#
config INTEGRITY
	bool "Integrity subsystem"
	depends on SECURITY
	default y
	help
	  This option enables the integrity subsystem, which is comprised
	  of a number of different components including the Integrity
	  Measurement Architecture (IMA), Extended Verification Module
	  (EVM), IMA-appraisal extension, digital signature verification
	  extension and audit measurement log support.

	  Each of these components can be enabled/disabled separately.
	  Refer to the individual components for additional details.

if INTEGRITY

config INTEGRITY_SIGNATURE
	bool "Digital signature verification using multiple keyrings"
	depends on KEYS
	default n
	select SIGNATURE
	help
	  This option enables digital signature verification support
	  using multiple keyrings. It defines separate keyrings for each
	  of the different use cases - evm, ima, and modules.
	  Different keyrings improve search performance, but also allow
	  certain keyrings to be "locked" to prevent adding new keys.
	  This is useful for the evm and module keyrings, whose keys are
	  usually only added from the initramfs.

config INTEGRITY_ASYMMETRIC_KEYS
	bool "Enable asymmetric keys support"
	depends on INTEGRITY_SIGNATURE
	default n
	select ASYMMETRIC_KEY_TYPE
	select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
	select CRYPTO_RSA
	select X509_CERTIFICATE_PARSER
	help
	  This option enables digital signature verification using
	  asymmetric keys.

config INTEGRITY_TRUSTED_KEYRING
	bool "Require all keys on the integrity keyrings be signed"
	depends on SYSTEM_TRUSTED_KEYRING
	depends on INTEGRITY_ASYMMETRIC_KEYS
	default y
	help
	  This option requires that all keys added to the .ima and
	  .evm keyrings be signed by a key on the system trusted
	  keyring.

config INTEGRITY_AUDIT
	bool "Enables integrity auditing support"
	depends on AUDIT
	default y
	help
	  In addition to enabling integrity auditing support, this
	  option adds a kernel parameter 'integrity_audit', which
	  controls the level of integrity auditing messages.
	  0 - basic integrity auditing messages (default)
	  1 - additional integrity auditing messages

	  Additional informational integrity auditing messages would
	  be enabled by specifying 'integrity_audit=1' on the kernel
	  command line.

source security/integrity/ima/Kconfig
source security/integrity/evm/Kconfig

endif # if INTEGRITY
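The "depends on" and "select" lines above decide whether the integrity options you ask for actually survive a kernel build: an option whose dependency is unset is silently dropped by the Kconfig tooling, while a "select" forces the selected symbol on. The following checker is an added example, not kernel code. It transcribes the rules from this Kconfig file into two tables and verifies a .config fragment against them, so a hardening baseline that expects INTEGRITY_TRUSTED_KEYRING=y can be caught before the build quietly discards it. The sample .config fragments are constructed for the example.

```python
"""Check a kernel .config fragment against the depends-on / select rules
declared in security/integrity/Kconfig (added example, not kernel code)."""

# Rules transcribed from the Kconfig text above.
# "depends on": the option may only be set if every dependency is set.
# "select": setting the option forces every selected symbol on.
# Options inside "if INTEGRITY ... endif" implicitly depend on INTEGRITY.
DEPENDS = {
    "INTEGRITY": ["SECURITY"],
    "INTEGRITY_SIGNATURE": ["INTEGRITY", "KEYS"],
    "INTEGRITY_ASYMMETRIC_KEYS": ["INTEGRITY", "INTEGRITY_SIGNATURE"],
    "INTEGRITY_TRUSTED_KEYRING": [
        "INTEGRITY", "SYSTEM_TRUSTED_KEYRING", "INTEGRITY_ASYMMETRIC_KEYS",
    ],
    "INTEGRITY_AUDIT": ["INTEGRITY", "AUDIT"],
}
SELECTS = {
    "INTEGRITY_SIGNATURE": ["SIGNATURE"],
    "INTEGRITY_ASYMMETRIC_KEYS": [
        "ASYMMETRIC_KEY_TYPE", "ASYMMETRIC_PUBLIC_KEY_SUBTYPE",
        "CRYPTO_RSA", "X509_CERTIFICATE_PARSER",
    ],
}


def parse_config(text):
    """Parse .config lines into {SYMBOL: value}.

    'CONFIG_X=y' -> {'X': 'y'}; '# CONFIG_X is not set' -> {'X': 'n'}.
    Other comment lines (e.g. the generated-file header) are ignored.
    """
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# CONFIG_") and line.endswith(" is not set"):
            values[line[len("# CONFIG_"):-len(" is not set")]] = "n"
        elif line.startswith("CONFIG_") and "=" in line:
            key, _, val = line[len("CONFIG_"):].partition("=")
            values[key] = val
    return values


def is_on(values, sym):
    """A symbol counts as set when it is built in (y) or modular (m)."""
    return values.get(sym, "n") in ("y", "m")


def check_integrity_config(text):
    """Return a sorted list of rule violations; an empty list means consistent."""
    values = parse_config(text)
    problems = []
    for sym, deps in DEPENDS.items():
        if is_on(values, sym):
            for dep in deps:
                if not is_on(values, dep):
                    problems.append(f"{sym} depends on {dep}, which is not set")
    for sym, sels in SELECTS.items():
        if is_on(values, sym):
            for sel in sels:
                if not is_on(values, sel):
                    problems.append(f"{sym} selects {sel}, which is not set")
    return sorted(problems)


# Constructed sample: a consistent fragment with every integrity option on.
GOOD_CONFIG = """
CONFIG_SECURITY=y
CONFIG_KEYS=y
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_AUDIT=y
CONFIG_INTEGRITY=y
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_SIGNATURE=y
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_ASYMMETRIC_KEY_TYPE=y
CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
CONFIG_CRYPTO_RSA=y
CONFIG_X509_CERTIFICATE_PARSER=y
CONFIG_INTEGRITY_TRUSTED_KEYRING=y
CONFIG_INTEGRITY_AUDIT=y
"""

# Constructed sample: the trusted-keyring requirement would be dropped because
# SYSTEM_TRUSTED_KEYRING is off, and a selected crypto symbol is missing.
BAD_CONFIG = """
CONFIG_SECURITY=y
CONFIG_KEYS=y
# CONFIG_SYSTEM_TRUSTED_KEYRING is not set
CONFIG_INTEGRITY=y
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_SIGNATURE=y
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_ASYMMETRIC_KEY_TYPE=y
CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
# CONFIG_CRYPTO_RSA is not set
CONFIG_X509_CERTIFICATE_PARSER=y
CONFIG_INTEGRITY_TRUSTED_KEYRING=y
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_integrity_config(cfg) or "consistent")
```

Run against a real tree with `check_integrity_config(open(".config").read())`; the rules cover only the options declared in this file, so the IMA and EVM sub-options sourced at the end need their own tables if you extend it.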