blob: 979be65d22c4260aad2f7c2a9b3fc0b4247656a2 [file] [log] [blame]
Mimi Zoharf381c272011-03-09 14:13:22 -05001#
2config INTEGRITY
Dmitry Kasatkin7ef84e62014-04-17 15:07:15 +03003 bool "Integrity subsystem"
4 depends on SECURITY
5 default y
6 help
7 This option enables the integrity subsystem, which is comprised
8 of a number of different components including the Integrity
9 Measurement Architecture (IMA), Extended Verification Module
10 (EVM), IMA-appraisal extension, digital signature verification
11 extension and audit measurement log support.
12
13 Each of these components can be enabled/disabled separately.
14 Refer to the individual components for additional details.
15
16if INTEGRITY
Mimi Zoharf381c272011-03-09 14:13:22 -050017
Dmitry Kasatkinf1be2422012-01-17 17:12:07 +020018config INTEGRITY_SIGNATURE
Christoph Jaeger6341e622014-12-20 15:41:11 -050019 bool "Digital signature verification using multiple keyrings"
Dmitry Kasatkin7ef84e62014-04-17 15:07:15 +030020 depends on KEYS
Dmitry Kasatkin8607c502011-10-05 11:54:46 +030021 default n
Dmitry Kasatkin5e8898e2012-01-17 17:12:03 +020022 select SIGNATURE
Dmitry Kasatkin8607c502011-10-05 11:54:46 +030023 help
24 This option enables digital signature verification support
25 using multiple keyrings. It defines separate keyrings for each
26 of the different use cases - evm, ima, and modules.
27 Different keyrings improves search performance, but also allow
28 to "lock" certain keyring to prevent adding new keys.
29 This is useful for evm and module keyrings, when keys are
30 usually only added from initramfs.
31
Dmitry Kasatkin1ae8f412014-04-17 14:41:06 +030032config INTEGRITY_ASYMMETRIC_KEYS
Christoph Jaeger6341e622014-12-20 15:41:11 -050033 bool "Enable asymmetric keys support"
Dmitry Kasatkin1ae8f412014-04-17 14:41:06 +030034 depends on INTEGRITY_SIGNATURE
35 default n
36 select ASYMMETRIC_KEY_TYPE
37 select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
38 select PUBLIC_KEY_ALGO_RSA
Tadeusz Strukeb5798f2016-02-02 10:08:58 -080039 select CRYPTO_RSA
Dmitry Kasatkin1ae8f412014-04-17 14:41:06 +030040 select X509_CERTIFICATE_PARSER
41 help
42 This option enables digital signature verification using
43 asymmetric keys.
44
Dmitry Kasatkinf4dc3772015-10-22 21:26:10 +030045config INTEGRITY_TRUSTED_KEYRING
46 bool "Require all keys on the integrity keyrings be signed"
47 depends on SYSTEM_TRUSTED_KEYRING
48 depends on INTEGRITY_ASYMMETRIC_KEYS
Dmitry Kasatkinf4dc3772015-10-22 21:26:10 +030049 default y
50 help
51 This option requires that all keys added to the .ima and
52 .evm keyrings be signed by a key on the system trusted
53 keyring.
54
Mimi Zohard726d8d2013-03-18 14:48:02 -040055config INTEGRITY_AUDIT
56 bool "Enables integrity auditing support "
Dmitry Kasatkin7ef84e62014-04-17 15:07:15 +030057 depends on AUDIT
Mimi Zohard726d8d2013-03-18 14:48:02 -040058 default y
59 help
60 In addition to enabling integrity auditing support, this
61 option adds a kernel parameter 'integrity_audit', which
62 controls the level of integrity auditing messages.
63 0 - basic integrity auditing messages (default)
64 1 - additional integrity auditing messages
65
66 Additional informational integrity auditing messages would
67 be enabled by specifying 'integrity_audit=1' on the kernel
68 command line.
69
Mimi Zoharf381c272011-03-09 14:13:22 -050070source security/integrity/ima/Kconfig
Mimi Zohar66dbc3252011-03-15 16:12:09 -040071source security/integrity/evm/Kconfig
Dmitry Kasatkin7ef84e62014-04-17 15:07:15 +030072
73endif # if INTEGRITY