xref: /linux/security/ipe/Kconfig (revision ba199dc909a20fe62270ae4e93f263987bb9d119) 
103115077SDeven Bowers# SPDX-License-Identifier: GPL-2.0-only
203115077SDeven Bowers#
303115077SDeven Bowers# Integrity Policy Enforcement (IPE) configuration
403115077SDeven Bowers#
503115077SDeven Bowers
603115077SDeven Bowersmenuconfig SECURITY_IPE
703115077SDeven Bowers	bool "Integrity Policy Enforcement (IPE)"
8f44554b5SDeven Bowers	depends on SECURITY && SECURITYFS && AUDIT && AUDITSYSCALL
903115077SDeven Bowers	select PKCS7_MESSAGE_PARSER
1003115077SDeven Bowers	select SYSTEM_DATA_VERIFICATION
11e155858dSDeven Bowers	select IPE_PROP_DM_VERITY if DM_VERITY
12e155858dSDeven Bowers	select IPE_PROP_DM_VERITY_SIGNATURE if DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG
1331f8c868SFan Wu	select IPE_PROP_FS_VERITY if FS_VERITY
1431f8c868SFan Wu	select IPE_PROP_FS_VERITY_BUILTIN_SIG if FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
1503115077SDeven Bowers	help
1603115077SDeven Bowers	  This option enables the Integrity Policy Enforcement LSM
1703115077SDeven Bowers	  allowing users to define a policy to enforce a trust-based access
1803115077SDeven Bowers	  control. A key feature of IPE is a customizable policy to allow
1903115077SDeven Bowers	  admins to reconfigure trust requirements on the fly.
2003115077SDeven Bowers
2103115077SDeven Bowers	  If unsure, answer N.
22e155858dSDeven Bowers
23e155858dSDeven Bowersif SECURITY_IPE
24*ba199dc9SDeven Bowersconfig IPE_BOOT_POLICY
25*ba199dc9SDeven Bowers	string "Integrity policy to apply on system startup"
26*ba199dc9SDeven Bowers	help
27*ba199dc9SDeven Bowers	  This option specifies a filepath to an IPE policy that is compiled
28*ba199dc9SDeven Bowers	  into the kernel. This policy will be enforced until a policy update
29*ba199dc9SDeven Bowers	  is deployed via the $securityfs/ipe/policies/$policy_name/active
30*ba199dc9SDeven Bowers	  interface.
31*ba199dc9SDeven Bowers
32*ba199dc9SDeven Bowers	  If unsure, leave blank.
33*ba199dc9SDeven Bowers
34e155858dSDeven Bowersmenu "IPE Trust Providers"
35e155858dSDeven Bowers
36e155858dSDeven Bowersconfig IPE_PROP_DM_VERITY
37e155858dSDeven Bowers	bool "Enable support for dm-verity based on root hash"
38e155858dSDeven Bowers	depends on DM_VERITY
39e155858dSDeven Bowers	help
40e155858dSDeven Bowers	  This option enables the 'dmverity_roothash' property within IPE
41e155858dSDeven Bowers	  policies. The property evaluates to TRUE when a file from a dm-verity
42e155858dSDeven Bowers	  volume is evaluated, and the volume's root hash matches the value
43e155858dSDeven Bowers	  supplied in the policy.
44e155858dSDeven Bowers
45e155858dSDeven Bowersconfig IPE_PROP_DM_VERITY_SIGNATURE
46e155858dSDeven Bowers	bool "Enable support for dm-verity based on root hash signature"
47e155858dSDeven Bowers	depends on DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG
48e155858dSDeven Bowers	help
49e155858dSDeven Bowers	  This option enables the 'dmverity_signature' property within IPE
50e155858dSDeven Bowers	  policies. The property evaluates to TRUE when a file from a dm-verity
51e155858dSDeven Bowers	  volume, which has been mounted with a valid signed root hash,
52e155858dSDeven Bowers	  is evaluated.
53e155858dSDeven Bowers
5431f8c868SFan Wu	  If unsure, answer Y.
5531f8c868SFan Wu
5631f8c868SFan Wuconfig IPE_PROP_FS_VERITY
5731f8c868SFan Wu	bool "Enable support for fs-verity based on file digest"
5831f8c868SFan Wu	depends on FS_VERITY
5931f8c868SFan Wu	help
6031f8c868SFan Wu	  This option enables the 'fsverity_digest' property within IPE
6131f8c868SFan Wu	  policies. The property evaluates to TRUE when a file is fsverity
6231f8c868SFan Wu	  enabled and its digest matches the supplied digest value in the
6331f8c868SFan Wu	  policy.
6431f8c868SFan Wu
6531f8c868SFan Wu	  if unsure, answer Y.
6631f8c868SFan Wu
6731f8c868SFan Wuconfig IPE_PROP_FS_VERITY_BUILTIN_SIG
6831f8c868SFan Wu	bool "Enable support for fs-verity based on builtin signature"
6931f8c868SFan Wu	depends on FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
7031f8c868SFan Wu	help
7131f8c868SFan Wu	  This option enables the 'fsverity_signature' property within IPE
7231f8c868SFan Wu	  policies. The property evaluates to TRUE when a file is fsverity
7331f8c868SFan Wu	  enabled and it has a valid builtin signature whose signing cert
7431f8c868SFan Wu	  is in the .fs-verity keyring.
7531f8c868SFan Wu
7631f8c868SFan Wu	  if unsure, answer Y.
7731f8c868SFan Wu
78e155858dSDeven Bowersendmenu
79e155858dSDeven Bowers
80e155858dSDeven Bowersendif
81