# SPDX-License-Identifier: GPL-2.0-only
#
config INTEGRITY
	bool "Integrity subsystem"
	depends on SECURITY
	default y
	help
	  This option enables the integrity subsystem, which comprises
	  a number of different components including the Integrity
	  Measurement Architecture (IMA), Extended Verification Module
	  (EVM), IMA-appraisal extension, digital signature verification
	  extension and audit measurement log support.

	  Each of these components can be enabled/disabled separately.
	  Refer to the individual components for additional details.

if INTEGRITY

config INTEGRITY_SIGNATURE
	bool "Digital signature verification using multiple keyrings"
	default n
	select KEYS
	select SIGNATURE
	help
	  This option enables digital signature verification support
	  using multiple keyrings. It defines separate keyrings for each
	  of the different use cases - evm, ima, and modules.
	  Separate keyrings improve search performance and also allow a
	  keyring to be "locked" to prevent new keys from being added.
	  This is useful for the evm and module keyrings, where keys are
	  usually only added from the initramfs.

config INTEGRITY_ASYMMETRIC_KEYS
	bool "Enable asymmetric keys support"
	depends on INTEGRITY_SIGNATURE
	default n
	select ASYMMETRIC_KEY_TYPE
	select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
	select CRYPTO_RSA
	select X509_CERTIFICATE_PARSER
	help
	  This option enables digital signature verification using
	  asymmetric keys.

config INTEGRITY_TRUSTED_KEYRING
	bool "Require all keys on the integrity keyrings be signed"
	depends on SYSTEM_TRUSTED_KEYRING
	depends on INTEGRITY_ASYMMETRIC_KEYS
	default y
	help
	  This option requires that all keys added to the .ima and
	  .evm keyrings be signed by a key on the system trusted
	  keyring.

config INTEGRITY_PLATFORM_KEYRING
	bool "Provide keyring for platform/firmware trusted keys"
	depends on INTEGRITY_ASYMMETRIC_KEYS
	depends on SYSTEM_BLACKLIST_KEYRING
	help
	  Provide a separate, distinct keyring for platform trusted keys, which
	  the kernel automatically populates during initialization from values
	  provided by the platform for verifying the kexec'ed kernel image
	  and, possibly, the initramfs signature.

config INTEGRITY_MACHINE_KEYRING
	bool "Provide a keyring to which Machine Owner Keys may be added"
	depends on SECONDARY_TRUSTED_KEYRING
	depends on INTEGRITY_ASYMMETRIC_KEYS
	depends on SYSTEM_BLACKLIST_KEYRING
	depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS
	select INTEGRITY_CA_MACHINE_KEYRING if LOAD_PPC_KEYS
	select INTEGRITY_CA_MACHINE_KEYRING_MAX if LOAD_PPC_KEYS
	help
	  If set, provide a keyring to which Machine Owner Keys (MOK) may
	  be added. This keyring shall contain just MOK keys. Unlike keys
	  in the platform keyring, keys contained in the .machine keyring will
	  be trusted within the kernel.

config INTEGRITY_CA_MACHINE_KEYRING
	bool "Enforce Machine Keyring CA Restrictions"
	depends on INTEGRITY_MACHINE_KEYRING
	default n
	help
	  The .machine keyring can be configured to enforce CA restrictions
	  on any key added to it. By default no restrictions are in place
	  and all Machine Owner Keys (MOK) are added to the machine keyring.
	  If enabled, only CA keys are added to the machine keyring; all
	  other MOK keys load into the platform keyring.

config INTEGRITY_CA_MACHINE_KEYRING_MAX
	bool "Only CA keys without DigitalSignature usage set"
	depends on INTEGRITY_CA_MACHINE_KEYRING
	default n
	help
	  When selected, only CA keys that have the CA bit set along with
	  the keyCertSign Usage field are loaded into the machine keyring.
	  Keys containing the digitalSignature Usage field will not be
	  loaded. The remaining MOK keys are loaded into the .platform
	  keyring.

config LOAD_UEFI_KEYS
	depends on INTEGRITY_PLATFORM_KEYRING
	depends on EFI
	def_bool y

config LOAD_IPL_KEYS
	depends on INTEGRITY_PLATFORM_KEYRING
	depends on S390
	def_bool y

config LOAD_PPC_KEYS
	bool "Enable loading of platform and blacklisted keys for POWER"
	depends on INTEGRITY_PLATFORM_KEYRING
	depends on PPC_SECURE_BOOT
	default y
	help
	  Enable loading of keys to the .platform keyring and blacklisted
	  hashes to the .blacklist keyring for powerpc based platforms.

config INTEGRITY_AUDIT
	bool "Enables integrity auditing support"
	depends on AUDIT
	default y
	help
	  In addition to enabling integrity auditing support, this
	  option adds a kernel parameter 'integrity_audit', which
	  controls the level of integrity auditing messages.
	  0 - basic integrity auditing messages (default)
	  1 - additional integrity auditing messages

	  Additional informational integrity auditing messages would
	  be enabled by specifying 'integrity_audit=1' on the kernel
	  command line.

source "security/integrity/ima/Kconfig"
source "security/integrity/evm/Kconfig"

endif # if INTEGRITY
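The keyring options above interact through `depends on` and `select`: in particular, `INTEGRITY_MACHINE_KEYRING` forces both CA-restriction options on when `LOAD_PPC_KEYS` is set, so on a POWER secure-boot kernel an operator cannot answer "n" to `INTEGRITY_CA_MACHINE_KEYRING`, while on a UEFI kernel the choice is honoured. The following added example (not part of the kernel tree or the kconfig tooling) is a deliberately small model of that Kconfig subset: it parses a trimmed copy of the fragment above (prompts and help text omitted, which are assumed irrelevant to the dependency logic) and resolves symbol values for a POWER and a UEFI configuration. Real Kconfig (`scripts/kconfig`) handles tristates, choices, visibility and much more; this models only the `bool`/`default`/`def_bool`/`depends on`/`select ... if` semantics that this file uses, including the fact that `select` forces a symbol to y regardless of the user's answer.

```python
"""Minimal evaluator for the Kconfig subset used in security/integrity/Kconfig.

Added teaching example, not kernel code.  Models: bool symbols, default/def_bool,
'depends on' (with || and &&), and 'select X if COND', which in Kconfig forces
X=y whenever the selecting symbol is y and COND holds.
"""
import re

# Trimmed copy of the keyring-related fragment above (prompts/help omitted).
KCONFIG = """
config INTEGRITY_ASYMMETRIC_KEYS
	depends on INTEGRITY_SIGNATURE
	default n

config INTEGRITY_PLATFORM_KEYRING
	depends on INTEGRITY_ASYMMETRIC_KEYS
	depends on SYSTEM_BLACKLIST_KEYRING

config INTEGRITY_MACHINE_KEYRING
	depends on SECONDARY_TRUSTED_KEYRING
	depends on INTEGRITY_ASYMMETRIC_KEYS
	depends on SYSTEM_BLACKLIST_KEYRING
	depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS
	select INTEGRITY_CA_MACHINE_KEYRING if LOAD_PPC_KEYS
	select INTEGRITY_CA_MACHINE_KEYRING_MAX if LOAD_PPC_KEYS

config INTEGRITY_CA_MACHINE_KEYRING
	depends on INTEGRITY_MACHINE_KEYRING
	default n

config INTEGRITY_CA_MACHINE_KEYRING_MAX
	depends on INTEGRITY_CA_MACHINE_KEYRING
	default n

config LOAD_UEFI_KEYS
	depends on INTEGRITY_PLATFORM_KEYRING
	depends on EFI
	def_bool y

config LOAD_PPC_KEYS
	depends on INTEGRITY_PLATFORM_KEYRING
	depends on PPC_SECURE_BOOT
	default y
"""


def parse(text):
    """Return {name: {"deps": [expr], "selects": [(target, cond)], "default": "y"/"n"}}."""
    syms, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            cur = syms[line.split()[1]] = {"deps": [], "selects": [], "default": "n"}
        elif line.startswith("depends on "):
            cur["deps"].append(line[len("depends on "):])
        elif line.startswith("select "):
            m = re.fullmatch(r"select (\w+)(?: if (.+))?", line)
            cur["selects"].append((m.group(1), m.group(2) or "y"))
        elif line.startswith(("default ", "def_bool ")):
            cur["default"] = line.split()[1]
    return syms


def term(t, values):
    if t.startswith("!"):
        return not term(t[1:].strip(), values)
    return {"y": True, "n": False}.get(t, values.get(t, False))


def expr(e, values):
    """Evaluate a Kconfig bool expression; '||' binds looser than '&&'."""
    return any(all(term(t.strip(), values) for t in clause.split("&&"))
               for clause in e.split("||"))


def evaluate(syms, externals, answers=None):
    """Resolve symbol values to a fixed point.

    externals: symbols defined elsewhere in the tree that are y (e.g. EFI).
    answers:   the user's explicit y/n answers; unanswered symbols take their default.
    A symbol is y if some y symbol selects it (condition true), or if all its
    dependencies hold and it is answered/defaulted to y.  Starting from all-n and
    using only monotone rules, len(syms)+1 rounds always reach the fixed point.
    """
    answers = answers or {}
    values = {e: True for e in externals}
    values.update({s: False for s in syms})
    for _ in range(len(syms) + 1):
        new = dict(values)
        for name, s in syms.items():
            selected = any(values[who] and expr(cond, values)
                           for who, other in syms.items()
                           for tgt, cond in other["selects"] if tgt == name)
            deps_ok = all(expr(d, values) for d in s["deps"])
            wanted = answers.get(name, s["default"] == "y")
            new[name] = selected or (deps_ok and wanted)
        if new == values:
            break
        values = new
    return values


def demo():
    """Same operator answers on a POWER and a UEFI kernel; only the platform differs."""
    syms = parse(KCONFIG)
    common = {"INTEGRITY_SIGNATURE", "SYSTEM_BLACKLIST_KEYRING", "SECONDARY_TRUSTED_KEYRING"}
    answers = {"INTEGRITY_ASYMMETRIC_KEYS": True, "INTEGRITY_PLATFORM_KEYRING": True,
               "INTEGRITY_MACHINE_KEYRING": True,
               "INTEGRITY_CA_MACHINE_KEYRING": False}   # operator says "n" to CA restriction
    ppc = evaluate(syms, common | {"PPC_SECURE_BOOT"}, answers)
    uefi = evaluate(syms, common | {"EFI"}, answers)
    return ppc, uefi


if __name__ == "__main__":
    for label, cfg in zip(("POWER", "UEFI"), demo()):
        print(label, {k: "y" if v else "n" for k, v in cfg.items() if k.startswith(("INTEGRITY_CA", "LOAD_"))})
```

On the POWER configuration the operator's "n" is overridden: `LOAD_PPC_KEYS` defaults to y, which makes `INTEGRITY_MACHINE_KEYRING`'s `select ... if LOAD_PPC_KEYS` fire, so both CA-restriction symbols come out y. On the UEFI configuration `LOAD_PPC_KEYS` is n (its `PPC_SECURE_BOOT` dependency is unmet), the selects stay inactive, and `INTEGRITY_CA_MACHINE_KEYRING` remains n as answered. When auditing a vendor kernel's `.config`, this is the reason the CA restriction may appear "on" despite no one having chosen it.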