1ec8f24b7SThomas Gleixner# SPDX-License-Identifier: GPL-2.0-only 2f0894940SDavid Howells# 3f0894940SDavid Howells# Key management configuration 4f0894940SDavid Howells# 5f0894940SDavid Howells 6f0894940SDavid Howellsconfig KEYS 7f0894940SDavid Howells bool "Enable access key retention support" 8b2a4df20SDavid Howells select ASSOCIATIVE_ARRAY 9f0894940SDavid Howells help 10f0894940SDavid Howells This option provides support for retaining authentication tokens and 11f0894940SDavid Howells access keys in the kernel. 12f0894940SDavid Howells 13f0894940SDavid Howells It also includes provision of methods by which such keys might be 14f0894940SDavid Howells associated with a process so that network filesystems, encryption 15f0894940SDavid Howells support and the like can find them. 16f0894940SDavid Howells 17f0894940SDavid Howells Furthermore, a special type of key is available that acts as keyring: 18f0894940SDavid Howells a searchable sequence of keys. Each process is equipped with access 19f0894940SDavid Howells to five standard keyrings: UID-specific, GID-specific, session, 20f0894940SDavid Howells process and thread. 21f0894940SDavid Howells 22f0894940SDavid Howells If you are unsure as to whether this is required, answer N. 23f0894940SDavid Howells 2447b2c3ffSBilal Amarniconfig KEYS_COMPAT 2547b2c3ffSBilal Amarni def_bool y 2647b2c3ffSBilal Amarni depends on COMPAT && KEYS 2747b2c3ffSBilal Amarni 28f36f8c75SDavid Howellsconfig PERSISTENT_KEYRINGS 29f36f8c75SDavid Howells bool "Enable register of persistent per-UID keyrings" 30f36f8c75SDavid Howells depends on KEYS 31f36f8c75SDavid Howells help 32f36f8c75SDavid Howells This option provides a register of persistent per-UID keyrings, 33f36f8c75SDavid Howells primarily aimed at Kerberos key storage. The keyrings are persistent 34f36f8c75SDavid Howells in the sense that they stay around after all processes of that UID 35f36f8c75SDavid Howells have exited, not that they survive the machine being rebooted. 36f36f8c75SDavid Howells 37f36f8c75SDavid Howells A particular keyring may be accessed by either the user whose keyring 38f36f8c75SDavid Howells it is or by a process with administrative privileges. The active 39f36f8c75SDavid Howells LSMs gets to rule on which admin-level processes get to access the 40f36f8c75SDavid Howells cache. 41f36f8c75SDavid Howells 42f36f8c75SDavid Howells Keyrings are created and added into the register upon demand and get 43f36f8c75SDavid Howells removed if they expire (a default timeout is set upon creation). 44f36f8c75SDavid Howells 45ab3c3587SDavid Howellsconfig BIG_KEYS 462eaf6b5dSJosh Boyer bool "Large payload keys" 47ab3c3587SDavid Howells depends on KEYS 48ab3c3587SDavid Howells depends on TMPFS 493cd18d19SArnd Bergmann select CRYPTO 5013100a72SKirill Marinushkin select CRYPTO_AES 51428490e3SJason A. Donenfeld select CRYPTO_GCM 52ab3c3587SDavid Howells help 53ab3c3587SDavid Howells This option provides support for holding large keys within the kernel 54ab3c3587SDavid Howells (for example Kerberos ticket caches). The data may be stored out to 55ab3c3587SDavid Howells swapspace by tmpfs. 56ab3c3587SDavid Howells 57ab3c3587SDavid Howells If you are unsure as to whether this is required, answer N. 58ab3c3587SDavid Howells 59f0894940SDavid Howellsconfig TRUSTED_KEYS 60f0894940SDavid Howells tristate "TRUSTED KEYS" 61f0894940SDavid Howells depends on KEYS && TCG_TPM 62f0894940SDavid Howells select CRYPTO 63f0894940SDavid Howells select CRYPTO_HMAC 64f0894940SDavid Howells select CRYPTO_SHA1 655ca4c20cSJarkko Sakkinen select CRYPTO_HASH_INFO 66f0894940SDavid Howells help 67f0894940SDavid Howells This option provides support for creating, sealing, and unsealing 68f0894940SDavid Howells keys in the kernel. Trusted keys are random number symmetric keys, 69f0894940SDavid Howells generated and RSA-sealed by the TPM. The TPM only unseals the keys, 70f0894940SDavid Howells if the boot PCRs and other criteria match. Userspace will only ever 71f0894940SDavid Howells see encrypted blobs. 72f0894940SDavid Howells 73f0894940SDavid Howells If you are unsure as to whether this is required, answer N. 74f0894940SDavid Howells 75f0894940SDavid Howellsconfig ENCRYPTED_KEYS 76f0894940SDavid Howells tristate "ENCRYPTED KEYS" 77f0894940SDavid Howells depends on KEYS 78f0894940SDavid Howells select CRYPTO 79f0894940SDavid Howells select CRYPTO_HMAC 80f0894940SDavid Howells select CRYPTO_AES 81f0894940SDavid Howells select CRYPTO_CBC 82f0894940SDavid Howells select CRYPTO_SHA256 83f0894940SDavid Howells select CRYPTO_RNG 84f0894940SDavid Howells help 85f0894940SDavid Howells This option provides support for create/encrypting/decrypting keys 86f0894940SDavid Howells in the kernel. Encrypted keys are kernel generated random numbers, 87f0894940SDavid Howells which are encrypted/decrypted with a 'master' symmetric key. The 88f0894940SDavid Howells 'master' key can be either a trusted-key or user-key type. 89f0894940SDavid Howells Userspace only ever sees/stores encrypted blobs. 90f0894940SDavid Howells 91f0894940SDavid Howells If you are unsure as to whether this is required, answer N. 92ddbb4114SMat Martineau 93ddbb4114SMat Martineauconfig KEY_DH_OPERATIONS 94ddbb4114SMat Martineau bool "Diffie-Hellman operations on retained keys" 95ddbb4114SMat Martineau depends on KEYS 964cd4ca7cSStephan Müller select CRYPTO 97f1c316a3SStephan Mueller select CRYPTO_HASH 987cbe0932SMat Martineau select CRYPTO_DH 99ddbb4114SMat Martineau help 100ddbb4114SMat Martineau This option provides support for calculating Diffie-Hellman 101ddbb4114SMat Martineau public keys and shared secrets using values stored as keys 102ddbb4114SMat Martineau in the kernel. 103ddbb4114SMat Martineau 104ddbb4114SMat Martineau If you are unsure as to whether this is required, answer N. 105