~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/security/keys/Kconfig

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /security/keys/Kconfig (Version linux-6.12-rc7) and /security/keys/Kconfig (Version linux-5.7.19)


  1 # SPDX-License-Identifier: GPL-2.0-only             1 # SPDX-License-Identifier: GPL-2.0-only
  2 #                                                   2 #
  3 # Key management configuration                      3 # Key management configuration
  4 #                                                   4 #
  5                                                     5 
  6 config KEYS                                         6 config KEYS
  7         bool "Enable access key retention supp      7         bool "Enable access key retention support"
  8         select ASSOCIATIVE_ARRAY                    8         select ASSOCIATIVE_ARRAY
  9         help                                        9         help
 10           This option provides support for ret     10           This option provides support for retaining authentication tokens and
 11           access keys in the kernel.               11           access keys in the kernel.
 12                                                    12 
 13           It also includes provision of method     13           It also includes provision of methods by which such keys might be
 14           associated with a process so that ne     14           associated with a process so that network filesystems, encryption
 15           support and the like can find them.      15           support and the like can find them.
 16                                                    16 
 17           Furthermore, a special type of key i     17           Furthermore, a special type of key is available that acts as keyring:
 18           a searchable sequence of keys. Each      18           a searchable sequence of keys. Each process is equipped with access
 19           to five standard keyrings: UID-speci     19           to five standard keyrings: UID-specific, GID-specific, session,
 20           process and thread.                      20           process and thread.
 21                                                    21 
 22           If you are unsure as to whether this     22           If you are unsure as to whether this is required, answer N.
 23                                                    23 
 24 config KEYS_REQUEST_CACHE                          24 config KEYS_REQUEST_CACHE
 25         bool "Enable temporary caching of the      25         bool "Enable temporary caching of the last request_key() result"
 26         depends on KEYS                            26         depends on KEYS
 27         help                                       27         help
 28           This option causes the result of the     28           This option causes the result of the last successful request_key()
 29           call that didn't upcall to the kerne     29           call that didn't upcall to the kernel to be cached temporarily in the
 30           task_struct.  The cache is cleared b     30           task_struct.  The cache is cleared by exit and just prior to the
 31           resumption of userspace.                 31           resumption of userspace.
 32                                                    32 
 33           This allows the key used for multipl     33           This allows the key used for multiple step processes where each step
 34           wants to request a key that is likel     34           wants to request a key that is likely the same as the one requested
 35           by the last step to save on the sear     35           by the last step to save on the searching.
 36                                                    36 
 37           An example of such a process is a pa     37           An example of such a process is a pathwalk through a network
 38           filesystem in which each method need     38           filesystem in which each method needs to request an authentication
 39           key.  Pathwalk will call multiple me     39           key.  Pathwalk will call multiple methods for each dentry traversed
 40           (permission, d_revalidate, lookup, g     40           (permission, d_revalidate, lookup, getxattr, getacl, ...).
 41                                                    41 
 42 config PERSISTENT_KEYRINGS                         42 config PERSISTENT_KEYRINGS
 43         bool "Enable register of persistent pe     43         bool "Enable register of persistent per-UID keyrings"
 44         depends on KEYS                            44         depends on KEYS
 45         help                                       45         help
 46           This option provides a register of p     46           This option provides a register of persistent per-UID keyrings,
 47           primarily aimed at Kerberos key stor     47           primarily aimed at Kerberos key storage.  The keyrings are persistent
 48           in the sense that they stay around a     48           in the sense that they stay around after all processes of that UID
 49           have exited, not that they survive t     49           have exited, not that they survive the machine being rebooted.
 50                                                    50 
 51           A particular keyring may be accessed     51           A particular keyring may be accessed by either the user whose keyring
 52           it is or by a process with administr     52           it is or by a process with administrative privileges.  The active
 53           LSMs gets to rule on which admin-lev     53           LSMs gets to rule on which admin-level processes get to access the
 54           cache.                                   54           cache.
 55                                                    55 
 56           Keyrings are created and added into      56           Keyrings are created and added into the register upon demand and get
 57           removed if they expire (a default ti     57           removed if they expire (a default timeout is set upon creation).
 58                                                    58 
 59 config BIG_KEYS                                    59 config BIG_KEYS
 60         bool "Large payload keys"                  60         bool "Large payload keys"
 61         depends on KEYS                            61         depends on KEYS
 62         depends on TMPFS                           62         depends on TMPFS
 63         depends on CRYPTO_LIB_CHACHA20POLY1305 !!  63         select CRYPTO
                                                   >>  64         select CRYPTO_AES
                                                   >>  65         select CRYPTO_GCM
 64         help                                       66         help
 65           This option provides support for hol     67           This option provides support for holding large keys within the kernel
 66           (for example Kerberos ticket caches)     68           (for example Kerberos ticket caches).  The data may be stored out to
 67           swapspace by tmpfs.                      69           swapspace by tmpfs.
 68                                                    70 
 69           If you are unsure as to whether this     71           If you are unsure as to whether this is required, answer N.
 70                                                    72 
 71 config TRUSTED_KEYS                                73 config TRUSTED_KEYS
 72         tristate "TRUSTED KEYS"                    74         tristate "TRUSTED KEYS"
 73         depends on KEYS                        !!  75         depends on KEYS && TCG_TPM
                                                   >>  76         select CRYPTO
                                                   >>  77         select CRYPTO_HMAC
                                                   >>  78         select CRYPTO_SHA1
                                                   >>  79         select CRYPTO_HASH_INFO
 74         help                                       80         help
 75           This option provides support for cre     81           This option provides support for creating, sealing, and unsealing
 76           keys in the kernel. Trusted keys are     82           keys in the kernel. Trusted keys are random number symmetric keys,
 77           generated and sealed by a trust sour !!  83           generated and RSA-sealed by the TPM. The TPM only unseals the keys,
 78           Userspace will only ever see encrypt !!  84           if the boot PCRs and other criteria match.  Userspace will only ever
                                                   >>  85           see encrypted blobs.
 79                                                    86 
 80           If you are unsure as to whether this     87           If you are unsure as to whether this is required, answer N.
 81                                                    88 
 82 if TRUSTED_KEYS                                << 
 83 source "security/keys/trusted-keys/Kconfig"    << 
 84 endif                                          << 
 85                                                << 
 86 config ENCRYPTED_KEYS                              89 config ENCRYPTED_KEYS
 87         tristate "ENCRYPTED KEYS"                  90         tristate "ENCRYPTED KEYS"
 88         depends on KEYS                            91         depends on KEYS
 89         select CRYPTO                              92         select CRYPTO
 90         select CRYPTO_HMAC                         93         select CRYPTO_HMAC
 91         select CRYPTO_AES                          94         select CRYPTO_AES
 92         select CRYPTO_CBC                          95         select CRYPTO_CBC
 93         select CRYPTO_SHA256                       96         select CRYPTO_SHA256
 94         select CRYPTO_RNG                          97         select CRYPTO_RNG
 95         help                                       98         help
 96           This option provides support for cre     99           This option provides support for create/encrypting/decrypting keys
 97           in the kernel.  Encrypted keys are i !! 100           in the kernel.  Encrypted keys are kernel generated random numbers,
 98           generated random numbers or provided !! 101           which are encrypted/decrypted with a 'master' symmetric key. The
 99           encrypted/decrypted with a 'master'  !! 102           'master' key can be either a trusted-key or user-key type.
100           key can be either a trusted-key or u !! 103           Userspace only ever sees/stores encrypted blobs.
101           blobs are ever output to Userspace.  << 
102                                                << 
103           If you are unsure as to whether this << 
104                                                << 
105 config USER_DECRYPTED_DATA                     << 
106         bool "Allow encrypted keys with user d << 
107         depends on ENCRYPTED_KEYS              << 
108         help                                   << 
109           This option provides support for ins << 
110           user-provided decrypted data.  The d << 
111           encoded.                             << 
112                                                   104 
113           If you are unsure as to whether this    105           If you are unsure as to whether this is required, answer N.
114                                                   106 
115 config KEY_DH_OPERATIONS                          107 config KEY_DH_OPERATIONS
116        bool "Diffie-Hellman operations on reta    108        bool "Diffie-Hellman operations on retained keys"
117        depends on KEYS                            109        depends on KEYS
118        select CRYPTO                              110        select CRYPTO
119        select CRYPTO_KDF800108_CTR             !! 111        select CRYPTO_HASH
120        select CRYPTO_DH                           112        select CRYPTO_DH
121        help                                       113        help
122          This option provides support for calc    114          This option provides support for calculating Diffie-Hellman
123          public keys and shared secrets using     115          public keys and shared secrets using values stored as keys
124          in the kernel.                           116          in the kernel.
125                                                   117 
126          If you are unsure as to whether this     118          If you are unsure as to whether this is required, answer N.
127                                                << 
128 config KEY_NOTIFICATIONS                       << 
129         bool "Provide key/keyring change notif << 
130         depends on KEYS && WATCH_QUEUE         << 
131         help                                   << 
132           This option provides support for get << 
133           on keys and keyrings on which the ca << 
134           This makes use of pipes to handle th << 
135           provides KEYCTL_WATCH_KEY to enable/ << 
                                                      

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php