# SPDX-License-Identifier: GPL-2.0
menu "Certificates for signature checking"

config MODULE_SIG_KEY
	string "File name or PKCS#11 URI of module signing key"
	default "certs/signing_key.pem"
	depends on MODULE_SIG
	help
	  Provide the file name of a private key/certificate in PEM format,
	  or a PKCS#11 URI according to RFC7512. The file should contain, or
	  the URI should identify, both the certificate and its corresponding
	  private key.

	  If this option is unchanged from its default "certs/signing_key.pem",
	  then the kernel will automatically generate the private key and
	  certificate as described in Documentation/admin-guide/module-signing.rst

config SYSTEM_TRUSTED_KEYRING
	bool "Provide system-wide ring of trusted keys"
	depends on KEYS
	depends on ASYMMETRIC_KEY_TYPE
	help
	  Provide a system keyring to which trusted keys can be added. Keys in
	  the keyring are considered to be trusted. Keys may be added at will
	  by the kernel from compiled-in data and from hardware key stores, but
	  userspace may only add extra keys if those keys can be verified by
	  keys already in the keyring.

	  Keys in this keyring are used by module signature checking.

config SYSTEM_TRUSTED_KEYS
	string "Additional X.509 keys for default system keyring"
	depends on SYSTEM_TRUSTED_KEYRING
	help
	  If set, this option should be the filename of a PEM-formatted file
	  containing trusted X.509 certificates to be included in the default
	  system keyring. Any certificate used for module signing is implicitly
	  also trusted.

	  NOTE: If you previously provided keys for the system keyring in the
	  form of DER-encoded *.x509 files in the top-level build directory,
	  those are no longer used. You will need to set this option instead.

config SYSTEM_EXTRA_CERTIFICATE
	bool "Reserve area for inserting a certificate without recompiling"
	depends on SYSTEM_TRUSTED_KEYRING
	help
	  If set, space for an extra certificate will be reserved in the kernel
	  image. This allows introducing a trusted certificate to the default
	  system keyring without recompiling the kernel.

config SYSTEM_EXTRA_CERTIFICATE_SIZE
	int "Number of bytes to reserve for the extra certificate"
	depends on SYSTEM_EXTRA_CERTIFICATE
	default 4096
	help
	  This is the number of bytes reserved in the kernel image for a
	  certificate to be inserted.

config SECONDARY_TRUSTED_KEYRING
	bool "Provide a keyring to which extra trustable keys may be added"
	depends on SYSTEM_TRUSTED_KEYRING
	help
	  If set, provide a keyring to which extra keys may be added, provided
	  those keys are not blacklisted and are vouched for by a key built
	  into the kernel or already in the secondary trusted keyring.

config SYSTEM_BLACKLIST_KEYRING
	bool "Provide system-wide ring of blacklisted keys"
	depends on KEYS
	help
	  Provide a system keyring to which blacklisted keys can be added.
	  Keys in the keyring are considered entirely untrusted. Keys in this
	  keyring are used by the module signature checking to reject loading
	  of modules signed with a blacklisted key.

config SYSTEM_BLACKLIST_HASH_LIST
	string "Hashes to be preloaded into the system blacklist keyring"
	depends on SYSTEM_BLACKLIST_KEYRING
	help
	  If set, this option should be the filename of a list of hashes in the
	  form "<hash>", "<hash>", ... . This will be included into a C
	  wrapper to incorporate the list into the kernel. Each <hash> should
	  be a string of hex digits.

endmenu
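Added example, not part of the kernel tree: pre-build checks for two of the files these options point at, a MODULE_SIG_KEY PEM file that must hold both the certificate and its private key, and a SYSTEM_BLACKLIST_HASH_LIST file in the `"<hash>", "<hash>", ...` form where every entry must be hex digits. The helper names and the sample inputs are constructed for illustration.

```python
import re

# A PEM file is a sequence of "-----BEGIN <label>-----" ... "-----END <label>-----" blocks.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

# Constructed sample inputs (the base64 bodies are placeholders, not real keys).
SAMPLE_MODULE_SIG_KEY = (
    "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
)
SAMPLE_BLACKLIST_HASH_LIST = (
    '"0123456789abcdef0123456789abcdef",\n'
    '"FEDCBA9876543210fedcba9876543210",\n'
)


def pem_block_labels(pem_text):
    """Return the set of block labels found, e.g. {'CERTIFICATE', 'PRIVATE KEY'}."""
    return {m.group(1) for m in PEM_BLOCK.finditer(pem_text)}


def module_sig_key_is_complete(pem_text):
    """MODULE_SIG_KEY must carry the certificate AND its private key; a file with
    only one of them makes the signing step fail (or silently sign with nothing)."""
    labels = pem_block_labels(pem_text)
    has_cert = "CERTIFICATE" in labels
    has_key = any(label.endswith("PRIVATE KEY") for label in labels)
    return has_cert and has_key


def parse_blacklist_hash_list(text):
    """Parse the comma-separated list of quoted hashes that SYSTEM_BLACKLIST_HASH_LIST
    names. The file is spliced into a C array, so each entry must be a quoted string
    of hex digits; anything else is rejected here rather than at C compile time."""
    hashes = []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:  # trailing comma or blank line
            continue
        if len(entry) < 2 or entry[0] != '"' or entry[-1] != '"':
            raise ValueError(f"entry is not a quoted string: {entry!r}")
        digest = entry[1:-1]
        if not re.fullmatch(r"[0-9a-fA-F]+", digest):
            raise ValueError(f"entry is not a string of hex digits: {digest!r}")
        hashes.append(digest.lower())  # normalise case for comparison
    return hashes
```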