1ec8f24b7SThomas Gleixner# SPDX-License-Identifier: GPL-2.0-only 2f0894940SDavid Howells# 3f0894940SDavid Howells# Key management configuration 4f0894940SDavid Howells# 5f0894940SDavid Howells 6*8be70a8fSRandy Dunlapmenuconfig KEYS 7f0894940SDavid Howells bool "Enable access key retention support" 8b2a4df20SDavid Howells select ASSOCIATIVE_ARRAY 9f0894940SDavid Howells help 10f0894940SDavid Howells This option provides support for retaining authentication tokens and 11f0894940SDavid Howells access keys in the kernel. 12f0894940SDavid Howells 13f0894940SDavid Howells It also includes provision of methods by which such keys might be 14f0894940SDavid Howells associated with a process so that network filesystems, encryption 15f0894940SDavid Howells support and the like can find them. 16f0894940SDavid Howells 17f0894940SDavid Howells Furthermore, a special type of key is available that acts as keyring: 18f0894940SDavid Howells a searchable sequence of keys. Each process is equipped with access 19f0894940SDavid Howells to five standard keyrings: UID-specific, GID-specific, session, 20f0894940SDavid Howells process and thread. 21f0894940SDavid Howells 22f0894940SDavid Howells If you are unsure as to whether this is required, answer N. 23f0894940SDavid Howells 24*8be70a8fSRandy Dunlapif KEYS 25*8be70a8fSRandy Dunlap 267743c48eSDavid Howellsconfig KEYS_REQUEST_CACHE 277743c48eSDavid Howells bool "Enable temporary caching of the last request_key() result" 287743c48eSDavid Howells help 297743c48eSDavid Howells This option causes the result of the last successful request_key() 307743c48eSDavid Howells call that didn't upcall to the kernel to be cached temporarily in the 317743c48eSDavid Howells task_struct. The cache is cleared by exit and just prior to the 327743c48eSDavid Howells resumption of userspace. 337743c48eSDavid Howells 347743c48eSDavid Howells This allows the key used for multiple step processes where each step 357743c48eSDavid Howells wants to request a key that is likely the same as the one requested 367743c48eSDavid Howells by the last step to save on the searching. 377743c48eSDavid Howells 387743c48eSDavid Howells An example of such a process is a pathwalk through a network 397743c48eSDavid Howells filesystem in which each method needs to request an authentication 407743c48eSDavid Howells key. Pathwalk will call multiple methods for each dentry traversed 417743c48eSDavid Howells (permission, d_revalidate, lookup, getxattr, getacl, ...). 427743c48eSDavid Howells 43f36f8c75SDavid Howellsconfig PERSISTENT_KEYRINGS 44f36f8c75SDavid Howells bool "Enable register of persistent per-UID keyrings" 45f36f8c75SDavid Howells help 46f36f8c75SDavid Howells This option provides a register of persistent per-UID keyrings, 47f36f8c75SDavid Howells primarily aimed at Kerberos key storage. The keyrings are persistent 48f36f8c75SDavid Howells in the sense that they stay around after all processes of that UID 49f36f8c75SDavid Howells have exited, not that they survive the machine being rebooted. 50f36f8c75SDavid Howells 51f36f8c75SDavid Howells A particular keyring may be accessed by either the user whose keyring 52f36f8c75SDavid Howells it is or by a process with administrative privileges. The active 53f36f8c75SDavid Howells LSMs gets to rule on which admin-level processes get to access the 54f36f8c75SDavid Howells cache. 55f36f8c75SDavid Howells 56f36f8c75SDavid Howells Keyrings are created and added into the register upon demand and get 57f36f8c75SDavid Howells removed if they expire (a default timeout is set upon creation). 58f36f8c75SDavid Howells 59ab3c3587SDavid Howellsconfig BIG_KEYS 602eaf6b5dSJosh Boyer bool "Large payload keys" 61ab3c3587SDavid Howells depends on TMPFS 62edc8e80bSArnd Bergmann select CRYPTO_LIB_CHACHA20POLY1305 63ab3c3587SDavid Howells help 64ab3c3587SDavid Howells This option provides support for holding large keys within the kernel 65ab3c3587SDavid Howells (for example Kerberos ticket caches). The data may be stored out to 66ab3c3587SDavid Howells swapspace by tmpfs. 67ab3c3587SDavid Howells 68ab3c3587SDavid Howells If you are unsure as to whether this is required, answer N. 69ab3c3587SDavid Howells 70f0894940SDavid Howellsconfig TRUSTED_KEYS 71f0894940SDavid Howells tristate "TRUSTED KEYS" 72f0894940SDavid Howells help 73f0894940SDavid Howells This option provides support for creating, sealing, and unsealing 74f0894940SDavid Howells keys in the kernel. Trusted keys are random number symmetric keys, 75be07858fSAhmad Fatoum generated and sealed by a trust source selected at kernel boot-time. 76be07858fSAhmad Fatoum Userspace will only ever see encrypted blobs. 77f0894940SDavid Howells 78f0894940SDavid Howells If you are unsure as to whether this is required, answer N. 79f0894940SDavid Howells 80be07858fSAhmad Fatoumif TRUSTED_KEYS 81be07858fSAhmad Fatoumsource "security/keys/trusted-keys/Kconfig" 82be07858fSAhmad Fatoumendif 83be07858fSAhmad Fatoum 84f0894940SDavid Howellsconfig ENCRYPTED_KEYS 85f0894940SDavid Howells tristate "ENCRYPTED KEYS" 86f0894940SDavid Howells select CRYPTO 87f0894940SDavid Howells select CRYPTO_AES 88f0894940SDavid Howells select CRYPTO_CBC 899b8d24a4SEric Biggers select CRYPTO_LIB_SHA256 90f0894940SDavid Howells select CRYPTO_RNG 91f0894940SDavid Howells help 92f0894940SDavid Howells This option provides support for create/encrypting/decrypting keys 93cd3bc044SYael Tzur in the kernel. Encrypted keys are instantiated using kernel 94cd3bc044SYael Tzur generated random numbers or provided decrypted data, and are 95cd3bc044SYael Tzur encrypted/decrypted with a 'master' symmetric key. The 'master' 96cd3bc044SYael Tzur key can be either a trusted-key or user-key type. Only encrypted 97cd3bc044SYael Tzur blobs are ever output to Userspace. 98cd3bc044SYael Tzur 99cd3bc044SYael Tzur If you are unsure as to whether this is required, answer N. 100cd3bc044SYael Tzur 101cd3bc044SYael Tzurconfig USER_DECRYPTED_DATA 102cd3bc044SYael Tzur bool "Allow encrypted keys with user decrypted data" 103cd3bc044SYael Tzur depends on ENCRYPTED_KEYS 104cd3bc044SYael Tzur help 105cd3bc044SYael Tzur This option provides support for instantiating encrypted keys using 106cd3bc044SYael Tzur user-provided decrypted data. The decrypted data must be hex-ascii 107cd3bc044SYael Tzur encoded. 108f0894940SDavid Howells 109f0894940SDavid Howells If you are unsure as to whether this is required, answer N. 110ddbb4114SMat Martineau 111ddbb4114SMat Martineauconfig KEY_DH_OPERATIONS 112ddbb4114SMat Martineau bool "Diffie-Hellman operations on retained keys" 1134cd4ca7cSStephan Müller select CRYPTO 114d3b04a43SStephan Müller select CRYPTO_KDF800108_CTR 1157cbe0932SMat Martineau select CRYPTO_DH 116ddbb4114SMat Martineau help 117ddbb4114SMat Martineau This option provides support for calculating Diffie-Hellman 118ddbb4114SMat Martineau public keys and shared secrets using values stored as keys 119ddbb4114SMat Martineau in the kernel. 120ddbb4114SMat Martineau 121ddbb4114SMat Martineau If you are unsure as to whether this is required, answer N. 122f7e47677SDavid Howells 123f7e47677SDavid Howellsconfig KEY_NOTIFICATIONS 124f7e47677SDavid Howells bool "Provide key/keyring change notifications" 125*8be70a8fSRandy Dunlap depends on WATCH_QUEUE 126f7e47677SDavid Howells help 1278fe62e0cSGabriel Krisman Bertazi This option provides support for getting change notifications 1288fe62e0cSGabriel Krisman Bertazi on keys and keyrings on which the caller has View permission. 1298fe62e0cSGabriel Krisman Bertazi This makes use of pipes to handle the notification buffer and 1308fe62e0cSGabriel Krisman Bertazi provides KEYCTL_WATCH_KEY to enable/disable watches. 131*8be70a8fSRandy Dunlap 132*8be70a8fSRandy Dunlapendif # KEYS 133