# SPDX-License-Identifier: GPL-2.0-only # # Integrity Policy Enforcement (IPE) configuration # menuconfig SECURITY_IPE bool "Integrity Policy Enforcement (IPE)" depends on SECURITY && SECURITYFS && AUDIT && AUDITSYSCALL select PKCS7_MESSAGE_PARSER select SYSTEM_DATA_VERIFICATION select IPE_PROP_DM_VERITY if DM_VERITY select IPE_PROP_DM_VERITY_SIGNATURE if DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG select IPE_PROP_FS_VERITY if FS_VERITY select IPE_PROP_FS_VERITY_BUILTIN_SIG if FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES help This option enables the Integrity Policy Enforcement LSM allowing users to define a policy to enforce a trust-based access control. A key feature of IPE is a customizable policy to allow admins to reconfigure trust requirements on the fly. If unsure, answer N. if SECURITY_IPE config IPE_BOOT_POLICY string "Integrity policy to apply on system startup" help This option specifies a filepath to an IPE policy that is compiled into the kernel. This policy will be enforced until a policy update is deployed via the $securityfs/ipe/policies/$policy_name/active interface. If unsure, leave blank. config IPE_POLICY_SIG_SECONDARY_KEYRING bool "IPE policy update verification with secondary keyring" default y depends on SECONDARY_TRUSTED_KEYRING help Also allow the secondary trusted keyring to verify IPE policy updates. If unsure, answer Y. config IPE_POLICY_SIG_PLATFORM_KEYRING bool "IPE policy update verification with platform keyring" default y depends on INTEGRITY_PLATFORM_KEYRING help Also allow the platform keyring to verify IPE policy updates. If unsure, answer Y. menu "IPE Trust Providers" config IPE_PROP_DM_VERITY bool "Enable support for dm-verity based on root hash" depends on DM_VERITY help This option enables the 'dmverity_roothash' property within IPE policies. The property evaluates to TRUE when a file from a dm-verity volume is evaluated, and the volume's root hash matches the value supplied in the policy. config IPE_PROP_DM_VERITY_SIGNATURE bool "Enable support for dm-verity based on root hash signature" depends on DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG help This option enables the 'dmverity_signature' property within IPE policies. The property evaluates to TRUE when a file from a dm-verity volume, which has been mounted with a valid signed root hash, is evaluated. If unsure, answer Y. config IPE_PROP_FS_VERITY bool "Enable support for fs-verity based on file digest" depends on FS_VERITY help This option enables the 'fsverity_digest' property within IPE policies. The property evaluates to TRUE when a file is fsverity enabled and its digest matches the supplied digest value in the policy. if unsure, answer Y. config IPE_PROP_FS_VERITY_BUILTIN_SIG bool "Enable support for fs-verity based on builtin signature" depends on FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES help This option enables the 'fsverity_signature' property within IPE policies. The property evaluates to TRUE when a file is fsverity enabled and it has a valid builtin signature whose signing cert is in the .fs-verity keyring. if unsure, answer Y. endmenu config SECURITY_IPE_KUNIT_TEST bool "Build KUnit tests for IPE" if !KUNIT_ALL_TESTS depends on KUNIT=y default KUNIT_ALL_TESTS help This builds the IPE KUnit tests. KUnit tests run during boot and output the results to the debug log in TAP format (https://testanything.org/). Only useful for kernel devs running KUnit test harness and are not for inclusion into a production build. For more information on KUnit and unit tests in general please refer to the KUnit documentation in Documentation/dev-tools/kunit/. If unsure, say N. endif