| Thomas Gleixner | ec8f24b | 2019-05-19 13:07:45 +0100 | [diff] [blame] | 1 | # SPDX-License-Identifier: GPL-2.0-only |
| Mimi Zohar | f381c27 | 2011-03-09 14:13:22 -0500 | [diff] [blame] | 2 | # |
| 3 | config INTEGRITY |
| Dmitry Kasatkin | 7ef84e6 | 2014-04-17 15:07:15 +0300 | [diff] [blame] | 4 | bool "Integrity subsystem" |
| 5 | depends on SECURITY |
| 6 | default y |
| 7 | help |
| 8 | This option enables the integrity subsystem, which is comprised |
| 9 | of a number of different components including the Integrity |
| 10 | Measurement Architecture (IMA), Extended Verification Module |
| 11 | (EVM), IMA-appraisal extension, digital signature verification |
| 12 | extension and audit measurement log support. |
| 13 | |
| 14 | Each of these components can be enabled/disabled separately. |
| 15 | Refer to the individual components for additional details. |
| 16 | |
| 17 | if INTEGRITY |
| Mimi Zohar | f381c27 | 2011-03-09 14:13:22 -0500 | [diff] [blame] | 18 | |
| Dmitry Kasatkin | f1be242 | 2012-01-17 17:12:07 +0200 | [diff] [blame] | 19 | config INTEGRITY_SIGNATURE |
| Christoph Jaeger | 6341e62 | 2014-12-20 15:41:11 -0500 | [diff] [blame] | 20 | bool "Digital signature verification using multiple keyrings" |
| Dmitry Kasatkin | 8607c50 | 2011-10-05 11:54:46 +0300 | [diff] [blame] | 21 | default n |
| Thiago Jung Bauermann | cf38fed | 2019-06-27 23:19:27 -0300 | [diff] [blame] | 22 | select KEYS |
| Dmitry Kasatkin | 5e8898e | 2012-01-17 17:12:03 +0200 | [diff] [blame] | 23 | select SIGNATURE |
| Dmitry Kasatkin | 8607c50 | 2011-10-05 11:54:46 +0300 | [diff] [blame] | 24 | help |
| 25 | This option enables digital signature verification support |
| 26 | using multiple keyrings. It defines separate keyrings for each |
| 27 | of the different use cases - evm, ima, and modules. |
| 28 | Different keyrings improves search performance, but also allow |
| 29 | to "lock" certain keyring to prevent adding new keys. |
| 30 | This is useful for evm and module keyrings, when keys are |
| 31 | usually only added from initramfs. |
| 32 | |
| Dmitry Kasatkin | 1ae8f41 | 2014-04-17 14:41:06 +0300 | [diff] [blame] | 33 | config INTEGRITY_ASYMMETRIC_KEYS |
| Christoph Jaeger | 6341e62 | 2014-12-20 15:41:11 -0500 | [diff] [blame] | 34 | bool "Enable asymmetric keys support" |
| Dmitry Kasatkin | 1ae8f41 | 2014-04-17 14:41:06 +0300 | [diff] [blame] | 35 | depends on INTEGRITY_SIGNATURE |
| 36 | default n |
| 37 | select ASYMMETRIC_KEY_TYPE |
| 38 | select ASYMMETRIC_PUBLIC_KEY_SUBTYPE |
| Tadeusz Struk | eb5798f | 2016-02-02 10:08:58 -0800 | [diff] [blame] | 39 | select CRYPTO_RSA |
| Dmitry Kasatkin | 1ae8f41 | 2014-04-17 14:41:06 +0300 | [diff] [blame] | 40 | select X509_CERTIFICATE_PARSER |
| 41 | help |
| 42 | This option enables digital signature verification using |
| 43 | asymmetric keys. |
| 44 | |
| Dmitry Kasatkin | f4dc377 | 2015-10-22 21:26:10 +0300 | [diff] [blame] | 45 | config INTEGRITY_TRUSTED_KEYRING |
| 46 | bool "Require all keys on the integrity keyrings be signed" |
| 47 | depends on SYSTEM_TRUSTED_KEYRING |
| 48 | depends on INTEGRITY_ASYMMETRIC_KEYS |
| Dmitry Kasatkin | f4dc377 | 2015-10-22 21:26:10 +0300 | [diff] [blame] | 49 | default y |
| 50 | help |
| 51 | This option requires that all keys added to the .ima and |
| 52 | .evm keyrings be signed by a key on the system trusted |
| 53 | keyring. |
| 54 | |
| Nayna Jain | 9dc92c4 | 2018-12-09 01:56:59 +0530 | [diff] [blame] | 55 | config INTEGRITY_PLATFORM_KEYRING |
| 56 | bool "Provide keyring for platform/firmware trusted keys" |
| 57 | depends on INTEGRITY_ASYMMETRIC_KEYS |
| 58 | depends on SYSTEM_BLACKLIST_KEYRING |
| Nayna Jain | 9dc92c4 | 2018-12-09 01:56:59 +0530 | [diff] [blame] | 59 | help |
| 60 | Provide a separate, distinct keyring for platform trusted keys, which |
| 61 | the kernel automatically populates during initialization from values |
| 62 | provided by the platform for verifying the kexec'ed kerned image |
| 63 | and, possibly, the initramfs signature. |
| 64 | |
| Martin Schwidefsky | 9641b8c | 2019-02-21 14:23:04 +0100 | [diff] [blame] | 65 | config LOAD_UEFI_KEYS |
| 66 | depends on INTEGRITY_PLATFORM_KEYRING |
| 67 | depends on EFI |
| 68 | def_bool y |
| 69 | |
| 70 | config LOAD_IPL_KEYS |
| 71 | depends on INTEGRITY_PLATFORM_KEYRING |
| 72 | depends on S390 |
| 73 | def_bool y |
| 74 | |
| Nayna Jain | 8220e22 | 2019-11-10 21:10:36 -0600 | [diff] [blame] | 75 | config LOAD_PPC_KEYS |
| 76 | bool "Enable loading of platform and blacklisted keys for POWER" |
| 77 | depends on INTEGRITY_PLATFORM_KEYRING |
| 78 | depends on PPC_SECURE_BOOT |
| 79 | default y |
| 80 | help |
| 81 | Enable loading of keys to the .platform keyring and blacklisted |
| 82 | hashes to the .blacklist keyring for powerpc based platforms. |
| 83 | |
| Mimi Zohar | d726d8d | 2013-03-18 14:48:02 -0400 | [diff] [blame] | 84 | config INTEGRITY_AUDIT |
| 85 | bool "Enables integrity auditing support " |
| Dmitry Kasatkin | 7ef84e6 | 2014-04-17 15:07:15 +0300 | [diff] [blame] | 86 | depends on AUDIT |
| Mimi Zohar | d726d8d | 2013-03-18 14:48:02 -0400 | [diff] [blame] | 87 | default y |
| 88 | help |
| 89 | In addition to enabling integrity auditing support, this |
| 90 | option adds a kernel parameter 'integrity_audit', which |
| 91 | controls the level of integrity auditing messages. |
| 92 | 0 - basic integrity auditing messages (default) |
| 93 | 1 - additional integrity auditing messages |
| 94 | |
| 95 | Additional informational integrity auditing messages would |
| 96 | be enabled by specifying 'integrity_audit=1' on the kernel |
| 97 | command line. |
| 98 | |
| Masahiro Yamada | 8636a1f | 2018-12-11 20:01:04 +0900 | [diff] [blame] | 99 | source "security/integrity/ima/Kconfig" |
| 100 | source "security/integrity/evm/Kconfig" |
| Dmitry Kasatkin | 7ef84e6 | 2014-04-17 15:07:15 +0300 | [diff] [blame] | 101 | |
| 102 | endif # if INTEGRITY |