18c2ecf20Sopenharmony_ci# SPDX-License-Identifier: GPL-2.0-only
28c2ecf20Sopenharmony_ci#
38c2ecf20Sopenharmony_ciconfig INTEGRITY
48c2ecf20Sopenharmony_ci	bool "Integrity subsystem"
58c2ecf20Sopenharmony_ci	depends on SECURITY
68c2ecf20Sopenharmony_ci	default y
78c2ecf20Sopenharmony_ci	help
88c2ecf20Sopenharmony_ci	  This option enables the integrity subsystem, which is comprised
98c2ecf20Sopenharmony_ci	  of a number of different components including the Integrity
108c2ecf20Sopenharmony_ci	  Measurement Architecture (IMA), Extended Verification Module
118c2ecf20Sopenharmony_ci	  (EVM), IMA-appraisal extension, digital signature verification
128c2ecf20Sopenharmony_ci	  extension and audit measurement log support.
138c2ecf20Sopenharmony_ci
148c2ecf20Sopenharmony_ci	  Each of these components can be enabled/disabled separately.
158c2ecf20Sopenharmony_ci	  Refer to the individual components for additional details.
168c2ecf20Sopenharmony_ci
178c2ecf20Sopenharmony_ciif INTEGRITY
188c2ecf20Sopenharmony_ci
198c2ecf20Sopenharmony_ciconfig INTEGRITY_SIGNATURE
208c2ecf20Sopenharmony_ci	bool "Digital signature verification using multiple keyrings"
218c2ecf20Sopenharmony_ci	default n
228c2ecf20Sopenharmony_ci	select KEYS
238c2ecf20Sopenharmony_ci	select SIGNATURE
248c2ecf20Sopenharmony_ci	help
258c2ecf20Sopenharmony_ci	  This option enables digital signature verification support
268c2ecf20Sopenharmony_ci	  using multiple keyrings. It defines separate keyrings for each
278c2ecf20Sopenharmony_ci	  of the different use cases - evm, ima, and modules.
288c2ecf20Sopenharmony_ci	  Different keyrings improves search performance, but also allow
298c2ecf20Sopenharmony_ci	  to "lock" certain keyring to prevent adding new keys.
308c2ecf20Sopenharmony_ci	  This is useful for evm and module keyrings, when keys are
318c2ecf20Sopenharmony_ci	  usually only added from initramfs.
328c2ecf20Sopenharmony_ci
338c2ecf20Sopenharmony_ciconfig INTEGRITY_ASYMMETRIC_KEYS
348c2ecf20Sopenharmony_ci	bool "Enable asymmetric keys support"
358c2ecf20Sopenharmony_ci	depends on INTEGRITY_SIGNATURE
368c2ecf20Sopenharmony_ci	default n
378c2ecf20Sopenharmony_ci        select ASYMMETRIC_KEY_TYPE
388c2ecf20Sopenharmony_ci        select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
398c2ecf20Sopenharmony_ci        select CRYPTO_RSA
408c2ecf20Sopenharmony_ci        select X509_CERTIFICATE_PARSER
418c2ecf20Sopenharmony_ci	help
428c2ecf20Sopenharmony_ci	  This option enables digital signature verification using
438c2ecf20Sopenharmony_ci	  asymmetric keys.
448c2ecf20Sopenharmony_ci
458c2ecf20Sopenharmony_ciconfig INTEGRITY_TRUSTED_KEYRING
468c2ecf20Sopenharmony_ci	bool "Require all keys on the integrity keyrings be signed"
478c2ecf20Sopenharmony_ci	depends on SYSTEM_TRUSTED_KEYRING
488c2ecf20Sopenharmony_ci	depends on INTEGRITY_ASYMMETRIC_KEYS
498c2ecf20Sopenharmony_ci	default y
508c2ecf20Sopenharmony_ci	help
518c2ecf20Sopenharmony_ci	   This option requires that all keys added to the .ima and
528c2ecf20Sopenharmony_ci	   .evm keyrings be signed by a key on the system trusted
538c2ecf20Sopenharmony_ci	   keyring.
548c2ecf20Sopenharmony_ci
558c2ecf20Sopenharmony_ciconfig INTEGRITY_PLATFORM_KEYRING
568c2ecf20Sopenharmony_ci        bool "Provide keyring for platform/firmware trusted keys"
578c2ecf20Sopenharmony_ci        depends on INTEGRITY_ASYMMETRIC_KEYS
588c2ecf20Sopenharmony_ci        depends on SYSTEM_BLACKLIST_KEYRING
598c2ecf20Sopenharmony_ci        help
608c2ecf20Sopenharmony_ci         Provide a separate, distinct keyring for platform trusted keys, which
618c2ecf20Sopenharmony_ci         the kernel automatically populates during initialization from values
628c2ecf20Sopenharmony_ci         provided by the platform for verifying the kexec'ed kerned image
638c2ecf20Sopenharmony_ci         and, possibly, the initramfs signature.
648c2ecf20Sopenharmony_ci
658c2ecf20Sopenharmony_ciconfig LOAD_UEFI_KEYS
668c2ecf20Sopenharmony_ci       depends on INTEGRITY_PLATFORM_KEYRING
678c2ecf20Sopenharmony_ci       depends on EFI
688c2ecf20Sopenharmony_ci       def_bool y
698c2ecf20Sopenharmony_ci
708c2ecf20Sopenharmony_ciconfig LOAD_IPL_KEYS
718c2ecf20Sopenharmony_ci       depends on INTEGRITY_PLATFORM_KEYRING
728c2ecf20Sopenharmony_ci       depends on S390
738c2ecf20Sopenharmony_ci       def_bool y
748c2ecf20Sopenharmony_ci
758c2ecf20Sopenharmony_ciconfig LOAD_PPC_KEYS
768c2ecf20Sopenharmony_ci	bool "Enable loading of platform and blacklisted keys for POWER"
778c2ecf20Sopenharmony_ci	depends on INTEGRITY_PLATFORM_KEYRING
788c2ecf20Sopenharmony_ci	depends on PPC_SECURE_BOOT
798c2ecf20Sopenharmony_ci	default y
808c2ecf20Sopenharmony_ci	help
818c2ecf20Sopenharmony_ci	  Enable loading of keys to the .platform keyring and blacklisted
828c2ecf20Sopenharmony_ci	  hashes to the .blacklist keyring for powerpc based platforms.
838c2ecf20Sopenharmony_ci
848c2ecf20Sopenharmony_ciconfig INTEGRITY_AUDIT
858c2ecf20Sopenharmony_ci	bool "Enables integrity auditing support "
868c2ecf20Sopenharmony_ci	depends on AUDIT
878c2ecf20Sopenharmony_ci	default y
888c2ecf20Sopenharmony_ci	help
898c2ecf20Sopenharmony_ci	  In addition to enabling integrity auditing support, this
908c2ecf20Sopenharmony_ci	  option adds a kernel parameter 'integrity_audit', which
918c2ecf20Sopenharmony_ci	  controls the level of integrity auditing messages.
928c2ecf20Sopenharmony_ci	  0 - basic integrity auditing messages (default)
938c2ecf20Sopenharmony_ci	  1 - additional integrity auditing messages
948c2ecf20Sopenharmony_ci
958c2ecf20Sopenharmony_ci	  Additional informational integrity auditing messages would
968c2ecf20Sopenharmony_ci	  be enabled by specifying 'integrity_audit=1' on the kernel
978c2ecf20Sopenharmony_ci	  command line.
988c2ecf20Sopenharmony_ci
998c2ecf20Sopenharmony_cisource "security/integrity/ima/Kconfig"
1008c2ecf20Sopenharmony_cisource "security/integrity/evm/Kconfig"
1018c2ecf20Sopenharmony_ci
1028c2ecf20Sopenharmony_ciendif   # if INTEGRITY
103