Greg Kroah-Hartman | b244131 | 2017-11-01 15:07:57 +0100 | [diff] [blame] | 1 | # SPDX-License-Identifier: GPL-2.0 |
David Howells | cfc411e | 2015-08-14 15:20:41 +0100 | [diff] [blame] | 2 | menu "Certificates for signature checking" |
| 3 | |
| 4 | config MODULE_SIG_KEY |
| 5 | string "File name or PKCS#11 URI of module signing key" |
| 6 | default "certs/signing_key.pem" |
| 7 | depends on MODULE_SIG |
| 8 | help |
| 9 | Provide the file name of a private key/certificate in PEM format, |
| 10 | or a PKCS#11 URI according to RFC7512. The file should contain, or |
| 11 | the URI should identify, both the certificate and its corresponding |
| 12 | private key. |
| 13 | |
| 14 | If this option is unchanged from its default "certs/signing_key.pem", |
| 15 | then the kernel will automatically generate the private key and |
| 16 | certificate as described in Documentation/module-signing.txt |
| 17 | |
| 18 | config SYSTEM_TRUSTED_KEYRING |
| 19 | bool "Provide system-wide ring of trusted keys" |
| 20 | depends on KEYS |
David Howells | 99716b7 | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 21 | depends on ASYMMETRIC_KEY_TYPE |
David Howells | cfc411e | 2015-08-14 15:20:41 +0100 | [diff] [blame] | 22 | help |
| 23 | Provide a system keyring to which trusted keys can be added. Keys in |
| 24 | the keyring are considered to be trusted. Keys may be added at will |
| 25 | by the kernel from compiled-in data and from hardware key stores, but |
| 26 | userspace may only add extra keys if those keys can be verified by |
| 27 | keys already in the keyring. |
| 28 | |
| 29 | Keys in this keyring are used by module signature checking. |
| 30 | |
| 31 | config SYSTEM_TRUSTED_KEYS |
| 32 | string "Additional X.509 keys for default system keyring" |
| 33 | depends on SYSTEM_TRUSTED_KEYRING |
| 34 | help |
| 35 | If set, this option should be the filename of a PEM-formatted file |
| 36 | containing trusted X.509 certificates to be included in the default |
| 37 | system keyring. Any certificate used for module signing is implicitly |
| 38 | also trusted. |
| 39 | |
| 40 | NOTE: If you previously provided keys for the system keyring in the |
| 41 | form of DER-encoded *.x509 files in the top-level build directory, |
| 42 | those are no longer used. You will need to set this option instead. |
| 43 | |
Mehmet Kayaalp | c4c3610 | 2015-11-24 16:18:05 -0500 | [diff] [blame] | 44 | config SYSTEM_EXTRA_CERTIFICATE |
| 45 | bool "Reserve area for inserting a certificate without recompiling" |
| 46 | depends on SYSTEM_TRUSTED_KEYRING |
| 47 | help |
| 48 | If set, space for an extra certificate will be reserved in the kernel |
| 49 | image. This allows introducing a trusted certificate to the default |
| 50 | system keyring without recompiling the kernel. |
| 51 | |
| 52 | config SYSTEM_EXTRA_CERTIFICATE_SIZE |
| 53 | int "Number of bytes to reserve for the extra certificate" |
| 54 | depends on SYSTEM_EXTRA_CERTIFICATE |
| 55 | default 4096 |
| 56 | help |
| 57 | This is the number of bytes reserved in the kernel image for a |
| 58 | certificate to be inserted. |
| 59 | |
David Howells | d3bfe84 | 2016-04-06 16:14:27 +0100 | [diff] [blame] | 60 | config SECONDARY_TRUSTED_KEYRING |
| 61 | bool "Provide a keyring to which extra trustable keys may be added" |
| 62 | depends on SYSTEM_TRUSTED_KEYRING |
| 63 | help |
| 64 | If set, provide a keyring to which extra keys may be added, provided |
| 65 | those keys are not blacklisted and are vouched for by a key built |
| 66 | into the kernel or already in the secondary trusted keyring. |
| 67 | |
David Howells | 734114f | 2017-04-03 16:07:24 +0100 | [diff] [blame] | 68 | config SYSTEM_BLACKLIST_KEYRING |
| 69 | bool "Provide system-wide ring of blacklisted keys" |
| 70 | depends on KEYS |
| 71 | help |
| 72 | Provide a system keyring to which blacklisted keys can be added. |
| 73 | Keys in the keyring are considered entirely untrusted. Keys in this |
| 74 | keyring are used by the module signature checking to reject loading |
| 75 | of modules signed with a blacklisted key. |
| 76 | |
| 77 | config SYSTEM_BLACKLIST_HASH_LIST |
| 78 | string "Hashes to be preloaded into the system blacklist keyring" |
| 79 | depends on SYSTEM_BLACKLIST_KEYRING |
| 80 | help |
| 81 | If set, this option should be the filename of a list of hashes in the |
| 82 | form "<hash>", "<hash>", ... . This will be included into a C |
| 83 | wrapper to incorporate the list into the kernel. Each <hash> should |
| 84 | be a string of hex digits. |
| 85 | |
David Howells | cfc411e | 2015-08-14 15:20:41 +0100 | [diff] [blame] | 86 | endmenu |