 18                                                    18 
 19 config INTEGRITY_SIGNATURE                         19 config INTEGRITY_SIGNATURE
 20         bool "Digital signature verification u     20         bool "Digital signature verification using multiple keyrings"
 21         default n                                  21         default n
 22         select KEYS                                22         select KEYS
 23         select SIGNATURE                           23         select SIGNATURE
 24         help                                       24         help
 25           This option enables digital signatur     25           This option enables digital signature verification support
 26           using multiple keyrings. It defines      26           using multiple keyrings. It defines separate keyrings for each
 27           of the different use cases - evm, im     27           of the different use cases - evm, ima, and modules.
 28           Different keyrings improves search p     28           Different keyrings improves search performance, but also allow
 29           to "lock" certain keyring to prevent     29           to "lock" certain keyring to prevent adding new keys.
 30           This is useful for evm and module ke     30           This is useful for evm and module keyrings, when keys are
 31           usually only added from initramfs.       31           usually only added from initramfs.
 32                                                    32 
 33 config INTEGRITY_ASYMMETRIC_KEYS                   33 config INTEGRITY_ASYMMETRIC_KEYS
 34         bool "Enable asymmetric keys support"      34         bool "Enable asymmetric keys support"
 35         depends on INTEGRITY_SIGNATURE             35         depends on INTEGRITY_SIGNATURE
 36         default n                                  36         default n
 37         select ASYMMETRIC_KEY_TYPE                 37         select ASYMMETRIC_KEY_TYPE
 38         select ASYMMETRIC_PUBLIC_KEY_SUBTYPE       38         select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
 39         select CRYPTO_RSA                          39         select CRYPTO_RSA
 40         select X509_CERTIFICATE_PARSER             40         select X509_CERTIFICATE_PARSER
 41         help                                       41         help
 42           This option enables digital signatur     42           This option enables digital signature verification using
 43           asymmetric keys.                         43           asymmetric keys.
 44                                                    44 
 45 config INTEGRITY_TRUSTED_KEYRING                   45 config INTEGRITY_TRUSTED_KEYRING
 46         bool "Require all keys on the integrit     46         bool "Require all keys on the integrity keyrings be signed"
 47         depends on SYSTEM_TRUSTED_KEYRING          47         depends on SYSTEM_TRUSTED_KEYRING
 48         depends on INTEGRITY_ASYMMETRIC_KEYS       48         depends on INTEGRITY_ASYMMETRIC_KEYS
 49         default y                                  49         default y
 50         help                                       50         help
 51            This option requires that all keys      51            This option requires that all keys added to the .ima and
 52            .evm keyrings be signed by a key on     52            .evm keyrings be signed by a key on the system trusted
 53            keyring.                                53            keyring.
 54                                                    54 
 55 config INTEGRITY_PLATFORM_KEYRING                  55 config INTEGRITY_PLATFORM_KEYRING
 56         bool "Provide keyring for platform/fir     56         bool "Provide keyring for platform/firmware trusted keys"
 57         depends on INTEGRITY_ASYMMETRIC_KEYS       57         depends on INTEGRITY_ASYMMETRIC_KEYS
 58         depends on SYSTEM_BLACKLIST_KEYRING        58         depends on SYSTEM_BLACKLIST_KEYRING
 59         help                                       59         help
 60           Provide a separate, distinct keyring     60           Provide a separate, distinct keyring for platform trusted keys, which
 61           the kernel automatically populates d     61           the kernel automatically populates during initialization from values
 62           provided by the platform for verifyi     62           provided by the platform for verifying the kexec'ed kerned image
 63           and, possibly, the initramfs signatu     63           and, possibly, the initramfs signature.
 64                                                    64 
 65 config INTEGRITY_MACHINE_KEYRING                   65 config INTEGRITY_MACHINE_KEYRING
 66         bool "Provide a keyring to which Machi     66         bool "Provide a keyring to which Machine Owner Keys may be added"
 67         depends on SECONDARY_TRUSTED_KEYRING       67         depends on SECONDARY_TRUSTED_KEYRING
 68         depends on INTEGRITY_ASYMMETRIC_KEYS       68         depends on INTEGRITY_ASYMMETRIC_KEYS
 69         depends on SYSTEM_BLACKLIST_KEYRING        69         depends on SYSTEM_BLACKLIST_KEYRING
 70         depends on LOAD_UEFI_KEYS || LOAD_PPC_     70         depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS
 71         help                                       71         help
 72           If set, provide a keyring to which M     72           If set, provide a keyring to which Machine Owner Keys (MOK) may
 73           be added. This keyring shall contain     73           be added. This keyring shall contain just MOK keys.  Unlike keys
 74           in the platform keyring, keys contai     74           in the platform keyring, keys contained in the .machine keyring will
 75           be trusted within the kernel.            75           be trusted within the kernel.
 76                                                    76 
 77 config INTEGRITY_CA_MACHINE_KEYRING                77 config INTEGRITY_CA_MACHINE_KEYRING
 78         bool "Enforce Machine Keyring CA Restr     78         bool "Enforce Machine Keyring CA Restrictions"
 79         depends on INTEGRITY_MACHINE_KEYRING       79         depends on INTEGRITY_MACHINE_KEYRING
 80         default n                                  80         default n
 81         help                                       81         help
 82           The .machine keyring can be configur     82           The .machine keyring can be configured to enforce CA restriction
 83           on any key added to it.  By default      83           on any key added to it.  By default no restrictions are in place
 84           and all Machine Owner Keys (MOK) are     84           and all Machine Owner Keys (MOK) are added to the machine keyring.
 85           If enabled only CA keys are added to     85           If enabled only CA keys are added to the machine keyring, all
 86           other MOK keys load into the platfor     86           other MOK keys load into the platform keyring.
 87                                                    87 
 88 config INTEGRITY_CA_MACHINE_KEYRING_MAX            88 config INTEGRITY_CA_MACHINE_KEYRING_MAX
 89         bool "Only CA keys without DigitialSig     89         bool "Only CA keys without DigitialSignature usage set"
 90         depends on INTEGRITY_CA_MACHINE_KEYRIN     90         depends on INTEGRITY_CA_MACHINE_KEYRING
 91         default n                                  91         default n
 92         help                                       92         help
 93           When selected, only load CA keys are     93           When selected, only load CA keys are loaded into the machine
 94           keyring that contain the CA bit set      94           keyring that contain the CA bit set along with the keyCertSign
 95           Usage field.  Keys containing the di     95           Usage field.  Keys containing the digitialSignature Usage field
 96           will not be loaded. The remaining MO     96           will not be loaded. The remaining MOK keys are loaded into the
 97           .platform keyring.                       97           .platform keyring.
 98                                                    98 
 99 config LOAD_UEFI_KEYS                              99 config LOAD_UEFI_KEYS
100         depends on INTEGRITY_PLATFORM_KEYRING     100         depends on INTEGRITY_PLATFORM_KEYRING
101         depends on EFI                            101         depends on EFI
102         def_bool y                                102         def_bool y
103                                                   103 
104 config LOAD_IPL_KEYS                              104 config LOAD_IPL_KEYS
105         depends on INTEGRITY_PLATFORM_KEYRING     105         depends on INTEGRITY_PLATFORM_KEYRING
106         depends on S390                           106         depends on S390
107         def_bool y                                107         def_bool y
108                                                   108 
109 config LOAD_PPC_KEYS                              109 config LOAD_PPC_KEYS
110         bool "Enable loading of platform and b    110         bool "Enable loading of platform and blacklisted keys for POWER"
111         depends on INTEGRITY_PLATFORM_KEYRING     111         depends on INTEGRITY_PLATFORM_KEYRING
112         depends on PPC_SECURE_BOOT                112         depends on PPC_SECURE_BOOT
113         default y                                 113         default y
114         help                                      114         help
115           Enable loading of keys to the .platf    115           Enable loading of keys to the .platform keyring and blacklisted
116           hashes to the .blacklist keyring for    116           hashes to the .blacklist keyring for powerpc based platforms.
117                                                   117 
118 config INTEGRITY_AUDIT                            118 config INTEGRITY_AUDIT
119         bool "Enables integrity auditing suppo    119         bool "Enables integrity auditing support "
120         depends on AUDIT                          120         depends on AUDIT
121         default y                                 121         default y
122         help                                      122         help
123           In addition to enabling integrity au    123           In addition to enabling integrity auditing support, this
124           option adds a kernel parameter 'inte    124           option adds a kernel parameter 'integrity_audit', which
125           controls the level of integrity audi    125           controls the level of integrity auditing messages.
126           0 - basic integrity auditing message    126           0 - basic integrity auditing messages (default)
127           1 - additional integrity auditing me    127           1 - additional integrity auditing messages
128                                                   128 
129           Additional informational integrity a    129           Additional informational integrity auditing messages would
130           be enabled by specifying 'integrity_    130           be enabled by specifying 'integrity_audit=1' on the kernel
131           command line.                           131           command line.
132                                                   132 
133 source "security/integrity/ima/Kconfig"           133 source "security/integrity/ima/Kconfig"
134 source "security/integrity/evm/Kconfig"           134 source "security/integrity/evm/Kconfig"
135                                                   135 
136 endif   # if INTEGRITY                            136 endif   # if INTEGRITY
                                                      

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php