~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/security/keys/Kconfig

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /security/keys/Kconfig (Version linux-6.12-rc7) and /security/keys/Kconfig (Version linux-5.8.18)


  1 # SPDX-License-Identifier: GPL-2.0-only             1 # SPDX-License-Identifier: GPL-2.0-only
  2 #                                                   2 #
  3 # Key management configuration                      3 # Key management configuration
  4 #                                                   4 #
  5                                                     5 
  6 config KEYS                                         6 config KEYS
  7         bool "Enable access key retention supp      7         bool "Enable access key retention support"
  8         select ASSOCIATIVE_ARRAY                    8         select ASSOCIATIVE_ARRAY
  9         help                                        9         help
 10           This option provides support for ret     10           This option provides support for retaining authentication tokens and
 11           access keys in the kernel.               11           access keys in the kernel.
 12                                                    12 
 13           It also includes provision of method     13           It also includes provision of methods by which such keys might be
 14           associated with a process so that ne     14           associated with a process so that network filesystems, encryption
 15           support and the like can find them.      15           support and the like can find them.
 16                                                    16 
 17           Furthermore, a special type of key i     17           Furthermore, a special type of key is available that acts as keyring:
 18           a searchable sequence of keys. Each      18           a searchable sequence of keys. Each process is equipped with access
 19           to five standard keyrings: UID-speci     19           to five standard keyrings: UID-specific, GID-specific, session,
 20           process and thread.                      20           process and thread.
 21                                                    21 
 22           If you are unsure as to whether this     22           If you are unsure as to whether this is required, answer N.
 23                                                    23 
 24 config KEYS_REQUEST_CACHE                          24 config KEYS_REQUEST_CACHE
 25         bool "Enable temporary caching of the      25         bool "Enable temporary caching of the last request_key() result"
 26         depends on KEYS                            26         depends on KEYS
 27         help                                       27         help
 28           This option causes the result of the     28           This option causes the result of the last successful request_key()
 29           call that didn't upcall to the kerne     29           call that didn't upcall to the kernel to be cached temporarily in the
 30           task_struct.  The cache is cleared b     30           task_struct.  The cache is cleared by exit and just prior to the
 31           resumption of userspace.                 31           resumption of userspace.
 32                                                    32 
 33           This allows the key used for multipl     33           This allows the key used for multiple step processes where each step
 34           wants to request a key that is likel     34           wants to request a key that is likely the same as the one requested
 35           by the last step to save on the sear     35           by the last step to save on the searching.
 36                                                    36 
 37           An example of such a process is a pa     37           An example of such a process is a pathwalk through a network
 38           filesystem in which each method need     38           filesystem in which each method needs to request an authentication
 39           key.  Pathwalk will call multiple me     39           key.  Pathwalk will call multiple methods for each dentry traversed
 40           (permission, d_revalidate, lookup, g     40           (permission, d_revalidate, lookup, getxattr, getacl, ...).
 41                                                    41 
 42 config PERSISTENT_KEYRINGS                         42 config PERSISTENT_KEYRINGS
 43         bool "Enable register of persistent pe     43         bool "Enable register of persistent per-UID keyrings"
 44         depends on KEYS                            44         depends on KEYS
 45         help                                       45         help
 46           This option provides a register of p     46           This option provides a register of persistent per-UID keyrings,
 47           primarily aimed at Kerberos key stor     47           primarily aimed at Kerberos key storage.  The keyrings are persistent
 48           in the sense that they stay around a     48           in the sense that they stay around after all processes of that UID
 49           have exited, not that they survive t     49           have exited, not that they survive the machine being rebooted.
 50                                                    50 
 51           A particular keyring may be accessed     51           A particular keyring may be accessed by either the user whose keyring
 52           it is or by a process with administr     52           it is or by a process with administrative privileges.  The active
 53           LSMs gets to rule on which admin-lev     53           LSMs gets to rule on which admin-level processes get to access the
 54           cache.                                   54           cache.
 55                                                    55 
 56           Keyrings are created and added into      56           Keyrings are created and added into the register upon demand and get
 57           removed if they expire (a default ti     57           removed if they expire (a default timeout is set upon creation).
 58                                                    58 
 59 config BIG_KEYS                                    59 config BIG_KEYS
 60         bool "Large payload keys"                  60         bool "Large payload keys"
 61         depends on KEYS                            61         depends on KEYS
 62         depends on TMPFS                           62         depends on TMPFS
 63         depends on CRYPTO_LIB_CHACHA20POLY1305     63         depends on CRYPTO_LIB_CHACHA20POLY1305 = y
 64         help                                       64         help
 65           This option provides support for hol     65           This option provides support for holding large keys within the kernel
 66           (for example Kerberos ticket caches)     66           (for example Kerberos ticket caches).  The data may be stored out to
 67           swapspace by tmpfs.                      67           swapspace by tmpfs.
 68                                                    68 
 69           If you are unsure as to whether this     69           If you are unsure as to whether this is required, answer N.
 70                                                    70 
 71 config TRUSTED_KEYS                                71 config TRUSTED_KEYS
 72         tristate "TRUSTED KEYS"                    72         tristate "TRUSTED KEYS"
 73         depends on KEYS                        !!  73         depends on KEYS && TCG_TPM
                                                   >>  74         select CRYPTO
                                                   >>  75         select CRYPTO_HMAC
                                                   >>  76         select CRYPTO_SHA1
                                                   >>  77         select CRYPTO_HASH_INFO
 74         help                                       78         help
 75           This option provides support for cre     79           This option provides support for creating, sealing, and unsealing
 76           keys in the kernel. Trusted keys are     80           keys in the kernel. Trusted keys are random number symmetric keys,
 77           generated and sealed by a trust sour !!  81           generated and RSA-sealed by the TPM. The TPM only unseals the keys,
 78           Userspace will only ever see encrypt !!  82           if the boot PCRs and other criteria match.  Userspace will only ever
                                                   >>  83           see encrypted blobs.
 79                                                    84 
 80           If you are unsure as to whether this     85           If you are unsure as to whether this is required, answer N.
 81                                                    86 
 82 if TRUSTED_KEYS                                << 
 83 source "security/keys/trusted-keys/Kconfig"    << 
 84 endif                                          << 
 85                                                << 
 86 config ENCRYPTED_KEYS                              87 config ENCRYPTED_KEYS
 87         tristate "ENCRYPTED KEYS"                  88         tristate "ENCRYPTED KEYS"
 88         depends on KEYS                            89         depends on KEYS
 89         select CRYPTO                              90         select CRYPTO
 90         select CRYPTO_HMAC                         91         select CRYPTO_HMAC
 91         select CRYPTO_AES                          92         select CRYPTO_AES
 92         select CRYPTO_CBC                          93         select CRYPTO_CBC
 93         select CRYPTO_SHA256                       94         select CRYPTO_SHA256
 94         select CRYPTO_RNG                          95         select CRYPTO_RNG
 95         help                                       96         help
 96           This option provides support for cre     97           This option provides support for create/encrypting/decrypting keys
 97           in the kernel.  Encrypted keys are i !!  98           in the kernel.  Encrypted keys are kernel generated random numbers,
 98           generated random numbers or provided !!  99           which are encrypted/decrypted with a 'master' symmetric key. The
 99           encrypted/decrypted with a 'master'  !! 100           'master' key can be either a trusted-key or user-key type.
100           key can be either a trusted-key or u !! 101           Userspace only ever sees/stores encrypted blobs.
101           blobs are ever output to Userspace.  << 
102                                                << 
103           If you are unsure as to whether this << 
104                                                << 
105 config USER_DECRYPTED_DATA                     << 
106         bool "Allow encrypted keys with user d << 
107         depends on ENCRYPTED_KEYS              << 
108         help                                   << 
109           This option provides support for ins << 
110           user-provided decrypted data.  The d << 
111           encoded.                             << 
112                                                   102 
113           If you are unsure as to whether this    103           If you are unsure as to whether this is required, answer N.
114                                                   104 
115 config KEY_DH_OPERATIONS                          105 config KEY_DH_OPERATIONS
116        bool "Diffie-Hellman operations on reta    106        bool "Diffie-Hellman operations on retained keys"
117        depends on KEYS                            107        depends on KEYS
118        select CRYPTO                              108        select CRYPTO
119        select CRYPTO_KDF800108_CTR             !! 109        select CRYPTO_HASH
120        select CRYPTO_DH                           110        select CRYPTO_DH
121        help                                       111        help
122          This option provides support for calc    112          This option provides support for calculating Diffie-Hellman
123          public keys and shared secrets using     113          public keys and shared secrets using values stored as keys
124          in the kernel.                           114          in the kernel.
125                                                   115 
126          If you are unsure as to whether this     116          If you are unsure as to whether this is required, answer N.
127                                                   117 
128 config KEY_NOTIFICATIONS                          118 config KEY_NOTIFICATIONS
129         bool "Provide key/keyring change notif    119         bool "Provide key/keyring change notifications"
130         depends on KEYS && WATCH_QUEUE            120         depends on KEYS && WATCH_QUEUE
131         help                                      121         help
132           This option provides support for get !! 122           This option provides support for getting change notifications on keys
133           on keys and keyrings on which the ca !! 123           and keyrings on which the caller has View permission.  This makes use
134           This makes use of pipes to handle th !! 124           of the /dev/watch_queue misc device to handle the notification
135           provides KEYCTL_WATCH_KEY to enable/ !! 125           buffer and provides KEYCTL_WATCH_KEY to enable/disable watches.
                                                      

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php