1# 2config INTEGRITY 3 bool "Integrity subsystem" 4 depends on SECURITY 5 default y 6 help 7 This option enables the integrity subsystem, which is comprised 8 of a number of different components including the Integrity 9 Measurement Architecture (IMA), Extended Verification Module 10 (EVM), IMA-appraisal extension, digital signature verification 11 extension and audit measurement log support. 12 13 Each of these components can be enabled/disabled separately. 14 Refer to the individual components for additional details. 15 16if INTEGRITY 17 18config INTEGRITY_SIGNATURE 19 bool "Digital signature verification using multiple keyrings" 20 depends on KEYS 21 default n 22 select SIGNATURE 23 help 24 This option enables digital signature verification support 25 using multiple keyrings. It defines separate keyrings for each 26 of the different use cases - evm, ima, and modules. 27 Different keyrings improves search performance, but also allow 28 to "lock" certain keyring to prevent adding new keys. 29 This is useful for evm and module keyrings, when keys are 30 usually only added from initramfs. 31 32config INTEGRITY_ASYMMETRIC_KEYS 33 bool "Enable asymmetric keys support" 34 depends on INTEGRITY_SIGNATURE 35 default n 36 select ASYMMETRIC_KEY_TYPE 37 select ASYMMETRIC_PUBLIC_KEY_SUBTYPE 38 select CRYPTO_RSA 39 select X509_CERTIFICATE_PARSER 40 help 41 This option enables digital signature verification using 42 asymmetric keys. 43 44config INTEGRITY_TRUSTED_KEYRING 45 bool "Require all keys on the integrity keyrings be signed" 46 depends on SYSTEM_TRUSTED_KEYRING 47 depends on INTEGRITY_ASYMMETRIC_KEYS 48 default y 49 help 50 This option requires that all keys added to the .ima and 51 .evm keyrings be signed by a key on the system trusted 52 keyring. 53 54config INTEGRITY_AUDIT 55 bool "Enables integrity auditing support " 56 depends on AUDIT 57 default y 58 help 59 In addition to enabling integrity auditing support, this 60 option adds a kernel parameter 'integrity_audit', which 61 controls the level of integrity auditing messages. 62 0 - basic integrity auditing messages (default) 63 1 - additional integrity auditing messages 64 65 Additional informational integrity auditing messages would 66 be enabled by specifying 'integrity_audit=1' on the kernel 67 command line. 68 69source "security/integrity/ima/Kconfig" 70source "security/integrity/evm/Kconfig" 71 72endif # if INTEGRITY 73