Kconfig (5087fd9e80e539d2163accd045b73da64de7de95) | Kconfig (90f6f691a706754e33d2d0c6fa2e1dacedb477f6) |
---|---|
1# SPDX-License-Identifier: GPL-2.0-only 2# IBM Integrity Measurement Architecture 3# 4config IMA 5 bool "Integrity Measurement Architecture(IMA)" 6 select SECURITYFS 7 select CRYPTO 8 select CRYPTO_HMAC --- 234 unchanged lines hidden (view full) --- 243 select MODULE_SIG_FORMAT 244 default n 245 help 246 Adds support for signatures appended to files. The format of the 247 appended signature is the same used for signed kernel modules. 248 The modsig keyword can be used in the IMA policy to allow a hook 249 to accept such signatures. 250 | 1# SPDX-License-Identifier: GPL-2.0-only 2# IBM Integrity Measurement Architecture 3# 4config IMA 5 bool "Integrity Measurement Architecture(IMA)" 6 select SECURITYFS 7 select CRYPTO 8 select CRYPTO_HMAC --- 234 unchanged lines hidden (view full) --- 243 select MODULE_SIG_FORMAT 244 default n 245 help 246 Adds support for signatures appended to files. The format of the 247 appended signature is the same used for signed kernel modules. 248 The modsig keyword can be used in the IMA policy to allow a hook 249 to accept such signatures. 250 |
251config IMA_TRUSTED_KEYRING 252 bool "Require all keys on the .ima keyring be signed (deprecated)" 253 depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING 254 depends on INTEGRITY_ASYMMETRIC_KEYS 255 select INTEGRITY_TRUSTED_KEYRING 256 default y 257 help 258 This option requires that all keys added to the .ima 259 keyring be signed by a key on the system trusted keyring. 260 261 This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING 262 |
|
251config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY 252 bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)" 253 depends on SYSTEM_TRUSTED_KEYRING 254 depends on SECONDARY_TRUSTED_KEYRING 255 depends on INTEGRITY_ASYMMETRIC_KEYS 256 select INTEGRITY_TRUSTED_KEYRING 257 default n 258 help 259 Keys may be added to the IMA or IMA blacklist keyrings, if the 260 key is validly signed by a CA cert in the system built-in or | 263config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY 264 bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)" 265 depends on SYSTEM_TRUSTED_KEYRING 266 depends on SECONDARY_TRUSTED_KEYRING 267 depends on INTEGRITY_ASYMMETRIC_KEYS 268 select INTEGRITY_TRUSTED_KEYRING 269 default n 270 help 271 Keys may be added to the IMA or IMA blacklist keyrings, if the 272 key is validly signed by a CA cert in the system built-in or |
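Review bot: IMA_TRUSTED_KEYRING exists only in the 90f6f691 column, and it is still `default y` and `select INTEGRITY_TRUSTED_KEYRING` while its own help text calls it deprecated in favour of INTEGRITY_TRUSTED_KEYRING. In the 5087fd9e column the only remaining selector of INTEGRITY_TRUSTED_KEYRING visible here is IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY, which is `default n`, so a config that relied on the deprecated symbol to pull in INTEGRITY_TRUSTED_KEYRING would silently lose that restriction. Suggest confirming that defconfigs and documentation referencing CONFIG_IMA_TRUSTED_KEYRING are switched to CONFIG_INTEGRITY_TRUSTED_KEYRING, and that the "(deprecated)" title in the 90f6f691 column names the replacement directly, e.g. `bool "Require all keys on the .ima keyring be signed (deprecated, use INTEGRITY_TRUSTED_KEYRING)"`.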
261 secondary trusted keyrings. | 273 secondary trusted keyrings. The key must also have the 274 digitalSignature usage set. |
262 263 Intermediate keys between those the kernel has compiled in and the 264 IMA keys to be added may be added to the system secondary keyring, 265 provided they are validly signed by a key already resident in the 266 built-in or secondary trusted keyrings. 267 268config IMA_BLACKLIST_KEYRING 269 bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)" --- 59 unchanged lines hidden --- | 275 276 Intermediate keys between those the kernel has compiled in and the 277 IMA keys to be added may be added to the system secondary keyring, 278 provided they are validly signed by a key already resident in the 279 built-in or secondary trusted keyrings. 280 281config IMA_BLACKLIST_KEYRING 282 bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)" --- 59 unchanged lines hidden --- |
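Review bot: the sentence "The key must also have the digitalSignature usage set." appears only in the 90f6f691 column, and it is ambiguous about scope: the preceding sentence covers keys added to "the IMA or IMA blacklist keyrings", so the help should say whether the digitalSignature usage requirement applies to both keyrings or only to the IMA keyring. The option title, "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)", also still describes only the CA-signature condition, so a reader enabling this option from the title alone would not expect keys without the digitalSignature key usage to be rejected. Suggest extending the title or the first help sentence, e.g. "Keys may be added to the IMA or IMA blacklist keyrings if the key is validly signed by a CA cert in the system built-in or secondary trusted keyrings and carries the digitalSignature key usage."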