Home Explore Help
Sign In
Rydia
/
linux-phytium
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 6793c0e942
Branches Tags
linux-phytium
/
security
/
integrity
/
Kconfig

Kconfig 2.3 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273 
  1. #
    2. 

  2. config INTEGRITY
    3. 

  3. 	bool "Integrity subsystem"
    4. 

  4. 	depends on SECURITY
    5. 

  5. 	default y
    6. 

  6. 	help
    7. 

  7. 	  This option enables the integrity subsystem, which is comprised
    8. 

  8. 	  of a number of different components including the Integrity
    9. 

  9. 	  Measurement Architecture (IMA), Extended Verification Module
    10. 

  10. 	  (EVM), IMA-appraisal extension, digital signature verification
    11. 

  11. 	  extension and audit measurement log support.
    12. 

  12. 

  13. 	  Each of these components can be enabled/disabled separately.
    14. 

  14. 	  Refer to the individual components for additional details.
    15. 

  15. 

  16. if INTEGRITY
    17. 

  17. 

  18. config INTEGRITY_SIGNATURE
    19. 

  19. 	bool "Digital signature verification using multiple keyrings"
    20. 

  20. 	depends on KEYS
    21. 

  21. 	default n
    22. 

  22. 	select SIGNATURE
    23. 

  23. 	help
    24. 

  24. 	  This option enables digital signature verification support
    25. 

  25. 	  using multiple keyrings. It defines separate keyrings for each
    26. 

  26. 	  of the different use cases - evm, ima, and modules.
    27. 

  27. 	  Different keyrings improves search performance, but also allow
    28. 

  28. 	  to "lock" certain keyring to prevent adding new keys.
    29. 

  29. 	  This is useful for evm and module keyrings, when keys are
    30. 

  30. 	  usually only added from initramfs.
    31. 

  31. 

  32. config INTEGRITY_ASYMMETRIC_KEYS
    33. 

  33. 	bool "Enable asymmetric keys support"
    34. 

  34. 	depends on INTEGRITY_SIGNATURE
    35. 

  35. 	default n
    36. 

  36.         select ASYMMETRIC_KEY_TYPE
    37. 

  37.         select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
    38. 

  38.         select CRYPTO_RSA
    39. 

  39.         select X509_CERTIFICATE_PARSER
    40. 

  40. 	help
    41. 

  41. 	  This option enables digital signature verification using
    42. 

  42. 	  asymmetric keys.
    43. 

  43. 

  44. config INTEGRITY_TRUSTED_KEYRING
    45. 

  45. 	bool "Require all keys on the integrity keyrings be signed"
    46. 

  46. 	depends on SYSTEM_TRUSTED_KEYRING
    47. 

  47. 	depends on INTEGRITY_ASYMMETRIC_KEYS
    48. 

  48. 	default y
    49. 

  49. 	help
    50. 

  50. 	   This option requires that all keys added to the .ima and
    51. 

  51. 	   .evm keyrings be signed by a key on the system trusted
    52. 

  52. 	   keyring.
    53. 

  53. 

  54. config INTEGRITY_AUDIT
    55. 

  55. 	bool "Enables integrity auditing support "
    56. 

  56. 	depends on AUDIT
    57. 

  57. 	default y
    58. 

  58. 	help
    59. 

  59. 	  In addition to enabling integrity auditing support, this
    60. 

  60. 	  option adds a kernel parameter 'integrity_audit', which
    61. 

  61. 	  controls the level of integrity auditing messages.
    62. 

  62. 	  0 - basic integrity auditing messages (default)
    63. 

  63. 	  1 - additional integrity auditing messages
    64. 

  64. 

  65. 	  Additional informational integrity auditing messages would
    66. 

  66. 	  be enabled by specifying 'integrity_audit=1' on the kernel
    67. 

  67. 	  command line.
    68. 

  68. 

  69. source security/integrity/ima/Kconfig
    70. 

  70. source security/integrity/evm/Kconfig
    71. 

  71. 

  72. endif   # if INTEGRITY
    73. 

  73.