Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   1) # SPDX-License-Identifier: GPL-2.0
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   2) menu "Certificates for signature checking"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   3) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   4) config MODULE_SIG_KEY
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   5) 	string "File name or PKCS#11 URI of module signing key"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   6) 	default "certs/signing_key.pem"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   7) 	depends on MODULE_SIG
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   8) 	help
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300   9)          Provide the file name of a private key/certificate in PEM format,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  10)          or a PKCS#11 URI according to RFC7512. The file should contain, or
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  11)          the URI should identify, both the certificate and its corresponding
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  12)          private key.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  13) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  14)          If this option is unchanged from its default "certs/signing_key.pem",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  15)          then the kernel will automatically generate the private key and
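^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  16)          certificate as described in Documentation/admin-guide/module-signing.rst. The generated private key is written to that path in the build tree; restrict access to it, because modules signed with it are trusted by this kernel.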
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  17) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  18) config SYSTEM_TRUSTED_KEYRING
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  19) 	bool "Provide system-wide ring of trusted keys"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  20) 	depends on KEYS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  21) 	depends on ASYMMETRIC_KEY_TYPE
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  22) 	help
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  23) 	  Provide a system keyring to which trusted keys can be added.  Keys in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  24) 	  the keyring are considered to be trusted.  Keys may be added at will
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  25) 	  by the kernel from compiled-in data and from hardware key stores, but
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  26) 	  userspace may only add extra keys if those keys can be verified by
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  27) 	  keys already in the keyring.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  28) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  29) 	  Keys in this keyring are used by module signature checking.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  30) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  31) config SYSTEM_TRUSTED_KEYS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  32) 	string "Additional X.509 keys for default system keyring"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  33) 	depends on SYSTEM_TRUSTED_KEYRING
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  34) 	help
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  35) 	  If set, this option should be the filename of a PEM-formatted file
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  36) 	  containing trusted X.509 certificates to be included in the default
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  37) 	  system keyring. Any certificate used for module signing is implicitly
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  38) 	  also trusted.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  39) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  40) 	  NOTE: If you previously provided keys for the system keyring in the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  41) 	  form of DER-encoded *.x509 files in the top-level build directory,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  42) 	  those are no longer used. You will need to set this option instead.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  43) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  44) config SYSTEM_EXTRA_CERTIFICATE
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  45) 	bool "Reserve area for inserting a certificate without recompiling"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  46) 	depends on SYSTEM_TRUSTED_KEYRING
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  47) 	help
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  48) 	  If set, space for an extra certificate will be reserved in the kernel
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  49) 	  image. This allows introducing a trusted certificate to the default
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  50) 	  system keyring without recompiling the kernel.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  51) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  52) config SYSTEM_EXTRA_CERTIFICATE_SIZE
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  53) 	int "Number of bytes to reserve for the extra certificate"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  54) 	depends on SYSTEM_EXTRA_CERTIFICATE
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  55) 	default 4096
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  56) 	help
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  57) 	  This is the number of bytes reserved in the kernel image for a
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  58) 	  certificate to be inserted.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  59) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  60) config SECONDARY_TRUSTED_KEYRING
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  61) 	bool "Provide a keyring to which extra trustable keys may be added"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  62) 	depends on SYSTEM_TRUSTED_KEYRING
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  63) 	help
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  64) 	  If set, provide a keyring to which extra keys may be added, provided
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  65) 	  those keys are not blacklisted and are vouched for by a key built
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  66) 	  into the kernel or already in the secondary trusted keyring.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  67) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  68) config SYSTEM_BLACKLIST_KEYRING
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  69) 	bool "Provide system-wide ring of blacklisted keys"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  70) 	depends on KEYS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  71) 	help
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  72) 	  Provide a system keyring to which blacklisted keys can be added.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  73) 	  Keys in the keyring are considered entirely untrusted.  Keys in this
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  74) 	  keyring are used by module signature checking to reject loading
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  75) 	  of modules signed with a blacklisted key.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  76) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  77) config SYSTEM_BLACKLIST_HASH_LIST
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  78) 	string "Hashes to be preloaded into the system blacklist keyring"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  79) 	depends on SYSTEM_BLACKLIST_KEYRING
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  80) 	help
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  81) 	  If set, this option should be the filename of a list of hashes in the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  82) 	  form "<hash>", "<hash>", ... .  This will be included into a C
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  83) 	  wrapper to incorporate the list into the kernel.  Each <hash> should
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  84) 	  be a string of hex digits.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  85) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  86) config SYSTEM_REVOCATION_LIST
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  87) 	bool "Provide system-wide ring of revocation certificates"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  88) 	depends on SYSTEM_BLACKLIST_KEYRING
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  89) 	depends on PKCS7_MESSAGE_PARSER=y
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  90) 	help
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  91) 	  If set, this allows revocation certificates to be stored in the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  92) 	  blacklist keyring and implements a hook whereby a PKCS#7 message can
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  93) 	  be checked to see if it matches such a certificate.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  94) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  95) config SYSTEM_REVOCATION_KEYS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  96) 	string "X.509 certificates to be preloaded into the system blacklist keyring"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  97) 	depends on SYSTEM_REVOCATION_LIST
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  98) 	help
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  99) 	  If set, this option should be the filename of a PEM-formatted file
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 100) 	  containing X.509 certificates to be included in the default blacklist
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 101) 	  keyring.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 102) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 103) endmenu