1b2441318SGreg Kroah-Hartman# SPDX-License-Identifier: GPL-2.0
2cfc411e7SDavid Howellsmenu "Certificates for signature checking"
3cfc411e7SDavid Howells
4cfc411e7SDavid Howellsconfig MODULE_SIG_KEY
5cfc411e7SDavid Howells	string "File name or PKCS#11 URI of module signing key"
6cfc411e7SDavid Howells	default "certs/signing_key.pem"
7781a5739SNayna Jain	depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES)
8cfc411e7SDavid Howells	help
9cfc411e7SDavid Howells         Provide the file name of a private key/certificate in PEM format,
10cfc411e7SDavid Howells         or a PKCS#11 URI according to RFC7512. The file should contain, or
11cfc411e7SDavid Howells         the URI should identify, both the certificate and its corresponding
12cfc411e7SDavid Howells         private key.
13cfc411e7SDavid Howells
14cfc411e7SDavid Howells         If this option is unchanged from its default "certs/signing_key.pem",
15cfc411e7SDavid Howells         then the kernel build will automatically generate the private key and
165fb94e9cSMauro Carvalho Chehab         certificate as described in Documentation/admin-guide/module-signing.rst.
17cfc411e7SDavid Howells
18a4aed36eSStefan Bergerchoice
19a4aed36eSStefan Berger	prompt "Type of module signing key to be generated"
20be0d5fa7SMasahiro Yamada	depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES)
21a4aed36eSStefan Berger	help
22a4aed36eSStefan Berger	 The type of module signing key to generate. This option
23a4aed36eSStefan Berger	 does not apply if a PKCS#11 URI is used.
24a4aed36eSStefan Berger
25a4aed36eSStefan Bergerconfig MODULE_SIG_KEY_TYPE_RSA
26a4aed36eSStefan Berger	bool "RSA"
27a4aed36eSStefan Berger	help
28a4aed36eSStefan Berger	 Use an RSA key for module signing.
29a4aed36eSStefan Berger
30a4aed36eSStefan Bergerconfig MODULE_SIG_KEY_TYPE_ECDSA
31a4aed36eSStefan Berger	bool "ECDSA"
32a4aed36eSStefan Berger	select CRYPTO_ECDSA
33446b1e0bSDimitri John Ledkov	depends on !(MODULE_SIG_SHA256 || MODULE_SIG_SHA3_256)
34a4aed36eSStefan Berger	help
35d4f5bfe2SDimitri John Ledkov	 Use an elliptic curve key (NIST P384) for module signing. Use
36d4f5bfe2SDimitri John Ledkov	 a strong hash of the same or higher bit length, i.e. sha384 or
37d4f5bfe2SDimitri John Ledkov	 sha512, for hashing modules.
38a4aed36eSStefan Berger
39a4aed36eSStefan Berger	 Note: Remove all ECDSA signing keys, e.g. certs/signing_key.pem,
40a4aed36eSStefan Berger	 when falling back to building Linux 5.14 and older kernels.
41a4aed36eSStefan Berger
42a4aed36eSStefan Bergerendchoice
43a4aed36eSStefan Berger
44cfc411e7SDavid Howellsconfig SYSTEM_TRUSTED_KEYRING
45cfc411e7SDavid Howells	bool "Provide system-wide ring of trusted keys"
46cfc411e7SDavid Howells	depends on KEYS
4799716b7cSDavid Howells	depends on ASYMMETRIC_KEY_TYPE
482154aca2SMasahiro Yamada	depends on X509_CERTIFICATE_PARSER = y
49cfc411e7SDavid Howells	help
50cfc411e7SDavid Howells	  Provide a system keyring to which trusted keys can be added.  Keys in
51cfc411e7SDavid Howells	  the keyring are considered to be trusted.  Keys may be added at will
52cfc411e7SDavid Howells	  by the kernel from compiled-in data and from hardware key stores, but
53cfc411e7SDavid Howells	  userspace may only add extra keys if those keys can be verified by
54cfc411e7SDavid Howells	  keys already in the keyring.
55cfc411e7SDavid Howells
56cfc411e7SDavid Howells	  Keys in this keyring are used by module signature checking.
57cfc411e7SDavid Howells
58cfc411e7SDavid Howellsconfig SYSTEM_TRUSTED_KEYS
59cfc411e7SDavid Howells	string "Additional X.509 keys for default system keyring"
60cfc411e7SDavid Howells	depends on SYSTEM_TRUSTED_KEYRING
61cfc411e7SDavid Howells	help
62cfc411e7SDavid Howells	  If set, this option should be the filename of a PEM-formatted file
63cfc411e7SDavid Howells	  containing trusted X.509 certificates to be included in the default
64cfc411e7SDavid Howells	  system keyring. Any certificate used for module signing is implicitly
65cfc411e7SDavid Howells	  also trusted.
66cfc411e7SDavid Howells
67cfc411e7SDavid Howells	  NOTE: If you previously provided keys for the system keyring in the
68cfc411e7SDavid Howells	  form of DER-encoded *.x509 files in the top-level build directory,
69cfc411e7SDavid Howells	  those are no longer used. You will need to set this option instead.
70cfc411e7SDavid Howells
71c4c36105SMehmet Kayaalpconfig SYSTEM_EXTRA_CERTIFICATE
72c4c36105SMehmet Kayaalp	bool "Reserve area for inserting a certificate without recompiling"
73c4c36105SMehmet Kayaalp	depends on SYSTEM_TRUSTED_KEYRING
74c4c36105SMehmet Kayaalp	help
75c4c36105SMehmet Kayaalp	  If set, space for an extra certificate will be reserved in the kernel
76c4c36105SMehmet Kayaalp	  image. This allows introducing a trusted certificate to the default
77c4c36105SMehmet Kayaalp	  system keyring without recompiling the kernel.
78c4c36105SMehmet Kayaalp
79c4c36105SMehmet Kayaalpconfig SYSTEM_EXTRA_CERTIFICATE_SIZE
80c4c36105SMehmet Kayaalp	int "Number of bytes to reserve for the extra certificate"
81c4c36105SMehmet Kayaalp	depends on SYSTEM_EXTRA_CERTIFICATE
82c4c36105SMehmet Kayaalp	default 4096
83c4c36105SMehmet Kayaalp	help
84c4c36105SMehmet Kayaalp	  This is the number of bytes reserved in the kernel image for a
85c4c36105SMehmet Kayaalp	  certificate to be inserted.
86c4c36105SMehmet Kayaalp
87d3bfe841SDavid Howellsconfig SECONDARY_TRUSTED_KEYRING
88d3bfe841SDavid Howells	bool "Provide a keyring to which extra trustable keys may be added"
89d3bfe841SDavid Howells	depends on SYSTEM_TRUSTED_KEYRING
90d3bfe841SDavid Howells	help
91d3bfe841SDavid Howells	  If set, provide a keyring to which extra keys may be added, provided
92d3bfe841SDavid Howells	  those keys are not blacklisted and are vouched for by a key built
93*b4650306SMimi Zohar	  into the kernel, machine keyring (if configured), or already in the
94*b4650306SMimi Zohar	  secondary trusted keyring.
95*b4650306SMimi Zohar
96*b4650306SMimi Zoharconfig SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN
97*b4650306SMimi Zohar	bool "Only allow additional certs signed by keys on the builtin trusted keyring"
98*b4650306SMimi Zohar	depends on SECONDARY_TRUSTED_KEYRING
99*b4650306SMimi Zohar	help
100*b4650306SMimi Zohar	  If set, only certificates signed by keys on the builtin trusted
101*b4650306SMimi Zohar	  keyring may be loaded onto the secondary trusted keyring.
102*b4650306SMimi Zohar
103*b4650306SMimi Zohar	  Note: The machine keyring, if configured, will be linked to the
104*b4650306SMimi Zohar	  secondary keyring.  When enabling this option, it is recommended
105*b4650306SMimi Zohar	  to also configure INTEGRITY_CA_MACHINE_KEYRING_MAX to prevent
106*b4650306SMimi Zohar	  linking code signing keys with imputed trust to the secondary
107*b4650306SMimi Zohar	  trusted keyring.
108d3bfe841SDavid Howells
109734114f8SDavid Howellsconfig SYSTEM_BLACKLIST_KEYRING
110734114f8SDavid Howells	bool "Provide system-wide ring of blacklisted keys"
111734114f8SDavid Howells	depends on KEYS
112734114f8SDavid Howells	help
113734114f8SDavid Howells	  Provide a system keyring to which blacklisted keys can be added.
114734114f8SDavid Howells	  Keys in the keyring are considered entirely untrusted.  Keys in this
115734114f8SDavid Howells	  keyring are used by the module signature checking to reject loading
116734114f8SDavid Howells	  of modules signed with a blacklisted key.
117734114f8SDavid Howells
118734114f8SDavid Howellsconfig SYSTEM_BLACKLIST_HASH_LIST
119734114f8SDavid Howells	string "Hashes to be preloaded into the system blacklist keyring"
120734114f8SDavid Howells	depends on SYSTEM_BLACKLIST_KEYRING
121734114f8SDavid Howells	help
122734114f8SDavid Howells	  If set, this option should be the filename of a list of hashes in the
123734114f8SDavid Howells	  form "<hash>", "<hash>", ... .  This will be included into a C
124addf4663SMickaël Salaün	  wrapper to incorporate the list into the kernel.  Each <hash> must be a
125addf4663SMickaël Salaün	  string starting with a prefix ("tbs" or "bin"), then a colon (":"), and
126addf4663SMickaël Salaün	  finally an even number of hexadecimal lowercase characters (up to 128).
127addf4663SMickaël Salaün	  Certificate hashes can be generated with
128addf4663SMickaël Salaün	  tools/certs/print-cert-tbs-hash.sh .
129734114f8SDavid Howells
13056c58126SEric Snowbergconfig SYSTEM_REVOCATION_LIST
13156c58126SEric Snowberg	bool "Provide system-wide ring of revocation certificates"
13256c58126SEric Snowberg	depends on SYSTEM_BLACKLIST_KEYRING
13356c58126SEric Snowberg	depends on PKCS7_MESSAGE_PARSER=y
13456c58126SEric Snowberg	help
13556c58126SEric Snowberg	  If set, this allows revocation certificates to be stored in the
13656c58126SEric Snowberg	  blacklist keyring and implements a hook whereby a PKCS#7 message can
13756c58126SEric Snowberg	  be checked to see if it matches such a certificate.
13856c58126SEric Snowberg
139d1f04410SEric Snowbergconfig SYSTEM_REVOCATION_KEYS
140d1f04410SEric Snowberg	string "X.509 certificates to be preloaded into the system blacklist keyring"
141d1f04410SEric Snowberg	depends on SYSTEM_REVOCATION_LIST
142d1f04410SEric Snowberg	help
143d1f04410SEric Snowberg	  If set, this option should be the filename of a PEM-formatted file
144d1f04410SEric Snowberg	  containing X.509 certificates to be included in the default blacklist
145d1f04410SEric Snowberg	  keyring.
146d1f04410SEric Snowberg
1476364d106SMickaël Salaünconfig SYSTEM_BLACKLIST_AUTH_UPDATE
1486364d106SMickaël Salaün	bool "Allow root to add signed blacklist keys"
1496364d106SMickaël Salaün	depends on SYSTEM_BLACKLIST_KEYRING
1506364d106SMickaël Salaün	depends on SYSTEM_DATA_VERIFICATION
1516364d106SMickaël Salaün	help
1526364d106SMickaël Salaün	  If set, provide the ability to load new blacklist keys at run time if
1536364d106SMickaël Salaün	  they are signed and vouched by a certificate from the builtin trusted
1546364d106SMickaël Salaün	  keyring.  The PKCS#7 signature of the description is set in the key
1556364d106SMickaël Salaün	  payload.  Blacklist keys cannot be removed.
1566364d106SMickaël Salaün
157cfc411e7SDavid Howellsendmenu
158