linux/security/integrity/Kconfig

#
config INTEGRITY
	bool "Integrity subsystem"
	depends on SECURITY
	default y
	help
	  This option enables the integrity subsystem, which is comprised
	  of a number of different components including the Integrity
	  Measurement Architecture (IMA), Extended Verification Module
	  (EVM), IMA-appraisal extension, digital signature verification
	  extension and audit measurement log support.

	  Each of these components can be enabled/disabled separately.
	  Refer to the individual components for additional details.

if INTEGRITY

config INTEGRITY_SIGNATURE
	bool "Digital signature verification using multiple keyrings"
	depends on KEYS
	default n
	select SIGNATURE
	help
	  This option enables digital signature verification support
	  using multiple keyrings. It defines separate keyrings for each
	  of the different use cases - evm, ima, and modules.
	  Different keyrings improves search performance, but also allow
	  to "lock" certain keyring to prevent adding new keys.
	  This is useful for evm and module keyrings, when keys are
	  usually only added from initramfs.

config INTEGRITY_ASYMMETRIC_KEYS
	bool "Enable asymmetric keys support"
	depends on INTEGRITY_SIGNATURE
	default n
        select ASYMMETRIC_KEY_TYPE
        select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
        select CRYPTO_RSA
        select X509_CERTIFICATE_PARSER
	help
	  This option enables digital signature verification using
	  asymmetric keys.

config INTEGRITY_TRUSTED_KEYRING
	bool "Require all keys on the integrity keyrings be signed"
	depends on SYSTEM_TRUSTED_KEYRING
	depends on INTEGRITY_ASYMMETRIC_KEYS
	default y
	help
	   This option requires that all keys added to the .ima and
	   .evm keyrings be signed by a key on the system trusted
	   keyring.

config INTEGRITY_PLATFORM_KEYRING
        bool "Provide keyring for platform/firmware trusted keys"
        depends on INTEGRITY_ASYMMETRIC_KEYS
        depends on SYSTEM_BLACKLIST_KEYRING
        depends on EFI
        help
         Provide a separate, distinct keyring for platform trusted keys, which
         the kernel automatically populates during initialization from values
         provided by the platform for verifying the kexec'ed kerned image
         and, possibly, the initramfs signature.

config INTEGRITY_AUDIT
	bool "Enables integrity auditing support "
	depends on AUDIT
	default y
	help
	  In addition to enabling integrity auditing support, this
	  option adds a kernel parameter 'integrity_audit', which
	  controls the level of integrity auditing messages.
	  0 - basic integrity auditing messages (default)
	  1 - additional integrity auditing messages

	  Additional informational integrity auditing messages would
	  be enabled by specifying 'integrity_audit=1' on the kernel
	  command line.

source "security/integrity/ima/Kconfig"
source "security/integrity/evm/Kconfig"

endif   # if INTEGRITY
integrity: move ima inode integrity data management Move the inode integrity data(iint) management up to the integrity directory in order to share the iint among the different integrity models. Changelog: - don't define MAX_DIGEST_SIZE - rename several globally visible 'ima_' prefixed functions, structs, locks, etc to 'integrity_' - replace '20' with SHA1_DIGEST_SIZE - reflect location change in appropriate Kconfig and Makefiles - remove unnecessary initialization of iint_initialized to 0 - rebased on current ima_iint.c - define integrity_iint_store/lock as static There should be no other functional changes. Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com> 2011-03-09 20:13:22 +01:00			`#`
			`config INTEGRITY`
integrity: base integrity subsystem kconfig options on integrity The integrity subsystem has lots of options and takes more than half of the security menu. This patch consolidates the options under "integrity", which are hidden if not enabled. This change does not affect existing configurations. Re-configuration is not needed. Changes v4: - no need to change "integrity subsystem" to menuconfig as options are hidden, when not enabled. (Mimi) - add INTEGRITY Kconfig help description Changes v3: - dependency to INTEGRITY removed when behind 'if INTEGRITY' Changes v2: - previous patch moved integrity out of the 'security' menu. This version keeps integrity as a security option (Mimi). Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> 2014-04-17 14:07:15 +02:00			`bool "Integrity subsystem"`
			`depends on SECURITY`
			`default y`
			`help`
			`This option enables the integrity subsystem, which is comprised`
			`of a number of different components including the Integrity`
			`Measurement Architecture (IMA), Extended Verification Module`
			`(EVM), IMA-appraisal extension, digital signature verification`
			`extension and audit measurement log support.`

			`Each of these components can be enabled/disabled separately.`
			`Refer to the individual components for additional details.`

			`if INTEGRITY`
integrity: move ima inode integrity data management Move the inode integrity data(iint) management up to the integrity directory in order to share the iint among the different integrity models. Changelog: - don't define MAX_DIGEST_SIZE - rename several globally visible 'ima_' prefixed functions, structs, locks, etc to 'integrity_' - replace '20' with SHA1_DIGEST_SIZE - reflect location change in appropriate Kconfig and Makefiles - remove unnecessary initialization of iint_initialized to 0 - rebased on current ima_iint.c - define integrity_iint_store/lock as static There should be no other functional changes. Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com> 2011-03-09 20:13:22 +01:00
integrity: digital signature config option name change Similar to SIGNATURE, rename INTEGRITY_DIGSIG to INTEGRITY_SIGNATURE. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: James Morris <jmorris@namei.org> 2012-01-17 16:12:07 +01:00			`config INTEGRITY_SIGNATURE`
kconfig: use bool instead of boolean for type definition attributes Support for keyword 'boolean' will be dropped later on. No functional change. Reference: http://lkml.kernel.org/r/cover.1418003065.git.cj@linux.com Signed-off-by: Christoph Jaeger <cj@linux.com> Signed-off-by: Michal Marek <mmarek@suse.cz> 2014-12-20 21:41:11 +01:00			`bool "Digital signature verification using multiple keyrings"`
integrity: base integrity subsystem kconfig options on integrity The integrity subsystem has lots of options and takes more than half of the security menu. This patch consolidates the options under "integrity", which are hidden if not enabled. This change does not affect existing configurations. Re-configuration is not needed. Changes v4: - no need to change "integrity subsystem" to menuconfig as options are hidden, when not enabled. (Mimi) - add INTEGRITY Kconfig help description Changes v3: - dependency to INTEGRITY removed when behind 'if INTEGRITY' Changes v2: - previous patch moved integrity out of the 'security' menu. This version keeps integrity as a security option (Mimi). Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> 2014-04-17 14:07:15 +02:00			`depends on KEYS`
integrity: digital signature verification using multiple keyrings Define separate keyrings for each of the different use cases - evm, ima, and modules. Using different keyrings improves search performance, and also allows "locking" specific keyring to prevent adding new keys. This is useful for evm and module keyrings, when keys are usually only added from initramfs. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> 2011-10-05 10:54:46 +02:00			`default n`
lib: digital signature config option name change It was reported that DIGSIG is confusing name for digital signature module. It was suggested to rename DIGSIG to SIGNATURE. Requested-by: Linus Torvalds <torvalds@linux-foundation.org> Suggested-by: Pavel Machek <pavel@ucw.cz> Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> Signed-off-by: James Morris <jmorris@namei.org> 2012-01-17 16:12:03 +01:00			`select SIGNATURE`
integrity: digital signature verification using multiple keyrings Define separate keyrings for each of the different use cases - evm, ima, and modules. Using different keyrings improves search performance, and also allows "locking" specific keyring to prevent adding new keys. This is useful for evm and module keyrings, when keys are usually only added from initramfs. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com> 2011-10-05 10:54:46 +02:00			`help`
			`This option enables digital signature verification support`
			`using multiple keyrings. It defines separate keyrings for each`
			`of the different use cases - evm, ima, and modules.`
			`Different keyrings improves search performance, but also allow`
			`to "lock" certain keyring to prevent adding new keys.`
			`This is useful for evm and module keyrings, when keys are`
			`usually only added from initramfs.`

integrity: move asymmetric keys config option For better visual appearance it is better to co-locate asymmetric key options together with signature support. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> 2014-04-17 13:41:06 +02:00			`config INTEGRITY_ASYMMETRIC_KEYS`
kconfig: use bool instead of boolean for type definition attributes Support for keyword 'boolean' will be dropped later on. No functional change. Reference: http://lkml.kernel.org/r/cover.1418003065.git.cj@linux.com Signed-off-by: Christoph Jaeger <cj@linux.com> Signed-off-by: Michal Marek <mmarek@suse.cz> 2014-12-20 21:41:11 +01:00			`bool "Enable asymmetric keys support"`
integrity: move asymmetric keys config option For better visual appearance it is better to co-locate asymmetric key options together with signature support. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> 2014-04-17 13:41:06 +02:00			`depends on INTEGRITY_SIGNATURE`
			`default n`
			`select ASYMMETRIC_KEY_TYPE`
			`select ASYMMETRIC_PUBLIC_KEY_SUBTYPE`
integrity: convert digsig to akcipher api Convert asymmetric_verify to akcipher api. Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David Howells <dhowells@redhat.com> 2016-02-02 19:08:58 +01:00			`select CRYPTO_RSA`
integrity: move asymmetric keys config option For better visual appearance it is better to co-locate asymmetric key options together with signature support. Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> 2014-04-17 13:41:06 +02:00			`select X509_CERTIFICATE_PARSER`
			`help`
			`This option enables digital signature verification using`
			`asymmetric keys.`

integrity: define '.evm' as a builtin 'trusted' keyring Require all keys added to the EVM keyring be signed by an existing trusted key on the system trusted keyring. This patch also switches IMA to use integrity_init_keyring(). Changes in v3: * Added 'init_keyring' config based variable to skip initializing keyring instead of using __integrity_init_keyring() wrapper. * Added dependency back to CONFIG_IMA_TRUSTED_KEYRING Changes in v2: * Replace CONFIG_EVM_TRUSTED_KEYRING with IMA and EVM common CONFIG_INTEGRITY_TRUSTED_KEYRING configuration option * Deprecate CONFIG_IMA_TRUSTED_KEYRING but keep it for config file compatibility. (Mimi Zohar) Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> 2015-10-22 20:26:10 +02:00			`config INTEGRITY_TRUSTED_KEYRING`
			`bool "Require all keys on the integrity keyrings be signed"`
			`depends on SYSTEM_TRUSTED_KEYRING`
			`depends on INTEGRITY_ASYMMETRIC_KEYS`
			`default y`
			`help`
			`This option requires that all keys added to the .ima and`
			`.evm keyrings be signed by a key on the system trusted`
			`keyring.`

integrity: Define a trusted platform keyring On secure boot enabled systems, a verified kernel may need to kexec additional kernels. For example, it may be used as a bootloader needing to kexec a target kernel or it may need to kexec a crashdump kernel. In such cases, it may want to verify the signature of the next kernel image. It is further possible that the kernel image is signed with third party keys which are stored as platform or firmware keys in the 'db' variable. The kernel, however, can not directly verify these platform keys, and an administrator may therefore not want to trust them for arbitrary usage. In order to differentiate platform keys from other keys and provide the necessary separation of trust, the kernel needs an additional keyring to store platform keys. This patch creates the new keyring called ".platform" to isolate keys provided by platform from keys by kernel. These keys are used to facilitate signature verification during kexec. Since the scope of this keyring is only the platform/firmware keys, it cannot be updated from userspace. This keyring can be enabled by setting CONFIG_INTEGRITY_PLATFORM_KEYRING. Signed-off-by: Nayna Jain <nayna@linux.ibm.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Acked-by: Serge Hallyn <serge@hallyn.com> Reviewed-by: James Morris <james.morris@microsoft.com> Reviewed-by: Thiago Jung Bauermann <bauerman@linux.ibm.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 2018-12-08 21:26:59 +01:00			`config INTEGRITY_PLATFORM_KEYRING`
			`bool "Provide keyring for platform/firmware trusted keys"`
			`depends on INTEGRITY_ASYMMETRIC_KEYS`
			`depends on SYSTEM_BLACKLIST_KEYRING`
			`depends on EFI`
			`help`
			`Provide a separate, distinct keyring for platform trusted keys, which`
			`the kernel automatically populates during initialization from values`
			`provided by the platform for verifying the kexec'ed kerned image`
			`and, possibly, the initramfs signature.`

integrity: move integrity_audit_msg() This patch moves the integrity_audit_msg() function and defintion to security/integrity/, the parent directory, renames the 'ima_audit' boot command line option to 'integrity_audit', and fixes the Kconfig help text to reflect the actual code. Changelog: - Fixed ifdef inclusion of integrity_audit_msg() (Fengguang Wu) Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> 2013-03-18 19:48:02 +01:00			`config INTEGRITY_AUDIT`
			`bool "Enables integrity auditing support "`
integrity: base integrity subsystem kconfig options on integrity The integrity subsystem has lots of options and takes more than half of the security menu. This patch consolidates the options under "integrity", which are hidden if not enabled. This change does not affect existing configurations. Re-configuration is not needed. Changes v4: - no need to change "integrity subsystem" to menuconfig as options are hidden, when not enabled. (Mimi) - add INTEGRITY Kconfig help description Changes v3: - dependency to INTEGRITY removed when behind 'if INTEGRITY' Changes v2: - previous patch moved integrity out of the 'security' menu. This version keeps integrity as a security option (Mimi). Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> 2014-04-17 14:07:15 +02:00			`depends on AUDIT`
integrity: move integrity_audit_msg() This patch moves the integrity_audit_msg() function and defintion to security/integrity/, the parent directory, renames the 'ima_audit' boot command line option to 'integrity_audit', and fixes the Kconfig help text to reflect the actual code. Changelog: - Fixed ifdef inclusion of integrity_audit_msg() (Fengguang Wu) Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> 2013-03-18 19:48:02 +01:00			`default y`
			`help`
			`In addition to enabling integrity auditing support, this`
			`option adds a kernel parameter 'integrity_audit', which`
			`controls the level of integrity auditing messages.`
			`0 - basic integrity auditing messages (default)`
			`1 - additional integrity auditing messages`

			`Additional informational integrity auditing messages would`
			`be enabled by specifying 'integrity_audit=1' on the kernel`
			`command line.`

treewide: surround Kconfig file paths with double quotes The Kconfig lexer supports special characters such as '.' and '/' in the parameter context. In my understanding, the reason is just to support bare file paths in the source statement. I do not see a good reason to complicate Kconfig for the room of ambiguity. The majority of code already surrounds file paths with double quotes, and it makes sense since file paths are constant string literals. Make it treewide consistent now. Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com> Acked-by: Wolfram Sang <wsa@the-dreams.de> Acked-by: Geert Uytterhoeven <geert@linux-m68k.org> Acked-by: Ingo Molnar <mingo@kernel.org> 2018-12-11 12:01:04 +01:00			`source "security/integrity/ima/Kconfig"`
			`source "security/integrity/evm/Kconfig"`
integrity: base integrity subsystem kconfig options on integrity The integrity subsystem has lots of options and takes more than half of the security menu. This patch consolidates the options under "integrity", which are hidden if not enabled. This change does not affect existing configurations. Re-configuration is not needed. Changes v4: - no need to change "integrity subsystem" to menuconfig as options are hidden, when not enabled. (Mimi) - add INTEGRITY Kconfig help description Changes v3: - dependency to INTEGRITY removed when behind 'if INTEGRITY' Changes v2: - previous patch moved integrity out of the 'security' menu. This version keeps integrity as a security option (Mimi). Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com> 2014-04-17 14:07:15 +02:00
			`endif # if INTEGRITY`