Mimi Zohar | f381c27 | 2011-03-09 14:13:22 -0500 | [diff] [blame] | 1 | # |
| 2 | config INTEGRITY |
Dmitry Kasatkin | 7ef84e6 | 2014-04-17 15:07:15 +0300 | [diff] [blame] | 3 | bool "Integrity subsystem" |
| 4 | depends on SECURITY |
| 5 | default y |
| 6 | help |
| 7 | This option enables the integrity subsystem, which is comprised |
| 8 | of a number of different components including the Integrity |
| 9 | Measurement Architecture (IMA), Extended Verification Module |
| 10 | (EVM), IMA-appraisal extension, digital signature verification |
| 11 | extension and audit measurement log support. |
| 12 | |
| 13 | Each of these components can be enabled/disabled separately. |
| 14 | Refer to the individual components for additional details. |
| 15 | |
| 16 | if INTEGRITY |
Mimi Zohar | f381c27 | 2011-03-09 14:13:22 -0500 | [diff] [blame] | 17 | |
Dmitry Kasatkin | f1be242 | 2012-01-17 17:12:07 +0200 | [diff] [blame] | 18 | config INTEGRITY_SIGNATURE |
Christoph Jaeger | 6341e62 | 2014-12-20 15:41:11 -0500 | [diff] [blame] | 19 | bool "Digital signature verification using multiple keyrings" |
Dmitry Kasatkin | 7ef84e6 | 2014-04-17 15:07:15 +0300 | [diff] [blame] | 20 | depends on KEYS |
Dmitry Kasatkin | 8607c50 | 2011-10-05 11:54:46 +0300 | [diff] [blame] | 21 | default n |
Dmitry Kasatkin | 5e8898e | 2012-01-17 17:12:03 +0200 | [diff] [blame] | 22 | select SIGNATURE |
Dmitry Kasatkin | 8607c50 | 2011-10-05 11:54:46 +0300 | [diff] [blame] | 23 | help |
| 24 | This option enables digital signature verification support |
| 25 | using multiple keyrings. It defines separate keyrings for each |
| 26 | of the different use cases - evm, ima, and modules. |
| 27 | Different keyrings improves search performance, but also allow |
| 28 | to "lock" certain keyring to prevent adding new keys. |
| 29 | This is useful for evm and module keyrings, when keys are |
| 30 | usually only added from initramfs. |
| 31 | |
Dmitry Kasatkin | 1ae8f41 | 2014-04-17 14:41:06 +0300 | [diff] [blame] | 32 | config INTEGRITY_ASYMMETRIC_KEYS |
Christoph Jaeger | 6341e62 | 2014-12-20 15:41:11 -0500 | [diff] [blame] | 33 | bool "Enable asymmetric keys support" |
Dmitry Kasatkin | 1ae8f41 | 2014-04-17 14:41:06 +0300 | [diff] [blame] | 34 | depends on INTEGRITY_SIGNATURE |
| 35 | default n |
| 36 | select ASYMMETRIC_KEY_TYPE |
| 37 | select ASYMMETRIC_PUBLIC_KEY_SUBTYPE |
| 38 | select PUBLIC_KEY_ALGO_RSA |
| 39 | select X509_CERTIFICATE_PARSER |
| 40 | help |
| 41 | This option enables digital signature verification using |
| 42 | asymmetric keys. |
| 43 | |
Mimi Zohar | d726d8d | 2013-03-18 14:48:02 -0400 | [diff] [blame] | 44 | config INTEGRITY_AUDIT |
| 45 | bool "Enables integrity auditing support " |
Dmitry Kasatkin | 7ef84e6 | 2014-04-17 15:07:15 +0300 | [diff] [blame] | 46 | depends on AUDIT |
Mimi Zohar | d726d8d | 2013-03-18 14:48:02 -0400 | [diff] [blame] | 47 | default y |
| 48 | help |
| 49 | In addition to enabling integrity auditing support, this |
| 50 | option adds a kernel parameter 'integrity_audit', which |
| 51 | controls the level of integrity auditing messages. |
| 52 | 0 - basic integrity auditing messages (default) |
| 53 | 1 - additional integrity auditing messages |
| 54 | |
| 55 | Additional informational integrity auditing messages would |
| 56 | be enabled by specifying 'integrity_audit=1' on the kernel |
| 57 | command line. |
| 58 | |
Mimi Zohar | f381c27 | 2011-03-09 14:13:22 -0500 | [diff] [blame] | 59 | source security/integrity/ima/Kconfig |
Mimi Zohar | 66dbc325 | 2011-03-15 16:12:09 -0400 | [diff] [blame] | 60 | source security/integrity/evm/Kconfig |
Dmitry Kasatkin | 7ef84e6 | 2014-04-17 15:07:15 +0300 | [diff] [blame] | 61 | |
| 62 | endif # if INTEGRITY |