1f0894940SDavid Howells# 2f0894940SDavid Howells# Key management configuration 3f0894940SDavid Howells# 4f0894940SDavid Howells 5f0894940SDavid Howellsconfig KEYS 6f0894940SDavid Howells bool "Enable access key retention support" 7b2a4df20SDavid Howells select ASSOCIATIVE_ARRAY 8f0894940SDavid Howells help 9f0894940SDavid Howells This option provides support for retaining authentication tokens and 10f0894940SDavid Howells access keys in the kernel. 11f0894940SDavid Howells 12f0894940SDavid Howells It also includes provision of methods by which such keys might be 13f0894940SDavid Howells associated with a process so that network filesystems, encryption 14f0894940SDavid Howells support and the like can find them. 15f0894940SDavid Howells 16f0894940SDavid Howells Furthermore, a special type of key is available that acts as keyring: 17f0894940SDavid Howells a searchable sequence of keys. Each process is equipped with access 18f0894940SDavid Howells to five standard keyrings: UID-specific, GID-specific, session, 19f0894940SDavid Howells process and thread. 20f0894940SDavid Howells 21f0894940SDavid Howells If you are unsure as to whether this is required, answer N. 22f0894940SDavid Howells 23ab3c3587SDavid Howellsconfig BIG_KEYS 24ab3c3587SDavid Howells tristate "Large payload keys" 25ab3c3587SDavid Howells depends on KEYS 26ab3c3587SDavid Howells depends on TMPFS 27ab3c3587SDavid Howells help 28ab3c3587SDavid Howells This option provides support for holding large keys within the kernel 29ab3c3587SDavid Howells (for example Kerberos ticket caches). The data may be stored out to 30ab3c3587SDavid Howells swapspace by tmpfs. 31ab3c3587SDavid Howells 32ab3c3587SDavid Howells If you are unsure as to whether this is required, answer N. 33ab3c3587SDavid Howells 34f0894940SDavid Howellsconfig TRUSTED_KEYS 35f0894940SDavid Howells tristate "TRUSTED KEYS" 36f0894940SDavid Howells depends on KEYS && TCG_TPM 37f0894940SDavid Howells select CRYPTO 38f0894940SDavid Howells select CRYPTO_HMAC 39f0894940SDavid Howells select CRYPTO_SHA1 40f0894940SDavid Howells help 41f0894940SDavid Howells This option provides support for creating, sealing, and unsealing 42f0894940SDavid Howells keys in the kernel. Trusted keys are random number symmetric keys, 43f0894940SDavid Howells generated and RSA-sealed by the TPM. The TPM only unseals the keys, 44f0894940SDavid Howells if the boot PCRs and other criteria match. Userspace will only ever 45f0894940SDavid Howells see encrypted blobs. 46f0894940SDavid Howells 47f0894940SDavid Howells If you are unsure as to whether this is required, answer N. 48f0894940SDavid Howells 49f0894940SDavid Howellsconfig ENCRYPTED_KEYS 50f0894940SDavid Howells tristate "ENCRYPTED KEYS" 51f0894940SDavid Howells depends on KEYS 52f0894940SDavid Howells select CRYPTO 53f0894940SDavid Howells select CRYPTO_HMAC 54f0894940SDavid Howells select CRYPTO_AES 55f0894940SDavid Howells select CRYPTO_CBC 56f0894940SDavid Howells select CRYPTO_SHA256 57f0894940SDavid Howells select CRYPTO_RNG 58f0894940SDavid Howells help 59f0894940SDavid Howells This option provides support for create/encrypting/decrypting keys 60f0894940SDavid Howells in the kernel. Encrypted keys are kernel generated random numbers, 61f0894940SDavid Howells which are encrypted/decrypted with a 'master' symmetric key. The 62f0894940SDavid Howells 'master' key can be either a trusted-key or user-key type. 63f0894940SDavid Howells Userspace only ever sees/stores encrypted blobs. 64f0894940SDavid Howells 65f0894940SDavid Howells If you are unsure as to whether this is required, answer N. 66f0894940SDavid Howells 67f0894940SDavid Howellsconfig KEYS_DEBUG_PROC_KEYS 68f0894940SDavid Howells bool "Enable the /proc/keys file by which keys may be viewed" 69f0894940SDavid Howells depends on KEYS 70f0894940SDavid Howells help 71f0894940SDavid Howells This option turns on support for the /proc/keys file - through which 72f0894940SDavid Howells can be listed all the keys on the system that are viewable by the 73f0894940SDavid Howells reading process. 74f0894940SDavid Howells 75f0894940SDavid Howells The only keys included in the list are those that grant View 76f0894940SDavid Howells permission to the reading process whether or not it possesses them. 77f0894940SDavid Howells Note that LSM security checks are still performed, and may further 78f0894940SDavid Howells filter out keys that the current process is not authorised to view. 79f0894940SDavid Howells 80f0894940SDavid Howells Only key attributes are listed here; key payloads are not included in 81f0894940SDavid Howells the resulting table. 82f0894940SDavid Howells 83f0894940SDavid Howells If you are unsure as to whether this is required, answer N. 84