1f381c272SMimi Zohar# 2f381c272SMimi Zoharconfig INTEGRITY 37ef84e65SDmitry Kasatkin bool "Integrity subsystem" 47ef84e65SDmitry Kasatkin depends on SECURITY 57ef84e65SDmitry Kasatkin default y 67ef84e65SDmitry Kasatkin help 77ef84e65SDmitry Kasatkin This option enables the integrity subsystem, which is comprised 87ef84e65SDmitry Kasatkin of a number of different components including the Integrity 97ef84e65SDmitry Kasatkin Measurement Architecture (IMA), Extended Verification Module 107ef84e65SDmitry Kasatkin (EVM), IMA-appraisal extension, digital signature verification 117ef84e65SDmitry Kasatkin extension and audit measurement log support. 127ef84e65SDmitry Kasatkin 137ef84e65SDmitry Kasatkin Each of these components can be enabled/disabled separately. 147ef84e65SDmitry Kasatkin Refer to the individual components for additional details. 157ef84e65SDmitry Kasatkin 167ef84e65SDmitry Kasatkinif INTEGRITY 17f381c272SMimi Zohar 18f1be242cSDmitry Kasatkinconfig INTEGRITY_SIGNATURE 196341e62bSChristoph Jaeger bool "Digital signature verification using multiple keyrings" 207ef84e65SDmitry Kasatkin depends on KEYS 218607c501SDmitry Kasatkin default n 225e8898e9SDmitry Kasatkin select SIGNATURE 238607c501SDmitry Kasatkin help 248607c501SDmitry Kasatkin This option enables digital signature verification support 258607c501SDmitry Kasatkin using multiple keyrings. It defines separate keyrings for each 268607c501SDmitry Kasatkin of the different use cases - evm, ima, and modules. 278607c501SDmitry Kasatkin Different keyrings improves search performance, but also allow 288607c501SDmitry Kasatkin to "lock" certain keyring to prevent adding new keys. 298607c501SDmitry Kasatkin This is useful for evm and module keyrings, when keys are 308607c501SDmitry Kasatkin usually only added from initramfs. 318607c501SDmitry Kasatkin 321ae8f41cSDmitry Kasatkinconfig INTEGRITY_ASYMMETRIC_KEYS 336341e62bSChristoph Jaeger bool "Enable asymmetric keys support" 341ae8f41cSDmitry Kasatkin depends on INTEGRITY_SIGNATURE 351ae8f41cSDmitry Kasatkin default n 361ae8f41cSDmitry Kasatkin select ASYMMETRIC_KEY_TYPE 371ae8f41cSDmitry Kasatkin select ASYMMETRIC_PUBLIC_KEY_SUBTYPE 38eb5798f2STadeusz Struk select CRYPTO_RSA 391ae8f41cSDmitry Kasatkin select X509_CERTIFICATE_PARSER 401ae8f41cSDmitry Kasatkin help 411ae8f41cSDmitry Kasatkin This option enables digital signature verification using 421ae8f41cSDmitry Kasatkin asymmetric keys. 431ae8f41cSDmitry Kasatkin 44f4dc3778SDmitry Kasatkinconfig INTEGRITY_TRUSTED_KEYRING 45f4dc3778SDmitry Kasatkin bool "Require all keys on the integrity keyrings be signed" 46f4dc3778SDmitry Kasatkin depends on SYSTEM_TRUSTED_KEYRING 47f4dc3778SDmitry Kasatkin depends on INTEGRITY_ASYMMETRIC_KEYS 48f4dc3778SDmitry Kasatkin default y 49f4dc3778SDmitry Kasatkin help 50f4dc3778SDmitry Kasatkin This option requires that all keys added to the .ima and 51f4dc3778SDmitry Kasatkin .evm keyrings be signed by a key on the system trusted 52f4dc3778SDmitry Kasatkin keyring. 53f4dc3778SDmitry Kasatkin 549dc92c45SNayna Jainconfig INTEGRITY_PLATFORM_KEYRING 559dc92c45SNayna Jain bool "Provide keyring for platform/firmware trusted keys" 569dc92c45SNayna Jain depends on INTEGRITY_ASYMMETRIC_KEYS 579dc92c45SNayna Jain depends on SYSTEM_BLACKLIST_KEYRING 589dc92c45SNayna Jain help 599dc92c45SNayna Jain Provide a separate, distinct keyring for platform trusted keys, which 609dc92c45SNayna Jain the kernel automatically populates during initialization from values 619dc92c45SNayna Jain provided by the platform for verifying the kexec'ed kerned image 629dc92c45SNayna Jain and, possibly, the initramfs signature. 639dc92c45SNayna Jain 649641b8ccSMartin Schwidefskyconfig LOAD_UEFI_KEYS 659641b8ccSMartin Schwidefsky depends on INTEGRITY_PLATFORM_KEYRING 669641b8ccSMartin Schwidefsky depends on EFI 679641b8ccSMartin Schwidefsky def_bool y 689641b8ccSMartin Schwidefsky 699641b8ccSMartin Schwidefskyconfig LOAD_IPL_KEYS 709641b8ccSMartin Schwidefsky depends on INTEGRITY_PLATFORM_KEYRING 719641b8ccSMartin Schwidefsky depends on S390 729641b8ccSMartin Schwidefsky def_bool y 739641b8ccSMartin Schwidefsky 74d726d8d7SMimi Zoharconfig INTEGRITY_AUDIT 75d726d8d7SMimi Zohar bool "Enables integrity auditing support " 767ef84e65SDmitry Kasatkin depends on AUDIT 77d726d8d7SMimi Zohar default y 78d726d8d7SMimi Zohar help 79d726d8d7SMimi Zohar In addition to enabling integrity auditing support, this 80d726d8d7SMimi Zohar option adds a kernel parameter 'integrity_audit', which 81d726d8d7SMimi Zohar controls the level of integrity auditing messages. 82d726d8d7SMimi Zohar 0 - basic integrity auditing messages (default) 83d726d8d7SMimi Zohar 1 - additional integrity auditing messages 84d726d8d7SMimi Zohar 85d726d8d7SMimi Zohar Additional informational integrity auditing messages would 86d726d8d7SMimi Zohar be enabled by specifying 'integrity_audit=1' on the kernel 87d726d8d7SMimi Zohar command line. 88d726d8d7SMimi Zohar 898636a1f9SMasahiro Yamadasource "security/integrity/ima/Kconfig" 908636a1f9SMasahiro Yamadasource "security/integrity/evm/Kconfig" 917ef84e65SDmitry Kasatkin 927ef84e65SDmitry Kasatkinendif # if INTEGRITY 93