1# SPDX-License-Identifier: GPL-2.0-only 2# 3# Key management configuration 4# 5 6config KEYS 7 bool "Enable access key retention support" 8 select ASSOCIATIVE_ARRAY 9 help 10 This option provides support for retaining authentication tokens and 11 access keys in the kernel. 12 13 It also includes provision of methods by which such keys might be 14 associated with a process so that network filesystems, encryption 15 support and the like can find them. 16 17 Furthermore, a special type of key is available that acts as keyring: 18 a searchable sequence of keys. Each process is equipped with access 19 to five standard keyrings: UID-specific, GID-specific, session, 20 process and thread. 21 22 If you are unsure as to whether this is required, answer N. 23 24config KEYS_COMPAT 25 def_bool y 26 depends on COMPAT && KEYS 27 28config PERSISTENT_KEYRINGS 29 bool "Enable register of persistent per-UID keyrings" 30 depends on KEYS 31 help 32 This option provides a register of persistent per-UID keyrings, 33 primarily aimed at Kerberos key storage. The keyrings are persistent 34 in the sense that they stay around after all processes of that UID 35 have exited, not that they survive the machine being rebooted. 36 37 A particular keyring may be accessed by either the user whose keyring 38 it is or by a process with administrative privileges. The active 39 LSMs gets to rule on which admin-level processes get to access the 40 cache. 41 42 Keyrings are created and added into the register upon demand and get 43 removed if they expire (a default timeout is set upon creation). 44 45config BIG_KEYS 46 bool "Large payload keys" 47 depends on KEYS 48 depends on TMPFS 49 select CRYPTO 50 select CRYPTO_AES 51 select CRYPTO_GCM 52 help 53 This option provides support for holding large keys within the kernel 54 (for example Kerberos ticket caches). The data may be stored out to 55 swapspace by tmpfs. 56 57 If you are unsure as to whether this is required, answer N. 58 59config TRUSTED_KEYS 60 tristate "TRUSTED KEYS" 61 depends on KEYS && TCG_TPM 62 select CRYPTO 63 select CRYPTO_HMAC 64 select CRYPTO_SHA1 65 select CRYPTO_HASH_INFO 66 help 67 This option provides support for creating, sealing, and unsealing 68 keys in the kernel. Trusted keys are random number symmetric keys, 69 generated and RSA-sealed by the TPM. The TPM only unseals the keys, 70 if the boot PCRs and other criteria match. Userspace will only ever 71 see encrypted blobs. 72 73 If you are unsure as to whether this is required, answer N. 74 75config ENCRYPTED_KEYS 76 tristate "ENCRYPTED KEYS" 77 depends on KEYS 78 select CRYPTO 79 select CRYPTO_HMAC 80 select CRYPTO_AES 81 select CRYPTO_CBC 82 select CRYPTO_SHA256 83 select CRYPTO_RNG 84 help 85 This option provides support for create/encrypting/decrypting keys 86 in the kernel. Encrypted keys are kernel generated random numbers, 87 which are encrypted/decrypted with a 'master' symmetric key. The 88 'master' key can be either a trusted-key or user-key type. 89 Userspace only ever sees/stores encrypted blobs. 90 91 If you are unsure as to whether this is required, answer N. 92 93config KEY_DH_OPERATIONS 94 bool "Diffie-Hellman operations on retained keys" 95 depends on KEYS 96 select CRYPTO 97 select CRYPTO_HASH 98 select CRYPTO_DH 99 help 100 This option provides support for calculating Diffie-Hellman 101 public keys and shared secrets using values stored as keys 102 in the kernel. 103 104 If you are unsure as to whether this is required, answer N. 105