103115077SDeven Bowers# SPDX-License-Identifier: GPL-2.0-only 203115077SDeven Bowers# 303115077SDeven Bowers# Integrity Policy Enforcement (IPE) configuration 403115077SDeven Bowers# 503115077SDeven Bowers 603115077SDeven Bowersmenuconfig SECURITY_IPE 703115077SDeven Bowers bool "Integrity Policy Enforcement (IPE)" 8f44554b5SDeven Bowers depends on SECURITY && SECURITYFS && AUDIT && AUDITSYSCALL 903115077SDeven Bowers select PKCS7_MESSAGE_PARSER 1003115077SDeven Bowers select SYSTEM_DATA_VERIFICATION 11e155858dSDeven Bowers select IPE_PROP_DM_VERITY if DM_VERITY 12e155858dSDeven Bowers select IPE_PROP_DM_VERITY_SIGNATURE if DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG 13*31f8c868SFan Wu select IPE_PROP_FS_VERITY if FS_VERITY 14*31f8c868SFan Wu select IPE_PROP_FS_VERITY_BUILTIN_SIG if FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES 1503115077SDeven Bowers help 1603115077SDeven Bowers This option enables the Integrity Policy Enforcement LSM 1703115077SDeven Bowers allowing users to define a policy to enforce a trust-based access 1803115077SDeven Bowers control. A key feature of IPE is a customizable policy to allow 1903115077SDeven Bowers admins to reconfigure trust requirements on the fly. 2003115077SDeven Bowers 2103115077SDeven Bowers If unsure, answer N. 22e155858dSDeven Bowers 23e155858dSDeven Bowersif SECURITY_IPE 24e155858dSDeven Bowersmenu "IPE Trust Providers" 25e155858dSDeven Bowers 26e155858dSDeven Bowersconfig IPE_PROP_DM_VERITY 27e155858dSDeven Bowers bool "Enable support for dm-verity based on root hash" 28e155858dSDeven Bowers depends on DM_VERITY 29e155858dSDeven Bowers help 30e155858dSDeven Bowers This option enables the 'dmverity_roothash' property within IPE 31e155858dSDeven Bowers policies. The property evaluates to TRUE when a file from a dm-verity 32e155858dSDeven Bowers volume is evaluated, and the volume's root hash matches the value 33e155858dSDeven Bowers supplied in the policy. 34e155858dSDeven Bowers 35e155858dSDeven Bowersconfig IPE_PROP_DM_VERITY_SIGNATURE 36e155858dSDeven Bowers bool "Enable support for dm-verity based on root hash signature" 37e155858dSDeven Bowers depends on DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG 38e155858dSDeven Bowers help 39e155858dSDeven Bowers This option enables the 'dmverity_signature' property within IPE 40e155858dSDeven Bowers policies. The property evaluates to TRUE when a file from a dm-verity 41e155858dSDeven Bowers volume, which has been mounted with a valid signed root hash, 42e155858dSDeven Bowers is evaluated. 43e155858dSDeven Bowers 44*31f8c868SFan Wu If unsure, answer Y. 45*31f8c868SFan Wu 46*31f8c868SFan Wuconfig IPE_PROP_FS_VERITY 47*31f8c868SFan Wu bool "Enable support for fs-verity based on file digest" 48*31f8c868SFan Wu depends on FS_VERITY 49*31f8c868SFan Wu help 50*31f8c868SFan Wu This option enables the 'fsverity_digest' property within IPE 51*31f8c868SFan Wu policies. The property evaluates to TRUE when a file is fsverity 52*31f8c868SFan Wu enabled and its digest matches the supplied digest value in the 53*31f8c868SFan Wu policy. 54*31f8c868SFan Wu 55*31f8c868SFan Wu if unsure, answer Y. 56*31f8c868SFan Wu 57*31f8c868SFan Wuconfig IPE_PROP_FS_VERITY_BUILTIN_SIG 58*31f8c868SFan Wu bool "Enable support for fs-verity based on builtin signature" 59*31f8c868SFan Wu depends on FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES 60*31f8c868SFan Wu help 61*31f8c868SFan Wu This option enables the 'fsverity_signature' property within IPE 62*31f8c868SFan Wu policies. The property evaluates to TRUE when a file is fsverity 63*31f8c868SFan Wu enabled and it has a valid builtin signature whose signing cert 64*31f8c868SFan Wu is in the .fs-verity keyring. 65*31f8c868SFan Wu 66*31f8c868SFan Wu if unsure, answer Y. 67*31f8c868SFan Wu 68e155858dSDeven Bowersendmenu 69e155858dSDeven Bowers 70e155858dSDeven Bowersendif 71