1ec8f24b7SThomas Gleixner# SPDX-License-Identifier: GPL-2.0-only 2f381c272SMimi Zohar# 3f381c272SMimi Zoharconfig INTEGRITY 47ef84e65SDmitry Kasatkin bool "Integrity subsystem" 57ef84e65SDmitry Kasatkin depends on SECURITY 67ef84e65SDmitry Kasatkin default y 77ef84e65SDmitry Kasatkin help 87ef84e65SDmitry Kasatkin This option enables the integrity subsystem, which is comprised 97ef84e65SDmitry Kasatkin of a number of different components including the Integrity 107ef84e65SDmitry Kasatkin Measurement Architecture (IMA), Extended Verification Module 117ef84e65SDmitry Kasatkin (EVM), IMA-appraisal extension, digital signature verification 127ef84e65SDmitry Kasatkin extension and audit measurement log support. 137ef84e65SDmitry Kasatkin 147ef84e65SDmitry Kasatkin Each of these components can be enabled/disabled separately. 157ef84e65SDmitry Kasatkin Refer to the individual components for additional details. 167ef84e65SDmitry Kasatkin 177ef84e65SDmitry Kasatkinif INTEGRITY 18f381c272SMimi Zohar 19f1be242cSDmitry Kasatkinconfig INTEGRITY_SIGNATURE 206341e62bSChristoph Jaeger bool "Digital signature verification using multiple keyrings" 218607c501SDmitry Kasatkin default n 22cf38fed1SThiago Jung Bauermann select KEYS 235e8898e9SDmitry Kasatkin select SIGNATURE 248607c501SDmitry Kasatkin help 258607c501SDmitry Kasatkin This option enables digital signature verification support 268607c501SDmitry Kasatkin using multiple keyrings. It defines separate keyrings for each 278607c501SDmitry Kasatkin of the different use cases - evm, ima, and modules. 288607c501SDmitry Kasatkin Different keyrings improves search performance, but also allow 298607c501SDmitry Kasatkin to "lock" certain keyring to prevent adding new keys. 308607c501SDmitry Kasatkin This is useful for evm and module keyrings, when keys are 318607c501SDmitry Kasatkin usually only added from initramfs. 328607c501SDmitry Kasatkin 331ae8f41cSDmitry Kasatkinconfig INTEGRITY_ASYMMETRIC_KEYS 346341e62bSChristoph Jaeger bool "Enable asymmetric keys support" 351ae8f41cSDmitry Kasatkin depends on INTEGRITY_SIGNATURE 361ae8f41cSDmitry Kasatkin default n 371ae8f41cSDmitry Kasatkin select ASYMMETRIC_KEY_TYPE 381ae8f41cSDmitry Kasatkin select ASYMMETRIC_PUBLIC_KEY_SUBTYPE 39*1376956cSEric Biggers select CRYPTO 40eb5798f2STadeusz Struk select CRYPTO_RSA 411ae8f41cSDmitry Kasatkin select X509_CERTIFICATE_PARSER 421ae8f41cSDmitry Kasatkin help 431ae8f41cSDmitry Kasatkin This option enables digital signature verification using 441ae8f41cSDmitry Kasatkin asymmetric keys. 451ae8f41cSDmitry Kasatkin 46f4dc3778SDmitry Kasatkinconfig INTEGRITY_TRUSTED_KEYRING 47f4dc3778SDmitry Kasatkin bool "Require all keys on the integrity keyrings be signed" 48f4dc3778SDmitry Kasatkin depends on SYSTEM_TRUSTED_KEYRING 49f4dc3778SDmitry Kasatkin depends on INTEGRITY_ASYMMETRIC_KEYS 50f4dc3778SDmitry Kasatkin default y 51f4dc3778SDmitry Kasatkin help 52f4dc3778SDmitry Kasatkin This option requires that all keys added to the .ima and 53f4dc3778SDmitry Kasatkin .evm keyrings be signed by a key on the system trusted 54f4dc3778SDmitry Kasatkin keyring. 55f4dc3778SDmitry Kasatkin 569dc92c45SNayna Jainconfig INTEGRITY_PLATFORM_KEYRING 579dc92c45SNayna Jain bool "Provide keyring for platform/firmware trusted keys" 589dc92c45SNayna Jain depends on INTEGRITY_ASYMMETRIC_KEYS 599dc92c45SNayna Jain depends on SYSTEM_BLACKLIST_KEYRING 609dc92c45SNayna Jain help 619dc92c45SNayna Jain Provide a separate, distinct keyring for platform trusted keys, which 629dc92c45SNayna Jain the kernel automatically populates during initialization from values 639dc92c45SNayna Jain provided by the platform for verifying the kexec'ed kerned image 649dc92c45SNayna Jain and, possibly, the initramfs signature. 659dc92c45SNayna Jain 66d1996776SEric Snowbergconfig INTEGRITY_MACHINE_KEYRING 67d1996776SEric Snowberg bool "Provide a keyring to which Machine Owner Keys may be added" 68d1996776SEric Snowberg depends on SECONDARY_TRUSTED_KEYRING 69d1996776SEric Snowberg depends on INTEGRITY_ASYMMETRIC_KEYS 70d1996776SEric Snowberg depends on SYSTEM_BLACKLIST_KEYRING 71d7d91c47SNayna Jain depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS 72d1996776SEric Snowberg help 73d1996776SEric Snowberg If set, provide a keyring to which Machine Owner Keys (MOK) may 74d1996776SEric Snowberg be added. This keyring shall contain just MOK keys. Unlike keys 75d1996776SEric Snowberg in the platform keyring, keys contained in the .machine keyring will 76d1996776SEric Snowberg be trusted within the kernel. 77d1996776SEric Snowberg 78099f26f2SEric Snowbergconfig INTEGRITY_CA_MACHINE_KEYRING 79099f26f2SEric Snowberg bool "Enforce Machine Keyring CA Restrictions" 80099f26f2SEric Snowberg depends on INTEGRITY_MACHINE_KEYRING 81099f26f2SEric Snowberg default n 82099f26f2SEric Snowberg help 83099f26f2SEric Snowberg The .machine keyring can be configured to enforce CA restriction 84099f26f2SEric Snowberg on any key added to it. By default no restrictions are in place 85099f26f2SEric Snowberg and all Machine Owner Keys (MOK) are added to the machine keyring. 86099f26f2SEric Snowberg If enabled only CA keys are added to the machine keyring, all 87099f26f2SEric Snowberg other MOK keys load into the platform keyring. 88099f26f2SEric Snowberg 89099f26f2SEric Snowbergconfig INTEGRITY_CA_MACHINE_KEYRING_MAX 90099f26f2SEric Snowberg bool "Only CA keys without DigitialSignature usage set" 91099f26f2SEric Snowberg depends on INTEGRITY_CA_MACHINE_KEYRING 92099f26f2SEric Snowberg default n 93099f26f2SEric Snowberg help 94099f26f2SEric Snowberg When selected, only load CA keys are loaded into the machine 95099f26f2SEric Snowberg keyring that contain the CA bit set along with the keyCertSign 96099f26f2SEric Snowberg Usage field. Keys containing the digitialSignature Usage field 97099f26f2SEric Snowberg will not be loaded. The remaining MOK keys are loaded into the 98099f26f2SEric Snowberg .platform keyring. 99099f26f2SEric Snowberg 1009641b8ccSMartin Schwidefskyconfig LOAD_UEFI_KEYS 1019641b8ccSMartin Schwidefsky depends on INTEGRITY_PLATFORM_KEYRING 1029641b8ccSMartin Schwidefsky depends on EFI 1039641b8ccSMartin Schwidefsky def_bool y 1049641b8ccSMartin Schwidefsky 1059641b8ccSMartin Schwidefskyconfig LOAD_IPL_KEYS 1069641b8ccSMartin Schwidefsky depends on INTEGRITY_PLATFORM_KEYRING 1079641b8ccSMartin Schwidefsky depends on S390 1089641b8ccSMartin Schwidefsky def_bool y 1099641b8ccSMartin Schwidefsky 1108220e22dSNayna Jainconfig LOAD_PPC_KEYS 1118220e22dSNayna Jain bool "Enable loading of platform and blacklisted keys for POWER" 1128220e22dSNayna Jain depends on INTEGRITY_PLATFORM_KEYRING 1138220e22dSNayna Jain depends on PPC_SECURE_BOOT 1148220e22dSNayna Jain default y 1158220e22dSNayna Jain help 1168220e22dSNayna Jain Enable loading of keys to the .platform keyring and blacklisted 1178220e22dSNayna Jain hashes to the .blacklist keyring for powerpc based platforms. 1188220e22dSNayna Jain 119d726d8d7SMimi Zoharconfig INTEGRITY_AUDIT 120d726d8d7SMimi Zohar bool "Enables integrity auditing support " 1217ef84e65SDmitry Kasatkin depends on AUDIT 122d726d8d7SMimi Zohar default y 123d726d8d7SMimi Zohar help 124d726d8d7SMimi Zohar In addition to enabling integrity auditing support, this 125d726d8d7SMimi Zohar option adds a kernel parameter 'integrity_audit', which 126d726d8d7SMimi Zohar controls the level of integrity auditing messages. 127d726d8d7SMimi Zohar 0 - basic integrity auditing messages (default) 128d726d8d7SMimi Zohar 1 - additional integrity auditing messages 129d726d8d7SMimi Zohar 130d726d8d7SMimi Zohar Additional informational integrity auditing messages would 131d726d8d7SMimi Zohar be enabled by specifying 'integrity_audit=1' on the kernel 132d726d8d7SMimi Zohar command line. 133d726d8d7SMimi Zohar 1348636a1f9SMasahiro Yamadasource "security/integrity/ima/Kconfig" 1358636a1f9SMasahiro Yamadasource "security/integrity/evm/Kconfig" 1367ef84e65SDmitry Kasatkin 1377ef84e65SDmitry Kasatkinendif # if INTEGRITY 138