# SPDX-License-Identifier: GPL-2.0-only
#
# Key management configuration
#

config KEYS
	bool "Enable access key retention support"
	select ASSOCIATIVE_ARRAY
	help
	  This option provides support for retaining authentication tokens and
	  access keys in the kernel.

	  It also includes provision of methods by which such keys might be
	  associated with a process so that network filesystems, encryption
	  support and the like can find them.

	  Furthermore, a special type of key is available that acts as keyring:
	  a searchable sequence of keys.  Each process is equipped with access
	  to five standard keyrings: thread, process, session, UID-specific and
	  the UID's default session keyring.  (A GID-specific keyring ID is
	  reserved but not implemented.)

	  If you are unsure as to whether this is required, answer N.

config KEYS_REQUEST_CACHE
	bool "Enable temporary caching of the last request_key() result"
	depends on KEYS
	help
	  This option causes the result of the last successful request_key()
	  call that didn't need an upcall to userspace to be cached temporarily
	  in the task_struct.  The cache is cleared by exit and just prior to
	  the resumption of userspace.

	  This lets a multi-step operation, in which each step requests a key
	  that is very likely the same one the previous step requested, skip
	  the repeated keyring search.

	  An example of such an operation is a pathwalk through a network
	  filesystem in which each method needs to request an authentication
	  key.  Pathwalk will call multiple methods for each dentry traversed
	  (permission, d_revalidate, lookup, getxattr, getacl, ...).

config PERSISTENT_KEYRINGS
	bool "Enable register of persistent per-UID keyrings"
	depends on KEYS
	help
	  This option provides a register of persistent per-UID keyrings,
	  primarily aimed at Kerberos key storage.  The keyrings are persistent
	  in the sense that they stay around after all processes of that UID
	  have exited, not that they survive the machine being rebooted.

	  A particular keyring may be accessed by either the user whose keyring
	  it is or by a process with administrative privileges.  The active
	  LSMs get to rule on which admin-level processes get to access the
	  register.

	  Keyrings are created and added into the register upon demand and get
	  removed if they expire (a default timeout is set upon creation).
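
The KEYS entries above describe keys, keyrings and the per-process search that request_key() performs, but show no userspace interaction. The following is an added example, not part of this Kconfig or of the kernel tree: a C program that drives the key retention service through the raw add_key(2) and keyctl(2) system calls (so it needs no libkeyutils), adds a "user" key to the session keyring, tightens its permission mask so that group and "other" get nothing, reads it back, finds it with the same keyring search request_key() does, and finally revokes it. The key description "keyconfig-demo" and its payload are constructed for the example; the KEY_POS_*/KEY_USR_* bit values are copied from the kernel's include/linux/key.h because the uapi header does not export them.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/keyctl.h>	/* KEYCTL_* commands and KEY_SPEC_* keyring ids */

typedef int32_t key_serial_t;

/* Permission bits as in the kernel's include/linux/key.h (not in the uapi header). */
#define KEY_POS_ALL	0x3f000000u	/* possessor: view/read/write/search/link/setattr */
#define KEY_USR_VIEW	0x00010000u
#define KEY_USR_READ	0x00020000u
#define KEY_GRP_ALL	0x00003f00u
#define KEY_OTH_ALL	0x0000003fu

static key_serial_t sys_add_key(const char *type, const char *desc, const void *payload,
				size_t plen, key_serial_t ring)
{
	return (key_serial_t)syscall(__NR_add_key, type, desc, payload, plen, ring);
}

static long sys_keyctl(int cmd, unsigned long a2, unsigned long a3, unsigned long a4)
{
	return syscall(__NR_keyctl, cmd, a2, a3, a4, 0UL);
}

/* KEYCTL_DESCRIBE yields "type;uid;gid;perm;description" with perm as eight hex
 * digits; return that permission mask, or -1 if the string is malformed. */
static long key_perm_from_describe(const char *desc)
{
	const char *p = desc;
	char *end;
	unsigned long perm;

	for (int i = 0; i < 3; i++, p++)
		if (!(p = strchr(p, ';')))
			return -1;
	perm = strtoul(p, &end, 16);
	return (end == p || *end != ';' || perm > 0xffffffffUL) ? -1 : (long)perm;
}

/* Add a "user" key to the session keyring, tighten its permissions, confirm it
 * still reads back and is found by the keyring search request_key() performs,
 * then revoke it and confirm it is unusable.  Returns 0, or -errno of the
 * first failing call; the KEYCTL_DESCRIBE string is left in desc_out. */
static int key_demo(char *desc_out, size_t desc_sz)
{
	static const char payload[] = "constructed-secret-token";	/* constructed sample */
	const size_t plen = sizeof(payload) - 1;
	/* Possessor keeps everything; the owning UID may only view and read (from
	 * any of its processes); group and other get nothing at all. */
	const uint32_t perm = KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ;
	char buf[64];
	long n;
	int rc = 0;
	key_serial_t key = sys_add_key("user", "keyconfig-demo", payload, plen,
				       KEY_SPEC_SESSION_KEYRING);
	if (key < 0)
		return -errno;
	if (sys_keyctl(KEYCTL_SETPERM, key, perm, 0) < 0) { rc = -errno; goto out; }
	n = sys_keyctl(KEYCTL_READ, key, (unsigned long)buf, sizeof(buf));
	if (n < 0) { rc = -errno; goto out; }
	if ((size_t)n != plen || memcmp(buf, payload, plen)) { rc = -EIO; goto out; }
	n = sys_keyctl(KEYCTL_SEARCH, KEY_SPEC_SESSION_KEYRING, (unsigned long)"user",
		       (unsigned long)"keyconfig-demo");	/* destringid 0: do not link */
	if (n < 0) { rc = -errno; goto out; }
	if (n != key) { rc = -EIO; goto out; }
	memset(desc_out, 0, desc_sz);
	if (sys_keyctl(KEYCTL_DESCRIBE, key, (unsigned long)desc_out, desc_sz - 1) < 0) {
		rc = -errno; goto out;
	}
	/* Revocation is the response to a compromised credential: the key object
	 * lingers until garbage-collected, but every operation on it now fails. */
	if (sys_keyctl(KEYCTL_REVOKE, key, 0, 0) < 0) { rc = -errno; goto out; }
	if (sys_keyctl(KEYCTL_READ, key, (unsigned long)buf, sizeof(buf)) >= 0)
		rc = -EIO;
out:
	sys_keyctl(KEYCTL_UNLINK, key, KEY_SPEC_SESSION_KEYRING, 0);	/* cleanup */
	return rc;
}

int main(void)
{
	char desc[256];
	int rc = key_demo(desc, sizeof(desc));

	if (rc) {	/* e.g. CONFIG_KEYS=n, or a sandbox that filters the syscalls */
		fprintf(stderr, "key_demo: %s\n", strerror(-rc));
		return 1;
	}
	printf("%s\ngroup/other permission bits: %lx\n", desc,
	       (unsigned long)key_perm_from_describe(desc) & (KEY_GRP_ALL | KEY_OTH_ALL));
	return 0;
}
```

On a kernel with CONFIG_KEYS the program prints the describe string and a zero group/other mask; where the key service is absent or add_key/keyctl are filtered (a container seccomp profile, for instance) it reports the errno instead. The KEYCTL_SEARCH step is the same keyring walk request_key() performs, and it is exactly that repeated walk which KEYS_REQUEST_CACHE short-circuits for the pathwalk case described above.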

config BIG_KEYS
	bool "Large payload keys"
	depends on KEYS
	depends on TMPFS
	depends on CRYPTO_LIB_CHACHA20POLY1305 = y
	help
	  This option provides support for holding large keys within the kernel
	  (for example Kerberos ticket caches).  The data may be stored out to
	  swapspace by tmpfs; it is encrypted with ChaCha20-Poly1305 before it
	  is written there, which is why that library is required.

	  If you are unsure as to whether this is required, answer N.

config TRUSTED_KEYS
	tristate "TRUSTED KEYS"
	depends on KEYS && TCG_TPM
	select CRYPTO
	select CRYPTO_HMAC
	select CRYPTO_SHA1
	select CRYPTO_HASH_INFO
	help
	  This option provides support for creating, sealing, and unsealing
	  keys in the kernel.  Trusted keys are random number symmetric keys,
	  generated and RSA-sealed by the TPM.  The TPM only unseals the keys
	  if the boot PCRs and other criteria match.  Userspace will only ever
	  see encrypted blobs.

	  If you are unsure as to whether this is required, answer N.

config ENCRYPTED_KEYS
	tristate "ENCRYPTED KEYS"
	depends on KEYS
	select CRYPTO
	select CRYPTO_HMAC
	select CRYPTO_AES
	select CRYPTO_CBC
	select CRYPTO_SHA256
	select CRYPTO_RNG
	help
	  This option provides support for creating/encrypting/decrypting keys
	  in the kernel.  Encrypted keys are kernel generated random numbers,
	  which are encrypted/decrypted with a 'master' symmetric key.  The
	  'master' key can be either a trusted-key or user-key type.  An
	  encrypted key that is not rooted in a trusted key is only as secure
	  as the user key that encrypts it.  Userspace only ever sees/stores
	  encrypted blobs.

	  If you are unsure as to whether this is required, answer N.

config KEY_DH_OPERATIONS
	bool "Diffie-Hellman operations on retained keys"
	depends on KEYS
	select CRYPTO
	select CRYPTO_HASH
	select CRYPTO_DH
	help
	  This option provides support for calculating Diffie-Hellman
	  public keys and shared secrets using values stored as keys
	  in the kernel.

	  If you are unsure as to whether this is required, answer N.
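
The ENCRYPTED_KEYS entry above says the kernel generates the key material and userspace only ever sees encrypted blobs. The following added example (not the kernel's own code) walks that lifecycle with raw add_key(2)/keyctl(2): it loads a 'user'-type master key "kmk", asks for a new encrypted key under it, reads back the blob userspace would persist, reloads that blob under another name, and shows that a blob with a single flipped hex digit is rejected. It assumes CONFIG_KEYS and CONFIG_ENCRYPTED_KEYS (built in or loadable). The "new ..."/"load ..." payload grammar is the one documented in Documentation/security/keys/trusted-encrypted.rst; the key names, the 32-byte length and the 'user' master-key type are choices made for this example. As the help text notes, a key rooted in a user key is only as secure as that user key; with TRUSTED_KEYS the master reference "user:kmk" becomes "trusted:kmk" and the rest of the flow is unchanged.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/random.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/keyctl.h>

typedef int32_t key_serial_t;

static key_serial_t sys_add_key(const char *type, const char *desc, const void *payload,
				size_t plen, key_serial_t ring)
{
	return (key_serial_t)syscall(__NR_add_key, type, desc, payload, plen, ring);
}

static long sys_keyctl(int cmd, unsigned long a2, unsigned long a3, unsigned long a4)
{
	return syscall(__NR_keyctl, cmd, a2, a3, a4, 0UL);
}

/* A read-back encrypted key is ASCII:
 *   "<format> <mastertype>:<masterdesc> <keylen> <hex: iv | ciphertext | hmac>"
 * e.g. "default user:kmk 32 4a1f...".  Extract the master key reference and
 * the declared key length; -1 if the header is malformed. */
static int parse_blob_header(const char *blob, char master[64], int *keylen)
{
	char fmt[16];

	if (sscanf(blob, "%15s %63s %d", fmt, master, keylen) != 3 || *keylen <= 0)
		return -1;
	return strchr(master, ':') ? 0 : -1;
}

/* Whole lifecycle: master key, "new", read the blob, "load" it back, and
 * check that a tampered blob is rejected.  Returns 0 or -errno of the first
 * failing step; the blob userspace would persist is left in blob_out. */
static int encrypted_key_demo(char *blob_out, size_t blob_sz)
{
	static const char spec[] = "new user:kmk 32";	/* kernel draws 32 random bytes */
	unsigned char kmk[32];
	char load[640];
	key_serial_t master, ekey = -1, restored = -1;
	size_t len;
	long n;
	int rc;
	/* Master key: 32 random bytes that userspace holds only for this one call. */
	if (getrandom(kmk, sizeof(kmk), 0) != (ssize_t)sizeof(kmk))
		return -EIO;
	master = sys_add_key("user", "kmk", kmk, sizeof(kmk), KEY_SPEC_SESSION_KEYRING);
	rc = master < 0 ? -errno : 0;
	explicit_bzero(kmk, sizeof(kmk));
	if (rc)
		return rc;
	/* The kernel generates the key and encrypts it under a key derived from
	 * "kmk"; the plaintext key never crosses into userspace. */
	ekey = sys_add_key("encrypted", "evm-demo", spec, sizeof(spec) - 1,
			   KEY_SPEC_SESSION_KEYRING);
	if (ekey < 0) { rc = -errno; goto out; }
	/* Reading returns only the blob: IV, AES-CBC ciphertext and an HMAC-SHA256,
	 * both keys derived from the master key (hence the selects above). */
	memset(blob_out, 0, blob_sz);
	n = sys_keyctl(KEYCTL_READ, ekey, (unsigned long)blob_out, blob_sz - 1);
	if (n < 0) { rc = -errno; goto out; }
	if ((size_t)n >= blob_sz) { rc = -EMSGSIZE; goto out; }
	/* "load <blob>" recreates the key under another name; the kernel verifies
	 * the HMAC with the master key before accepting it. */
	len = (size_t)snprintf(load, sizeof(load), "load %s", blob_out);
	if (len >= sizeof(load)) { rc = -EMSGSIZE; goto out; }
	restored = sys_add_key("encrypted", "evm-restored", load, len, KEY_SPEC_SESSION_KEYRING);
	if (restored < 0) { rc = -errno; goto out; }
	/* Flip the final hex digit (inside the HMAC): the load must now fail. */
	load[len - 1] = load[len - 1] == '0' ? '1' : '0';
	if (sys_add_key("encrypted", "evm-tampered", load, len, KEY_SPEC_SESSION_KEYRING) >= 0)
		rc = -EIO;
out:
	/* Cleanup; an unlinked key with no remaining references is freed. */
	sys_keyctl(KEYCTL_UNLINK, restored, KEY_SPEC_SESSION_KEYRING, 0);
	sys_keyctl(KEYCTL_UNLINK, ekey, KEY_SPEC_SESSION_KEYRING, 0);
	sys_keyctl(KEYCTL_UNLINK, master, KEY_SPEC_SESSION_KEYRING, 0);
	return rc;
}

int main(void)
{
	char blob[512], master[64];
	int keylen, rc = encrypted_key_demo(blob, sizeof(blob));

	if (rc) {	/* ENOKEY: no "encrypted" key type; ENOSYS/EPERM: syscalls filtered */
		fprintf(stderr, "encrypted_key_demo: %s\n", strerror(-rc));
		return 1;
	}
	if (parse_blob_header(blob, master, &keylen) == 0)
		printf("blob: %s\nmaster=%s keylen=%d\n", blob, master, keylen);
	return 0;
}
```

Nothing in the printed blob is the key itself: the only way to turn it back into a usable key is the "load" path on a kernel that can reach the same master key, which is the property the help text's "userspace only ever sees/stores encrypted blobs" promises. Persisting the blob (the documented workflow pipes it to a file) and reloading it at boot is therefore safe only to the extent that the master key is, which is the argument for sealing that master key to the TPM via TRUSTED_KEYS.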

config KEY_NOTIFICATIONS
	bool "Provide key/keyring change notifications"
	depends on KEYS && WATCH_QUEUE
	help
	  This option provides support for getting change notifications
	  on keys and keyrings on which the caller has View permission.
	  This makes use of pipes to handle the notification buffer and
	  provides KEYCTL_WATCH_KEY to enable/disable watches.