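# SPDX-License-Identifier: GPL-2.0-only
#
# Integrity Policy Enforcement (IPE) configuration
#

# Top-level switch for the IPE LSM. It is only offered when SECURITY,
# SECURITYFS, AUDIT and AUDITSYSCALL are all enabled. The conditional
# 'select' lines force each trust-provider property on whenever its backing
# feature (dm-verity, fs-verity and their signature options) is built, so in
# that case the prompts under "IPE Trust Providers" cannot be switched off.
menuconfig SECURITY_IPE
	bool "Integrity Policy Enforcement (IPE)"
	depends on SECURITY && SECURITYFS && AUDIT && AUDITSYSCALL
	select PKCS7_MESSAGE_PARSER
	select SYSTEM_DATA_VERIFICATION
	select IPE_PROP_DM_VERITY if DM_VERITY
	select IPE_PROP_DM_VERITY_SIGNATURE if DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG
	select IPE_PROP_FS_VERITY if FS_VERITY
	select IPE_PROP_FS_VERITY_BUILTIN_SIG if FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
	help
	  This option enables the Integrity Policy Enforcement LSM
	  allowing users to define a policy to enforce a trust-based access
	  control. A key feature of IPE is a customizable policy to allow
	  admins to reconfigure trust requirements on the fly.

	  If unsure, answer N.

if SECURITY_IPE

# Path to a policy file that is compiled into the kernel image and enforced
# from startup until another policy is activated through securityfs.
# NOTE(review): if this is left blank there appears to be no policy in force
# at boot, so nothing is enforced until a signed policy is deployed and
# activated -- confirm against the IPE documentation before relying on it.
config IPE_BOOT_POLICY
	string "Integrity policy to apply on system startup"
	help
	  This option specifies a filepath to an IPE policy that is compiled
	  into the kernel. This policy will be enforced until a policy update
	  is deployed via the $securityfs/ipe/policies/$policy_name/active
	  interface.

	  If unsure, leave blank.

# The two keyring options below each widen the set of keys that may
# authorise a policy update ("Also allow ..."), and both default to y.
# The secondary trusted keyring can gain keys at run time when they are
# vouched for by an already trusted key; the platform keyring holds keys
# supplied by platform firmware. Answer N to both if only the keys that
# are accepted without these options should be able to sign policy updates.
config IPE_POLICY_SIG_SECONDARY_KEYRING
	bool "IPE policy update verification with secondary keyring"
	default y
	depends on SECONDARY_TRUSTED_KEYRING
	help
	  Also allow the secondary trusted keyring to verify IPE policy
	  updates.

	  If unsure, answer Y.

config IPE_POLICY_SIG_PLATFORM_KEYRING
	bool "IPE policy update verification with platform keyring"
	default y
	depends on INTEGRITY_PLATFORM_KEYRING
	help
	  Also allow the platform keyring to verify IPE policy updates.

	  If unsure, answer Y.

menu "IPE Trust Providers"

# 'dmverity_roothash' pins one exact volume: the policy itself carries the
# root hash that must match.
config IPE_PROP_DM_VERITY
	bool "Enable support for dm-verity based on root hash"
	depends on DM_VERITY
	help
	  This option enables the 'dmverity_roothash' property within IPE
	  policies. The property evaluates to TRUE when a file from a dm-verity
	  volume is evaluated, and the volume's root hash matches the value
	  supplied in the policy.

# 'dmverity_signature' is broader than 'dmverity_roothash': it is TRUE for
# any dm-verity volume mounted with a validly signed root hash, so the trust
# it grants follows whoever can produce such a signature.
config IPE_PROP_DM_VERITY_SIGNATURE
	bool "Enable support for dm-verity based on root hash signature"
	depends on DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG
	help
	  This option enables the 'dmverity_signature' property within IPE
	  policies. The property evaluates to TRUE when a file from a dm-verity
	  volume, which has been mounted with a valid signed root hash,
	  is evaluated.

	  If unsure, answer Y.

# 'fsverity_digest' pins one exact file: the policy carries the digest that
# must match.
config IPE_PROP_FS_VERITY
	bool "Enable support for fs-verity based on file digest"
	depends on FS_VERITY
	help
	  This option enables the 'fsverity_digest' property within IPE
	  policies. The property evaluates to TRUE when a file is fsverity
	  enabled and its digest matches the supplied digest value in the
	  policy.

	  If unsure, answer Y.

# 'fsverity_signature' is TRUE for any fs-verity file carrying a valid
# builtin signature, so the trust it grants follows the contents of the
# .fs-verity keyring.
config IPE_PROP_FS_VERITY_BUILTIN_SIG
	bool "Enable support for fs-verity based on builtin signature"
	depends on FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
	help
	  This option enables the 'fsverity_signature' property within IPE
	  policies. The property evaluates to TRUE when a file is fsverity
	  enabled and it has a valid builtin signature whose signing cert
	  is in the .fs-verity keyring.

	  If unsure, answer Y.

endmenu

# Test-only option; the help text asks that it be kept out of production
# builds.
config SECURITY_IPE_KUNIT_TEST
	bool "Build KUnit tests for IPE" if !KUNIT_ALL_TESTS
	depends on KUNIT=y
	default KUNIT_ALL_TESTS
	help
	  This builds the IPE KUnit tests.

	  KUnit tests run during boot and output the results to the debug log
	  in TAP format (https://testanything.org/). Only useful for kernel devs
	  running KUnit test harness and are not for inclusion into a
	  production build.

	  For more information on KUnit and unit tests in general please refer
	  to the KUnit documentation in Documentation/dev-tools/kunit/.

	  If unsure, say N.

endif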