Kconfig (b0e22b47f650b53dbb094cd0011a48f6f3ae3e29) | Kconfig (781a5739489949fd0f32432a9da17f7ddbccf1cc) |
---|---|
1# SPDX-License-Identifier: GPL-2.0 2menu "Certificates for signature checking" 3 4config MODULE_SIG_KEY 5 string "File name or PKCS#11 URI of module signing key" 6 default "certs/signing_key.pem" | 1# SPDX-License-Identifier: GPL-2.0 2menu "Certificates for signature checking" 3 4config MODULE_SIG_KEY 5 string "File name or PKCS#11 URI of module signing key" 6 default "certs/signing_key.pem" |
7 depends on MODULE_SIG | 7 depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES) |
8 help 9 Provide the file name of a private key/certificate in PEM format, 10 or a PKCS#11 URI according to RFC7512. The file should contain, or 11 the URI should identify, both the certificate and its corresponding 12 private key. 13 14 If this option is unchanged from its default "certs/signing_key.pem", 15 then the kernel will automatically generate the private key and --- 62 unchanged lines hidden (view full) --- 78 string "Hashes to be preloaded into the system blacklist keyring" 79 depends on SYSTEM_BLACKLIST_KEYRING 80 help 81 If set, this option should be the filename of a list of hashes in the 82 form "<hash>", "<hash>", ... . This will be included into a C 83 wrapper to incorporate the list into the kernel. Each <hash> should 84 be a string of hex digits. 85 | 8 help 9 Provide the file name of a private key/certificate in PEM format, 10 or a PKCS#11 URI according to RFC7512. The file should contain, or 11 the URI should identify, both the certificate and its corresponding 12 private key. 13 14 If this option is unchanged from its default "certs/signing_key.pem", 15 then the kernel will automatically generate the private key and --- 62 unchanged lines hidden (view full) --- 78 string "Hashes to be preloaded into the system blacklist keyring" 79 depends on SYSTEM_BLACKLIST_KEYRING 80 help 81 If set, this option should be the filename of a list of hashes in the 82 form "<hash>", "<hash>", ... . This will be included into a C 83 wrapper to incorporate the list into the kernel. Each <hash> should 84 be a string of hex digits. 85 |
86config SYSTEM_REVOCATION_LIST 87 bool "Provide system-wide ring of revocation certificates" 88 depends on SYSTEM_BLACKLIST_KEYRING 89 depends on PKCS7_MESSAGE_PARSER=y 90 help 91 If set, this allows revocation certificates to be stored in the 92 blacklist keyring and implements a hook whereby a PKCS#7 message can 93 be checked to see if it matches such a certificate. 94 95config SYSTEM_REVOCATION_KEYS 96 string "X.509 certificates to be preloaded into the system blacklist keyring" 97 depends on SYSTEM_REVOCATION_LIST 98 help 99 If set, this option should be the filename of a PEM-formatted file 100 containing X.509 certificates to be included in the default blacklist 101 keyring. 102 | |
103endmenu | 86endmenu |
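
Review bot: At line 7 of the right column, `depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES)` makes MODULE_SIG_KEY selectable with MODULE_SIG disabled, but the prompt ("module signing key") and the help text at lines 8-15 are unchanged and still describe the key only in module-signing terms. Suggest adding a sentence to the help saying the key is also used when only IMA_APPRAISE_MODSIG and MODULES are set. Otherwise someone building without MODULE_SIG has no explanation for why a key at the default `certs/signing_key.pem` is requested or automatically generated.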
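
Review bot: The SYSTEM_REVOCATION_LIST and SYSTEM_REVOCATION_KEYS entries at lines 86-102 of the left column have no counterpart in the right column, and nothing visible ties that difference to the dependency change at line 7. If the right-hand revision is the one being proposed, a configuration that sets SYSTEM_REVOCATION_KEYS would lose its preloaded X.509 revocation certificates with no Kconfig-level notice, and among the options shown here only the hash list at line 78 would still feed the blacklist keyring. That belongs in a separate change with its own justification, or the entries should be kept.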