162306a36Sopenharmony_ci# SPDX-License-Identifier: GPL-2.0-only 262306a36Sopenharmony_ci# 362306a36Sopenharmony_ciconfig INTEGRITY 462306a36Sopenharmony_ci bool "Integrity subsystem" 562306a36Sopenharmony_ci depends on SECURITY 662306a36Sopenharmony_ci default y 762306a36Sopenharmony_ci help 862306a36Sopenharmony_ci This option enables the integrity subsystem, which is comprised 962306a36Sopenharmony_ci of a number of different components including the Integrity 1062306a36Sopenharmony_ci Measurement Architecture (IMA), Extended Verification Module 1162306a36Sopenharmony_ci (EVM), IMA-appraisal extension, digital signature verification 1262306a36Sopenharmony_ci extension and audit measurement log support. 1362306a36Sopenharmony_ci 1462306a36Sopenharmony_ci Each of these components can be enabled/disabled separately. 1562306a36Sopenharmony_ci Refer to the individual components for additional details. 1662306a36Sopenharmony_ci 1762306a36Sopenharmony_ciif INTEGRITY 1862306a36Sopenharmony_ci 1962306a36Sopenharmony_ciconfig INTEGRITY_SIGNATURE 2062306a36Sopenharmony_ci bool "Digital signature verification using multiple keyrings" 2162306a36Sopenharmony_ci default n 2262306a36Sopenharmony_ci select KEYS 2362306a36Sopenharmony_ci select SIGNATURE 2462306a36Sopenharmony_ci help 2562306a36Sopenharmony_ci This option enables digital signature verification support 2662306a36Sopenharmony_ci using multiple keyrings. It defines separate keyrings for each 2762306a36Sopenharmony_ci of the different use cases - evm, ima, and modules. 2862306a36Sopenharmony_ci Different keyrings improves search performance, but also allow 2962306a36Sopenharmony_ci to "lock" certain keyring to prevent adding new keys. 3062306a36Sopenharmony_ci This is useful for evm and module keyrings, when keys are 3162306a36Sopenharmony_ci usually only added from initramfs. 3262306a36Sopenharmony_ci 3362306a36Sopenharmony_ciconfig INTEGRITY_ASYMMETRIC_KEYS 3462306a36Sopenharmony_ci bool "Enable asymmetric keys support" 3562306a36Sopenharmony_ci depends on INTEGRITY_SIGNATURE 3662306a36Sopenharmony_ci default n 3762306a36Sopenharmony_ci select ASYMMETRIC_KEY_TYPE 3862306a36Sopenharmony_ci select ASYMMETRIC_PUBLIC_KEY_SUBTYPE 3962306a36Sopenharmony_ci select CRYPTO_RSA 4062306a36Sopenharmony_ci select X509_CERTIFICATE_PARSER 4162306a36Sopenharmony_ci help 4262306a36Sopenharmony_ci This option enables digital signature verification using 4362306a36Sopenharmony_ci asymmetric keys. 4462306a36Sopenharmony_ci 4562306a36Sopenharmony_ciconfig INTEGRITY_TRUSTED_KEYRING 4662306a36Sopenharmony_ci bool "Require all keys on the integrity keyrings be signed" 4762306a36Sopenharmony_ci depends on SYSTEM_TRUSTED_KEYRING 4862306a36Sopenharmony_ci depends on INTEGRITY_ASYMMETRIC_KEYS 4962306a36Sopenharmony_ci default y 5062306a36Sopenharmony_ci help 5162306a36Sopenharmony_ci This option requires that all keys added to the .ima and 5262306a36Sopenharmony_ci .evm keyrings be signed by a key on the system trusted 5362306a36Sopenharmony_ci keyring. 5462306a36Sopenharmony_ci 5562306a36Sopenharmony_ciconfig INTEGRITY_PLATFORM_KEYRING 5662306a36Sopenharmony_ci bool "Provide keyring for platform/firmware trusted keys" 5762306a36Sopenharmony_ci depends on INTEGRITY_ASYMMETRIC_KEYS 5862306a36Sopenharmony_ci depends on SYSTEM_BLACKLIST_KEYRING 5962306a36Sopenharmony_ci help 6062306a36Sopenharmony_ci Provide a separate, distinct keyring for platform trusted keys, which 6162306a36Sopenharmony_ci the kernel automatically populates during initialization from values 6262306a36Sopenharmony_ci provided by the platform for verifying the kexec'ed kerned image 6362306a36Sopenharmony_ci and, possibly, the initramfs signature. 6462306a36Sopenharmony_ci 6562306a36Sopenharmony_ciconfig INTEGRITY_MACHINE_KEYRING 6662306a36Sopenharmony_ci bool "Provide a keyring to which Machine Owner Keys may be added" 6762306a36Sopenharmony_ci depends on SECONDARY_TRUSTED_KEYRING 6862306a36Sopenharmony_ci depends on INTEGRITY_ASYMMETRIC_KEYS 6962306a36Sopenharmony_ci depends on SYSTEM_BLACKLIST_KEYRING 7062306a36Sopenharmony_ci depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS 7162306a36Sopenharmony_ci help 7262306a36Sopenharmony_ci If set, provide a keyring to which Machine Owner Keys (MOK) may 7362306a36Sopenharmony_ci be added. This keyring shall contain just MOK keys. Unlike keys 7462306a36Sopenharmony_ci in the platform keyring, keys contained in the .machine keyring will 7562306a36Sopenharmony_ci be trusted within the kernel. 7662306a36Sopenharmony_ci 7762306a36Sopenharmony_ciconfig INTEGRITY_CA_MACHINE_KEYRING 7862306a36Sopenharmony_ci bool "Enforce Machine Keyring CA Restrictions" 7962306a36Sopenharmony_ci depends on INTEGRITY_MACHINE_KEYRING 8062306a36Sopenharmony_ci default n 8162306a36Sopenharmony_ci help 8262306a36Sopenharmony_ci The .machine keyring can be configured to enforce CA restriction 8362306a36Sopenharmony_ci on any key added to it. By default no restrictions are in place 8462306a36Sopenharmony_ci and all Machine Owner Keys (MOK) are added to the machine keyring. 8562306a36Sopenharmony_ci If enabled only CA keys are added to the machine keyring, all 8662306a36Sopenharmony_ci other MOK keys load into the platform keyring. 8762306a36Sopenharmony_ci 8862306a36Sopenharmony_ciconfig INTEGRITY_CA_MACHINE_KEYRING_MAX 8962306a36Sopenharmony_ci bool "Only CA keys without DigitialSignature usage set" 9062306a36Sopenharmony_ci depends on INTEGRITY_CA_MACHINE_KEYRING 9162306a36Sopenharmony_ci default n 9262306a36Sopenharmony_ci help 9362306a36Sopenharmony_ci When selected, only load CA keys are loaded into the machine 9462306a36Sopenharmony_ci keyring that contain the CA bit set along with the keyCertSign 9562306a36Sopenharmony_ci Usage field. Keys containing the digitialSignature Usage field 9662306a36Sopenharmony_ci will not be loaded. The remaining MOK keys are loaded into the 9762306a36Sopenharmony_ci .platform keyring. 9862306a36Sopenharmony_ci 9962306a36Sopenharmony_ciconfig LOAD_UEFI_KEYS 10062306a36Sopenharmony_ci depends on INTEGRITY_PLATFORM_KEYRING 10162306a36Sopenharmony_ci depends on EFI 10262306a36Sopenharmony_ci def_bool y 10362306a36Sopenharmony_ci 10462306a36Sopenharmony_ciconfig LOAD_IPL_KEYS 10562306a36Sopenharmony_ci depends on INTEGRITY_PLATFORM_KEYRING 10662306a36Sopenharmony_ci depends on S390 10762306a36Sopenharmony_ci def_bool y 10862306a36Sopenharmony_ci 10962306a36Sopenharmony_ciconfig LOAD_PPC_KEYS 11062306a36Sopenharmony_ci bool "Enable loading of platform and blacklisted keys for POWER" 11162306a36Sopenharmony_ci depends on INTEGRITY_PLATFORM_KEYRING 11262306a36Sopenharmony_ci depends on PPC_SECURE_BOOT 11362306a36Sopenharmony_ci default y 11462306a36Sopenharmony_ci help 11562306a36Sopenharmony_ci Enable loading of keys to the .platform keyring and blacklisted 11662306a36Sopenharmony_ci hashes to the .blacklist keyring for powerpc based platforms. 11762306a36Sopenharmony_ci 11862306a36Sopenharmony_ciconfig INTEGRITY_AUDIT 11962306a36Sopenharmony_ci bool "Enables integrity auditing support " 12062306a36Sopenharmony_ci depends on AUDIT 12162306a36Sopenharmony_ci default y 12262306a36Sopenharmony_ci help 12362306a36Sopenharmony_ci In addition to enabling integrity auditing support, this 12462306a36Sopenharmony_ci option adds a kernel parameter 'integrity_audit', which 12562306a36Sopenharmony_ci controls the level of integrity auditing messages. 12662306a36Sopenharmony_ci 0 - basic integrity auditing messages (default) 12762306a36Sopenharmony_ci 1 - additional integrity auditing messages 12862306a36Sopenharmony_ci 12962306a36Sopenharmony_ci Additional informational integrity auditing messages would 13062306a36Sopenharmony_ci be enabled by specifying 'integrity_audit=1' on the kernel 13162306a36Sopenharmony_ci command line. 13262306a36Sopenharmony_ci 13362306a36Sopenharmony_cisource "security/integrity/ima/Kconfig" 13462306a36Sopenharmony_cisource "security/integrity/evm/Kconfig" 13562306a36Sopenharmony_ci 13662306a36Sopenharmony_ciendif # if INTEGRITY 137