~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/security/keys/Kconfig

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /security/keys/Kconfig (Version linux-6.12-rc7) and /security/keys/Kconfig (Version linux-6.10.14)


  1 # SPDX-License-Identifier: GPL-2.0-only             1 # SPDX-License-Identifier: GPL-2.0-only
  2 #                                                   2 #
  3 # Key management configuration                      3 # Key management configuration
  4 #                                                   4 #
  5                                                     5 
  6 config KEYS                                         6 config KEYS
  7         bool "Enable access key retention supp      7         bool "Enable access key retention support"
  8         select ASSOCIATIVE_ARRAY                    8         select ASSOCIATIVE_ARRAY
  9         help                                        9         help
 10           This option provides support for ret     10           This option provides support for retaining authentication tokens and
 11           access keys in the kernel.               11           access keys in the kernel.
 12                                                    12 
 13           It also includes provision of method     13           It also includes provision of methods by which such keys might be
 14           associated with a process so that ne     14           associated with a process so that network filesystems, encryption
 15           support and the like can find them.      15           support and the like can find them.
 16                                                    16 
 17           Furthermore, a special type of key i     17           Furthermore, a special type of key is available that acts as keyring:
 18           a searchable sequence of keys. Each      18           a searchable sequence of keys. Each process is equipped with access
 19           to five standard keyrings: UID-speci     19           to five standard keyrings: UID-specific, GID-specific, session,
 20           process and thread.                      20           process and thread.
 21                                                    21 
 22           If you are unsure as to whether this     22           If you are unsure as to whether this is required, answer N.
 23                                                    23 
 24 config KEYS_REQUEST_CACHE                          24 config KEYS_REQUEST_CACHE
 25         bool "Enable temporary caching of the      25         bool "Enable temporary caching of the last request_key() result"
 26         depends on KEYS                            26         depends on KEYS
 27         help                                       27         help
 28           This option causes the result of the     28           This option causes the result of the last successful request_key()
 29           call that didn't upcall to the kerne     29           call that didn't upcall to the kernel to be cached temporarily in the
 30           task_struct.  The cache is cleared b     30           task_struct.  The cache is cleared by exit and just prior to the
 31           resumption of userspace.                 31           resumption of userspace.
 32                                                    32 
 33           This allows the key used for multipl     33           This allows the key used for multiple step processes where each step
 34           wants to request a key that is likel     34           wants to request a key that is likely the same as the one requested
 35           by the last step to save on the sear     35           by the last step to save on the searching.
 36                                                    36 
 37           An example of such a process is a pa     37           An example of such a process is a pathwalk through a network
 38           filesystem in which each method need     38           filesystem in which each method needs to request an authentication
 39           key.  Pathwalk will call multiple me     39           key.  Pathwalk will call multiple methods for each dentry traversed
 40           (permission, d_revalidate, lookup, g     40           (permission, d_revalidate, lookup, getxattr, getacl, ...).
 41                                                    41 
 42 config PERSISTENT_KEYRINGS                         42 config PERSISTENT_KEYRINGS
 43         bool "Enable register of persistent pe     43         bool "Enable register of persistent per-UID keyrings"
 44         depends on KEYS                            44         depends on KEYS
 45         help                                       45         help
 46           This option provides a register of p     46           This option provides a register of persistent per-UID keyrings,
 47           primarily aimed at Kerberos key stor     47           primarily aimed at Kerberos key storage.  The keyrings are persistent
 48           in the sense that they stay around a     48           in the sense that they stay around after all processes of that UID
 49           have exited, not that they survive t     49           have exited, not that they survive the machine being rebooted.
 50                                                    50 
 51           A particular keyring may be accessed     51           A particular keyring may be accessed by either the user whose keyring
 52           it is or by a process with administr     52           it is or by a process with administrative privileges.  The active
 53           LSMs gets to rule on which admin-lev     53           LSMs gets to rule on which admin-level processes get to access the
 54           cache.                                   54           cache.
 55                                                    55 
 56           Keyrings are created and added into      56           Keyrings are created and added into the register upon demand and get
 57           removed if they expire (a default ti     57           removed if they expire (a default timeout is set upon creation).
 58                                                    58 
 59 config BIG_KEYS                                    59 config BIG_KEYS
 60         bool "Large payload keys"                  60         bool "Large payload keys"
 61         depends on KEYS                            61         depends on KEYS
 62         depends on TMPFS                           62         depends on TMPFS
 63         depends on CRYPTO_LIB_CHACHA20POLY1305     63         depends on CRYPTO_LIB_CHACHA20POLY1305 = y
 64         help                                       64         help
 65           This option provides support for hol     65           This option provides support for holding large keys within the kernel
 66           (for example Kerberos ticket caches)     66           (for example Kerberos ticket caches).  The data may be stored out to
 67           swapspace by tmpfs.                      67           swapspace by tmpfs.
 68                                                    68 
 69           If you are unsure as to whether this     69           If you are unsure as to whether this is required, answer N.
 70                                                    70 
 71 config TRUSTED_KEYS                                71 config TRUSTED_KEYS
 72         tristate "TRUSTED KEYS"                    72         tristate "TRUSTED KEYS"
 73         depends on KEYS                            73         depends on KEYS
 74         help                                       74         help
 75           This option provides support for cre     75           This option provides support for creating, sealing, and unsealing
 76           keys in the kernel. Trusted keys are     76           keys in the kernel. Trusted keys are random number symmetric keys,
 77           generated and sealed by a trust sour     77           generated and sealed by a trust source selected at kernel boot-time.
 78           Userspace will only ever see encrypt     78           Userspace will only ever see encrypted blobs.
 79                                                    79 
 80           If you are unsure as to whether this     80           If you are unsure as to whether this is required, answer N.
 81                                                    81 
 82 if TRUSTED_KEYS                                    82 if TRUSTED_KEYS
 83 source "security/keys/trusted-keys/Kconfig"        83 source "security/keys/trusted-keys/Kconfig"
 84 endif                                              84 endif
 85                                                    85 
 86 config ENCRYPTED_KEYS                              86 config ENCRYPTED_KEYS
 87         tristate "ENCRYPTED KEYS"                  87         tristate "ENCRYPTED KEYS"
 88         depends on KEYS                            88         depends on KEYS
 89         select CRYPTO                              89         select CRYPTO
 90         select CRYPTO_HMAC                         90         select CRYPTO_HMAC
 91         select CRYPTO_AES                          91         select CRYPTO_AES
 92         select CRYPTO_CBC                          92         select CRYPTO_CBC
 93         select CRYPTO_SHA256                       93         select CRYPTO_SHA256
 94         select CRYPTO_RNG                          94         select CRYPTO_RNG
 95         help                                       95         help
 96           This option provides support for cre     96           This option provides support for create/encrypting/decrypting keys
 97           in the kernel.  Encrypted keys are i     97           in the kernel.  Encrypted keys are instantiated using kernel
 98           generated random numbers or provided     98           generated random numbers or provided decrypted data, and are
 99           encrypted/decrypted with a 'master'      99           encrypted/decrypted with a 'master' symmetric key. The 'master'
100           key can be either a trusted-key or u    100           key can be either a trusted-key or user-key type. Only encrypted
101           blobs are ever output to Userspace.     101           blobs are ever output to Userspace.
102                                                   102 
103           If you are unsure as to whether this    103           If you are unsure as to whether this is required, answer N.
104                                                   104 
105 config USER_DECRYPTED_DATA                        105 config USER_DECRYPTED_DATA
106         bool "Allow encrypted keys with user d    106         bool "Allow encrypted keys with user decrypted data"
107         depends on ENCRYPTED_KEYS                 107         depends on ENCRYPTED_KEYS
108         help                                      108         help
109           This option provides support for ins    109           This option provides support for instantiating encrypted keys using
110           user-provided decrypted data.  The d    110           user-provided decrypted data.  The decrypted data must be hex-ascii
111           encoded.                                111           encoded.
112                                                   112 
113           If you are unsure as to whether this    113           If you are unsure as to whether this is required, answer N.
114                                                   114 
115 config KEY_DH_OPERATIONS                          115 config KEY_DH_OPERATIONS
116        bool "Diffie-Hellman operations on reta    116        bool "Diffie-Hellman operations on retained keys"
117        depends on KEYS                            117        depends on KEYS
118        select CRYPTO                              118        select CRYPTO
119        select CRYPTO_KDF800108_CTR                119        select CRYPTO_KDF800108_CTR
120        select CRYPTO_DH                           120        select CRYPTO_DH
121        help                                       121        help
122          This option provides support for calc    122          This option provides support for calculating Diffie-Hellman
123          public keys and shared secrets using     123          public keys and shared secrets using values stored as keys
124          in the kernel.                           124          in the kernel.
125                                                   125 
126          If you are unsure as to whether this     126          If you are unsure as to whether this is required, answer N.
127                                                   127 
128 config KEY_NOTIFICATIONS                          128 config KEY_NOTIFICATIONS
129         bool "Provide key/keyring change notif    129         bool "Provide key/keyring change notifications"
130         depends on KEYS && WATCH_QUEUE            130         depends on KEYS && WATCH_QUEUE
131         help                                      131         help
132           This option provides support for get    132           This option provides support for getting change notifications
133           on keys and keyrings on which the ca    133           on keys and keyrings on which the caller has View permission.
134           This makes use of pipes to handle th    134           This makes use of pipes to handle the notification buffer and
135           provides KEYCTL_WATCH_KEY to enable/    135           provides KEYCTL_WATCH_KEY to enable/disable watches.
                                                      

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php