
TOMOYO Linux Cross Reference
Linux/security/ipe/Kconfig


Diff markup

Differences between /security/ipe/Kconfig (Architecture i386) and /security/ipe/Kconfig (Architecture sparc): none. The file is architecture-independent and identical for both, so it is reproduced once below.


# SPDX-License-Identifier: GPL-2.0-only
#
# Integrity Policy Enforcement (IPE) configuration
#

menuconfig SECURITY_IPE
        bool "Integrity Policy Enforcement (IPE)"
        depends on SECURITY && SECURITYFS && AUDIT && AUDITSYSCALL
        select PKCS7_MESSAGE_PARSER
        select SYSTEM_DATA_VERIFICATION
        select IPE_PROP_DM_VERITY if DM_VERITY
        select IPE_PROP_DM_VERITY_SIGNATURE if DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG
        select IPE_PROP_FS_VERITY if FS_VERITY
        select IPE_PROP_FS_VERITY_BUILTIN_SIG if FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
        help
          This option enables the Integrity Policy Enforcement LSM
          allowing users to define a policy to enforce a trust-based access
          control. A key feature of IPE is a customizable policy to allow
          admins to reconfigure trust requirements on the fly.

          If unsure, answer N.

if SECURITY_IPE
config IPE_BOOT_POLICY
        string "Integrity policy to apply on system startup"
        help
          This option specifies a filepath to an IPE policy that is compiled
          into the kernel. This policy will be enforced until a policy update
          is deployed via the $securityfs/ipe/policies/$policy_name/active
          interface.

          If unsure, leave blank.

config IPE_POLICY_SIG_SECONDARY_KEYRING
        bool "IPE policy update verification with secondary keyring"
        default y
        depends on SECONDARY_TRUSTED_KEYRING
        help
          Also allow the secondary trusted keyring to verify IPE policy
          updates.

          If unsure, answer Y.

config IPE_POLICY_SIG_PLATFORM_KEYRING
        bool "IPE policy update verification with platform keyring"
        default y
        depends on INTEGRITY_PLATFORM_KEYRING
        help
          Also allow the platform keyring to verify IPE policy updates.

          If unsure, answer Y.

menu "IPE Trust Providers"

config IPE_PROP_DM_VERITY
        bool "Enable support for dm-verity based on root hash"
        depends on DM_VERITY
        help
          This option enables the 'dmverity_roothash' property within IPE
          policies. The property evaluates to TRUE when a file from a dm-verity
          volume is evaluated, and the volume's root hash matches the value
          supplied in the policy.

config IPE_PROP_DM_VERITY_SIGNATURE
        bool "Enable support for dm-verity based on root hash signature"
        depends on DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG
        help
          This option enables the 'dmverity_signature' property within IPE
          policies. The property evaluates to TRUE when a file from a dm-verity
          volume, which has been mounted with a valid signed root hash,
          is evaluated.

          If unsure, answer Y.

config IPE_PROP_FS_VERITY
        bool "Enable support for fs-verity based on file digest"
        depends on FS_VERITY
        help
          This option enables the 'fsverity_digest' property within IPE
          policies. The property evaluates to TRUE when a file is fsverity
          enabled and its digest matches the supplied digest value in the
          policy.

          If unsure, answer Y.

config IPE_PROP_FS_VERITY_BUILTIN_SIG
        bool "Enable support for fs-verity based on builtin signature"
        depends on FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
        help
          This option enables the 'fsverity_signature' property within IPE
          policies. The property evaluates to TRUE when a file is fsverity
          enabled and it has a valid builtin signature whose signing cert
          is in the .fs-verity keyring.

          If unsure, answer Y.

endmenu

config SECURITY_IPE_KUNIT_TEST
        bool "Build KUnit tests for IPE" if !KUNIT_ALL_TESTS
        depends on KUNIT=y
        default KUNIT_ALL_TESTS
        help
          This builds the IPE KUnit tests.

          KUnit tests run during boot and output the results to the debug log
          in TAP format (https://testanything.org/). Only useful for kernel devs
          running KUnit test harness and are not for inclusion into a
          production build.

          For more information on KUnit and unit tests in general please refer
          to the KUnit documentation in Documentation/dev-tools/kunit/.

          If unsure, say N.

endif
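The "IPE Trust Providers" options above decide which policy properties the kernel can evaluate at all: a policy that names a property the kernel was built without (for example fsverity_signature on a kernel with FS_VERITY off) is not recognised by the kernel's policy parser when it is written to securityfs, after the policy has already been signed. The following is an added example, not kernel code and not an IPE project tool, that cross-checks a policy against a .config before signing. It mirrors the select/depends relationships in this Kconfig and assumes the policy grammar from the IPE admin guide (a policy_name/policy_version header line, DEFAULT rules, op= and action= keys, TRUE/FALSE for the boolean properties); the value syntax of dmverity_roothash and fsverity_digest is deliberately not checked, and both the .config fragment and the policy text are constructed sample inputs.

```python
"""Lint an IPE policy against the kernel .config that will load it (added example)."""
import re

# Policy property -> Kconfig symbol from the "IPE Trust Providers" menu above.
PROPERTY_SYMBOL = {
    "dmverity_roothash": "CONFIG_IPE_PROP_DM_VERITY",
    "dmverity_signature": "CONFIG_IPE_PROP_DM_VERITY_SIGNATURE",
    "fsverity_digest": "CONFIG_IPE_PROP_FS_VERITY",
    "fsverity_signature": "CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG",
}
# What each trust-provider symbol needs, mirroring the `select ... if ...`
# lines under menuconfig SECURITY_IPE.
SYMBOL_DEPENDS = {
    "CONFIG_IPE_PROP_DM_VERITY": {"CONFIG_DM_VERITY"},
    "CONFIG_IPE_PROP_DM_VERITY_SIGNATURE": {
        "CONFIG_DM_VERITY", "CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG"},
    "CONFIG_IPE_PROP_FS_VERITY": {"CONFIG_FS_VERITY"},
    "CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG": {
        "CONFIG_FS_VERITY", "CONFIG_FS_VERITY_BUILTIN_SIGNATURES"},
}
# boot_verified is evaluated by IPE core, not by an optional trust provider.
CORE_PROPERTIES = {"boot_verified"}
BOOLEAN_PROPERTIES = {"boot_verified", "dmverity_signature", "fsverity_signature"}
# Operation names as documented in the IPE admin guide (assumption: complete list).
OPERATIONS = {"EXECUTE", "FIRMWARE", "KMODULE", "KEXEC_IMAGE", "KEXEC_INITRAMFS",
              "POLICY", "X509_CERT", "KERNEL_READ"}


def parse_dotconfig(text):
    """Return the set of CONFIG_* symbols set to y (built in) in a .config."""
    enabled = set()
    for line in text.splitlines():
        m = re.match(r"(CONFIG_[A-Z0-9_]+)=y$", line.strip())
        if m:
            enabled.add(m.group(1))
    return enabled


def available_properties(enabled):
    """Properties this kernel can evaluate, given its enabled symbols."""
    if "CONFIG_SECURITY_IPE" not in enabled:
        return set()
    props = set(CORE_PROPERTIES)
    for prop, sym in PROPERTY_SYMBOL.items():
        if sym in enabled and SYMBOL_DEPENDS[sym] <= enabled:
            props.add(prop)
    return props


def _fields(tokens):
    """key=value tokens -> dict; a token without '=' is a syntax error."""
    out = {}
    for tok in tokens:
        if "=" not in tok:
            raise ValueError(f"malformed token {tok!r}")
        key, value = tok.split("=", 1)
        out[key] = value
    return out


def parse_policy(text):
    """Split policy text into a header dict and a list of rule dicts."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty policy")
    header = _fields(lines[0].split())
    if not {"policy_name", "policy_version"} <= header.keys():
        raise ValueError("header must set policy_name and policy_version")
    rules = []
    for line in lines[1:]:
        toks = line.split()
        default = toks[0] == "DEFAULT"
        rule = _fields(toks[1:] if default else toks)
        rule["DEFAULT"] = default
        rules.append(rule)
    return header, rules


def check_policy(policy_text, dotconfig_text):
    """Return human-readable problems; an empty list means the policy should load."""
    enabled = parse_dotconfig(dotconfig_text)
    if "CONFIG_SECURITY_IPE" not in enabled:
        return ["CONFIG_SECURITY_IPE is not enabled in this kernel"]
    available = available_properties(enabled)
    problems = []
    _, rules = parse_policy(policy_text)
    for n, rule in enumerate(rules, 1):
        if rule.get("action") not in ("ALLOW", "DENY"):
            problems.append(f"rule {n}: action must be ALLOW or DENY")
        if not rule["DEFAULT"] and "op" not in rule:
            problems.append(f"rule {n}: non-DEFAULT rule needs an op=")
        if "op" in rule and rule["op"] not in OPERATIONS:
            problems.append(f"rule {n}: unknown op {rule['op']!r}")
        for key, value in rule.items():
            if key in ("DEFAULT", "op", "action"):
                continue
            if rule["DEFAULT"]:
                problems.append(f"rule {n}: DEFAULT rules take no properties")
            elif key not in PROPERTY_SYMBOL and key not in CORE_PROPERTIES:
                problems.append(f"rule {n}: unknown property {key!r}")
            elif key in BOOLEAN_PROPERTIES and value not in ("TRUE", "FALSE"):
                problems.append(f"rule {n}: {key} must be TRUE or FALSE")
            elif key not in available:
                problems.append(f"rule {n}: {key} needs {PROPERTY_SYMBOL[key]}, "
                                "which is not enabled")
    return problems


# Constructed sample inputs: a kernel with dm-verity support but no fs-verity,
# and a policy that relies on both.
SAMPLE_DOTCONFIG = """
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_SECURITY_IPE=y
CONFIG_DM_VERITY=y
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
CONFIG_IPE_PROP_DM_VERITY=y
CONFIG_IPE_PROP_DM_VERITY_SIGNATURE=y
# CONFIG_FS_VERITY is not set
"""

SAMPLE_POLICY = """
policy_name=sample_policy policy_version=0.0.1
DEFAULT action=ALLOW
DEFAULT op=EXECUTE action=DENY
op=EXECUTE boot_verified=TRUE action=ALLOW
op=EXECUTE dmverity_signature=TRUE action=ALLOW
op=EXECUTE fsverity_signature=TRUE action=ALLOW
"""

if __name__ == "__main__":
    for problem in check_policy(SAMPLE_POLICY, SAMPLE_DOTCONFIG) or ["policy OK"]:
        print(problem)
```

Run against the sample inputs it reports that rule 5 needs CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG; enabling FS_VERITY and FS_VERITY_BUILTIN_SIGNATURES (which, per the `select ... if` lines above, pulls that symbol in) makes the policy pass. The dependency table is what matters for reuse: keep it in step with this Kconfig when a trust provider is added or its `depends on` changes.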
                                                      
