Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

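# SPDX-License-Identifier: GPL-2.0-only
#
# Kconfig for the kernel integrity subsystem: the umbrella INTEGRITY switch,
# the signature/keyring options that hang off it, and the IMA and EVM Kconfig
# files sourced at the end.

# Umbrella switch. Requires SECURITY and defaults to on; every option between
# "if INTEGRITY" and "endif" below is only available when this is enabled.
config INTEGRITY
	bool "Integrity subsystem"
	depends on SECURITY
	default y
	help
	  This option enables the integrity subsystem, which is comprised
	  of a number of different components including the Integrity
	  Measurement Architecture (IMA), Extended Verification Module
	  (EVM), IMA-appraisal extension, digital signature verification
	  extension and audit measurement log support.

	  Each of these components can be enabled/disabled separately.
	  Refer to the individual components for additional details.

if INTEGRITY

# Off by default: signature verification has to be enabled explicitly.
# Enabling it forces KEYS and SIGNATURE on through "select".
config INTEGRITY_SIGNATURE
	bool "Digital signature verification using multiple keyrings"
	default n
	select KEYS
	select SIGNATURE
	help
	  This option enables digital signature verification support
	  using multiple keyrings. It defines separate keyrings for each
	  of the different use cases - evm, ima, and modules.
	  Using different keyrings improves search performance and also
	  allows a keyring to be "locked" to prevent new keys from being
	  added. This is useful for the evm and module keyrings, when
	  keys are usually only added from initramfs.

# Off by default and only offered once INTEGRITY_SIGNATURE is set. The
# selects enable the asymmetric key type, its public-key subtype, RSA and
# the X.509 certificate parser whenever this option is turned on.
config INTEGRITY_ASYMMETRIC_KEYS
	bool "Enable asymmetric keys support"
	depends on INTEGRITY_SIGNATURE
	default n
	select ASYMMETRIC_KEY_TYPE
	select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
	select CRYPTO_RSA
	select X509_CERTIFICATE_PARSER
	help
	  This option enables digital signature verification using
	  asymmetric keys.

# Defaults to on, but is only visible when both SYSTEM_TRUSTED_KEYRING and
# INTEGRITY_ASYMMETRIC_KEYS are enabled. Per the help text, this is the
# option that makes keys added to .ima and .evm require a signature from a
# key on the system trusted keyring, so a configuration review should
# confirm it ends up =y wherever IMA/EVM signatures are relied on.
config INTEGRITY_TRUSTED_KEYRING
	bool "Require all keys on the integrity keyrings be signed"
	depends on SYSTEM_TRUSTED_KEYRING
	depends on INTEGRITY_ASYMMETRIC_KEYS
	default y
	help
	  This option requires that all keys added to the .ima and
	  .evm keyrings be signed by a key on the system trusted
	  keyring.

# No default is given here, so this stays off unless it is enabled
# explicitly (or selected from elsewhere). It needs asymmetric key support
# and SYSTEM_BLACKLIST_KEYRING.
config INTEGRITY_PLATFORM_KEYRING
	bool "Provide keyring for platform/firmware trusted keys"
	depends on INTEGRITY_ASYMMETRIC_KEYS
	depends on SYSTEM_BLACKLIST_KEYRING
	help
	  Provide a separate, distinct keyring for platform trusted keys, which
	  the kernel automatically populates during initialization from values
	  provided by the platform for verifying the kexec'ed kernel image
	  and, possibly, the initramfs signature.

# LOAD_UEFI_KEYS and LOAD_IPL_KEYS have no prompt: "def_bool y" turns each
# one on automatically once the platform keyring is enabled and the matching
# platform symbol (EFI, S390) is set. Neither carries help text in this
# file; presumably they build the loaders that populate the platform
# keyring on those platforms - confirm against the Makefile.
config LOAD_UEFI_KEYS
	depends on INTEGRITY_PLATFORM_KEYRING
	depends on EFI
	def_bool y

config LOAD_IPL_KEYS
	depends on INTEGRITY_PLATFORM_KEYRING
	depends on S390
	def_bool y

# Unlike the two loaders above, this one has a prompt and can be switched
# off by the user; it defaults to on when PPC_SECURE_BOOT is enabled.
config LOAD_PPC_KEYS
	bool "Enable loading of platform and blacklisted keys for POWER"
	depends on INTEGRITY_PLATFORM_KEYRING
	depends on PPC_SECURE_BOOT
	default y
	help
	  Enable loading of keys to the .platform keyring and blacklisted
	  hashes to the .blacklist keyring for powerpc based platforms.

# Needs AUDIT and defaults to on. The message level itself is a boot-time
# setting (integrity_audit=0 or 1), as described in the help text.
config INTEGRITY_AUDIT
	bool "Enables integrity auditing support "
	depends on AUDIT
	default y
	help
	  In addition to enabling integrity auditing support, this
	  option adds a kernel parameter 'integrity_audit', which
	  controls the level of integrity auditing messages.
	  0 - basic integrity auditing messages (default)
	  1 - additional integrity auditing messages

	  Additional informational integrity auditing messages would
	  be enabled by specifying 'integrity_audit=1' on the kernel
	  command line.

# The IMA and EVM option files are included inside the "if INTEGRITY"
# block, so their options also depend on INTEGRITY.
source "security/integrity/ima/Kconfig"
source "security/integrity/evm/Kconfig"

endif   # if INTEGRITY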