| # SPDX-License-Identifier: GPL-2.0 |
| menu "Certificates for signature checking" |
| |
| config MODULE_SIG_KEY |
| string "File name or PKCS#11 URI of module signing key" |
| default "certs/signing_key.pem" |
| depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES) |
| help |
| Provide the file name of a private key/certificate in PEM format, |
| or a PKCS#11 URI according to RFC7512. The file should contain, or |
| the URI should identify, both the certificate and its corresponding |
| private key. |
| |
| If this option is unchanged from its default "certs/signing_key.pem", |
| then the kernel will automatically generate the private key and |
| certificate as described in Documentation/admin-guide/module-signing.rst |
| |
| choice |
| prompt "Type of module signing key to be generated" |
| depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES) |
| help |
| The type of module signing key type to generate. This option |
| does not apply if a #PKCS11 URI is used. |
| |
| config MODULE_SIG_KEY_TYPE_RSA |
| bool "RSA" |
| help |
| Use an RSA key for module signing. |
| |
| config MODULE_SIG_KEY_TYPE_ECDSA |
| bool "ECDSA" |
| select CRYPTO_ECDSA |
| help |
| Use an elliptic curve key (NIST P384) for module signing. Consider |
| using a strong hash like sha256 or sha384 for hashing modules. |
| |
| Note: Remove all ECDSA signing keys, e.g. certs/signing_key.pem, |
| when falling back to building Linux 5.14 and older kernels. |
| |
| endchoice |
| |
| config SYSTEM_TRUSTED_KEYRING |
| bool "Provide system-wide ring of trusted keys" |
| depends on KEYS |
| depends on ASYMMETRIC_KEY_TYPE |
| depends on X509_CERTIFICATE_PARSER |
| help |
| Provide a system keyring to which trusted keys can be added. Keys in |
| the keyring are considered to be trusted. Keys may be added at will |
| by the kernel from compiled-in data and from hardware key stores, but |
| userspace may only add extra keys if those keys can be verified by |
| keys already in the keyring. |
| |
| Keys in this keyring are used by module signature checking. |
| |
| config SYSTEM_TRUSTED_KEYS |
| string "Additional X.509 keys for default system keyring" |
| depends on SYSTEM_TRUSTED_KEYRING |
| help |
| If set, this option should be the filename of a PEM-formatted file |
| containing trusted X.509 certificates to be included in the default |
| system keyring. Any certificate used for module signing is implicitly |
| also trusted. |
| |
| NOTE: If you previously provided keys for the system keyring in the |
| form of DER-encoded *.x509 files in the top-level build directory, |
| those are no longer used. You will need to set this option instead. |
| |
| config SYSTEM_EXTRA_CERTIFICATE |
| bool "Reserve area for inserting a certificate without recompiling" |
| depends on SYSTEM_TRUSTED_KEYRING |
| help |
| If set, space for an extra certificate will be reserved in the kernel |
| image. This allows introducing a trusted certificate to the default |
| system keyring without recompiling the kernel. |
| |
| config SYSTEM_EXTRA_CERTIFICATE_SIZE |
| int "Number of bytes to reserve for the extra certificate" |
| depends on SYSTEM_EXTRA_CERTIFICATE |
| default 4096 |
| help |
| This is the number of bytes reserved in the kernel image for a |
| certificate to be inserted. |
| |
| config SECONDARY_TRUSTED_KEYRING |
| bool "Provide a keyring to which extra trustable keys may be added" |
| depends on SYSTEM_TRUSTED_KEYRING |
| help |
| If set, provide a keyring to which extra keys may be added, provided |
| those keys are not blacklisted and are vouched for by a key built |
| into the kernel or already in the secondary trusted keyring. |
| |
| config SYSTEM_BLACKLIST_KEYRING |
| bool "Provide system-wide ring of blacklisted keys" |
| depends on KEYS |
| help |
| Provide a system keyring to which blacklisted keys can be added. |
| Keys in the keyring are considered entirely untrusted. Keys in this |
| keyring are used by the module signature checking to reject loading |
| of modules signed with a blacklisted key. |
| |
| config SYSTEM_BLACKLIST_HASH_LIST |
| string "Hashes to be preloaded into the system blacklist keyring" |
| depends on SYSTEM_BLACKLIST_KEYRING |
| help |
| If set, this option should be the filename of a list of hashes in the |
| form "<hash>", "<hash>", ... . This will be included into a C |
| wrapper to incorporate the list into the kernel. Each <hash> must be a |
| string starting with a prefix ("tbs" or "bin"), then a colon (":"), and |
| finally an even number of hexadecimal lowercase characters (up to 128). |
| Certificate hashes can be generated with |
| tools/certs/print-cert-tbs-hash.sh . |
| |
| config SYSTEM_REVOCATION_LIST |
| bool "Provide system-wide ring of revocation certificates" |
| depends on SYSTEM_BLACKLIST_KEYRING |
| depends on PKCS7_MESSAGE_PARSER=y |
| help |
| If set, this allows revocation certificates to be stored in the |
| blacklist keyring and implements a hook whereby a PKCS#7 message can |
| be checked to see if it matches such a certificate. |
| |
| config SYSTEM_REVOCATION_KEYS |
| string "X.509 certificates to be preloaded into the system blacklist keyring" |
| depends on SYSTEM_REVOCATION_LIST |
| help |
| If set, this option should be the filename of a PEM-formatted file |
| containing X.509 certificates to be included in the default blacklist |
| keyring. |
| |
| config SYSTEM_BLACKLIST_AUTH_UPDATE |
| bool "Allow root to add signed blacklist keys" |
| depends on SYSTEM_BLACKLIST_KEYRING |
| depends on SYSTEM_DATA_VERIFICATION |
| help |
| If set, provide the ability to load new blacklist keys at run time if |
| they are signed and vouched by a certificate from the builtin trusted |
| keyring. The PKCS#7 signature of the description is set in the key |
| payload. Blacklist keys cannot be removed. |
| |
| endmenu |