# SPDX-License-Identifier: GPL-2.0
menu "Certificates for signature checking"

config MODULE_SIG_KEY
	string "File name or PKCS#11 URI of module signing key"
	default "certs/signing_key.pem"
	depends on MODULE_SIG
	help
	  Provide the file name of a private key/certificate in PEM format,
	  or a PKCS#11 URI according to RFC7512. The file should contain, or
	  the URI should identify, both the certificate and its corresponding
	  private key.

	  If this option is unchanged from its default "certs/signing_key.pem",
	  then the kernel will automatically generate the private key and
	  certificate as described in Documentation/admin-guide/module-signing.rst

choice
	prompt "Type of module signing key to be generated"
	default MODULE_SIG_KEY_TYPE_RSA
	help
	  The type of module signing key to generate. This option
	  does not apply if a PKCS#11 URI is used.

config MODULE_SIG_KEY_TYPE_RSA
	bool "RSA"
	depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES)
	help
	  Use an RSA key for module signing.

config MODULE_SIG_KEY_TYPE_ECDSA
	bool "ECDSA"
	select CRYPTO_ECDSA
	depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES)
	help
	  Use an elliptic curve key (NIST P384) for module signing. Consider
	  using a strong hash like sha256 or sha384 for hashing modules.

	  Note: Remove all ECDSA signing keys, e.g. certs/signing_key.pem,
	  when falling back to building Linux 5.14 and older kernels.

endchoice

config SYSTEM_TRUSTED_KEYRING
	bool "Provide system-wide ring of trusted keys"
	depends on KEYS
	depends on ASYMMETRIC_KEY_TYPE
	help
	  Provide a system keyring to which trusted keys can be added. Keys in
	  the keyring are considered to be trusted. Keys may be added at will
	  by the kernel from compiled-in data and from hardware key stores, but
	  userspace may only add extra keys if those keys can be verified by
	  keys already in the keyring.

	  Keys in this keyring are used by module signature checking.

config SYSTEM_TRUSTED_KEYS
	string "Additional X.509 keys for default system keyring"
	depends on SYSTEM_TRUSTED_KEYRING
	help
	  If set, this option should be the filename of a PEM-formatted file
	  containing trusted X.509 certificates to be included in the default
	  system keyring. Any certificate used for module signing is implicitly
	  also trusted.

	  NOTE: If you previously provided keys for the system keyring in the
	  form of DER-encoded *.x509 files in the top-level build directory,
	  those are no longer used. You will need to set this option instead.

config SYSTEM_EXTRA_CERTIFICATE
	bool "Reserve area for inserting a certificate without recompiling"
	depends on SYSTEM_TRUSTED_KEYRING
	help
	  If set, space for an extra certificate will be reserved in the kernel
	  image. This allows introducing a trusted certificate to the default
	  system keyring without recompiling the kernel.

config SYSTEM_EXTRA_CERTIFICATE_SIZE
	int "Number of bytes to reserve for the extra certificate"
	depends on SYSTEM_EXTRA_CERTIFICATE
	default 4096
	help
	  This is the number of bytes reserved in the kernel image for a
	  certificate to be inserted.

config SECONDARY_TRUSTED_KEYRING
	bool "Provide a keyring to which extra trustable keys may be added"
	depends on SYSTEM_TRUSTED_KEYRING
	help
	  If set, provide a keyring to which extra keys may be added, provided
	  those keys are not blacklisted and are vouched for by a key built
	  into the kernel or already in the secondary trusted keyring.

config SYSTEM_BLACKLIST_KEYRING
	bool "Provide system-wide ring of blacklisted keys"
	depends on KEYS
	help
	  Provide a system keyring to which blacklisted keys can be added.
	  Keys in the keyring are considered entirely untrusted. Keys in this
	  keyring are used by the module signature checking to reject loading
	  of modules signed with a blacklisted key.

config SYSTEM_BLACKLIST_HASH_LIST
	string "Hashes to be preloaded into the system blacklist keyring"
	depends on SYSTEM_BLACKLIST_KEYRING
	help
	  If set, this option should be the filename of a list of hashes in the
	  form "<hash>", "<hash>", ... . This will be included into a C
	  wrapper to incorporate the list into the kernel. Each <hash> should
	  be a string of hex digits.

config SYSTEM_REVOCATION_LIST
	bool "Provide system-wide ring of revocation certificates"
	depends on SYSTEM_BLACKLIST_KEYRING
	depends on PKCS7_MESSAGE_PARSER=y
	help
	  If set, this allows revocation certificates to be stored in the
	  blacklist keyring and implements a hook whereby a PKCS#7 message can
	  be checked to see if it matches such a certificate.

config SYSTEM_REVOCATION_KEYS
	string "X.509 certificates to be preloaded into the system blacklist keyring"
	depends on SYSTEM_REVOCATION_LIST
	help
	  If set, this option should be the filename of a PEM-formatted file
	  containing X.509 certificates to be included in the default blacklist
	  keyring.

endmenu
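
# Added example, not part of the kernel source: a checker that applies the
# "depends on" lines of this file to a .config or config fragment and reports
# options that would be dropped because a dependency is unmet (for instance
# SYSTEM_REVOCATION_LIST when PKCS7_MESSAGE_PARSER is =m rather than =y).
# Assumptions: the helper names, the sample fragment and its .pem path are
# constructed here; "select" statements and defaults from other Kconfig files
# are not modelled.

```python
import re

def on(c, sym):
    return c.get(sym) in ("y", "m")
def modsig(c):
    return on(c, "MODULE_SIG") or (on(c, "IMA_APPRAISE_MODSIG") and on(c, "MODULES"))

# "depends on" lines transcribed from the Kconfig above; c is the parsed config.
DEPS = {
    "MODULE_SIG_KEY": lambda c: on(c, "MODULE_SIG"),
    "MODULE_SIG_KEY_TYPE_RSA": modsig,
    "MODULE_SIG_KEY_TYPE_ECDSA": modsig,
    "SYSTEM_TRUSTED_KEYRING": lambda c: on(c, "KEYS") and on(c, "ASYMMETRIC_KEY_TYPE"),
    "SYSTEM_TRUSTED_KEYS": lambda c: on(c, "SYSTEM_TRUSTED_KEYRING"),
    "SYSTEM_EXTRA_CERTIFICATE": lambda c: on(c, "SYSTEM_TRUSTED_KEYRING"),
    "SYSTEM_EXTRA_CERTIFICATE_SIZE": lambda c: on(c, "SYSTEM_EXTRA_CERTIFICATE"),
    "SECONDARY_TRUSTED_KEYRING": lambda c: on(c, "SYSTEM_TRUSTED_KEYRING"),
    "SYSTEM_BLACKLIST_KEYRING": lambda c: on(c, "KEYS"),
    "SYSTEM_BLACKLIST_HASH_LIST": lambda c: on(c, "SYSTEM_BLACKLIST_KEYRING"),
    # PKCS7_MESSAGE_PARSER must be built in (=y); =m does not satisfy it.
    "SYSTEM_REVOCATION_LIST": lambda c: on(c, "SYSTEM_BLACKLIST_KEYRING")
    and c.get("PKCS7_MESSAGE_PARSER") == "y",
    "SYSTEM_REVOCATION_KEYS": lambda c: on(c, "SYSTEM_REVOCATION_LIST"),
}
DEFAULT_KEY = "certs/signing_key.pem"

def parse_config(text):
    """Map SYMBOL -> value; '# CONFIG_X is not set' lines leave X absent."""
    pairs = re.findall(r"^CONFIG_(\w+)=(.*)$", text, re.M)
    return {sym: val.strip().strip('"') for sym, val in pairs}

def audit(text):
    """Return (symbol, message) findings, dropping options until stable."""
    c, out, changed = parse_config(text), [], True
    while changed:
        changed = False
        for sym, dep_ok in DEPS.items():
            if c.get(sym, "n") not in ("", "n") and not dep_ok(c):
                del c[sym]  # a dropped option can no longer satisfy others
                out.append((sym, "unmet dependency, Kconfig drops this option"))
                changed = True
    if on(c, "MODULE_SIG") and c.get("MODULE_SIG_KEY", DEFAULT_KEY) == DEFAULT_KEY:
        out.append(("MODULE_SIG_KEY", "default path, build auto-generates the key"))
    return out

# Constructed sample fragment (not from a real build); the .pem path is made up.
SAMPLE = ('CONFIG_KEYS=y\nCONFIG_SYSTEM_BLACKLIST_KEYRING=y\n'
          'CONFIG_PKCS7_MESSAGE_PARSER=m\nCONFIG_SYSTEM_REVOCATION_LIST=y\n'
          'CONFIG_SYSTEM_REVOCATION_KEYS="certs/revoked.pem"\n')
if __name__ == "__main__": print(audit(SAMPLE))
```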