1# 2config INTEGRITY 3 bool "Integrity subsystem" 4 depends on SECURITY 5 default y 6 help 7 This option enables the integrity subsystem, which is comprised 8 of a number of different components including the Integrity 9 Measurement Architecture (IMA), Extended Verification Module 10 (EVM), IMA-appraisal extension, digital signature verification 11 extension and audit measurement log support. 12 13 Each of these components can be enabled/disabled separately. 14 Refer to the individual components for additional details. 15 16if INTEGRITY 17 18config INTEGRITY_SIGNATURE 19 bool "Digital signature verification using multiple keyrings" 20 depends on KEYS 21 default n 22 select SIGNATURE 23 help 24 This option enables digital signature verification support 25 using multiple keyrings. It defines separate keyrings for each 26 of the different use cases - evm, ima, and modules. 27 Different keyrings improves search performance, but also allow 28 to "lock" certain keyring to prevent adding new keys. 29 This is useful for evm and module keyrings, when keys are 30 usually only added from initramfs. 31 32config INTEGRITY_ASYMMETRIC_KEYS 33 bool "Enable asymmetric keys support" 34 depends on INTEGRITY_SIGNATURE 35 default n 36 select ASYMMETRIC_KEY_TYPE 37 select ASYMMETRIC_PUBLIC_KEY_SUBTYPE 38 select CRYPTO_RSA 39 select X509_CERTIFICATE_PARSER 40 help 41 This option enables digital signature verification using 42 asymmetric keys. 43 44config INTEGRITY_TRUSTED_KEYRING 45 bool "Require all keys on the integrity keyrings be signed" 46 depends on SYSTEM_TRUSTED_KEYRING 47 depends on INTEGRITY_ASYMMETRIC_KEYS 48 default y 49 help 50 This option requires that all keys added to the .ima and 51 .evm keyrings be signed by a key on the system trusted 52 keyring. 53 54config INTEGRITY_PLATFORM_KEYRING 55 bool "Provide keyring for platform/firmware trusted keys" 56 depends on INTEGRITY_ASYMMETRIC_KEYS 57 depends on SYSTEM_BLACKLIST_KEYRING 58 depends on EFI 59 help 60 Provide a separate, distinct keyring for platform trusted keys, which 61 the kernel automatically populates during initialization from values 62 provided by the platform for verifying the kexec'ed kerned image 63 and, possibly, the initramfs signature. 64 65config INTEGRITY_AUDIT 66 bool "Enables integrity auditing support " 67 depends on AUDIT 68 default y 69 help 70 In addition to enabling integrity auditing support, this 71 option adds a kernel parameter 'integrity_audit', which 72 controls the level of integrity auditing messages. 73 0 - basic integrity auditing messages (default) 74 1 - additional integrity auditing messages 75 76 Additional informational integrity auditing messages would 77 be enabled by specifying 'integrity_audit=1' on the kernel 78 command line. 79 80source security/integrity/ima/Kconfig 81source security/integrity/evm/Kconfig 82 83endif # if INTEGRITY 84