1f0894940SDavid Howells# 2f0894940SDavid Howells# Key management configuration 3f0894940SDavid Howells# 4f0894940SDavid Howells 5f0894940SDavid Howellsconfig KEYS 6f0894940SDavid Howells bool "Enable access key retention support" 7b2a4df20SDavid Howells select ASSOCIATIVE_ARRAY 8f0894940SDavid Howells help 9f0894940SDavid Howells This option provides support for retaining authentication tokens and 10f0894940SDavid Howells access keys in the kernel. 11f0894940SDavid Howells 12f0894940SDavid Howells It also includes provision of methods by which such keys might be 13f0894940SDavid Howells associated with a process so that network filesystems, encryption 14f0894940SDavid Howells support and the like can find them. 15f0894940SDavid Howells 16f0894940SDavid Howells Furthermore, a special type of key is available that acts as keyring: 17f0894940SDavid Howells a searchable sequence of keys. Each process is equipped with access 18f0894940SDavid Howells to five standard keyrings: UID-specific, GID-specific, session, 19f0894940SDavid Howells process and thread. 20f0894940SDavid Howells 21f0894940SDavid Howells If you are unsure as to whether this is required, answer N. 22f0894940SDavid Howells 23f36f8c75SDavid Howellsconfig PERSISTENT_KEYRINGS 24f36f8c75SDavid Howells bool "Enable register of persistent per-UID keyrings" 25f36f8c75SDavid Howells depends on KEYS 26f36f8c75SDavid Howells help 27f36f8c75SDavid Howells This option provides a register of persistent per-UID keyrings, 28f36f8c75SDavid Howells primarily aimed at Kerberos key storage. The keyrings are persistent 29f36f8c75SDavid Howells in the sense that they stay around after all processes of that UID 30f36f8c75SDavid Howells have exited, not that they survive the machine being rebooted. 31f36f8c75SDavid Howells 32f36f8c75SDavid Howells A particular keyring may be accessed by either the user whose keyring 33f36f8c75SDavid Howells it is or by a process with administrative privileges. The active 34f36f8c75SDavid Howells LSMs gets to rule on which admin-level processes get to access the 35f36f8c75SDavid Howells cache. 36f36f8c75SDavid Howells 37f36f8c75SDavid Howells Keyrings are created and added into the register upon demand and get 38f36f8c75SDavid Howells removed if they expire (a default timeout is set upon creation). 39f36f8c75SDavid Howells 40ab3c3587SDavid Howellsconfig BIG_KEYS 412eaf6b5dSJosh Boyer bool "Large payload keys" 42ab3c3587SDavid Howells depends on KEYS 43ab3c3587SDavid Howells depends on TMPFS 44ab3c3587SDavid Howells help 45ab3c3587SDavid Howells This option provides support for holding large keys within the kernel 46ab3c3587SDavid Howells (for example Kerberos ticket caches). The data may be stored out to 47ab3c3587SDavid Howells swapspace by tmpfs. 48ab3c3587SDavid Howells 49ab3c3587SDavid Howells If you are unsure as to whether this is required, answer N. 50ab3c3587SDavid Howells 51f0894940SDavid Howellsconfig TRUSTED_KEYS 52f0894940SDavid Howells tristate "TRUSTED KEYS" 53f0894940SDavid Howells depends on KEYS && TCG_TPM 54f0894940SDavid Howells select CRYPTO 55f0894940SDavid Howells select CRYPTO_HMAC 56f0894940SDavid Howells select CRYPTO_SHA1 575ca4c20cSJarkko Sakkinen select CRYPTO_HASH_INFO 58f0894940SDavid Howells help 59f0894940SDavid Howells This option provides support for creating, sealing, and unsealing 60f0894940SDavid Howells keys in the kernel. Trusted keys are random number symmetric keys, 61f0894940SDavid Howells generated and RSA-sealed by the TPM. The TPM only unseals the keys, 62f0894940SDavid Howells if the boot PCRs and other criteria match. Userspace will only ever 63f0894940SDavid Howells see encrypted blobs. 64f0894940SDavid Howells 65f0894940SDavid Howells If you are unsure as to whether this is required, answer N. 66f0894940SDavid Howells 67f0894940SDavid Howellsconfig ENCRYPTED_KEYS 68f0894940SDavid Howells tristate "ENCRYPTED KEYS" 69f0894940SDavid Howells depends on KEYS 70f0894940SDavid Howells select CRYPTO 71f0894940SDavid Howells select CRYPTO_HMAC 72f0894940SDavid Howells select CRYPTO_AES 73f0894940SDavid Howells select CRYPTO_CBC 74f0894940SDavid Howells select CRYPTO_SHA256 75f0894940SDavid Howells select CRYPTO_RNG 76f0894940SDavid Howells help 77f0894940SDavid Howells This option provides support for create/encrypting/decrypting keys 78f0894940SDavid Howells in the kernel. Encrypted keys are kernel generated random numbers, 79f0894940SDavid Howells which are encrypted/decrypted with a 'master' symmetric key. The 80f0894940SDavid Howells 'master' key can be either a trusted-key or user-key type. 81f0894940SDavid Howells Userspace only ever sees/stores encrypted blobs. 82f0894940SDavid Howells 83f0894940SDavid Howells If you are unsure as to whether this is required, answer N. 84