Kconfig 4.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132
  1. # SPDX-License-Identifier: GPL-2.0-only
  2. #
  3. # Key management configuration
  4. #
  5. menuconfig KEYS
  6. bool "Enable access key retention support"
  7. select ASSOCIATIVE_ARRAY
  8. help
  9. This option provides support for retaining authentication tokens and
  10. access keys in the kernel.
  11. It also includes provision of methods by which such keys might be
  12. associated with a process so that network filesystems, encryption
  13. support and the like can find them.
  14. Furthermore, a special type of key is available that acts as keyring:
  15. a searchable sequence of keys. Each process is equipped with access
  16. to five standard keyrings: UID-specific, GID-specific, session,
  17. process and thread.
  18. If you are unsure as to whether this is required, answer N.
  19. if KEYS
  20. config KEYS_REQUEST_CACHE
  21. bool "Enable temporary caching of the last request_key() result"
  22. help
  23. This option causes the result of the last successful request_key()
  24. call that didn't upcall to the kernel to be cached temporarily in the
  25. task_struct. The cache is cleared by exit and just prior to the
  26. resumption of userspace.
  27. This allows the key used for multiple step processes where each step
  28. wants to request a key that is likely the same as the one requested
  29. by the last step to save on the searching.
  30. An example of such a process is a pathwalk through a network
  31. filesystem in which each method needs to request an authentication
  32. key. Pathwalk will call multiple methods for each dentry traversed
  33. (permission, d_revalidate, lookup, getxattr, getacl, ...).
  34. config PERSISTENT_KEYRINGS
  35. bool "Enable register of persistent per-UID keyrings"
  36. help
  37. This option provides a register of persistent per-UID keyrings,
  38. primarily aimed at Kerberos key storage. The keyrings are persistent
  39. in the sense that they stay around after all processes of that UID
  40. have exited, not that they survive the machine being rebooted.
  41. A particular keyring may be accessed by either the user whose keyring
  42. it is or by a process with administrative privileges. The active
  43. LSMs gets to rule on which admin-level processes get to access the
  44. cache.
  45. Keyrings are created and added into the register upon demand and get
  46. removed if they expire (a default timeout is set upon creation).
  47. config BIG_KEYS
  48. bool "Large payload keys"
  49. depends on TMPFS
  50. select CRYPTO_LIB_CHACHA20POLY1305
  51. help
  52. This option provides support for holding large keys within the kernel
  53. (for example Kerberos ticket caches). The data may be stored out to
  54. swapspace by tmpfs.
  55. If you are unsure as to whether this is required, answer N.
  56. config TRUSTED_KEYS
  57. tristate "TRUSTED KEYS"
  58. help
  59. This option provides support for creating, sealing, and unsealing
  60. keys in the kernel. Trusted keys are random number symmetric keys,
  61. generated and sealed by a trust source selected at kernel boot-time.
  62. Userspace will only ever see encrypted blobs.
  63. If you are unsure as to whether this is required, answer N.
  64. if TRUSTED_KEYS
  65. source "security/keys/trusted-keys/Kconfig"
  66. endif
  67. config ENCRYPTED_KEYS
  68. tristate "ENCRYPTED KEYS"
  69. select CRYPTO
  70. select CRYPTO_AES
  71. select CRYPTO_CBC
  72. select CRYPTO_LIB_SHA256
  73. select CRYPTO_RNG
  74. help
  75. This option provides support for create/encrypting/decrypting keys
  76. in the kernel. Encrypted keys are instantiated using kernel
  77. generated random numbers or provided decrypted data, and are
  78. encrypted/decrypted with a 'master' symmetric key. The 'master'
  79. key can be either a trusted-key or user-key type. Only encrypted
  80. blobs are ever output to Userspace.
  81. If you are unsure as to whether this is required, answer N.
  82. config USER_DECRYPTED_DATA
  83. bool "Allow encrypted keys with user decrypted data"
  84. depends on ENCRYPTED_KEYS
  85. help
  86. This option provides support for instantiating encrypted keys using
  87. user-provided decrypted data. The decrypted data must be hex-ascii
  88. encoded.
  89. If you are unsure as to whether this is required, answer N.
  90. config KEY_DH_OPERATIONS
  91. bool "Diffie-Hellman operations on retained keys"
  92. select CRYPTO
  93. select CRYPTO_KDF800108_CTR
  94. select CRYPTO_DH
  95. help
  96. This option provides support for calculating Diffie-Hellman
  97. public keys and shared secrets using values stored as keys
  98. in the kernel.
  99. If you are unsure as to whether this is required, answer N.
  100. config KEY_NOTIFICATIONS
  101. bool "Provide key/keyring change notifications"
  102. depends on WATCH_QUEUE
  103. help
  104. This option provides support for getting change notifications
  105. on keys and keyrings on which the caller has View permission.
  106. This makes use of pipes to handle the notification buffer and
  107. provides KEYCTL_WATCH_KEY to enable/disable watches.
  108. endif # KEYS