certs/Kconfig

Source file repositories/reference/linux-study-clean/certs/Kconfig

File Facts

System: Linux kernel
Corpus path: certs/Kconfig
Extension: [no extension]
Size: 7711 bytes
Lines: 198
Domain: Core OS
Bucket: Core Kernel Interface
Inferred role: Core OS: build/configuration rule
Status: atlas-only

Why This File Exists

Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.

Dependency Surface

Detected Declarations

Annotated Snippet

# SPDX-License-Identifier: GPL-2.0
menu "Certificates for signature checking"

config MODULE_SIG_KEY
	string "File name or PKCS#11 URI of module signing key"
	default "certs/signing_key.pem"
	depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES)
	help
	 Provide the file name of a private key/certificate in PEM format,
	 or a PKCS#11 URI according to RFC7512. The file should contain, or
	 the URI should identify, both the certificate and its corresponding
	 private key.

	 If this option is unchanged from its default "certs/signing_key.pem",
	 then the kernel will automatically generate the private key and
	 certificate as described in Documentation/admin-guide/module-signing.rst

choice
	prompt "Type of module signing key to be generated"
	depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES)
	help
	 The type of module signing key type to generate. This option
	 does not apply if a #PKCS11 URI is used.

config MODULE_SIG_KEY_TYPE_RSA
	bool "RSA"
	help
	 Use an RSA key for module signing.

config MODULE_SIG_KEY_TYPE_ECDSA
	bool "ECDSA"
	select CRYPTO_ECDSA
	depends on !(MODULE_SIG_SHA256 || MODULE_SIG_SHA3_256)
	help
	 Use an elliptic curve key (NIST P384) for module signing. Use
	 a strong hash of same or higher bit length, i.e. sha384 or
	 sha512 for hashing modules.

	 Note: Remove all ECDSA signing keys, e.g. certs/signing_key.pem,
	 when falling back to building Linux 5.14 and older kernels.

config MODULE_SIG_KEY_TYPE_MLDSA_44
	bool "ML-DSA-44"
	select CRYPTO_MLDSA
	depends on OPENSSL_SUPPORTS_ML_DSA
	help
	  Use an ML-DSA-44 key (NIST FIPS 204) for module signing.  ML-DSA
	  support requires OpenSSL-3.5 minimum; preferably OpenSSL-4+.  With
	  the latter, the entire module body will be signed; with the former,
	  signedAttrs will be used as it lacks support for CMS_NOATTR with
	  ML-DSA.

config MODULE_SIG_KEY_TYPE_MLDSA_65
	bool "ML-DSA-65"
	select CRYPTO_MLDSA
	depends on OPENSSL_SUPPORTS_ML_DSA
	help
	  Use an ML-DSA-65 key (NIST FIPS 204) for module signing.  ML-DSA
	  support requires OpenSSL-3.5 minimum; preferably OpenSSL-4+.  With
	  the latter, the entire module body will be signed; with the former,
	  signedAttrs will be used as it lacks support for CMS_NOATTR with
	  ML-DSA.

config MODULE_SIG_KEY_TYPE_MLDSA_87
	bool "ML-DSA-87"
	select CRYPTO_MLDSA
	depends on OPENSSL_SUPPORTS_ML_DSA
	help
	  Use an ML-DSA-87 key (NIST FIPS 204) for module signing.  ML-DSA
	  support requires OpenSSL-3.5 minimum; preferably OpenSSL-4+.  With

Annotation

Implementation Notes
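
An added example, not part of the kernel source or of this page's original content: a shell check that reads a .config and reports the module-signing key settings defined in the snippet above, flagging an ECDSA key paired with SHA-256 or SHA3-256. Kconfig itself enforces that dependency, so the check is aimed at hand-edited files or config fragments; the function names and the sample fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the module-signing settings of a kernel .config
# against the constraints visible in certs/Kconfig.

# cfg_val FILE SYMBOL: print the value of CONFIG_<SYMBOL>, quotes stripped.
cfg_val() {
    sed -n "s/^CONFIG_$2=//p" "$1" | tr -d '"' | head -n 1
}

# audit_modsig FILE: print one finding per line (INFO / NOTE / FAIL).
audit_modsig() {
    cfg=$1
    key=$(cfg_val "$cfg" MODULE_SIG_KEY)
    ktype=none
    for t in RSA ECDSA MLDSA_44 MLDSA_65 MLDSA_87; do
        if [ "$(cfg_val "$cfg" "MODULE_SIG_KEY_TYPE_$t")" = y ]; then ktype=$t; fi
    done
    echo "INFO key_type=$ktype key=${key:-unset}"
    case $key in
    certs/signing_key.pem)
        # Unchanged default: the build generates key and certificate itself.
        echo "NOTE default key name, key pair is auto-generated by the build" ;;
    pkcs11:*)
        # Per the choice help text, the key-type option does not apply.
        echo "NOTE PKCS#11 URI, generated key type does not apply" ;;
    esac
    # ECDSA depends on !(MODULE_SIG_SHA256 || MODULE_SIG_SHA3_256).
    if [ "$ktype" = ECDSA ]; then
        for h in SHA256 SHA3_256; do
            if [ "$(cfg_val "$cfg" "MODULE_SIG_$h")" = y ]; then
                echo "FAIL ECDSA P-384 key with $h module hash"
            fi
        done
    fi
}

# Constructed sample fragment (not from a real build): ECDSA plus SHA-256,
# the pairing the ECDSA option's "depends on" line excludes.
sample_config() {
    printf '%s\n' 'CONFIG_MODULE_SIG=y' \
        'CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"' \
        'CONFIG_MODULE_SIG_KEY_TYPE_ECDSA=y' \
        'CONFIG_MODULE_SIG_SHA256=y'
}

tmp=$(mktemp)
sample_config > "$tmp"
audit_modsig "$tmp"
rm -f "$tmp"
```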