~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/security/ipe/Kconfig

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /security/ipe/Kconfig (Architecture sparc64) and /security/ipe/Kconfig (Architecture sparc)


  1 # SPDX-License-Identifier: GPL-2.0-only             1 # SPDX-License-Identifier: GPL-2.0-only
  2 #                                                   2 #
  3 # Integrity Policy Enforcement (IPE) configura      3 # Integrity Policy Enforcement (IPE) configuration
  4 #                                                   4 #
  5                                                     5 
  6 menuconfig SECURITY_IPE                             6 menuconfig SECURITY_IPE
  7         bool "Integrity Policy Enforcement (IP      7         bool "Integrity Policy Enforcement (IPE)"
  8         depends on SECURITY && SECURITYFS && A      8         depends on SECURITY && SECURITYFS && AUDIT && AUDITSYSCALL
  9         select PKCS7_MESSAGE_PARSER                 9         select PKCS7_MESSAGE_PARSER
 10         select SYSTEM_DATA_VERIFICATION            10         select SYSTEM_DATA_VERIFICATION
 11         select IPE_PROP_DM_VERITY if DM_VERITY     11         select IPE_PROP_DM_VERITY if DM_VERITY
 12         select IPE_PROP_DM_VERITY_SIGNATURE if     12         select IPE_PROP_DM_VERITY_SIGNATURE if DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG
 13         select IPE_PROP_FS_VERITY if FS_VERITY     13         select IPE_PROP_FS_VERITY if FS_VERITY
 14         select IPE_PROP_FS_VERITY_BUILTIN_SIG      14         select IPE_PROP_FS_VERITY_BUILTIN_SIG if FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
 15         help                                       15         help
 16           This option enables the Integrity Po     16           This option enables the Integrity Policy Enforcement LSM
 17           allowing users to define a policy to     17           allowing users to define a policy to enforce a trust-based access
 18           control. A key feature of IPE is a c     18           control. A key feature of IPE is a customizable policy to allow
 19           admins to reconfigure trust requirem     19           admins to reconfigure trust requirements on the fly.
 20                                                    20 
 21           If unsure, answer N.                     21           If unsure, answer N.
 22                                                    22 
 23 if SECURITY_IPE                                    23 if SECURITY_IPE
 24 config IPE_BOOT_POLICY                             24 config IPE_BOOT_POLICY
 25         string "Integrity policy to apply on s     25         string "Integrity policy to apply on system startup"
 26         help                                       26         help
 27           This option specifies a filepath to      27           This option specifies a filepath to an IPE policy that is compiled
 28           into the kernel. This policy will be     28           into the kernel. This policy will be enforced until a policy update
 29           is deployed via the $securityfs/ipe/     29           is deployed via the $securityfs/ipe/policies/$policy_name/active
 30           interface.                               30           interface.
 31                                                    31 
 32           If unsure, leave blank.                  32           If unsure, leave blank.
 33                                                    33 
 34 config IPE_POLICY_SIG_SECONDARY_KEYRING            34 config IPE_POLICY_SIG_SECONDARY_KEYRING
 35         bool "IPE policy update verification w     35         bool "IPE policy update verification with secondary keyring"
 36         default y                                  36         default y
 37         depends on SECONDARY_TRUSTED_KEYRING       37         depends on SECONDARY_TRUSTED_KEYRING
 38         help                                       38         help
 39           Also allow the secondary trusted key     39           Also allow the secondary trusted keyring to verify IPE policy
 40           updates.                                 40           updates.
 41                                                    41 
 42           If unsure, answer Y.                     42           If unsure, answer Y.
 43                                                    43 
 44 config IPE_POLICY_SIG_PLATFORM_KEYRING             44 config IPE_POLICY_SIG_PLATFORM_KEYRING
 45         bool "IPE policy update verification w     45         bool "IPE policy update verification with platform keyring"
 46         default y                                  46         default y
 47         depends on INTEGRITY_PLATFORM_KEYRING      47         depends on INTEGRITY_PLATFORM_KEYRING
 48         help                                       48         help
 49           Also allow the platform keyring to v     49           Also allow the platform keyring to verify IPE policy updates.
 50                                                    50 
 51           If unsure, answer Y.                     51           If unsure, answer Y.
 52                                                    52 
 53 menu "IPE Trust Providers"                         53 menu "IPE Trust Providers"
 54                                                    54 
 55 config IPE_PROP_DM_VERITY                          55 config IPE_PROP_DM_VERITY
 56         bool "Enable support for dm-verity bas     56         bool "Enable support for dm-verity based on root hash"
 57         depends on DM_VERITY                       57         depends on DM_VERITY
 58         help                                       58         help
 59           This option enables the 'dmverity_ro     59           This option enables the 'dmverity_roothash' property within IPE
 60           policies. The property evaluates to      60           policies. The property evaluates to TRUE when a file from a dm-verity
 61           volume is evaluated, and the volume'     61           volume is evaluated, and the volume's root hash matches the value
 62           supplied in the policy.                  62           supplied in the policy.
 63                                                    63 
 64 config IPE_PROP_DM_VERITY_SIGNATURE                64 config IPE_PROP_DM_VERITY_SIGNATURE
 65         bool "Enable support for dm-verity bas     65         bool "Enable support for dm-verity based on root hash signature"
 66         depends on DM_VERITY && DM_VERITY_VERI     66         depends on DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG
 67         help                                       67         help
 68           This option enables the 'dmverity_si     68           This option enables the 'dmverity_signature' property within IPE
 69           policies. The property evaluates to      69           policies. The property evaluates to TRUE when a file from a dm-verity
 70           volume, which has been mounted with      70           volume, which has been mounted with a valid signed root hash,
 71           is evaluated.                            71           is evaluated.
 72                                                    72 
 73           If unsure, answer Y.                     73           If unsure, answer Y.
 74                                                    74 
 75 config IPE_PROP_FS_VERITY                          75 config IPE_PROP_FS_VERITY
 76         bool "Enable support for fs-verity bas     76         bool "Enable support for fs-verity based on file digest"
 77         depends on FS_VERITY                       77         depends on FS_VERITY
 78         help                                       78         help
 79           This option enables the 'fsverity_di     79           This option enables the 'fsverity_digest' property within IPE
 80           policies. The property evaluates to      80           policies. The property evaluates to TRUE when a file is fsverity
 81           enabled and its digest matches the s     81           enabled and its digest matches the supplied digest value in the
 82           policy.                                  82           policy.
 83                                                    83 
 84           if unsure, answer Y.                     84           if unsure, answer Y.
 85                                                    85 
 86 config IPE_PROP_FS_VERITY_BUILTIN_SIG              86 config IPE_PROP_FS_VERITY_BUILTIN_SIG
 87         bool "Enable support for fs-verity bas     87         bool "Enable support for fs-verity based on builtin signature"
 88         depends on FS_VERITY && FS_VERITY_BUIL     88         depends on FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
 89         help                                       89         help
 90           This option enables the 'fsverity_si     90           This option enables the 'fsverity_signature' property within IPE
 91           policies. The property evaluates to      91           policies. The property evaluates to TRUE when a file is fsverity
 92           enabled and it has a valid builtin s     92           enabled and it has a valid builtin signature whose signing cert
 93           is in the .fs-verity keyring.            93           is in the .fs-verity keyring.
 94                                                    94 
 95           if unsure, answer Y.                     95           if unsure, answer Y.
 96                                                    96 
 97 endmenu                                            97 endmenu
 98                                                    98 
 99 config SECURITY_IPE_KUNIT_TEST                     99 config SECURITY_IPE_KUNIT_TEST
100         bool "Build KUnit tests for IPE" if !K    100         bool "Build KUnit tests for IPE" if !KUNIT_ALL_TESTS
101         depends on KUNIT=y                        101         depends on KUNIT=y
102         default KUNIT_ALL_TESTS                   102         default KUNIT_ALL_TESTS
103         help                                      103         help
104           This builds the IPE KUnit tests.        104           This builds the IPE KUnit tests.
105                                                   105 
106           KUnit tests run during boot and outp    106           KUnit tests run during boot and output the results to the debug log
107           in TAP format (https://testanything.    107           in TAP format (https://testanything.org/). Only useful for kernel devs
108           running KUnit test harness and are n    108           running KUnit test harness and are not for inclusion into a
109           production build.                       109           production build.
110                                                   110 
111           For more information on KUnit and un    111           For more information on KUnit and unit tests in general please refer
112           to the KUnit documentation in Docume    112           to the KUnit documentation in Documentation/dev-tools/kunit/.
113                                                   113 
114           If unsure, say N.                       114           If unsure, say N.
115                                                   115 
116 endif                                             116 endif
                                                      

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php