Kconfig 4.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137
  1. # SPDX-License-Identifier: GPL-2.0-only
  2. #
  3. config INTEGRITY
  4. bool "Integrity subsystem"
  5. depends on SECURITY
  6. default y
  7. help
  8. This option enables the integrity subsystem, which is comprised
  9. of a number of different components including the Integrity
  10. Measurement Architecture (IMA), Extended Verification Module
  11. (EVM), IMA-appraisal extension, digital signature verification
  12. extension and audit measurement log support.
  13. Each of these components can be enabled/disabled separately.
  14. Refer to the individual components for additional details.
  15. if INTEGRITY
  16. config INTEGRITY_SIGNATURE
  17. bool "Digital signature verification using multiple keyrings"
  18. default n
  19. select KEYS
  20. select SIGNATURE
  21. help
  22. This option enables digital signature verification support
  23. using multiple keyrings. It defines separate keyrings for each
  24. of the different use cases - evm, ima, and modules.
  25. Different keyrings improves search performance, but also allow
  26. to "lock" certain keyring to prevent adding new keys.
  27. This is useful for evm and module keyrings, when keys are
  28. usually only added from initramfs.
  29. config INTEGRITY_ASYMMETRIC_KEYS
  30. bool "Enable asymmetric keys support"
  31. depends on INTEGRITY_SIGNATURE
  32. default n
  33. select ASYMMETRIC_KEY_TYPE
  34. select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
  35. select CRYPTO
  36. select CRYPTO_RSA
  37. select X509_CERTIFICATE_PARSER
  38. help
  39. This option enables digital signature verification using
  40. asymmetric keys.
  41. config INTEGRITY_TRUSTED_KEYRING
  42. bool "Require all keys on the integrity keyrings be signed"
  43. depends on SYSTEM_TRUSTED_KEYRING
  44. depends on INTEGRITY_ASYMMETRIC_KEYS
  45. default y
  46. help
  47. This option requires that all keys added to the .ima and
  48. .evm keyrings be signed by a key on the system trusted
  49. keyring.
  50. config INTEGRITY_PLATFORM_KEYRING
  51. bool "Provide keyring for platform/firmware trusted keys"
  52. depends on INTEGRITY_ASYMMETRIC_KEYS
  53. depends on SYSTEM_BLACKLIST_KEYRING
  54. help
  55. Provide a separate, distinct keyring for platform trusted keys, which
  56. the kernel automatically populates during initialization from values
  57. provided by the platform for verifying the kexec'ed kerned image
  58. and, possibly, the initramfs signature.
  59. config INTEGRITY_MACHINE_KEYRING
  60. bool "Provide a keyring to which Machine Owner Keys may be added"
  61. depends on SECONDARY_TRUSTED_KEYRING
  62. depends on INTEGRITY_ASYMMETRIC_KEYS
  63. depends on SYSTEM_BLACKLIST_KEYRING
  64. depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS
  65. help
  66. If set, provide a keyring to which Machine Owner Keys (MOK) may
  67. be added. This keyring shall contain just MOK keys. Unlike keys
  68. in the platform keyring, keys contained in the .machine keyring will
  69. be trusted within the kernel.
  70. config INTEGRITY_CA_MACHINE_KEYRING
  71. bool "Enforce Machine Keyring CA Restrictions"
  72. depends on INTEGRITY_MACHINE_KEYRING
  73. default n
  74. help
  75. The .machine keyring can be configured to enforce CA restriction
  76. on any key added to it. By default no restrictions are in place
  77. and all Machine Owner Keys (MOK) are added to the machine keyring.
  78. If enabled only CA keys are added to the machine keyring, all
  79. other MOK keys load into the platform keyring.
  80. config INTEGRITY_CA_MACHINE_KEYRING_MAX
  81. bool "Only CA keys without DigitialSignature usage set"
  82. depends on INTEGRITY_CA_MACHINE_KEYRING
  83. default n
  84. help
  85. When selected, only load CA keys are loaded into the machine
  86. keyring that contain the CA bit set along with the keyCertSign
  87. Usage field. Keys containing the digitialSignature Usage field
  88. will not be loaded. The remaining MOK keys are loaded into the
  89. .platform keyring.
  90. config LOAD_UEFI_KEYS
  91. depends on INTEGRITY_PLATFORM_KEYRING
  92. depends on EFI
  93. def_bool y
  94. config LOAD_IPL_KEYS
  95. depends on INTEGRITY_PLATFORM_KEYRING
  96. depends on S390
  97. def_bool y
  98. config LOAD_PPC_KEYS
  99. bool "Enable loading of platform and blacklisted keys for POWER"
  100. depends on INTEGRITY_PLATFORM_KEYRING
  101. depends on PPC_SECURE_BOOT
  102. default y
  103. help
  104. Enable loading of keys to the .platform keyring and blacklisted
  105. hashes to the .blacklist keyring for powerpc based platforms.
  106. config INTEGRITY_AUDIT
  107. bool "Enables integrity auditing support "
  108. depends on AUDIT
  109. default y
  110. help
  111. In addition to enabling integrity auditing support, this
  112. option adds a kernel parameter 'integrity_audit', which
  113. controls the level of integrity auditing messages.
  114. 0 - basic integrity auditing messages (default)
  115. 1 - additional integrity auditing messages
  116. Additional informational integrity auditing messages would
  117. be enabled by specifying 'integrity_audit=1' on the kernel
  118. command line.
  119. source "security/integrity/ima/Kconfig"
  120. source "security/integrity/evm/Kconfig"
  121. endif # if INTEGRITY