Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / 66f2c6d9525baa7534640f09f406cd2987e0f287 / . / security / integrity / Kconfig
blob: da9565891738d6c9836804c513595f5f6e238758 [file] [log] [blame]
Mimi Zoharf381c272011-03-09 14:13:22 -0500[diff] [blame]1#
2config INTEGRITY
Dmitry Kasatkin7ef84e62014-04-17 15:07:15 +0300[diff] [blame]3 bool "Integrity subsystem"
4 depends on SECURITY
5 default y
6 help
7 This option enables the integrity subsystem, which is comprised
8 of a number of different components including the Integrity
9 Measurement Architecture (IMA), Extended Verification Module
10 (EVM), IMA-appraisal extension, digital signature verification
11 extension and audit measurement log support.
12
13 Each of these components can be enabled/disabled separately.
14 Refer to the individual components for additional details.
15
16if INTEGRITY
Mimi Zoharf381c272011-03-09 14:13:22 -0500[diff] [blame]17
Dmitry Kasatkinf1be2422012-01-17 17:12:07 +0200[diff] [blame]18config INTEGRITY_SIGNATURE
Christoph Jaeger6341e622014-12-20 15:41:11 -0500[diff] [blame]19 bool "Digital signature verification using multiple keyrings"
Dmitry Kasatkin7ef84e62014-04-17 15:07:15 +0300[diff] [blame]20 depends on KEYS
Dmitry Kasatkin8607c502011-10-05 11:54:46 +0300[diff] [blame]21 default n
Dmitry Kasatkin5e8898e2012-01-17 17:12:03 +0200[diff] [blame]22 select SIGNATURE
Dmitry Kasatkin8607c502011-10-05 11:54:46 +0300[diff] [blame]23 help
24 This option enables digital signature verification support
25 using multiple keyrings. It defines separate keyrings for each
26 of the different use cases - evm, ima, and modules.
27 Different keyrings improves search performance, but also allow
28 to "lock" certain keyring to prevent adding new keys.
29 This is useful for evm and module keyrings, when keys are
30 usually only added from initramfs.
31
Dmitry Kasatkin1ae8f412014-04-17 14:41:06 +0300[diff] [blame]32config INTEGRITY_ASYMMETRIC_KEYS
Christoph Jaeger6341e622014-12-20 15:41:11 -0500[diff] [blame]33 bool "Enable asymmetric keys support"
Dmitry Kasatkin1ae8f412014-04-17 14:41:06 +0300[diff] [blame]34 depends on INTEGRITY_SIGNATURE
35 default n
36 select ASYMMETRIC_KEY_TYPE
37 select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
Tadeusz Strukeb5798f2016-02-02 10:08:58 -0800[diff] [blame]38 select CRYPTO_RSA
Dmitry Kasatkin1ae8f412014-04-17 14:41:06 +0300[diff] [blame]39 select X509_CERTIFICATE_PARSER
40 help
41 This option enables digital signature verification using
42 asymmetric keys.
43
Dmitry Kasatkinf4dc3772015-10-22 21:26:10 +0300[diff] [blame]44config INTEGRITY_TRUSTED_KEYRING
45 bool "Require all keys on the integrity keyrings be signed"
46 depends on SYSTEM_TRUSTED_KEYRING
47 depends on INTEGRITY_ASYMMETRIC_KEYS
Dmitry Kasatkinf4dc3772015-10-22 21:26:10 +0300[diff] [blame]48 default y
49 help
50 This option requires that all keys added to the .ima and
51 .evm keyrings be signed by a key on the system trusted
52 keyring.
53
Mimi Zohard726d8d2013-03-18 14:48:02 -0400[diff] [blame]54config INTEGRITY_AUDIT
55 bool "Enables integrity auditing support "
Dmitry Kasatkin7ef84e62014-04-17 15:07:15 +0300[diff] [blame]56 depends on AUDIT
Mimi Zohard726d8d2013-03-18 14:48:02 -0400[diff] [blame]57 default y
58 help
59 In addition to enabling integrity auditing support, this
60 option adds a kernel parameter 'integrity_audit', which
61 controls the level of integrity auditing messages.
62 0 - basic integrity auditing messages (default)
63 1 - additional integrity auditing messages
64
65 Additional informational integrity auditing messages would
66 be enabled by specifying 'integrity_audit=1' on the kernel
67 command line.
68
Mimi Zoharf381c272011-03-09 14:13:22 -0500[diff] [blame]69source security/integrity/ima/Kconfig
Mimi Zohar66dbc3252011-03-15 16:12:09 -0400[diff] [blame]70source security/integrity/evm/Kconfig
Dmitry Kasatkin7ef84e62014-04-17 15:07:15 +0300[diff] [blame]71
72endif # if INTEGRITY