security/integrity/Kconfig

Source file repositories/reference/linux-study-clean/security/integrity/Kconfig

File Facts

System
Linux kernel
Corpus path
security/integrity/Kconfig
Extension
[no extension]
Size
4711 bytes
Lines
138
Domain
Core OS
Bucket
Security And Isolation
Inferred role
Core OS: build/configuration rule
Status
atlas-only

Why This File Exists

Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.

Dependency Surface

Detected Declarations

Annotated Snippet

# SPDX-License-Identifier: GPL-2.0-only
#
config INTEGRITY
	bool "Integrity subsystem"
	depends on SECURITY
	default y
	help
	  This option enables the integrity subsystem, which is comprised
	  of a number of different components including the Integrity
	  Measurement Architecture (IMA), Extended Verification Module
	  (EVM), IMA-appraisal extension, digital signature verification
	  extension and audit measurement log support.

	  Each of these components can be enabled/disabled separately.
	  Refer to the individual components for additional details.

if INTEGRITY

config INTEGRITY_SIGNATURE
	bool "Digital signature verification using multiple keyrings"
	default n
	select KEYS
	select SIGNATURE
	help
	  This option enables digital signature verification support
	  using multiple keyrings. It defines separate keyrings for each
	  of the different use cases - evm, ima, and modules.
	  Different keyrings improves search performance, but also allow
	  to "lock" certain keyring to prevent adding new keys.
	  This is useful for evm and module keyrings, when keys are
	  usually only added from initramfs.

config INTEGRITY_ASYMMETRIC_KEYS
	bool "Enable asymmetric keys support"
	depends on INTEGRITY_SIGNATURE
	default n
	select ASYMMETRIC_KEY_TYPE
	select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
	select CRYPTO
	select CRYPTO_RSA
	select X509_CERTIFICATE_PARSER
	help
	  This option enables digital signature verification using
	  asymmetric keys.

config INTEGRITY_TRUSTED_KEYRING
	bool "Require all keys on the integrity keyrings be signed"
	depends on SYSTEM_TRUSTED_KEYRING
	depends on INTEGRITY_ASYMMETRIC_KEYS
	default y
	help
	   This option requires that all keys added to the .ima and
	   .evm keyrings be signed by a key on the system trusted
	   keyring.

config INTEGRITY_PLATFORM_KEYRING
	bool "Provide keyring for platform/firmware trusted keys"
	depends on INTEGRITY_ASYMMETRIC_KEYS
	depends on SYSTEM_BLACKLIST_KEYRING
	help
	  Provide a separate, distinct keyring for platform trusted keys, which
	  the kernel automatically populates during initialization from values
	  provided by the platform for verifying the kexec'ed kerned image
	  and, possibly, the initramfs signature.

config INTEGRITY_MACHINE_KEYRING
	bool "Provide a keyring to which Machine Owner Keys may be added"
	depends on SECONDARY_TRUSTED_KEYRING
	depends on INTEGRITY_ASYMMETRIC_KEYS
	depends on SYSTEM_BLACKLIST_KEYRING

Annotation

Implementation Notes