# git blame: lines from commit cfc411e7 (David Howells); the SYSTEM_EXTRA_CERTIFICATE
# options from commit c4c36105 (Mehmet Kayaalp).

menu "Certificates for signature checking"

config MODULE_SIG_KEY
	string "File name or PKCS#11 URI of module signing key"
	default "certs/signing_key.pem"
	depends on MODULE_SIG
	help
	  Provide the file name of a private key/certificate in PEM format,
	  or a PKCS#11 URI according to RFC7512. The file should contain, or
	  the URI should identify, both the certificate and its corresponding
	  private key.

	  If this option is unchanged from its default "certs/signing_key.pem",
	  then the kernel will automatically generate the private key and
	  certificate as described in Documentation/module-signing.txt

config SYSTEM_TRUSTED_KEYRING
	bool "Provide system-wide ring of trusted keys"
	depends on KEYS
	help
	  Provide a system keyring to which trusted keys can be added. Keys in
	  the keyring are considered to be trusted. Keys may be added at will
	  by the kernel from compiled-in data and from hardware key stores, but
	  userspace may only add extra keys if those keys can be verified by
	  keys already in the keyring.

	  Keys in this keyring are used by module signature checking.

config SYSTEM_TRUSTED_KEYS
	string "Additional X.509 keys for default system keyring"
	depends on SYSTEM_TRUSTED_KEYRING
	help
	  If set, this option should be the filename of a PEM-formatted file
	  containing trusted X.509 certificates to be included in the default
	  system keyring. Any certificate used for module signing is implicitly
	  also trusted.

	  NOTE: If you previously provided keys for the system keyring in the
	  form of DER-encoded *.x509 files in the top-level build directory,
	  those are no longer used. You will need to set this option instead.

config SYSTEM_EXTRA_CERTIFICATE
	bool "Reserve area for inserting a certificate without recompiling"
	depends on SYSTEM_TRUSTED_KEYRING
	help
	  If set, space for an extra certificate will be reserved in the kernel
	  image. This allows introducing a trusted certificate to the default
	  system keyring without recompiling the kernel.

config SYSTEM_EXTRA_CERTIFICATE_SIZE
	int "Number of bytes to reserve for the extra certificate"
	depends on SYSTEM_EXTRA_CERTIFICATE
	default 4096
	help
	  This is the number of bytes reserved in the kernel image for a
	  certificate to be inserted.

endmenu
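As an added example (not part of the kernel's Kconfig or build scripts), a POSIX shell script that checks the files these options point at before a build: that the MODULE_SIG_KEY file carries exactly one certificate plus the private key matching it, that the SYSTEM_TRUSTED_KEYS file carries certificates only, and that a certificate meant for the SYSTEM_EXTRA_CERTIFICATE area fits in SYSTEM_EXTRA_CERTIFICATE_SIZE. It assumes openssl(1) is installed and the private key is unencrypted; the file paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the kernel tree: pre-build checks for the files
# named by MODULE_SIG_KEY and SYSTEM_TRUSTED_KEYS. Assumes openssl(1) and an
# unencrypted private key; file paths are placeholders chosen here.
set -eu

# Number of PEM blocks in file $1 whose BEGIN label ends in $2, so that
# "PRIVATE KEY" also counts "RSA PRIVATE KEY" and "EC PRIVATE KEY".
pem_count() {
    grep -c -- "^-----BEGIN .*$2-----" "$1" || true
}

# MODULE_SIG_KEY must hold one certificate and the private key that matches
# it: the build signs modules with the key and embeds the cert for checking.
check_module_sig_key() {
    f=$1
    [ "$(pem_count "$f" CERTIFICATE)" -eq 1 ] ||
        { echo "$f: expected exactly one certificate" >&2; return 1; }
    [ "$(pem_count "$f" 'PRIVATE KEY')" -eq 1 ] ||
        { echo "$f: expected exactly one private key" >&2; return 1; }
    # The cert's SubjectPublicKeyInfo must equal the one derived from the key.
    cert_pub=$(openssl x509 -in "$f" -noout -pubkey)
    key_pub=$(openssl pkey -in "$f" -pubout)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "$f: private key does not match the certificate" >&2; return 1; }
}

# SYSTEM_TRUSTED_KEYS is compiled into the image: certificates only, never
# a private key, and at least one certificate.
check_trusted_keys() {
    f=$1
    [ "$(pem_count "$f" 'PRIVATE KEY')" -eq 0 ] ||
        { echo "$f: contains a private key; only certificates belong here" >&2; return 1; }
    [ "$(pem_count "$f" CERTIFICATE)" -ge 1 ] ||
        { echo "$f: no certificates found" >&2; return 1; }
}

# A certificate inserted into the SYSTEM_EXTRA_CERTIFICATE area goes in as
# DER, so its DER length must not exceed SYSTEM_EXTRA_CERTIFICATE_SIZE
# ($2, default 4096 as in Kconfig).
fits_extra_area() {
    der_len=$(openssl x509 -in "$1" -outform DER | wc -c | tr -d ' ')
    [ "$der_len" -le "${2:-4096}" ]
}

# Usage: ./check_certs.sh <module_sig_key.pem> <trusted_keys.pem> [extra.pem]
if [ $# -ge 2 ]; then
    check_module_sig_key "$1"
    check_trusted_keys "$2"
    [ $# -lt 3 ] || fits_extra_area "$3"
    echo "certificate inputs look consistent"
fi
```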