Blame - security/integrity/Kconfig - kernel/msm-4.9

blob: 21d756832b754322f71722f6b0857294e1a5ffd2 [file] [log] [blame]

Mimi Zohar	f381c27	2011-03-09 14:13:22 -0500	[diff] [blame]	1	#
				2	config INTEGRITY
Dmitry Kasatkin	7ef84e6	2014-04-17 15:07:15 +0300	[diff] [blame]	3	bool "Integrity subsystem"
				4	depends on SECURITY
				5	default y
				6	help
				7	This option enables the integrity subsystem, which is comprised
				8	of a number of different components including the Integrity
				9	Measurement Architecture (IMA), Extended Verification Module
				10	(EVM), IMA-appraisal extension, digital signature verification
				11	extension and audit measurement log support.
				12
				13	Each of these components can be enabled/disabled separately.
				14	Refer to the individual components for additional details.
				15
				16	if INTEGRITY
Mimi Zohar	f381c27	2011-03-09 14:13:22 -0500	[diff] [blame]	17
Dmitry Kasatkin	f1be242	2012-01-17 17:12:07 +0200	[diff] [blame]	18	config INTEGRITY_SIGNATURE
Christoph Jaeger	6341e62	2014-12-20 15:41:11 -0500	[diff] [blame]	19	bool "Digital signature verification using multiple keyrings"
Dmitry Kasatkin	7ef84e6	2014-04-17 15:07:15 +0300	[diff] [blame]	20	depends on KEYS
Dmitry Kasatkin	8607c50	2011-10-05 11:54:46 +0300	[diff] [blame]	21	default n
Dmitry Kasatkin	5e8898e	2012-01-17 17:12:03 +0200	[diff] [blame]	22	select SIGNATURE
Dmitry Kasatkin	8607c50	2011-10-05 11:54:46 +0300	[diff] [blame]	23	help
				24	This option enables digital signature verification support
				25	using multiple keyrings. It defines separate keyrings for each
				26	of the different use cases - evm, ima, and modules.
				27	Different keyrings improves search performance, but also allow
				28	to "lock" certain keyring to prevent adding new keys.
				29	This is useful for evm and module keyrings, when keys are
				30	usually only added from initramfs.
				31
Dmitry Kasatkin	1ae8f41	2014-04-17 14:41:06 +0300	[diff] [blame]	32	config INTEGRITY_ASYMMETRIC_KEYS
Christoph Jaeger	6341e62	2014-12-20 15:41:11 -0500	[diff] [blame]	33	bool "Enable asymmetric keys support"
Dmitry Kasatkin	1ae8f41	2014-04-17 14:41:06 +0300	[diff] [blame]	34	depends on INTEGRITY_SIGNATURE
				35	default n
				36	select ASYMMETRIC_KEY_TYPE
				37	select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
				38	select PUBLIC_KEY_ALGO_RSA
				39	select X509_CERTIFICATE_PARSER
				40	help
				41	This option enables digital signature verification using
				42	asymmetric keys.
				43
Dmitry Kasatkin	f4dc377	2015-10-22 21:26:10 +0300	[diff] [blame]	44	config INTEGRITY_TRUSTED_KEYRING
				45	bool "Require all keys on the integrity keyrings be signed"
				46	depends on SYSTEM_TRUSTED_KEYRING
				47	depends on INTEGRITY_ASYMMETRIC_KEYS
				48	select KEYS_DEBUG_PROC_KEYS
				49	default y
				50	help
				51	This option requires that all keys added to the .ima and
				52	.evm keyrings be signed by a key on the system trusted
				53	keyring.
				54
Mimi Zohar	d726d8d	2013-03-18 14:48:02 -0400	[diff] [blame]	55	config INTEGRITY_AUDIT
				56	bool "Enables integrity auditing support "
Dmitry Kasatkin	7ef84e6	2014-04-17 15:07:15 +0300	[diff] [blame]	57	depends on AUDIT
Mimi Zohar	d726d8d	2013-03-18 14:48:02 -0400	[diff] [blame]	58	default y
				59	help
				60	In addition to enabling integrity auditing support, this
				61	option adds a kernel parameter 'integrity_audit', which
				62	controls the level of integrity auditing messages.
				63	0 - basic integrity auditing messages (default)
				64	1 - additional integrity auditing messages
				65
				66	Additional informational integrity auditing messages would
				67	be enabled by specifying 'integrity_audit=1' on the kernel
				68	command line.
				69
Mimi Zohar	f381c27	2011-03-09 14:13:22 -0500	[diff] [blame]	70	source security/integrity/ima/Kconfig
Mimi Zohar	66dbc325	2011-03-15 16:12:09 -0400	[diff] [blame]	71	source security/integrity/evm/Kconfig
Dmitry Kasatkin	7ef84e6	2014-04-17 15:07:15 +0300	[diff] [blame]	72
				73	endif # if INTEGRITY