David Howells | cfc411e | 2015-08-14 15:20:41 +0100 | [diff] [blame] | 1 | menu "Certificates for signature checking" |
| 2 | |
| 3 | config MODULE_SIG_KEY |
| 4 | string "File name or PKCS#11 URI of module signing key" |
| 5 | default "certs/signing_key.pem" |
| 6 | depends on MODULE_SIG |
| 7 | help |
| 8 | Provide the file name of a private key/certificate in PEM format, |
| 9 | or a PKCS#11 URI according to RFC7512. The file should contain, or |
| 10 | the URI should identify, both the certificate and its corresponding |
| 11 | private key. |
| 12 | |
| 13 | If this option is unchanged from its default "certs/signing_key.pem", |
| 14 | then the kernel will automatically generate the private key and |
| 15 | certificate as described in Documentation/module-signing.txt |
| 16 | |
| 17 | config SYSTEM_TRUSTED_KEYRING |
| 18 | bool "Provide system-wide ring of trusted keys" |
| 19 | depends on KEYS |
David Howells | 99716b7 | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 20 | depends on ASYMMETRIC_KEY_TYPE |
David Howells | cfc411e | 2015-08-14 15:20:41 +0100 | [diff] [blame] | 21 | help |
| 22 | Provide a system keyring to which trusted keys can be added. Keys in |
| 23 | the keyring are considered to be trusted. Keys may be added at will |
| 24 | by the kernel from compiled-in data and from hardware key stores, but |
| 25 | userspace may only add extra keys if those keys can be verified by |
| 26 | keys already in the keyring. |
| 27 | |
| 28 | Keys in this keyring are used by module signature checking. |
| 29 | |
| 30 | config SYSTEM_TRUSTED_KEYS |
| 31 | string "Additional X.509 keys for default system keyring" |
| 32 | depends on SYSTEM_TRUSTED_KEYRING |
| 33 | help |
| 34 | If set, this option should be the filename of a PEM-formatted file |
| 35 | containing trusted X.509 certificates to be included in the default |
| 36 | system keyring. Any certificate used for module signing is implicitly |
| 37 | also trusted. |
| 38 | |
| 39 | NOTE: If you previously provided keys for the system keyring in the |
| 40 | form of DER-encoded *.x509 files in the top-level build directory, |
| 41 | those are no longer used. You will need to set this option instead. |
| 42 | |
Mehmet Kayaalp | c4c3610 | 2015-11-24 16:18:05 -0500 | [diff] [blame] | 43 | config SYSTEM_EXTRA_CERTIFICATE |
| 44 | bool "Reserve area for inserting a certificate without recompiling" |
| 45 | depends on SYSTEM_TRUSTED_KEYRING |
| 46 | help |
| 47 | If set, space for an extra certificate will be reserved in the kernel |
| 48 | image. This allows introducing a trusted certificate to the default |
| 49 | system keyring without recompiling the kernel. |
| 50 | |
| 51 | config SYSTEM_EXTRA_CERTIFICATE_SIZE |
| 52 | int "Number of bytes to reserve for the extra certificate" |
| 53 | depends on SYSTEM_EXTRA_CERTIFICATE |
| 54 | default 4096 |
| 55 | help |
| 56 | This is the number of bytes reserved in the kernel image for a |
| 57 | certificate to be inserted. |
| 58 | |
David Howells | d3bfe84 | 2016-04-06 16:14:27 +0100 | [diff] [blame] | 59 | config SECONDARY_TRUSTED_KEYRING |
| 60 | bool "Provide a keyring to which extra trustable keys may be added" |
| 61 | depends on SYSTEM_TRUSTED_KEYRING |
| 62 | help |
| 63 | If set, provide a keyring to which extra keys may be added, provided |
| 64 | those keys are not blacklisted and are vouched for by a key built |
| 65 | into the kernel or already in the secondary trusted keyring. |
| 66 | |
David Howells | 734114f | 2017-04-03 16:07:24 +0100 | [diff] [blame^] | 67 | config SYSTEM_BLACKLIST_KEYRING |
| 68 | bool "Provide system-wide ring of blacklisted keys" |
| 69 | depends on KEYS |
| 70 | help |
| 71 | Provide a system keyring to which blacklisted keys can be added. |
| 72 | Keys in the keyring are considered entirely untrusted. Keys in this |
| 73 | keyring are used by the module signature checking to reject loading |
| 74 | of modules signed with a blacklisted key. |
| 75 | |
| 76 | config SYSTEM_BLACKLIST_HASH_LIST |
| 77 | string "Hashes to be preloaded into the system blacklist keyring" |
| 78 | depends on SYSTEM_BLACKLIST_KEYRING |
| 79 | help |
| 80 | If set, this option should be the filename of a list of hashes in the |
| 81 | form "<hash>", "<hash>", ... . This will be included into a C |
| 82 | wrapper to incorporate the list into the kernel. Each <hash> should |
| 83 | be a string of hex digits. |
| 84 | |
David Howells | cfc411e | 2015-08-14 15:20:41 +0100 | [diff] [blame] | 85 | endmenu |