103115077SDeven Bowers# SPDX-License-Identifier: GPL-2.0-only 203115077SDeven Bowers# 303115077SDeven Bowers# Integrity Policy Enforcement (IPE) configuration 403115077SDeven Bowers# 503115077SDeven Bowers 603115077SDeven Bowersmenuconfig SECURITY_IPE 703115077SDeven Bowers bool "Integrity Policy Enforcement (IPE)" 8f44554b5SDeven Bowers depends on SECURITY && SECURITYFS && AUDIT && AUDITSYSCALL 903115077SDeven Bowers select PKCS7_MESSAGE_PARSER 1003115077SDeven Bowers select SYSTEM_DATA_VERIFICATION 11e155858dSDeven Bowers select IPE_PROP_DM_VERITY if DM_VERITY 12e155858dSDeven Bowers select IPE_PROP_DM_VERITY_SIGNATURE if DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG 1331f8c868SFan Wu select IPE_PROP_FS_VERITY if FS_VERITY 1431f8c868SFan Wu select IPE_PROP_FS_VERITY_BUILTIN_SIG if FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES 1503115077SDeven Bowers help 1603115077SDeven Bowers This option enables the Integrity Policy Enforcement LSM 1703115077SDeven Bowers allowing users to define a policy to enforce a trust-based access 1803115077SDeven Bowers control. A key feature of IPE is a customizable policy to allow 1903115077SDeven Bowers admins to reconfigure trust requirements on the fly. 2003115077SDeven Bowers 2103115077SDeven Bowers If unsure, answer N. 22e155858dSDeven Bowers 23e155858dSDeven Bowersif SECURITY_IPE 24ba199dc9SDeven Bowersconfig IPE_BOOT_POLICY 25ba199dc9SDeven Bowers string "Integrity policy to apply on system startup" 26ba199dc9SDeven Bowers help 27ba199dc9SDeven Bowers This option specifies a filepath to an IPE policy that is compiled 28ba199dc9SDeven Bowers into the kernel. This policy will be enforced until a policy update 29ba199dc9SDeven Bowers is deployed via the $securityfs/ipe/policies/$policy_name/active 30ba199dc9SDeven Bowers interface. 31ba199dc9SDeven Bowers 32ba199dc9SDeven Bowers If unsure, leave blank. 33ba199dc9SDeven Bowers 34*02e2f9aaSLuca Boccassiconfig IPE_POLICY_SIG_SECONDARY_KEYRING 35*02e2f9aaSLuca Boccassi bool "IPE policy update verification with secondary keyring" 36*02e2f9aaSLuca Boccassi default y 37*02e2f9aaSLuca Boccassi depends on SECONDARY_TRUSTED_KEYRING 38*02e2f9aaSLuca Boccassi help 39*02e2f9aaSLuca Boccassi Also allow the secondary trusted keyring to verify IPE policy 40*02e2f9aaSLuca Boccassi updates. 41*02e2f9aaSLuca Boccassi 42*02e2f9aaSLuca Boccassi If unsure, answer Y. 43*02e2f9aaSLuca Boccassi 44*02e2f9aaSLuca Boccassiconfig IPE_POLICY_SIG_PLATFORM_KEYRING 45*02e2f9aaSLuca Boccassi bool "IPE policy update verification with platform keyring" 46*02e2f9aaSLuca Boccassi default y 47*02e2f9aaSLuca Boccassi depends on INTEGRITY_PLATFORM_KEYRING 48*02e2f9aaSLuca Boccassi help 49*02e2f9aaSLuca Boccassi Also allow the platform keyring to verify IPE policy updates. 50*02e2f9aaSLuca Boccassi 51*02e2f9aaSLuca Boccassi If unsure, answer Y. 52*02e2f9aaSLuca Boccassi 53e155858dSDeven Bowersmenu "IPE Trust Providers" 54e155858dSDeven Bowers 55e155858dSDeven Bowersconfig IPE_PROP_DM_VERITY 56e155858dSDeven Bowers bool "Enable support for dm-verity based on root hash" 57e155858dSDeven Bowers depends on DM_VERITY 58e155858dSDeven Bowers help 59e155858dSDeven Bowers This option enables the 'dmverity_roothash' property within IPE 60e155858dSDeven Bowers policies. The property evaluates to TRUE when a file from a dm-verity 61e155858dSDeven Bowers volume is evaluated, and the volume's root hash matches the value 62e155858dSDeven Bowers supplied in the policy. 63e155858dSDeven Bowers 64e155858dSDeven Bowersconfig IPE_PROP_DM_VERITY_SIGNATURE 65e155858dSDeven Bowers bool "Enable support for dm-verity based on root hash signature" 66e155858dSDeven Bowers depends on DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG 67e155858dSDeven Bowers help 68e155858dSDeven Bowers This option enables the 'dmverity_signature' property within IPE 69e155858dSDeven Bowers policies. The property evaluates to TRUE when a file from a dm-verity 70e155858dSDeven Bowers volume, which has been mounted with a valid signed root hash, 71e155858dSDeven Bowers is evaluated. 72e155858dSDeven Bowers 7331f8c868SFan Wu If unsure, answer Y. 7431f8c868SFan Wu 7531f8c868SFan Wuconfig IPE_PROP_FS_VERITY 7631f8c868SFan Wu bool "Enable support for fs-verity based on file digest" 7731f8c868SFan Wu depends on FS_VERITY 7831f8c868SFan Wu help 7931f8c868SFan Wu This option enables the 'fsverity_digest' property within IPE 8031f8c868SFan Wu policies. The property evaluates to TRUE when a file is fsverity 8131f8c868SFan Wu enabled and its digest matches the supplied digest value in the 8231f8c868SFan Wu policy. 8331f8c868SFan Wu 8431f8c868SFan Wu if unsure, answer Y. 8531f8c868SFan Wu 8631f8c868SFan Wuconfig IPE_PROP_FS_VERITY_BUILTIN_SIG 8731f8c868SFan Wu bool "Enable support for fs-verity based on builtin signature" 8831f8c868SFan Wu depends on FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES 8931f8c868SFan Wu help 9031f8c868SFan Wu This option enables the 'fsverity_signature' property within IPE 9131f8c868SFan Wu policies. The property evaluates to TRUE when a file is fsverity 9231f8c868SFan Wu enabled and it has a valid builtin signature whose signing cert 9331f8c868SFan Wu is in the .fs-verity keyring. 9431f8c868SFan Wu 9531f8c868SFan Wu if unsure, answer Y. 9631f8c868SFan Wu 97e155858dSDeven Bowersendmenu 98e155858dSDeven Bowers 9910ca05a7SDeven Bowersconfig SECURITY_IPE_KUNIT_TEST 10010ca05a7SDeven Bowers bool "Build KUnit tests for IPE" if !KUNIT_ALL_TESTS 10110ca05a7SDeven Bowers depends on KUNIT=y 10210ca05a7SDeven Bowers default KUNIT_ALL_TESTS 10310ca05a7SDeven Bowers help 10410ca05a7SDeven Bowers This builds the IPE KUnit tests. 10510ca05a7SDeven Bowers 10610ca05a7SDeven Bowers KUnit tests run during boot and output the results to the debug log 10710ca05a7SDeven Bowers in TAP format (https://testanything.org/). Only useful for kernel devs 10810ca05a7SDeven Bowers running KUnit test harness and are not for inclusion into a 10910ca05a7SDeven Bowers production build. 11010ca05a7SDeven Bowers 11110ca05a7SDeven Bowers For more information on KUnit and unit tests in general please refer 11210ca05a7SDeven Bowers to the KUnit documentation in Documentation/dev-tools/kunit/. 11310ca05a7SDeven Bowers 11410ca05a7SDeven Bowers If unsure, say N. 11510ca05a7SDeven Bowers 116e155858dSDeven Bowersendif 117