1ec8f24b7SThomas Gleixner# SPDX-License-Identifier: GPL-2.0-only 2f381c272SMimi Zohar# 3f381c272SMimi Zoharconfig INTEGRITY 47ef84e65SDmitry Kasatkin bool "Integrity subsystem" 57ef84e65SDmitry Kasatkin depends on SECURITY 67ef84e65SDmitry Kasatkin default y 77ef84e65SDmitry Kasatkin help 87ef84e65SDmitry Kasatkin This option enables the integrity subsystem, which is comprised 97ef84e65SDmitry Kasatkin of a number of different components including the Integrity 107ef84e65SDmitry Kasatkin Measurement Architecture (IMA), Extended Verification Module 117ef84e65SDmitry Kasatkin (EVM), IMA-appraisal extension, digital signature verification 127ef84e65SDmitry Kasatkin extension and audit measurement log support. 137ef84e65SDmitry Kasatkin 147ef84e65SDmitry Kasatkin Each of these components can be enabled/disabled separately. 157ef84e65SDmitry Kasatkin Refer to the individual components for additional details. 167ef84e65SDmitry Kasatkin 177ef84e65SDmitry Kasatkinif INTEGRITY 18f381c272SMimi Zohar 19f1be242cSDmitry Kasatkinconfig INTEGRITY_SIGNATURE 206341e62bSChristoph Jaeger bool "Digital signature verification using multiple keyrings" 218607c501SDmitry Kasatkin default n 22cf38fed1SThiago Jung Bauermann select KEYS 235e8898e9SDmitry Kasatkin select SIGNATURE 248607c501SDmitry Kasatkin help 258607c501SDmitry Kasatkin This option enables digital signature verification support 268607c501SDmitry Kasatkin using multiple keyrings. It defines separate keyrings for each 278607c501SDmitry Kasatkin of the different use cases - evm, ima, and modules. 288607c501SDmitry Kasatkin Different keyrings improves search performance, but also allow 298607c501SDmitry Kasatkin to "lock" certain keyring to prevent adding new keys. 308607c501SDmitry Kasatkin This is useful for evm and module keyrings, when keys are 318607c501SDmitry Kasatkin usually only added from initramfs. 328607c501SDmitry Kasatkin 331ae8f41cSDmitry Kasatkinconfig INTEGRITY_ASYMMETRIC_KEYS 346341e62bSChristoph Jaeger bool "Enable asymmetric keys support" 351ae8f41cSDmitry Kasatkin depends on INTEGRITY_SIGNATURE 361ae8f41cSDmitry Kasatkin default n 371ae8f41cSDmitry Kasatkin select ASYMMETRIC_KEY_TYPE 381ae8f41cSDmitry Kasatkin select ASYMMETRIC_PUBLIC_KEY_SUBTYPE 39eb5798f2STadeusz Struk select CRYPTO_RSA 401ae8f41cSDmitry Kasatkin select X509_CERTIFICATE_PARSER 411ae8f41cSDmitry Kasatkin help 421ae8f41cSDmitry Kasatkin This option enables digital signature verification using 431ae8f41cSDmitry Kasatkin asymmetric keys. 441ae8f41cSDmitry Kasatkin 45f4dc3778SDmitry Kasatkinconfig INTEGRITY_TRUSTED_KEYRING 46f4dc3778SDmitry Kasatkin bool "Require all keys on the integrity keyrings be signed" 47f4dc3778SDmitry Kasatkin depends on SYSTEM_TRUSTED_KEYRING 48f4dc3778SDmitry Kasatkin depends on INTEGRITY_ASYMMETRIC_KEYS 49f4dc3778SDmitry Kasatkin default y 50f4dc3778SDmitry Kasatkin help 51f4dc3778SDmitry Kasatkin This option requires that all keys added to the .ima and 52f4dc3778SDmitry Kasatkin .evm keyrings be signed by a key on the system trusted 53f4dc3778SDmitry Kasatkin keyring. 54f4dc3778SDmitry Kasatkin 559dc92c45SNayna Jainconfig INTEGRITY_PLATFORM_KEYRING 569dc92c45SNayna Jain bool "Provide keyring for platform/firmware trusted keys" 579dc92c45SNayna Jain depends on INTEGRITY_ASYMMETRIC_KEYS 589dc92c45SNayna Jain depends on SYSTEM_BLACKLIST_KEYRING 599dc92c45SNayna Jain help 609dc92c45SNayna Jain Provide a separate, distinct keyring for platform trusted keys, which 619dc92c45SNayna Jain the kernel automatically populates during initialization from values 629dc92c45SNayna Jain provided by the platform for verifying the kexec'ed kerned image 639dc92c45SNayna Jain and, possibly, the initramfs signature. 649dc92c45SNayna Jain 65*d1996776SEric Snowbergconfig INTEGRITY_MACHINE_KEYRING 66*d1996776SEric Snowberg bool "Provide a keyring to which Machine Owner Keys may be added" 67*d1996776SEric Snowberg depends on SECONDARY_TRUSTED_KEYRING 68*d1996776SEric Snowberg depends on INTEGRITY_ASYMMETRIC_KEYS 69*d1996776SEric Snowberg depends on SYSTEM_BLACKLIST_KEYRING 70*d1996776SEric Snowberg depends on LOAD_UEFI_KEYS 71*d1996776SEric Snowberg depends on !IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY 72*d1996776SEric Snowberg help 73*d1996776SEric Snowberg If set, provide a keyring to which Machine Owner Keys (MOK) may 74*d1996776SEric Snowberg be added. This keyring shall contain just MOK keys. Unlike keys 75*d1996776SEric Snowberg in the platform keyring, keys contained in the .machine keyring will 76*d1996776SEric Snowberg be trusted within the kernel. 77*d1996776SEric Snowberg 789641b8ccSMartin Schwidefskyconfig LOAD_UEFI_KEYS 799641b8ccSMartin Schwidefsky depends on INTEGRITY_PLATFORM_KEYRING 809641b8ccSMartin Schwidefsky depends on EFI 819641b8ccSMartin Schwidefsky def_bool y 829641b8ccSMartin Schwidefsky 839641b8ccSMartin Schwidefskyconfig LOAD_IPL_KEYS 849641b8ccSMartin Schwidefsky depends on INTEGRITY_PLATFORM_KEYRING 859641b8ccSMartin Schwidefsky depends on S390 869641b8ccSMartin Schwidefsky def_bool y 879641b8ccSMartin Schwidefsky 888220e22dSNayna Jainconfig LOAD_PPC_KEYS 898220e22dSNayna Jain bool "Enable loading of platform and blacklisted keys for POWER" 908220e22dSNayna Jain depends on INTEGRITY_PLATFORM_KEYRING 918220e22dSNayna Jain depends on PPC_SECURE_BOOT 928220e22dSNayna Jain default y 938220e22dSNayna Jain help 948220e22dSNayna Jain Enable loading of keys to the .platform keyring and blacklisted 958220e22dSNayna Jain hashes to the .blacklist keyring for powerpc based platforms. 968220e22dSNayna Jain 97d726d8d7SMimi Zoharconfig INTEGRITY_AUDIT 98d726d8d7SMimi Zohar bool "Enables integrity auditing support " 997ef84e65SDmitry Kasatkin depends on AUDIT 100d726d8d7SMimi Zohar default y 101d726d8d7SMimi Zohar help 102d726d8d7SMimi Zohar In addition to enabling integrity auditing support, this 103d726d8d7SMimi Zohar option adds a kernel parameter 'integrity_audit', which 104d726d8d7SMimi Zohar controls the level of integrity auditing messages. 105d726d8d7SMimi Zohar 0 - basic integrity auditing messages (default) 106d726d8d7SMimi Zohar 1 - additional integrity auditing messages 107d726d8d7SMimi Zohar 108d726d8d7SMimi Zohar Additional informational integrity auditing messages would 109d726d8d7SMimi Zohar be enabled by specifying 'integrity_audit=1' on the kernel 110d726d8d7SMimi Zohar command line. 111d726d8d7SMimi Zohar 1128636a1f9SMasahiro Yamadasource "security/integrity/ima/Kconfig" 1138636a1f9SMasahiro Yamadasource "security/integrity/evm/Kconfig" 1147ef84e65SDmitry Kasatkin 1157ef84e65SDmitry Kasatkinendif # if INTEGRITY 116