1f0894940SDavid Howells# 2f0894940SDavid Howells# Key management configuration 3f0894940SDavid Howells# 4f0894940SDavid Howells 5f0894940SDavid Howellsconfig KEYS 6f0894940SDavid Howells bool "Enable access key retention support" 7b2a4df20SDavid Howells select ASSOCIATIVE_ARRAY 8f0894940SDavid Howells help 9f0894940SDavid Howells This option provides support for retaining authentication tokens and 10f0894940SDavid Howells access keys in the kernel. 11f0894940SDavid Howells 12f0894940SDavid Howells It also includes provision of methods by which such keys might be 13f0894940SDavid Howells associated with a process so that network filesystems, encryption 14f0894940SDavid Howells support and the like can find them. 15f0894940SDavid Howells 16f0894940SDavid Howells Furthermore, a special type of key is available that acts as keyring: 17f0894940SDavid Howells a searchable sequence of keys. Each process is equipped with access 18f0894940SDavid Howells to five standard keyrings: UID-specific, GID-specific, session, 19f0894940SDavid Howells process and thread. 20f0894940SDavid Howells 21f0894940SDavid Howells If you are unsure as to whether this is required, answer N. 22f0894940SDavid Howells 23f36f8c75SDavid Howellsconfig PERSISTENT_KEYRINGS 24f36f8c75SDavid Howells bool "Enable register of persistent per-UID keyrings" 25f36f8c75SDavid Howells depends on KEYS 26f36f8c75SDavid Howells help 27f36f8c75SDavid Howells This option provides a register of persistent per-UID keyrings, 28f36f8c75SDavid Howells primarily aimed at Kerberos key storage. The keyrings are persistent 29f36f8c75SDavid Howells in the sense that they stay around after all processes of that UID 30f36f8c75SDavid Howells have exited, not that they survive the machine being rebooted. 31f36f8c75SDavid Howells 32f36f8c75SDavid Howells A particular keyring may be accessed by either the user whose keyring 33f36f8c75SDavid Howells it is or by a process with administrative privileges. The active 34f36f8c75SDavid Howells LSMs gets to rule on which admin-level processes get to access the 35f36f8c75SDavid Howells cache. 36f36f8c75SDavid Howells 37f36f8c75SDavid Howells Keyrings are created and added into the register upon demand and get 38f36f8c75SDavid Howells removed if they expire (a default timeout is set upon creation). 39f36f8c75SDavid Howells 40ab3c3587SDavid Howellsconfig BIG_KEYS 412eaf6b5dSJosh Boyer bool "Large payload keys" 42ab3c3587SDavid Howells depends on KEYS 43ab3c3587SDavid Howells depends on TMPFS 4431e6ec45SArtem Savkov depends on (CRYPTO_ANSI_CPRNG = y || CRYPTO_DRBG = y) 4513100a72SKirill Marinushkin select CRYPTO_AES 4613100a72SKirill Marinushkin select CRYPTO_ECB 4713100a72SKirill Marinushkin select CRYPTO_RNG 48ab3c3587SDavid Howells help 49ab3c3587SDavid Howells This option provides support for holding large keys within the kernel 50ab3c3587SDavid Howells (for example Kerberos ticket caches). The data may be stored out to 51ab3c3587SDavid Howells swapspace by tmpfs. 52ab3c3587SDavid Howells 53ab3c3587SDavid Howells If you are unsure as to whether this is required, answer N. 54ab3c3587SDavid Howells 55f0894940SDavid Howellsconfig TRUSTED_KEYS 56f0894940SDavid Howells tristate "TRUSTED KEYS" 57f0894940SDavid Howells depends on KEYS && TCG_TPM 58f0894940SDavid Howells select CRYPTO 59f0894940SDavid Howells select CRYPTO_HMAC 60f0894940SDavid Howells select CRYPTO_SHA1 615ca4c20cSJarkko Sakkinen select CRYPTO_HASH_INFO 62f0894940SDavid Howells help 63f0894940SDavid Howells This option provides support for creating, sealing, and unsealing 64f0894940SDavid Howells keys in the kernel. Trusted keys are random number symmetric keys, 65f0894940SDavid Howells generated and RSA-sealed by the TPM. The TPM only unseals the keys, 66f0894940SDavid Howells if the boot PCRs and other criteria match. Userspace will only ever 67f0894940SDavid Howells see encrypted blobs. 68f0894940SDavid Howells 69f0894940SDavid Howells If you are unsure as to whether this is required, answer N. 70f0894940SDavid Howells 71f0894940SDavid Howellsconfig ENCRYPTED_KEYS 72f0894940SDavid Howells tristate "ENCRYPTED KEYS" 73f0894940SDavid Howells depends on KEYS 74f0894940SDavid Howells select CRYPTO 75f0894940SDavid Howells select CRYPTO_HMAC 76f0894940SDavid Howells select CRYPTO_AES 77f0894940SDavid Howells select CRYPTO_CBC 78f0894940SDavid Howells select CRYPTO_SHA256 79f0894940SDavid Howells select CRYPTO_RNG 80f0894940SDavid Howells help 81f0894940SDavid Howells This option provides support for create/encrypting/decrypting keys 82f0894940SDavid Howells in the kernel. Encrypted keys are kernel generated random numbers, 83f0894940SDavid Howells which are encrypted/decrypted with a 'master' symmetric key. The 84f0894940SDavid Howells 'master' key can be either a trusted-key or user-key type. 85f0894940SDavid Howells Userspace only ever sees/stores encrypted blobs. 86f0894940SDavid Howells 87f0894940SDavid Howells If you are unsure as to whether this is required, answer N. 88ddbb4114SMat Martineau 89ddbb4114SMat Martineauconfig KEY_DH_OPERATIONS 90ddbb4114SMat Martineau bool "Diffie-Hellman operations on retained keys" 91ddbb4114SMat Martineau depends on KEYS 92ddbb4114SMat Martineau select MPILIB 934cd4ca7cSStephan Müller select CRYPTO 94f1c316a3SStephan Mueller select CRYPTO_HASH 95ddbb4114SMat Martineau help 96ddbb4114SMat Martineau This option provides support for calculating Diffie-Hellman 97ddbb4114SMat Martineau public keys and shared secrets using values stored as keys 98ddbb4114SMat Martineau in the kernel. 99ddbb4114SMat Martineau 100ddbb4114SMat Martineau If you are unsure as to whether this is required, answer N. 101