~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/security/keys/Kconfig

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /security/keys/Kconfig (Version linux-6.12-rc7) and /security/keys/Kconfig (Version linux-5.15.171)


  1 # SPDX-License-Identifier: GPL-2.0-only             1 # SPDX-License-Identifier: GPL-2.0-only
  2 #                                                   2 #
  3 # Key management configuration                      3 # Key management configuration
  4 #                                                   4 #
  5                                                     5 
  6 config KEYS                                         6 config KEYS
  7         bool "Enable access key retention supp      7         bool "Enable access key retention support"
  8         select ASSOCIATIVE_ARRAY                    8         select ASSOCIATIVE_ARRAY
  9         help                                        9         help
 10           This option provides support for ret     10           This option provides support for retaining authentication tokens and
 11           access keys in the kernel.               11           access keys in the kernel.
 12                                                    12 
 13           It also includes provision of method     13           It also includes provision of methods by which such keys might be
 14           associated with a process so that ne     14           associated with a process so that network filesystems, encryption
 15           support and the like can find them.      15           support and the like can find them.
 16                                                    16 
 17           Furthermore, a special type of key i     17           Furthermore, a special type of key is available that acts as keyring:
 18           a searchable sequence of keys. Each      18           a searchable sequence of keys. Each process is equipped with access
 19           to five standard keyrings: UID-speci     19           to five standard keyrings: UID-specific, GID-specific, session,
 20           process and thread.                      20           process and thread.
 21                                                    21 
 22           If you are unsure as to whether this     22           If you are unsure as to whether this is required, answer N.
 23                                                    23 
 24 config KEYS_REQUEST_CACHE                          24 config KEYS_REQUEST_CACHE
 25         bool "Enable temporary caching of the      25         bool "Enable temporary caching of the last request_key() result"
 26         depends on KEYS                            26         depends on KEYS
 27         help                                       27         help
 28           This option causes the result of the     28           This option causes the result of the last successful request_key()
 29           call that didn't upcall to the kerne     29           call that didn't upcall to the kernel to be cached temporarily in the
 30           task_struct.  The cache is cleared b     30           task_struct.  The cache is cleared by exit and just prior to the
 31           resumption of userspace.                 31           resumption of userspace.
 32                                                    32 
 33           This allows the key used for multipl     33           This allows the key used for multiple step processes where each step
 34           wants to request a key that is likel     34           wants to request a key that is likely the same as the one requested
 35           by the last step to save on the sear     35           by the last step to save on the searching.
 36                                                    36 
 37           An example of such a process is a pa     37           An example of such a process is a pathwalk through a network
 38           filesystem in which each method need     38           filesystem in which each method needs to request an authentication
 39           key.  Pathwalk will call multiple me     39           key.  Pathwalk will call multiple methods for each dentry traversed
 40           (permission, d_revalidate, lookup, g     40           (permission, d_revalidate, lookup, getxattr, getacl, ...).
 41                                                    41 
 42 config PERSISTENT_KEYRINGS                         42 config PERSISTENT_KEYRINGS
 43         bool "Enable register of persistent pe     43         bool "Enable register of persistent per-UID keyrings"
 44         depends on KEYS                            44         depends on KEYS
 45         help                                       45         help
 46           This option provides a register of p     46           This option provides a register of persistent per-UID keyrings,
 47           primarily aimed at Kerberos key stor     47           primarily aimed at Kerberos key storage.  The keyrings are persistent
 48           in the sense that they stay around a     48           in the sense that they stay around after all processes of that UID
 49           have exited, not that they survive t     49           have exited, not that they survive the machine being rebooted.
 50                                                    50 
 51           A particular keyring may be accessed     51           A particular keyring may be accessed by either the user whose keyring
 52           it is or by a process with administr     52           it is or by a process with administrative privileges.  The active
 53           LSMs gets to rule on which admin-lev     53           LSMs gets to rule on which admin-level processes get to access the
 54           cache.                                   54           cache.
 55                                                    55 
 56           Keyrings are created and added into      56           Keyrings are created and added into the register upon demand and get
 57           removed if they expire (a default ti     57           removed if they expire (a default timeout is set upon creation).
 58                                                    58 
 59 config BIG_KEYS                                    59 config BIG_KEYS
 60         bool "Large payload keys"                  60         bool "Large payload keys"
 61         depends on KEYS                            61         depends on KEYS
 62         depends on TMPFS                           62         depends on TMPFS
 63         depends on CRYPTO_LIB_CHACHA20POLY1305     63         depends on CRYPTO_LIB_CHACHA20POLY1305 = y
 64         help                                       64         help
 65           This option provides support for hol     65           This option provides support for holding large keys within the kernel
 66           (for example Kerberos ticket caches)     66           (for example Kerberos ticket caches).  The data may be stored out to
 67           swapspace by tmpfs.                      67           swapspace by tmpfs.
 68                                                    68 
 69           If you are unsure as to whether this     69           If you are unsure as to whether this is required, answer N.
 70                                                    70 
 71 config TRUSTED_KEYS                                71 config TRUSTED_KEYS
 72         tristate "TRUSTED KEYS"                    72         tristate "TRUSTED KEYS"
 73         depends on KEYS                        !!  73         depends on KEYS && TCG_TPM
                                                   >>  74         select CRYPTO
                                                   >>  75         select CRYPTO_HMAC
                                                   >>  76         select CRYPTO_SHA1
                                                   >>  77         select CRYPTO_HASH_INFO
                                                   >>  78         select ASN1_ENCODER
                                                   >>  79         select OID_REGISTRY
                                                   >>  80         select ASN1
 74         help                                       81         help
 75           This option provides support for cre     82           This option provides support for creating, sealing, and unsealing
 76           keys in the kernel. Trusted keys are     83           keys in the kernel. Trusted keys are random number symmetric keys,
 77           generated and sealed by a trust sour !!  84           generated and RSA-sealed by the TPM. The TPM only unseals the keys,
 78           Userspace will only ever see encrypt !!  85           if the boot PCRs and other criteria match.  Userspace will only ever
                                                   >>  86           see encrypted blobs.
 79                                                    87 
 80           If you are unsure as to whether this     88           If you are unsure as to whether this is required, answer N.
 81                                                    89 
 82 if TRUSTED_KEYS                                << 
 83 source "security/keys/trusted-keys/Kconfig"    << 
 84 endif                                          << 
 85                                                << 
 86 config ENCRYPTED_KEYS                              90 config ENCRYPTED_KEYS
 87         tristate "ENCRYPTED KEYS"                  91         tristate "ENCRYPTED KEYS"
 88         depends on KEYS                            92         depends on KEYS
 89         select CRYPTO                              93         select CRYPTO
 90         select CRYPTO_HMAC                         94         select CRYPTO_HMAC
 91         select CRYPTO_AES                          95         select CRYPTO_AES
 92         select CRYPTO_CBC                          96         select CRYPTO_CBC
 93         select CRYPTO_SHA256                       97         select CRYPTO_SHA256
 94         select CRYPTO_RNG                          98         select CRYPTO_RNG
 95         help                                       99         help
 96           This option provides support for cre    100           This option provides support for create/encrypting/decrypting keys
 97           in the kernel.  Encrypted keys are i !! 101           in the kernel.  Encrypted keys are kernel generated random numbers,
 98           generated random numbers or provided !! 102           which are encrypted/decrypted with a 'master' symmetric key. The
 99           encrypted/decrypted with a 'master'  !! 103           'master' key can be either a trusted-key or user-key type.
100           key can be either a trusted-key or u !! 104           Userspace only ever sees/stores encrypted blobs.
101           blobs are ever output to Userspace.  << 
102                                                << 
103           If you are unsure as to whether this << 
104                                                << 
105 config USER_DECRYPTED_DATA                     << 
106         bool "Allow encrypted keys with user d << 
107         depends on ENCRYPTED_KEYS              << 
108         help                                   << 
109           This option provides support for ins << 
110           user-provided decrypted data.  The d << 
111           encoded.                             << 
112                                                   105 
113           If you are unsure as to whether this    106           If you are unsure as to whether this is required, answer N.
114                                                   107 
115 config KEY_DH_OPERATIONS                          108 config KEY_DH_OPERATIONS
116        bool "Diffie-Hellman operations on reta    109        bool "Diffie-Hellman operations on retained keys"
117        depends on KEYS                            110        depends on KEYS
118        select CRYPTO                              111        select CRYPTO
119        select CRYPTO_KDF800108_CTR             !! 112        select CRYPTO_HASH
120        select CRYPTO_DH                           113        select CRYPTO_DH
121        help                                       114        help
122          This option provides support for calc    115          This option provides support for calculating Diffie-Hellman
123          public keys and shared secrets using     116          public keys and shared secrets using values stored as keys
124          in the kernel.                           117          in the kernel.
125                                                   118 
126          If you are unsure as to whether this     119          If you are unsure as to whether this is required, answer N.
127                                                   120 
128 config KEY_NOTIFICATIONS                          121 config KEY_NOTIFICATIONS
129         bool "Provide key/keyring change notif    122         bool "Provide key/keyring change notifications"
130         depends on KEYS && WATCH_QUEUE            123         depends on KEYS && WATCH_QUEUE
131         help                                      124         help
132           This option provides support for get    125           This option provides support for getting change notifications
133           on keys and keyrings on which the ca    126           on keys and keyrings on which the caller has View permission.
134           This makes use of pipes to handle th    127           This makes use of pipes to handle the notification buffer and
135           provides KEYCTL_WATCH_KEY to enable/    128           provides KEYCTL_WATCH_KEY to enable/disable watches.
                                                      

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php