Kconfig 7.6 KB

# SPDX-License-Identifier: GPL-2.0
menu "Certificates for signature checking"

config MODULE_SIG_KEY
	string "File name or PKCS#11 URI of module signing key"
	default "certs/signing_key.pem"
	depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES)
	help
	  Provide the file name of a private key/certificate in PEM format,
	  or a PKCS#11 URI according to RFC7512. The file should contain, or
	  the URI should identify, both the certificate and its corresponding
	  private key.

	  If this option is unchanged from its default "certs/signing_key.pem",
	  then the kernel will automatically generate the private key and
	  certificate as described in Documentation/admin-guide/module-signing.rst
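A MODULE_SIG_KEY value is either a PEM file name or an RFC 7512 PKCS#11 URI, and the build only distinguishes the two by the "pkcs11:" prefix before handing the string to OpenSSL. The following is an added example, not kernel code: it classifies a value the way a practitioner would before committing it to a .config, splitting RFC 7512 path attributes (before "?") from query attributes (after "?"), percent-decoding values, rejecting malformed or duplicate attributes, and warning about choices that matter operationally (a PIN embedded in the URI, or a URI that names no object). The function names and the warning heuristics are this example's own; the attribute names are those defined in RFC 7512.

```python
"""Classify and validate a CONFIG_MODULE_SIG_KEY value.

Added example, not kernel code. The kernel build only tests for the
"pkcs11:" prefix; the RFC 7512 checks and warnings below are this
example's own (assumptions about what is worth flagging).
"""
from dataclasses import dataclass, field
from urllib.parse import unquote

DEFAULT_KEY = "certs/signing_key.pem"   # the build autogenerates this one

# RFC 7512 section 2.3: attributes allowed before "?" (path) and after it (query).
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-description", "slot-manufacturer", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}


@dataclass
class SigningKey:
    kind: str                                   # "file" or "pkcs11"
    path: str = ""                              # file name when kind == "file"
    attrs: dict = field(default_factory=dict)   # decoded RFC 7512 path attributes
    query: dict = field(default_factory=dict)   # decoded RFC 7512 query attributes
    warnings: list = field(default_factory=list)

    @property
    def autogenerated(self) -> bool:
        """True when the kernel will generate the key pair itself at build time."""
        return self.kind == "file" and self.path == DEFAULT_KEY


def _parse_attrs(section: str, sep: str, allowed: set, warnings: list) -> dict:
    """Split 'name=value' pairs, percent-decode values, reject duplicates."""
    out = {}
    if section == "":
        return out
    for part in section.split(sep):
        name, eq, value = part.partition("=")
        if eq == "" or name == "":
            raise ValueError(f"malformed attribute {part!r}")
        if name in out:
            raise ValueError(f"duplicate attribute {name!r}")
        if name not in allowed:
            # RFC 7512 permits vendor-defined attributes; flag rather than reject.
            warnings.append(f"non-standard attribute {name!r}")
        out[name] = unquote(value)
    return out


def parse_module_sig_key(value: str) -> SigningKey:
    """Classify a MODULE_SIG_KEY string; raises ValueError on a malformed URI."""
    if not value.startswith("pkcs11:"):
        return SigningKey(kind="file", path=value)
    warnings = []
    path_part, _, query_part = value[len("pkcs11:"):].partition("?")
    attrs = _parse_attrs(path_part, ";", PATH_ATTRS, warnings)
    query = _parse_attrs(query_part, "&", QUERY_ATTRS, warnings)
    if "type" in attrs and attrs["type"] not in OBJECT_TYPES:
        raise ValueError(f"unknown object type {attrs['type']!r}")
    if "pin-value" in query:
        # The .config (and anything that copies it) now carries the token PIN.
        warnings.append("pin-value stores the token PIN in cleartext; prefer pin-source")
    if not (attrs.get("object") or attrs.get("id")):
        warnings.append("neither object= nor id= given; the URI may match several objects")
    return SigningKey(kind="pkcs11", attrs=attrs, query=query, warnings=warnings)


def is_valid_module_sig_key(value: str) -> bool:
    try:
        parse_module_sig_key(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for v in (DEFAULT_KEY,
              "pkcs11:token=modsign;object=kernel%20key?module-path=/usr/lib/softhsm/libsofthsm2.so"):
        k = parse_module_sig_key(v)
        print(k.kind, k.path or k.attrs, k.warnings)
```

The module path and token name in the `__main__` block are made-up values for the demonstration, not a recommended layout.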
choice
	prompt "Type of module signing key to be generated"
	depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES)
	help
	  The type of module signing key to generate. This option
	  does not apply if a PKCS#11 URI is used.

config MODULE_SIG_KEY_TYPE_RSA
	bool "RSA"
	help
	  Use an RSA key for module signing.

config MODULE_SIG_KEY_TYPE_ECDSA
	bool "ECDSA"
	select CRYPTO_ECDSA
	depends on !(MODULE_SIG_SHA256 || MODULE_SIG_SHA3_256)
	help
	  Use an elliptic curve key (NIST P384) for module signing. Use
	  a strong hash of same or higher bit length, i.e. sha384 or
	  sha512 for hashing modules.

	  Note: Remove all ECDSA signing keys, e.g. certs/signing_key.pem,
	  when falling back to building Linux 5.14 and older kernels.

config MODULE_SIG_KEY_TYPE_MLDSA_44
	bool "ML-DSA-44"
	select CRYPTO_MLDSA
	depends on OPENSSL_SUPPORTS_ML_DSA
	help
	  Use an ML-DSA-44 key (NIST FIPS 204) for module signing. ML-DSA
	  support requires OpenSSL-3.5 minimum; preferably OpenSSL-4+. With
	  the latter, the entire module body will be signed; with the former,
	  signedAttrs will be used as it lacks support for CMS_NOATTR with
	  ML-DSA.

config MODULE_SIG_KEY_TYPE_MLDSA_65
	bool "ML-DSA-65"
	select CRYPTO_MLDSA
	depends on OPENSSL_SUPPORTS_ML_DSA
	help
	  Use an ML-DSA-65 key (NIST FIPS 204) for module signing. ML-DSA
	  support requires OpenSSL-3.5 minimum; preferably OpenSSL-4+. With
	  the latter, the entire module body will be signed; with the former,
	  signedAttrs will be used as it lacks support for CMS_NOATTR with
	  ML-DSA.

config MODULE_SIG_KEY_TYPE_MLDSA_87
	bool "ML-DSA-87"
	select CRYPTO_MLDSA
	depends on OPENSSL_SUPPORTS_ML_DSA
	help
	  Use an ML-DSA-87 key (NIST FIPS 204) for module signing. ML-DSA
	  support requires OpenSSL-3.5 minimum; preferably OpenSSL-4+. With
	  the latter, the entire module body will be signed; with the former,
	  signedAttrs will be used as it lacks support for CMS_NOATTR with
	  ML-DSA.

endchoice
config SYSTEM_TRUSTED_KEYRING
	bool "Provide system-wide ring of trusted keys"
	depends on KEYS
	depends on ASYMMETRIC_KEY_TYPE
	depends on X509_CERTIFICATE_PARSER = y
	help
	  Provide a system keyring to which trusted keys can be added. Keys in
	  the keyring are considered to be trusted. Keys may be added at will
	  by the kernel from compiled-in data and from hardware key stores, but
	  userspace may only add extra keys if those keys can be verified by
	  keys already in the keyring.

	  Keys in this keyring are used by module signature checking.

config SYSTEM_TRUSTED_KEYS
	string "Additional X.509 keys for default system keyring"
	depends on SYSTEM_TRUSTED_KEYRING
	help
	  If set, this option should be the filename of a PEM-formatted file
	  containing trusted X.509 certificates to be included in the default
	  system keyring. Any certificate used for module signing is implicitly
	  also trusted.

	  NOTE: If you previously provided keys for the system keyring in the
	  form of DER-encoded *.x509 files in the top-level build directory,
	  those are no longer used. You will need to set this option instead.

config SYSTEM_EXTRA_CERTIFICATE
	bool "Reserve area for inserting a certificate without recompiling"
	depends on SYSTEM_TRUSTED_KEYRING
	help
	  If set, space for an extra certificate will be reserved in the kernel
	  image. This allows introducing a trusted certificate to the default
	  system keyring without recompiling the kernel.

config SYSTEM_EXTRA_CERTIFICATE_SIZE
	int "Number of bytes to reserve for the extra certificate"
	depends on SYSTEM_EXTRA_CERTIFICATE
	default 4096
	help
	  This is the number of bytes reserved in the kernel image for a
	  certificate to be inserted.

config SECONDARY_TRUSTED_KEYRING
	bool "Provide a keyring to which extra trustable keys may be added"
	depends on SYSTEM_TRUSTED_KEYRING
	help
	  If set, provide a keyring to which extra keys may be added, provided
	  those keys are not blacklisted and are vouched for by a key built
	  into the kernel, machine keyring (if configured), or already in the
	  secondary trusted keyring.

config SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN
	bool "Only allow additional certs signed by keys on the builtin trusted keyring"
	depends on SECONDARY_TRUSTED_KEYRING
	help
	  If set, only certificates signed by keys on the builtin trusted
	  keyring may be loaded onto the secondary trusted keyring.

	  Note: The machine keyring, if configured, will be linked to the
	  secondary keyring. When enabling this option, it is recommended
	  to also configure INTEGRITY_CA_MACHINE_KEYRING_MAX to prevent
	  linking code signing keys with imputed trust to the secondary
	  trusted keyring.

config SYSTEM_BLACKLIST_KEYRING
	bool "Provide system-wide ring of blacklisted keys"
	depends on KEYS
	help
	  Provide a system keyring to which blacklisted keys can be added.
	  Keys in the keyring are considered entirely untrusted. Keys in this
	  keyring are used by the module signature checking to reject loading
	  of modules signed with a blacklisted key.
config SYSTEM_BLACKLIST_HASH_LIST
	string "Hashes to be preloaded into the system blacklist keyring"
	depends on SYSTEM_BLACKLIST_KEYRING
	help
	  If set, this option should be the filename of a list of hashes in the
	  form "<hash>", "<hash>", ... . This will be included into a C
	  wrapper to incorporate the list into the kernel. Each <hash> must be a
	  string starting with a prefix ("tbs" or "bin"), then a colon (":"), and
	  finally an even number of hexadecimal lowercase characters (up to 128).
	  Certificate hashes can be generated with
	  tools/certs/print-cert-tbs-hash.sh .
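As an added example (not part of the kernel tree), the following Python vets SYSTEM_BLACKLIST_HASH_LIST entries against the rules stated above, parses and re-emits the quoted list format, and derives a "tbs:" entry from a DER certificate by hashing its TBSCertificate element, the same quantity tools/certs/print-cert-tbs-hash.sh computes with openssl. Function names are this example's own; the digest is a caller-supplied parameter here (the kernel script and the kernel's X.509 parser take it from the certificate's signature algorithm, which this example does not parse); and the embedded DER bytes are a constructed structural stand-in, not a real certificate.

```python
"""Vet CONFIG_SYSTEM_BLACKLIST_HASH_LIST entries and derive them from inputs.

Added example, not kernel code. Entry rules follow the Kconfig help text;
the digest for a "tbs:" entry is supplied by the caller (the kernel's
print-cert-tbs-hash.sh takes it from the certificate's signature algorithm).
"""
import hashlib
import re

# prefix, colon, then 1..64 pairs of lowercase hex digits (2..128 characters)
_ENTRY_RE = re.compile(r"(tbs|bin):(?:[0-9a-f]{2}){1,64}")
_LITERAL_RE = re.compile(r'"([^"]*)"')


def vet_description(desc: str) -> bool:
    """True if desc has the form the kernel accepts as a blacklist key description."""
    return _ENTRY_RE.fullmatch(desc) is not None


def parse_hash_list(text: str) -> list:
    """Parse the option's file: double-quoted entries separated by commas/whitespace."""
    leftover = re.sub(r"[\s,]", "", _LITERAL_RE.sub("", text))
    if leftover:
        raise ValueError(f"unexpected text outside string literals: {leftover!r}")
    entries = _LITERAL_RE.findall(text)
    for entry in entries:
        if not vet_description(entry):
            raise ValueError(f"bad blacklist entry {entry!r}")
    return entries


def is_valid_hash_list(text: str) -> bool:
    try:
        parse_hash_list(text)
        return True
    except ValueError:
        return False


def render_hash_list(entries: list) -> str:
    """Emit entries in the quoted, comma-separated form the option expects."""
    bad = [e for e in entries if not vet_description(e)]
    if bad:
        raise ValueError(f"bad blacklist entries {bad!r}")
    return ",\n".join(f'"{e}"' for e in entries) + "\n"


# Minimal DER handling: enough to pull the TBSCertificate out of a certificate.
def der_length(n: int) -> bytes:
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_sequence(*parts: bytes) -> bytes:
    body = b"".join(parts)
    return b"\x30" + der_length(len(body)) + body


def _der_tlv(buf: bytes, off: int):
    """Return (tag, header_length, content_length) of the TLV at buf[off:]."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        return tag, 2, first
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized DER length")
    return tag, 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")


def tbs_certificate(der: bytes) -> bytes:
    """Return the encoded TBSCertificate, the first element of the outer Certificate
    SEQUENCE; hashing it identifies the certificate body independently of the
    signature that follows it."""
    tag, hlen, clen = _der_tlv(der, 0)
    if tag != 0x30 or hlen + clen != len(der):
        raise ValueError("input is not a single DER SEQUENCE")
    tag, hlen2, clen2 = _der_tlv(der, hlen)
    if tag != 0x30:
        raise ValueError("TBSCertificate is not a SEQUENCE")
    return der[hlen:hlen + hlen2 + clen2]


def tbs_hash_description(der: bytes, algo: str = "sha256") -> str:
    return "tbs:" + hashlib.new(algo, tbs_certificate(der)).hexdigest()


def bin_hash_description(blob: bytes, algo: str = "sha256") -> str:
    """Entry that blacklists a binary by the hash of its contents."""
    return "bin:" + hashlib.new(algo, blob).hexdigest()


# Constructed stand-in for a DER certificate (NOT a real certificate): only the
# three-element outer shape Certificate ::= SEQUENCE { tbsCertificate,
# signatureAlgorithm (sha256WithRSAEncryption OID), signatureValue BIT STRING }.
SAMPLE_TBS = der_sequence(b"\x02\x01\x02")
SAMPLE_CERT_DER = der_sequence(
    SAMPLE_TBS,
    der_sequence(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"),
    b"\x03\x02\x00\xff")

if __name__ == "__main__":
    entries = [tbs_hash_description(SAMPLE_CERT_DER), bin_hash_description(b"")]
    print(render_hash_list(entries), end="")
```

Running the script prints a two-entry list in the exact form the option's file must have; pointing SYSTEM_BLACKLIST_HASH_LIST at such a file is what gets the hashes compiled into the kernel.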
config SYSTEM_REVOCATION_LIST
	bool "Provide system-wide ring of revocation certificates"
	depends on SYSTEM_BLACKLIST_KEYRING
	depends on PKCS7_MESSAGE_PARSER=y
	help
	  If set, this allows revocation certificates to be stored in the
	  blacklist keyring and implements a hook whereby a PKCS#7 message can
	  be checked to see if it matches such a certificate.

config SYSTEM_REVOCATION_KEYS
	string "X.509 certificates to be preloaded into the system blacklist keyring"
	depends on SYSTEM_REVOCATION_LIST
	help
	  If set, this option should be the filename of a PEM-formatted file
	  containing X.509 certificates to be included in the default blacklist
	  keyring.

config SYSTEM_BLACKLIST_AUTH_UPDATE
	bool "Allow root to add signed blacklist keys"
	depends on SYSTEM_BLACKLIST_KEYRING
	depends on SYSTEM_DATA_VERIFICATION
	help
	  If set, provide the ability to load new blacklist keys at run time if
	  they are signed and vouched by a certificate from the builtin trusted
	  keyring. The PKCS#7 signature of the description is set in the key
	  payload. Blacklist keys cannot be removed.

config OPENSSL_SUPPORTS_ML_DSA
	def_bool $(success, openssl list -key-managers | grep -q ML-DSA-87)
	help
	  Support for ML-DSA-44/65/87 was added in openssl-3.5, so as long
	  as older versions are supported, the key types may only be
	  set after testing the installed binary for support.

endmenu