1f0894940SDavid Howells# 2f0894940SDavid Howells# Key management configuration 3f0894940SDavid Howells# 4f0894940SDavid Howells 5f0894940SDavid Howellsconfig KEYS 6f0894940SDavid Howells bool "Enable access key retention support" 7b2a4df20SDavid Howells select ASSOCIATIVE_ARRAY 8f0894940SDavid Howells help 9f0894940SDavid Howells This option provides support for retaining authentication tokens and 10f0894940SDavid Howells access keys in the kernel. 11f0894940SDavid Howells 12f0894940SDavid Howells It also includes provision of methods by which such keys might be 13f0894940SDavid Howells associated with a process so that network filesystems, encryption 14f0894940SDavid Howells support and the like can find them. 15f0894940SDavid Howells 16f0894940SDavid Howells Furthermore, a special type of key is available that acts as keyring: 17f0894940SDavid Howells a searchable sequence of keys. Each process is equipped with access 18f0894940SDavid Howells to five standard keyrings: UID-specific, GID-specific, session, 19f0894940SDavid Howells process and thread. 20f0894940SDavid Howells 21f0894940SDavid Howells If you are unsure as to whether this is required, answer N. 22f0894940SDavid Howells 23f36f8c75SDavid Howellsconfig PERSISTENT_KEYRINGS 24f36f8c75SDavid Howells bool "Enable register of persistent per-UID keyrings" 25f36f8c75SDavid Howells depends on KEYS 26f36f8c75SDavid Howells help 27f36f8c75SDavid Howells This option provides a register of persistent per-UID keyrings, 28f36f8c75SDavid Howells primarily aimed at Kerberos key storage. The keyrings are persistent 29f36f8c75SDavid Howells in the sense that they stay around after all processes of that UID 30f36f8c75SDavid Howells have exited, not that they survive the machine being rebooted. 31f36f8c75SDavid Howells 32f36f8c75SDavid Howells A particular keyring may be accessed by either the user whose keyring 33f36f8c75SDavid Howells it is or by a process with administrative privileges. The active 34f36f8c75SDavid Howells LSMs gets to rule on which admin-level processes get to access the 35f36f8c75SDavid Howells cache. 36f36f8c75SDavid Howells 37f36f8c75SDavid Howells Keyrings are created and added into the register upon demand and get 38f36f8c75SDavid Howells removed if they expire (a default timeout is set upon creation). 39f36f8c75SDavid Howells 40ab3c3587SDavid Howellsconfig BIG_KEYS 41ab3c3587SDavid Howells tristate "Large payload keys" 42ab3c3587SDavid Howells depends on KEYS 43ab3c3587SDavid Howells depends on TMPFS 44ab3c3587SDavid Howells help 45ab3c3587SDavid Howells This option provides support for holding large keys within the kernel 46ab3c3587SDavid Howells (for example Kerberos ticket caches). The data may be stored out to 47ab3c3587SDavid Howells swapspace by tmpfs. 48ab3c3587SDavid Howells 49ab3c3587SDavid Howells If you are unsure as to whether this is required, answer N. 50ab3c3587SDavid Howells 51f0894940SDavid Howellsconfig TRUSTED_KEYS 52f0894940SDavid Howells tristate "TRUSTED KEYS" 53f0894940SDavid Howells depends on KEYS && TCG_TPM 54f0894940SDavid Howells select CRYPTO 55f0894940SDavid Howells select CRYPTO_HMAC 56f0894940SDavid Howells select CRYPTO_SHA1 57f0894940SDavid Howells help 58f0894940SDavid Howells This option provides support for creating, sealing, and unsealing 59f0894940SDavid Howells keys in the kernel. Trusted keys are random number symmetric keys, 60f0894940SDavid Howells generated and RSA-sealed by the TPM. The TPM only unseals the keys, 61f0894940SDavid Howells if the boot PCRs and other criteria match. Userspace will only ever 62f0894940SDavid Howells see encrypted blobs. 63f0894940SDavid Howells 64f0894940SDavid Howells If you are unsure as to whether this is required, answer N. 65f0894940SDavid Howells 66f0894940SDavid Howellsconfig ENCRYPTED_KEYS 67f0894940SDavid Howells tristate "ENCRYPTED KEYS" 68f0894940SDavid Howells depends on KEYS 69f0894940SDavid Howells select CRYPTO 70f0894940SDavid Howells select CRYPTO_HMAC 71f0894940SDavid Howells select CRYPTO_AES 72f0894940SDavid Howells select CRYPTO_CBC 73f0894940SDavid Howells select CRYPTO_SHA256 74f0894940SDavid Howells select CRYPTO_RNG 75f0894940SDavid Howells help 76f0894940SDavid Howells This option provides support for create/encrypting/decrypting keys 77f0894940SDavid Howells in the kernel. Encrypted keys are kernel generated random numbers, 78f0894940SDavid Howells which are encrypted/decrypted with a 'master' symmetric key. The 79f0894940SDavid Howells 'master' key can be either a trusted-key or user-key type. 80f0894940SDavid Howells Userspace only ever sees/stores encrypted blobs. 81f0894940SDavid Howells 82f0894940SDavid Howells If you are unsure as to whether this is required, answer N. 83f0894940SDavid Howells 84f0894940SDavid Howellsconfig KEYS_DEBUG_PROC_KEYS 85f0894940SDavid Howells bool "Enable the /proc/keys file by which keys may be viewed" 86f0894940SDavid Howells depends on KEYS 87f0894940SDavid Howells help 88f0894940SDavid Howells This option turns on support for the /proc/keys file - through which 89f0894940SDavid Howells can be listed all the keys on the system that are viewable by the 90f0894940SDavid Howells reading process. 91f0894940SDavid Howells 92f0894940SDavid Howells The only keys included in the list are those that grant View 93f0894940SDavid Howells permission to the reading process whether or not it possesses them. 94f0894940SDavid Howells Note that LSM security checks are still performed, and may further 95f0894940SDavid Howells filter out keys that the current process is not authorised to view. 96f0894940SDavid Howells 97f0894940SDavid Howells Only key attributes are listed here; key payloads are not included in 98f0894940SDavid Howells the resulting table. 99f0894940SDavid Howells 100f0894940SDavid Howells If you are unsure as to whether this is required, answer N. 101