xref: /openbmc/linux/security/integrity/Kconfig (revision 7ef84e65)
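#
# Top-level switch for the integrity subsystem.
#
# It is on by default whenever SECURITY is set. Every other option in
# this file sits inside the "if INTEGRITY" block that follows, so
# disabling INTEGRITY hides IMA, EVM, signature verification and
# integrity auditing together.
#
config INTEGRITY
	bool "Integrity subsystem"
	depends on SECURITY
	default y
	help
	  This option enables the integrity subsystem, which is comprised
	  of a number of different components including the Integrity
	  Measurement Architecture (IMA), Extended Verification Module
	  (EVM), IMA-appraisal extension, digital signature verification
	  extension and audit measurement log support.

	  Each of these components can be enabled/disabled separately.
	  Refer to the individual components for additional details.
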
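if INTEGRITY

# Signature verification is opt-in (default n) and needs KEYS.
# The help text names one keyring per use case (evm, ima, modules) and
# notes that a keyring can be "locked" against further key additions.
config INTEGRITY_SIGNATURE
	bool "Digital signature verification using multiple keyrings"
	depends on KEYS
	default n
	select SIGNATURE
	help
	  This option enables digital signature verification support
	  using multiple keyrings. It defines separate keyrings for each
	  of the different use cases - evm, ima, and modules.
	  Separate keyrings improve search performance and also allow
	  a keyring to be "locked" to prevent new keys from being added.
	  This is useful for evm and module keyrings, when keys are
	  usually only added from initramfs.

# Opt-in (default n) and only offered once INTEGRITY_SIGNATURE is set.
# The selects pull in the asymmetric key type, its public-key subtype,
# the X.509 certificate parser and RSA; RSA is the only public-key
# algorithm this entry selects.
config INTEGRITY_ASYMMETRIC_KEYS
	bool "Enable asymmetric keys support"
	depends on INTEGRITY_SIGNATURE
	default n
	select ASYMMETRIC_KEY_TYPE
	select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
	select PUBLIC_KEY_ALGO_RSA
	select X509_CERTIFICATE_PARSER
	help
	  This option enables digital signature verification using
	  asymmetric keys.

# On by default when AUDIT is set. Verbosity is chosen at boot through
# the 'integrity_audit' kernel parameter: level 0 (the default) emits
# only the basic messages, so a deployment that relies on the
# additional informational records must pass integrity_audit=1 on the
# kernel command line.
config INTEGRITY_AUDIT
	bool "Enables integrity auditing support "
	depends on AUDIT
	default y
	help
	  In addition to enabling integrity auditing support, this
	  option adds a kernel parameter 'integrity_audit', which
	  controls the level of integrity auditing messages.
	  0 - basic integrity auditing messages (default)
	  1 - additional integrity auditing messages

	  Additional informational integrity auditing messages would
	  be enabled by specifying 'integrity_audit=1' on the kernel
	  command line.

# The IMA and EVM options live in their own Kconfig files.
source security/integrity/ima/Kconfig
source security/integrity/evm/Kconfig

endif   # if INTEGRITY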