mirror of https://github.com/Qortal/Brooklyn
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
102 lines
3.3 KiB
102 lines
3.3 KiB
# SPDX-License-Identifier: GPL-2.0-only |
|
# |
|
config INTEGRITY |
|
bool "Integrity subsystem" |
|
depends on SECURITY |
|
default y |
|
help |
|
This option enables the integrity subsystem, which is comprised |
|
of a number of different components including the Integrity |
|
Measurement Architecture (IMA), Extended Verification Module |
|
(EVM), IMA-appraisal extension, digital signature verification |
|
extension and audit measurement log support. |
|
|
|
Each of these components can be enabled/disabled separately. |
|
Refer to the individual components for additional details. |
|
|
|
if INTEGRITY |
|
|
|
config INTEGRITY_SIGNATURE |
|
bool "Digital signature verification using multiple keyrings" |
|
default n |
|
select KEYS |
|
select SIGNATURE |
|
help |
|
This option enables digital signature verification support |
|
using multiple keyrings. It defines separate keyrings for each |
|
of the different use cases - evm, ima, and modules. |
|
Different keyrings improves search performance, but also allow |
|
to "lock" certain keyring to prevent adding new keys. |
|
This is useful for evm and module keyrings, when keys are |
|
usually only added from initramfs. |
|
|
|
config INTEGRITY_ASYMMETRIC_KEYS |
|
bool "Enable asymmetric keys support" |
|
depends on INTEGRITY_SIGNATURE |
|
default n |
|
select ASYMMETRIC_KEY_TYPE |
|
select ASYMMETRIC_PUBLIC_KEY_SUBTYPE |
|
select CRYPTO_RSA |
|
select X509_CERTIFICATE_PARSER |
|
help |
|
This option enables digital signature verification using |
|
asymmetric keys. |
|
|
|
config INTEGRITY_TRUSTED_KEYRING |
|
bool "Require all keys on the integrity keyrings be signed" |
|
depends on SYSTEM_TRUSTED_KEYRING |
|
depends on INTEGRITY_ASYMMETRIC_KEYS |
|
default y |
|
help |
|
This option requires that all keys added to the .ima and |
|
.evm keyrings be signed by a key on the system trusted |
|
keyring. |
|
|
|
config INTEGRITY_PLATFORM_KEYRING |
|
bool "Provide keyring for platform/firmware trusted keys" |
|
depends on INTEGRITY_ASYMMETRIC_KEYS |
|
depends on SYSTEM_BLACKLIST_KEYRING |
|
help |
|
Provide a separate, distinct keyring for platform trusted keys, which |
|
the kernel automatically populates during initialization from values |
|
provided by the platform for verifying the kexec'ed kerned image |
|
and, possibly, the initramfs signature. |
|
|
|
config LOAD_UEFI_KEYS |
|
depends on INTEGRITY_PLATFORM_KEYRING |
|
depends on EFI |
|
def_bool y |
|
|
|
config LOAD_IPL_KEYS |
|
depends on INTEGRITY_PLATFORM_KEYRING |
|
depends on S390 |
|
def_bool y |
|
|
|
config LOAD_PPC_KEYS |
|
bool "Enable loading of platform and blacklisted keys for POWER" |
|
depends on INTEGRITY_PLATFORM_KEYRING |
|
depends on PPC_SECURE_BOOT |
|
default y |
|
help |
|
Enable loading of keys to the .platform keyring and blacklisted |
|
hashes to the .blacklist keyring for powerpc based platforms. |
|
|
|
config INTEGRITY_AUDIT |
|
bool "Enables integrity auditing support " |
|
depends on AUDIT |
|
default y |
|
help |
|
In addition to enabling integrity auditing support, this |
|
option adds a kernel parameter 'integrity_audit', which |
|
controls the level of integrity auditing messages. |
|
0 - basic integrity auditing messages (default) |
|
1 - additional integrity auditing messages |
|
|
|
Additional informational integrity auditing messages would |
|
be enabled by specifying 'integrity_audit=1' on the kernel |
|
command line. |
|
|
|
source "security/integrity/ima/Kconfig" |
|
source "security/integrity/evm/Kconfig" |
|
|
|
endif # if INTEGRITY
|
|
|