~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/security/keys/Kconfig

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /security/keys/Kconfig (Version linux-6.12-rc7) and /security/keys/Kconfig (Version linux-5.3.18)


  1 # SPDX-License-Identifier: GPL-2.0-only             1 # SPDX-License-Identifier: GPL-2.0-only
  2 #                                                   2 #
  3 # Key management configuration                      3 # Key management configuration
  4 #                                                   4 #
  5                                                     5 
  6 config KEYS                                         6 config KEYS
  7         bool "Enable access key retention supp      7         bool "Enable access key retention support"
  8         select ASSOCIATIVE_ARRAY                    8         select ASSOCIATIVE_ARRAY
  9         help                                        9         help
 10           This option provides support for ret     10           This option provides support for retaining authentication tokens and
 11           access keys in the kernel.               11           access keys in the kernel.
 12                                                    12 
 13           It also includes provision of method     13           It also includes provision of methods by which such keys might be
 14           associated with a process so that ne     14           associated with a process so that network filesystems, encryption
 15           support and the like can find them.      15           support and the like can find them.
 16                                                    16 
 17           Furthermore, a special type of key i     17           Furthermore, a special type of key is available that acts as keyring:
 18           a searchable sequence of keys. Each      18           a searchable sequence of keys. Each process is equipped with access
 19           to five standard keyrings: UID-speci     19           to five standard keyrings: UID-specific, GID-specific, session,
 20           process and thread.                      20           process and thread.
 21                                                    21 
 22           If you are unsure as to whether this     22           If you are unsure as to whether this is required, answer N.
 23                                                    23 
                                                   >>  24 config KEYS_COMPAT
                                                   >>  25         def_bool y
                                                   >>  26         depends on COMPAT && KEYS
                                                   >>  27 
 24 config KEYS_REQUEST_CACHE                          28 config KEYS_REQUEST_CACHE
 25         bool "Enable temporary caching of the      29         bool "Enable temporary caching of the last request_key() result"
 26         depends on KEYS                            30         depends on KEYS
 27         help                                       31         help
 28           This option causes the result of the     32           This option causes the result of the last successful request_key()
 29           call that didn't upcall to the kerne     33           call that didn't upcall to the kernel to be cached temporarily in the
 30           task_struct.  The cache is cleared b     34           task_struct.  The cache is cleared by exit and just prior to the
 31           resumption of userspace.                 35           resumption of userspace.
 32                                                    36 
 33           This allows the key used for multipl     37           This allows the key used for multiple step processes where each step
 34           wants to request a key that is likel     38           wants to request a key that is likely the same as the one requested
 35           by the last step to save on the sear     39           by the last step to save on the searching.
 36                                                    40 
 37           An example of such a process is a pa     41           An example of such a process is a pathwalk through a network
 38           filesystem in which each method need     42           filesystem in which each method needs to request an authentication
 39           key.  Pathwalk will call multiple me     43           key.  Pathwalk will call multiple methods for each dentry traversed
 40           (permission, d_revalidate, lookup, g     44           (permission, d_revalidate, lookup, getxattr, getacl, ...).
 41                                                    45 
 42 config PERSISTENT_KEYRINGS                         46 config PERSISTENT_KEYRINGS
 43         bool "Enable register of persistent pe     47         bool "Enable register of persistent per-UID keyrings"
 44         depends on KEYS                            48         depends on KEYS
 45         help                                       49         help
 46           This option provides a register of p     50           This option provides a register of persistent per-UID keyrings,
 47           primarily aimed at Kerberos key stor     51           primarily aimed at Kerberos key storage.  The keyrings are persistent
 48           in the sense that they stay around a     52           in the sense that they stay around after all processes of that UID
 49           have exited, not that they survive t     53           have exited, not that they survive the machine being rebooted.
 50                                                    54 
 51           A particular keyring may be accessed     55           A particular keyring may be accessed by either the user whose keyring
 52           it is or by a process with administr     56           it is or by a process with administrative privileges.  The active
 53           LSMs gets to rule on which admin-lev     57           LSMs gets to rule on which admin-level processes get to access the
 54           cache.                                   58           cache.
 55                                                    59 
 56           Keyrings are created and added into      60           Keyrings are created and added into the register upon demand and get
 57           removed if they expire (a default ti     61           removed if they expire (a default timeout is set upon creation).
 58                                                    62 
 59 config BIG_KEYS                                    63 config BIG_KEYS
 60         bool "Large payload keys"                  64         bool "Large payload keys"
 61         depends on KEYS                            65         depends on KEYS
 62         depends on TMPFS                           66         depends on TMPFS
 63         depends on CRYPTO_LIB_CHACHA20POLY1305 !!  67         select CRYPTO
                                                   >>  68         select CRYPTO_AES
                                                   >>  69         select CRYPTO_GCM
 64         help                                       70         help
 65           This option provides support for hol     71           This option provides support for holding large keys within the kernel
 66           (for example Kerberos ticket caches)     72           (for example Kerberos ticket caches).  The data may be stored out to
 67           swapspace by tmpfs.                      73           swapspace by tmpfs.
 68                                                    74 
 69           If you are unsure as to whether this     75           If you are unsure as to whether this is required, answer N.
 70                                                    76 
 71 config TRUSTED_KEYS                                77 config TRUSTED_KEYS
 72         tristate "TRUSTED KEYS"                    78         tristate "TRUSTED KEYS"
 73         depends on KEYS                        !!  79         depends on KEYS && TCG_TPM
                                                   >>  80         select CRYPTO
                                                   >>  81         select CRYPTO_HMAC
                                                   >>  82         select CRYPTO_SHA1
                                                   >>  83         select CRYPTO_HASH_INFO
 74         help                                       84         help
 75           This option provides support for cre     85           This option provides support for creating, sealing, and unsealing
 76           keys in the kernel. Trusted keys are     86           keys in the kernel. Trusted keys are random number symmetric keys,
 77           generated and sealed by a trust sour !!  87           generated and RSA-sealed by the TPM. The TPM only unseals the keys,
 78           Userspace will only ever see encrypt !!  88           if the boot PCRs and other criteria match.  Userspace will only ever
                                                   >>  89           see encrypted blobs.
 79                                                    90 
 80           If you are unsure as to whether this     91           If you are unsure as to whether this is required, answer N.
 81                                                    92 
 82 if TRUSTED_KEYS                                << 
 83 source "security/keys/trusted-keys/Kconfig"    << 
 84 endif                                          << 
 85                                                << 
 86 config ENCRYPTED_KEYS                              93 config ENCRYPTED_KEYS
 87         tristate "ENCRYPTED KEYS"                  94         tristate "ENCRYPTED KEYS"
 88         depends on KEYS                            95         depends on KEYS
 89         select CRYPTO                              96         select CRYPTO
 90         select CRYPTO_HMAC                         97         select CRYPTO_HMAC
 91         select CRYPTO_AES                          98         select CRYPTO_AES
 92         select CRYPTO_CBC                          99         select CRYPTO_CBC
 93         select CRYPTO_SHA256                      100         select CRYPTO_SHA256
 94         select CRYPTO_RNG                         101         select CRYPTO_RNG
 95         help                                      102         help
 96           This option provides support for cre    103           This option provides support for create/encrypting/decrypting keys
 97           in the kernel.  Encrypted keys are i !! 104           in the kernel.  Encrypted keys are kernel generated random numbers,
 98           generated random numbers or provided !! 105           which are encrypted/decrypted with a 'master' symmetric key. The
 99           encrypted/decrypted with a 'master'  !! 106           'master' key can be either a trusted-key or user-key type.
100           key can be either a trusted-key or u !! 107           Userspace only ever sees/stores encrypted blobs.
101           blobs are ever output to Userspace.  << 
102                                                << 
103           If you are unsure as to whether this << 
104                                                << 
105 config USER_DECRYPTED_DATA                     << 
106         bool "Allow encrypted keys with user d << 
107         depends on ENCRYPTED_KEYS              << 
108         help                                   << 
109           This option provides support for ins << 
110           user-provided decrypted data.  The d << 
111           encoded.                             << 
112                                                   108 
113           If you are unsure as to whether this    109           If you are unsure as to whether this is required, answer N.
114                                                   110 
115 config KEY_DH_OPERATIONS                          111 config KEY_DH_OPERATIONS
116        bool "Diffie-Hellman operations on reta    112        bool "Diffie-Hellman operations on retained keys"
117        depends on KEYS                            113        depends on KEYS
118        select CRYPTO                              114        select CRYPTO
119        select CRYPTO_KDF800108_CTR             !! 115        select CRYPTO_HASH
120        select CRYPTO_DH                           116        select CRYPTO_DH
121        help                                       117        help
122          This option provides support for calc    118          This option provides support for calculating Diffie-Hellman
123          public keys and shared secrets using     119          public keys and shared secrets using values stored as keys
124          in the kernel.                           120          in the kernel.
125                                                   121 
126          If you are unsure as to whether this     122          If you are unsure as to whether this is required, answer N.
127                                                << 
128 config KEY_NOTIFICATIONS                       << 
129         bool "Provide key/keyring change notif << 
130         depends on KEYS && WATCH_QUEUE         << 
131         help                                   << 
132           This option provides support for get << 
133           on keys and keyrings on which the ca << 
134           This makes use of pipes to handle th << 
135           provides KEYCTL_WATCH_KEY to enable/ << 
                                                      

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php