| # SPDX-License-Identifier: GPL-2.0-only |
| # |
| # Integrity Policy Enforcement (IPE) configuration |
| # |
| |
| menuconfig SECURITY_IPE |
| bool "Integrity Policy Enforcement (IPE)" |
| depends on SECURITY && SECURITYFS && AUDIT && AUDITSYSCALL |
| select PKCS7_MESSAGE_PARSER |
| select SYSTEM_DATA_VERIFICATION |
| select IPE_PROP_DM_VERITY if DM_VERITY |
| select IPE_PROP_DM_VERITY_SIGNATURE if DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG |
| select IPE_PROP_FS_VERITY if FS_VERITY |
| select IPE_PROP_FS_VERITY_BUILTIN_SIG if FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES |
| help |
| This option enables the Integrity Policy Enforcement LSM |
| allowing users to define a policy to enforce a trust-based access |
| control. A key feature of IPE is a customizable policy to allow |
| admins to reconfigure trust requirements on the fly. |
| |
| If unsure, answer N. |
| |
| if SECURITY_IPE |
| config IPE_BOOT_POLICY |
| string "Integrity policy to apply on system startup" |
| help |
| This option specifies a filepath to an IPE policy that is compiled |
| into the kernel. This policy will be enforced until a policy update |
| is deployed via the $securityfs/ipe/policies/$policy_name/active |
| interface. |
| |
| If unsure, leave blank. |
| |
| menu "IPE Trust Providers" |
| |
| config IPE_PROP_DM_VERITY |
| bool "Enable support for dm-verity based on root hash" |
| depends on DM_VERITY |
| help |
| This option enables the 'dmverity_roothash' property within IPE |
| policies. The property evaluates to TRUE when a file from a dm-verity |
| volume is evaluated, and the volume's root hash matches the value |
| supplied in the policy. |
| |
| config IPE_PROP_DM_VERITY_SIGNATURE |
| bool "Enable support for dm-verity based on root hash signature" |
| depends on DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG |
| help |
| This option enables the 'dmverity_signature' property within IPE |
| policies. The property evaluates to TRUE when a file from a dm-verity |
| volume, which has been mounted with a valid signed root hash, |
| is evaluated. |
| |
| If unsure, answer Y. |
| |
| config IPE_PROP_FS_VERITY |
| bool "Enable support for fs-verity based on file digest" |
| depends on FS_VERITY |
| help |
| This option enables the 'fsverity_digest' property within IPE |
| policies. The property evaluates to TRUE when a file is fsverity |
| enabled and its digest matches the supplied digest value in the |
| policy. |
| |
| if unsure, answer Y. |
| |
| config IPE_PROP_FS_VERITY_BUILTIN_SIG |
| bool "Enable support for fs-verity based on builtin signature" |
| depends on FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES |
| help |
| This option enables the 'fsverity_signature' property within IPE |
| policies. The property evaluates to TRUE when a file is fsverity |
| enabled and it has a valid builtin signature whose signing cert |
| is in the .fs-verity keyring. |
| |
| if unsure, answer Y. |
| |
| endmenu |
| |
| config SECURITY_IPE_KUNIT_TEST |
| bool "Build KUnit tests for IPE" if !KUNIT_ALL_TESTS |
| depends on KUNIT=y |
| default KUNIT_ALL_TESTS |
| help |
| This builds the IPE KUnit tests. |
| |
| KUnit tests run during boot and output the results to the debug log |
| in TAP format (https://testanything.org/). Only useful for kernel devs |
| running KUnit test harness and are not for inclusion into a |
| production build. |
| |
| For more information on KUnit and unit tests in general please refer |
| to the KUnit documentation in Documentation/dev-tools/kunit/. |
| |
| If unsure, say N. |
| |
| endif |