^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) # SPDX-License-Identifier: GPL-2.0-only
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) #
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) # Key management configuration
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) #
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) config KEYS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7) bool "Enable access key retention support"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8) select ASSOCIATIVE_ARRAY
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9) help
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) This option provides support for retaining authentication tokens and
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) access keys in the kernel.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) It also includes provision of methods by which such keys might be
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) associated with a process so that network filesystems, encryption
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) support and the like can find them.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) Furthermore, a special type of key is available that acts as a keyring:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) a searchable sequence of keys. Each process is equipped with access
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) to five standard keyrings: UID-specific, GID-specific, session,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) process and thread.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) If you are unsure as to whether this is required, answer N.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24) config KEYS_REQUEST_CACHE
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) bool "Enable temporary caching of the last request_key() result"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26) depends on KEYS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27) help
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28) This option causes the result of the last successful request_key()
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29) call that didn't upcall to the kernel to be cached temporarily in the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30) task_struct. The cache is cleared by exit and just prior to the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31) resumption of userspace.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33) This allows multi-step processes, in which each step wants to request
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 34) a key that is likely the same as the one requested by the previous
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 35) step, to save on the searching.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 36)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 37) An example of such a process is a pathwalk through a network
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 38) filesystem in which each method needs to request an authentication
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 39) key. Pathwalk will call multiple methods for each dentry traversed
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40) (permission, d_revalidate, lookup, getxattr, getacl, ...).
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 41)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 42) config PERSISTENT_KEYRINGS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 43) bool "Enable register of persistent per-UID keyrings"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 44) depends on KEYS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 45) help
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 46) This option provides a register of persistent per-UID keyrings,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 47) primarily aimed at Kerberos key storage. The keyrings are persistent
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 48) in the sense that they stay around after all processes of that UID
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 49) have exited, not that they survive the machine being rebooted.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 50)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 51) A particular keyring may be accessed by either the user whose keyring
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 52) it is or by a process with administrative privileges. The active
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 53) LSMs get to rule on which admin-level processes get to access the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 54) cache.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 55)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 56) Keyrings are created and added into the register upon demand and get
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 57) removed if they expire (a default timeout is set upon creation).
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 58)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 59) config BIG_KEYS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 60) bool "Large payload keys"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 61) depends on KEYS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 62) depends on TMPFS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 63) depends on CRYPTO_LIB_CHACHA20POLY1305 = y
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 64) help
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 65) This option provides support for holding large keys within the kernel
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 66) (for example Kerberos ticket caches). The data may be stored out to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 67) swapspace by tmpfs.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 68)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 69) If you are unsure as to whether this is required, answer N.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 70)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 71) config TRUSTED_KEYS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 72) tristate "TRUSTED KEYS"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 73) depends on KEYS && TCG_TPM
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 74) select CRYPTO
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 75) select CRYPTO_HMAC
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 76) select CRYPTO_SHA1
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 77) select CRYPTO_HASH_INFO
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 78) help
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 79) This option provides support for creating, sealing, and unsealing
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 80) keys in the kernel. Trusted keys are random number symmetric keys,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 81) generated and RSA-sealed by the TPM. The TPM only unseals the keys
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 82) if the boot PCRs and other criteria match. Userspace will only ever
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 83) see encrypted blobs.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 84)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 85) If you are unsure as to whether this is required, answer N.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 86)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 87) config ENCRYPTED_KEYS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 88) tristate "ENCRYPTED KEYS"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 89) depends on KEYS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 90) select CRYPTO
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 91) select CRYPTO_HMAC
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 92) select CRYPTO_AES
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 93) select CRYPTO_CBC
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 94) select CRYPTO_SHA256
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 95) select CRYPTO_RNG
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 96) help
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 97) This option provides support for creating/encrypting/decrypting keys
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 98) in the kernel. Encrypted keys are kernel generated random numbers,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 99) which are encrypted/decrypted with a 'master' symmetric key. The
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 100) 'master' key can be either a trusted-key or user-key type.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 101) Userspace only ever sees/stores encrypted blobs.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 102)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 103) If you are unsure as to whether this is required, answer N.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 104)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 105) config KEY_DH_OPERATIONS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 106) bool "Diffie-Hellman operations on retained keys"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 107) depends on KEYS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 108) select CRYPTO
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 109) select CRYPTO_HASH
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 110) select CRYPTO_DH
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 111) help
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 112) This option provides support for calculating Diffie-Hellman
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 113) public keys and shared secrets using values stored as keys
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 114) in the kernel.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 115)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 116) If you are unsure as to whether this is required, answer N.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 117)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 118) config KEY_NOTIFICATIONS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 119) bool "Provide key/keyring change notifications"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 120) depends on KEYS && WATCH_QUEUE
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 121) help
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 122) This option provides support for getting change notifications
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 123) on keys and keyrings on which the caller has View permission.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 124) This makes use of pipes to handle the notification buffer and
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 125) provides KEYCTL_WATCH_KEY to enable/disable watches.
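
Added example, not part of the kernel tree: a POSIX shell check that reads a kernel config fragment and reports which of the options above Kconfig would drop or downgrade because a `depends on` line from this file is unmet. The dependency table is transcribed from the entries above, the function names and the sample fragment are constructed for illustration, and only the direct dependencies listed in this file are checked.

```shell
# Added example (not kernel code). Table transcribed from the "depends on"
# lines above: OPTION:TYPE:DEP[,DEP...]; a "=y" suffix means "must be built in".
KEYS_DEPS='KEYS_REQUEST_CACHE:bool:KEYS
PERSISTENT_KEYRINGS:bool:KEYS
BIG_KEYS:bool:KEYS,TMPFS,CRYPTO_LIB_CHACHA20POLY1305=y
TRUSTED_KEYS:tristate:KEYS,TCG_TPM
ENCRYPTED_KEYS:tristate:KEYS
KEY_DH_OPERATIONS:bool:KEYS
KEY_NOTIFICATIONS:bool:KEYS,WATCH_QUEUE'

# cfg_value FILE NAME: print y or m if CONFIG_NAME is set that way, else n
# ("# CONFIG_NAME is not set" and a missing symbol both count as n).
cfg_value() {
    v=$(sed -n "s/^CONFIG_$2=\([ym]\)[[:space:]]*\$/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${v:-n}"
}

# audit_keys_config FILE: print one line per requested option that Kconfig
# would drop or downgrade because a dependency listed above is not met.
audit_keys_config() {
    printf '%s\n' "$KEYS_DEPS" | while IFS=: read -r opt type deps; do
        val=$(cfg_value "$1" "$opt")
        [ "$val" = n ] && continue
        for dep in $(printf '%s' "$deps" | tr ',' ' '); do
            name=${dep%=y}
            dval=$(cfg_value "$1" "$name")
            if [ "$dval" = n ]; then
                echo "DROP $opt=$val: needs $name"
            elif [ "$dep" != "$name" ] && [ "$dval" != y ]; then
                echo "DROP $opt=$val: needs $name=y, found $dval"
            elif [ "$type" = tristate ] && [ "$val" = y ] && [ "$dval" = m ]; then
                echo "DOWNGRADE $opt=y to m: $name=m"
            fi
        done
    done
}

# Constructed sample fragment (not taken from a real build).
SAMPLE_FRAGMENT='CONFIG_KEYS=y
CONFIG_TMPFS=y
CONFIG_TCG_TPM=m
CONFIG_TRUSTED_KEYS=y
CONFIG_CRYPTO_LIB_CHACHA20POLY1305=m
CONFIG_BIG_KEYS=y
# CONFIG_WATCH_QUEUE is not set
CONFIG_KEY_NOTIFICATIONS=y'

# Audit the file named on the command line, if any.
if [ "$#" -gt 0 ]; then audit_keys_config "$1"; fi
```

Run it against a hand-written fragment before merging it into a build, since Kconfig resolves unmet dependencies silently and a hardening option such as TRUSTED_KEYS can disappear from the final `.config` without an error.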