certs/Kconfig
Source file repositories/reference/linux-study-clean/certs/Kconfig
File Facts
- System: Linux kernel
- Corpus path: certs/Kconfig
- Extension: [no extension]
- Size: 7711 bytes
- Lines: 198
- Domain: Core OS
- Bucket: Core Kernel Interface
- Inferred role: Core OS: build/configuration rule
- Status: atlas-only
Why This File Exists
Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
Dependency Surface
- No C-style include directives detected by the generator.
Detected Declarations
- No top-level syscall, struct, function, initcall, or export declaration detected by the generator.
Annotated Snippet
# SPDX-License-Identifier: GPL-2.0
menu "Certificates for signature checking"

config MODULE_SIG_KEY
	string "File name or PKCS#11 URI of module signing key"
	default "certs/signing_key.pem"
	depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES)
	help
	  Provide the file name of a private key/certificate in PEM format,
	  or a PKCS#11 URI according to RFC7512. The file should contain, or
	  the URI should identify, both the certificate and its corresponding
	  private key.

	  If this option is unchanged from its default "certs/signing_key.pem",
	  then the kernel will automatically generate the private key and
	  certificate as described in Documentation/admin-guide/module-signing.rst

choice
	prompt "Type of module signing key to be generated"
	depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES)
	help
	  The type of module signing key type to generate. This option
	  does not apply if a #PKCS11 URI is used.

config MODULE_SIG_KEY_TYPE_RSA
	bool "RSA"
	help
	  Use an RSA key for module signing.

config MODULE_SIG_KEY_TYPE_ECDSA
	bool "ECDSA"
	select CRYPTO_ECDSA
	depends on !(MODULE_SIG_SHA256 || MODULE_SIG_SHA3_256)
	help
	  Use an elliptic curve key (NIST P384) for module signing. Use
	  a strong hash of same or higher bit length, i.e. sha384 or
	  sha512 for hashing modules.

	  Note: Remove all ECDSA signing keys, e.g. certs/signing_key.pem,
	  when falling back to building Linux 5.14 and older kernels.

config MODULE_SIG_KEY_TYPE_MLDSA_44
	bool "ML-DSA-44"
	select CRYPTO_MLDSA
	depends on OPENSSL_SUPPORTS_ML_DSA
	help
	  Use an ML-DSA-44 key (NIST FIPS 204) for module signing. ML-DSA
	  support requires OpenSSL-3.5 minimum; preferably OpenSSL-4+. With
	  the latter, the entire module body will be signed; with the former,
	  signedAttrs will be used as it lacks support for CMS_NOATTR with
	  ML-DSA.

config MODULE_SIG_KEY_TYPE_MLDSA_65
	bool "ML-DSA-65"
	select CRYPTO_MLDSA
	depends on OPENSSL_SUPPORTS_ML_DSA
	help
	  Use an ML-DSA-65 key (NIST FIPS 204) for module signing. ML-DSA
	  support requires OpenSSL-3.5 minimum; preferably OpenSSL-4+. With
	  the latter, the entire module body will be signed; with the former,
	  signedAttrs will be used as it lacks support for CMS_NOATTR with
	  ML-DSA.

config MODULE_SIG_KEY_TYPE_MLDSA_87
	bool "ML-DSA-87"
	select CRYPTO_MLDSA
	depends on OPENSSL_SUPPORTS_ML_DSA
	help
	  Use an ML-DSA-87 key (NIST FIPS 204) for module signing. ML-DSA
	  support requires OpenSSL-3.5 minimum; preferably OpenSSL-4+. With
Annotation
- Atlas domain: Core OS / Core Kernel Interface.
- Implementation status: atlas-only.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.