103115077SDeven Bowers# SPDX-License-Identifier: GPL-2.0-only 203115077SDeven Bowers# 303115077SDeven Bowers# Integrity Policy Enforcement (IPE) configuration 403115077SDeven Bowers# 503115077SDeven Bowers 603115077SDeven Bowersmenuconfig SECURITY_IPE 703115077SDeven Bowers bool "Integrity Policy Enforcement (IPE)" 8f44554b5SDeven Bowers depends on SECURITY && SECURITYFS && AUDIT && AUDITSYSCALL 9*b90bb6dbSEric Biggers select CRYPTO_LIB_SHA256 1003115077SDeven Bowers select PKCS7_MESSAGE_PARSER 1103115077SDeven Bowers select SYSTEM_DATA_VERIFICATION 12e155858dSDeven Bowers select IPE_PROP_DM_VERITY if DM_VERITY 13e155858dSDeven Bowers select IPE_PROP_DM_VERITY_SIGNATURE if DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG 1431f8c868SFan Wu select IPE_PROP_FS_VERITY if FS_VERITY 1531f8c868SFan Wu select IPE_PROP_FS_VERITY_BUILTIN_SIG if FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES 1603115077SDeven Bowers help 1703115077SDeven Bowers This option enables the Integrity Policy Enforcement LSM 1803115077SDeven Bowers allowing users to define a policy to enforce a trust-based access 1903115077SDeven Bowers control. A key feature of IPE is a customizable policy to allow 2003115077SDeven Bowers admins to reconfigure trust requirements on the fly. 2103115077SDeven Bowers 2203115077SDeven Bowers If unsure, answer N. 23e155858dSDeven Bowers 24e155858dSDeven Bowersif SECURITY_IPE 25ba199dc9SDeven Bowersconfig IPE_BOOT_POLICY 26ba199dc9SDeven Bowers string "Integrity policy to apply on system startup" 27ba199dc9SDeven Bowers help 28ba199dc9SDeven Bowers This option specifies a filepath to an IPE policy that is compiled 29ba199dc9SDeven Bowers into the kernel. This policy will be enforced until a policy update 30ba199dc9SDeven Bowers is deployed via the $securityfs/ipe/policies/$policy_name/active 31ba199dc9SDeven Bowers interface. 32ba199dc9SDeven Bowers 33ba199dc9SDeven Bowers If unsure, leave blank. 34ba199dc9SDeven Bowers 3502e2f9aaSLuca Boccassiconfig IPE_POLICY_SIG_SECONDARY_KEYRING 3602e2f9aaSLuca Boccassi bool "IPE policy update verification with secondary keyring" 3702e2f9aaSLuca Boccassi default y 3802e2f9aaSLuca Boccassi depends on SECONDARY_TRUSTED_KEYRING 3902e2f9aaSLuca Boccassi help 4002e2f9aaSLuca Boccassi Also allow the secondary trusted keyring to verify IPE policy 4102e2f9aaSLuca Boccassi updates. 4202e2f9aaSLuca Boccassi 4302e2f9aaSLuca Boccassi If unsure, answer Y. 4402e2f9aaSLuca Boccassi 4502e2f9aaSLuca Boccassiconfig IPE_POLICY_SIG_PLATFORM_KEYRING 4602e2f9aaSLuca Boccassi bool "IPE policy update verification with platform keyring" 4702e2f9aaSLuca Boccassi default y 4802e2f9aaSLuca Boccassi depends on INTEGRITY_PLATFORM_KEYRING 4902e2f9aaSLuca Boccassi help 5002e2f9aaSLuca Boccassi Also allow the platform keyring to verify IPE policy updates. 5102e2f9aaSLuca Boccassi 5202e2f9aaSLuca Boccassi If unsure, answer Y. 5302e2f9aaSLuca Boccassi 54e155858dSDeven Bowersmenu "IPE Trust Providers" 55e155858dSDeven Bowers 56e155858dSDeven Bowersconfig IPE_PROP_DM_VERITY 57e155858dSDeven Bowers bool "Enable support for dm-verity based on root hash" 58e155858dSDeven Bowers depends on DM_VERITY 59e155858dSDeven Bowers help 60e155858dSDeven Bowers This option enables the 'dmverity_roothash' property within IPE 61e155858dSDeven Bowers policies. The property evaluates to TRUE when a file from a dm-verity 62e155858dSDeven Bowers volume is evaluated, and the volume's root hash matches the value 63e155858dSDeven Bowers supplied in the policy. 64e155858dSDeven Bowers 65e155858dSDeven Bowersconfig IPE_PROP_DM_VERITY_SIGNATURE 66e155858dSDeven Bowers bool "Enable support for dm-verity based on root hash signature" 67e155858dSDeven Bowers depends on DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG 68e155858dSDeven Bowers help 69e155858dSDeven Bowers This option enables the 'dmverity_signature' property within IPE 70e155858dSDeven Bowers policies. The property evaluates to TRUE when a file from a dm-verity 71e155858dSDeven Bowers volume, which has been mounted with a valid signed root hash, 72e155858dSDeven Bowers is evaluated. 73e155858dSDeven Bowers 7431f8c868SFan Wu If unsure, answer Y. 7531f8c868SFan Wu 7631f8c868SFan Wuconfig IPE_PROP_FS_VERITY 7731f8c868SFan Wu bool "Enable support for fs-verity based on file digest" 7831f8c868SFan Wu depends on FS_VERITY 7931f8c868SFan Wu help 8031f8c868SFan Wu This option enables the 'fsverity_digest' property within IPE 8131f8c868SFan Wu policies. The property evaluates to TRUE when a file is fsverity 8231f8c868SFan Wu enabled and its digest matches the supplied digest value in the 8331f8c868SFan Wu policy. 8431f8c868SFan Wu 8531f8c868SFan Wu if unsure, answer Y. 8631f8c868SFan Wu 8731f8c868SFan Wuconfig IPE_PROP_FS_VERITY_BUILTIN_SIG 8831f8c868SFan Wu bool "Enable support for fs-verity based on builtin signature" 8931f8c868SFan Wu depends on FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES 9031f8c868SFan Wu help 9131f8c868SFan Wu This option enables the 'fsverity_signature' property within IPE 9231f8c868SFan Wu policies. The property evaluates to TRUE when a file is fsverity 9331f8c868SFan Wu enabled and it has a valid builtin signature whose signing cert 9431f8c868SFan Wu is in the .fs-verity keyring. 9531f8c868SFan Wu 9631f8c868SFan Wu if unsure, answer Y. 9731f8c868SFan Wu 98e155858dSDeven Bowersendmenu 99e155858dSDeven Bowers 10010ca05a7SDeven Bowersconfig SECURITY_IPE_KUNIT_TEST 10110ca05a7SDeven Bowers bool "Build KUnit tests for IPE" if !KUNIT_ALL_TESTS 10210ca05a7SDeven Bowers depends on KUNIT=y 10310ca05a7SDeven Bowers default KUNIT_ALL_TESTS 10410ca05a7SDeven Bowers help 10510ca05a7SDeven Bowers This builds the IPE KUnit tests. 10610ca05a7SDeven Bowers 10710ca05a7SDeven Bowers KUnit tests run during boot and output the results to the debug log 10810ca05a7SDeven Bowers in TAP format (https://testanything.org/). Only useful for kernel devs 10910ca05a7SDeven Bowers running KUnit test harness and are not for inclusion into a 11010ca05a7SDeven Bowers production build. 11110ca05a7SDeven Bowers 11210ca05a7SDeven Bowers For more information on KUnit and unit tests in general please refer 11310ca05a7SDeven Bowers to the KUnit documentation in Documentation/dev-tools/kunit/. 11410ca05a7SDeven Bowers 11510ca05a7SDeven Bowers If unsure, say N. 11610ca05a7SDeven Bowers 117e155858dSDeven Bowersendif 118