xref: /openbmc/linux/security/keys/Kconfig (revision 31e6ec45)
1f0894940SDavid Howells#
2f0894940SDavid Howells# Key management configuration
3f0894940SDavid Howells#
4f0894940SDavid Howells
5f0894940SDavid Howellsconfig KEYS
6f0894940SDavid Howells	bool "Enable access key retention support"
7b2a4df20SDavid Howells	select ASSOCIATIVE_ARRAY
8f0894940SDavid Howells	help
9f0894940SDavid Howells	  This option provides support for retaining authentication tokens and
10f0894940SDavid Howells	  access keys in the kernel.
11f0894940SDavid Howells
12f0894940SDavid Howells	  It also includes provision of methods by which such keys might be
13f0894940SDavid Howells	  associated with a process so that network filesystems, encryption
14f0894940SDavid Howells	  support and the like can find them.
15f0894940SDavid Howells
16f0894940SDavid Howells	  Furthermore, a special type of key is available that acts as keyring:
17f0894940SDavid Howells	  a searchable sequence of keys. Each process is equipped with access
18f0894940SDavid Howells	  to five standard keyrings: UID-specific, GID-specific, session,
19f0894940SDavid Howells	  process and thread.
20f0894940SDavid Howells
21f0894940SDavid Howells	  If you are unsure as to whether this is required, answer N.
22f0894940SDavid Howells
23f36f8c75SDavid Howellsconfig PERSISTENT_KEYRINGS
24f36f8c75SDavid Howells	bool "Enable register of persistent per-UID keyrings"
25f36f8c75SDavid Howells	depends on KEYS
26f36f8c75SDavid Howells	help
27f36f8c75SDavid Howells	  This option provides a register of persistent per-UID keyrings,
28f36f8c75SDavid Howells	  primarily aimed at Kerberos key storage.  The keyrings are persistent
29f36f8c75SDavid Howells	  in the sense that they stay around after all processes of that UID
30f36f8c75SDavid Howells	  have exited, not that they survive the machine being rebooted.
31f36f8c75SDavid Howells
32f36f8c75SDavid Howells	  A particular keyring may be accessed by either the user whose keyring
33f36f8c75SDavid Howells	  it is or by a process with administrative privileges.  The active
34f36f8c75SDavid Howells	  LSMs gets to rule on which admin-level processes get to access the
35f36f8c75SDavid Howells	  cache.
36f36f8c75SDavid Howells
37f36f8c75SDavid Howells	  Keyrings are created and added into the register upon demand and get
38f36f8c75SDavid Howells	  removed if they expire (a default timeout is set upon creation).
39f36f8c75SDavid Howells
40ab3c3587SDavid Howellsconfig BIG_KEYS
412eaf6b5dSJosh Boyer	bool "Large payload keys"
42ab3c3587SDavid Howells	depends on KEYS
43ab3c3587SDavid Howells	depends on TMPFS
4431e6ec45SArtem Savkov	depends on (CRYPTO_ANSI_CPRNG = y || CRYPTO_DRBG = y)
4513100a72SKirill Marinushkin	select CRYPTO_AES
4613100a72SKirill Marinushkin	select CRYPTO_ECB
4713100a72SKirill Marinushkin	select CRYPTO_RNG
48ab3c3587SDavid Howells	help
49ab3c3587SDavid Howells	  This option provides support for holding large keys within the kernel
50ab3c3587SDavid Howells	  (for example Kerberos ticket caches).  The data may be stored out to
51ab3c3587SDavid Howells	  swapspace by tmpfs.
52ab3c3587SDavid Howells
53ab3c3587SDavid Howells	  If you are unsure as to whether this is required, answer N.
54ab3c3587SDavid Howells
55f0894940SDavid Howellsconfig TRUSTED_KEYS
56f0894940SDavid Howells	tristate "TRUSTED KEYS"
57f0894940SDavid Howells	depends on KEYS && TCG_TPM
58f0894940SDavid Howells	select CRYPTO
59f0894940SDavid Howells	select CRYPTO_HMAC
60f0894940SDavid Howells	select CRYPTO_SHA1
615ca4c20cSJarkko Sakkinen	select CRYPTO_HASH_INFO
62f0894940SDavid Howells	help
63f0894940SDavid Howells	  This option provides support for creating, sealing, and unsealing
64f0894940SDavid Howells	  keys in the kernel. Trusted keys are random number symmetric keys,
65f0894940SDavid Howells	  generated and RSA-sealed by the TPM. The TPM only unseals the keys,
66f0894940SDavid Howells	  if the boot PCRs and other criteria match.  Userspace will only ever
67f0894940SDavid Howells	  see encrypted blobs.
68f0894940SDavid Howells
69f0894940SDavid Howells	  If you are unsure as to whether this is required, answer N.
70f0894940SDavid Howells
71f0894940SDavid Howellsconfig ENCRYPTED_KEYS
72f0894940SDavid Howells	tristate "ENCRYPTED KEYS"
73f0894940SDavid Howells	depends on KEYS
74f0894940SDavid Howells	select CRYPTO
75f0894940SDavid Howells	select CRYPTO_HMAC
76f0894940SDavid Howells	select CRYPTO_AES
77f0894940SDavid Howells	select CRYPTO_CBC
78f0894940SDavid Howells	select CRYPTO_SHA256
79f0894940SDavid Howells	select CRYPTO_RNG
80f0894940SDavid Howells	help
81f0894940SDavid Howells	  This option provides support for create/encrypting/decrypting keys
82f0894940SDavid Howells	  in the kernel.  Encrypted keys are kernel generated random numbers,
83f0894940SDavid Howells	  which are encrypted/decrypted with a 'master' symmetric key. The
84f0894940SDavid Howells	  'master' key can be either a trusted-key or user-key type.
85f0894940SDavid Howells	  Userspace only ever sees/stores encrypted blobs.
86f0894940SDavid Howells
87f0894940SDavid Howells	  If you are unsure as to whether this is required, answer N.
88ddbb4114SMat Martineau
89ddbb4114SMat Martineauconfig KEY_DH_OPERATIONS
90ddbb4114SMat Martineau       bool "Diffie-Hellman operations on retained keys"
91ddbb4114SMat Martineau       depends on KEYS
92ddbb4114SMat Martineau       select MPILIB
93ddbb4114SMat Martineau       help
94ddbb4114SMat Martineau	 This option provides support for calculating Diffie-Hellman
95ddbb4114SMat Martineau	 public keys and shared secrets using values stored as keys
96ddbb4114SMat Martineau	 in the kernel.
97ddbb4114SMat Martineau
98ddbb4114SMat Martineau	 If you are unsure as to whether this is required, answer N.
99