Greg Kroah-Hartman | b244131 | 2017-11-01 15:07:57 +0100 | [diff] [blame] | 1 | # SPDX-License-Identifier: GPL-2.0 |
David Howells | cfc411e | 2015-08-14 15:20:41 +0100 | [diff] [blame] | 2 | menu "Certificates for signature checking" |
| 3 | |
| 4 | config MODULE_SIG_KEY |
| 5 | string "File name or PKCS#11 URI of module signing key" |
| 6 | default "certs/signing_key.pem" |
Nayna Jain | 781a573 | 2021-04-22 21:16:02 -0400 | [diff] [blame] | 7 | depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES) |
David Howells | cfc411e | 2015-08-14 15:20:41 +0100 | [diff] [blame] | 8 | help |
| 9 | Provide the file name of a private key/certificate in PEM format, |
| 10 | or a PKCS#11 URI according to RFC7512. The file should contain, or |
| 11 | the URI should identify, both the certificate and its corresponding |
| 12 | private key. |
| 13 | |
| 14 | If this option is unchanged from its default "certs/signing_key.pem", |
| 15 | then the kernel will automatically generate the private key and |
Mauro Carvalho Chehab | 5fb94e9 | 2018-05-08 15:14:57 -0300 | [diff] [blame] | 16 | certificate as described in Documentation/admin-guide/module-signing.rst |
David Howells | cfc411e | 2015-08-14 15:20:41 +0100 | [diff] [blame] | 17 | |
Stefan Berger | a4aed36 | 2021-06-29 17:34:21 -0400 | [diff] [blame] | 18 | choice |
| 19 | prompt "Type of module signing key to be generated" |
Masahiro Yamada | be0d5fa7 | 2021-10-01 13:01:26 +0900 | [diff] [blame] | 20 | depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES) |
Stefan Berger | a4aed36 | 2021-06-29 17:34:21 -0400 | [diff] [blame] | 21 | help |
| 22 | The type of module signing key type to generate. This option |
| 23 | does not apply if a #PKCS11 URI is used. |
| 24 | |
| 25 | config MODULE_SIG_KEY_TYPE_RSA |
| 26 | bool "RSA" |
Stefan Berger | a4aed36 | 2021-06-29 17:34:21 -0400 | [diff] [blame] | 27 | help |
| 28 | Use an RSA key for module signing. |
| 29 | |
| 30 | config MODULE_SIG_KEY_TYPE_ECDSA |
| 31 | bool "ECDSA" |
| 32 | select CRYPTO_ECDSA |
Dimitri John Ledkov | 446b1e0 | 2023-10-22 19:22:07 +0100 | [diff] [blame] | 33 | depends on !(MODULE_SIG_SHA256 || MODULE_SIG_SHA3_256) |
Stefan Berger | a4aed36 | 2021-06-29 17:34:21 -0400 | [diff] [blame] | 34 | help |
Dimitri John Ledkov | d4f5bfe | 2023-10-10 22:27:55 +0100 | [diff] [blame] | 35 | Use an elliptic curve key (NIST P384) for module signing. Use |
| 36 | a strong hash of same or higher bit length, i.e. sha384 or |
| 37 | sha512 for hashing modules. |
Stefan Berger | a4aed36 | 2021-06-29 17:34:21 -0400 | [diff] [blame] | 38 | |
| 39 | Note: Remove all ECDSA signing keys, e.g. certs/signing_key.pem, |
| 40 | when falling back to building Linux 5.14 and older kernels. |
| 41 | |
| 42 | endchoice |
| 43 | |
David Howells | cfc411e | 2015-08-14 15:20:41 +0100 | [diff] [blame] | 44 | config SYSTEM_TRUSTED_KEYRING |
| 45 | bool "Provide system-wide ring of trusted keys" |
| 46 | depends on KEYS |
David Howells | 99716b7 | 2016-04-06 16:14:26 +0100 | [diff] [blame] | 47 | depends on ASYMMETRIC_KEY_TYPE |
Masahiro Yamada | 2154aca | 2022-09-12 15:52:10 +0900 | [diff] [blame] | 48 | depends on X509_CERTIFICATE_PARSER = y |
David Howells | cfc411e | 2015-08-14 15:20:41 +0100 | [diff] [blame] | 49 | help |
| 50 | Provide a system keyring to which trusted keys can be added. Keys in |
| 51 | the keyring are considered to be trusted. Keys may be added at will |
| 52 | by the kernel from compiled-in data and from hardware key stores, but |
| 53 | userspace may only add extra keys if those keys can be verified by |
| 54 | keys already in the keyring. |
| 55 | |
| 56 | Keys in this keyring are used by module signature checking. |
| 57 | |
| 58 | config SYSTEM_TRUSTED_KEYS |
| 59 | string "Additional X.509 keys for default system keyring" |
| 60 | depends on SYSTEM_TRUSTED_KEYRING |
| 61 | help |
| 62 | If set, this option should be the filename of a PEM-formatted file |
| 63 | containing trusted X.509 certificates to be included in the default |
| 64 | system keyring. Any certificate used for module signing is implicitly |
| 65 | also trusted. |
| 66 | |
| 67 | NOTE: If you previously provided keys for the system keyring in the |
| 68 | form of DER-encoded *.x509 files in the top-level build directory, |
| 69 | those are no longer used. You will need to set this option instead. |
| 70 | |
Mehmet Kayaalp | c4c3610 | 2015-11-24 16:18:05 -0500 | [diff] [blame] | 71 | config SYSTEM_EXTRA_CERTIFICATE |
| 72 | bool "Reserve area for inserting a certificate without recompiling" |
| 73 | depends on SYSTEM_TRUSTED_KEYRING |
| 74 | help |
| 75 | If set, space for an extra certificate will be reserved in the kernel |
| 76 | image. This allows introducing a trusted certificate to the default |
| 77 | system keyring without recompiling the kernel. |
| 78 | |
| 79 | config SYSTEM_EXTRA_CERTIFICATE_SIZE |
| 80 | int "Number of bytes to reserve for the extra certificate" |
| 81 | depends on SYSTEM_EXTRA_CERTIFICATE |
| 82 | default 4096 |
| 83 | help |
| 84 | This is the number of bytes reserved in the kernel image for a |
| 85 | certificate to be inserted. |
| 86 | |
David Howells | d3bfe84 | 2016-04-06 16:14:27 +0100 | [diff] [blame] | 87 | config SECONDARY_TRUSTED_KEYRING |
| 88 | bool "Provide a keyring to which extra trustable keys may be added" |
| 89 | depends on SYSTEM_TRUSTED_KEYRING |
| 90 | help |
| 91 | If set, provide a keyring to which extra keys may be added, provided |
| 92 | those keys are not blacklisted and are vouched for by a key built |
Mimi Zohar | b465030 | 2023-10-15 20:18:03 -0400 | [diff] [blame] | 93 | into the kernel, machine keyring (if configured), or already in the |
| 94 | secondary trusted keyring. |
| 95 | |
| 96 | config SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN |
| 97 | bool "Only allow additional certs signed by keys on the builtin trusted keyring" |
| 98 | depends on SECONDARY_TRUSTED_KEYRING |
| 99 | help |
| 100 | If set, only certificates signed by keys on the builtin trusted |
| 101 | keyring may be loaded onto the secondary trusted keyring. |
| 102 | |
| 103 | Note: The machine keyring, if configured, will be linked to the |
| 104 | secondary keyring. When enabling this option, it is recommended |
| 105 | to also configure INTEGRITY_CA_MACHINE_KEYRING_MAX to prevent |
| 106 | linking code signing keys with imputed trust to the secondary |
| 107 | trusted keyring. |
David Howells | d3bfe84 | 2016-04-06 16:14:27 +0100 | [diff] [blame] | 108 | |
David Howells | 734114f | 2017-04-03 16:07:24 +0100 | [diff] [blame] | 109 | config SYSTEM_BLACKLIST_KEYRING |
| 110 | bool "Provide system-wide ring of blacklisted keys" |
| 111 | depends on KEYS |
| 112 | help |
| 113 | Provide a system keyring to which blacklisted keys can be added. |
| 114 | Keys in the keyring are considered entirely untrusted. Keys in this |
| 115 | keyring are used by the module signature checking to reject loading |
| 116 | of modules signed with a blacklisted key. |
| 117 | |
| 118 | config SYSTEM_BLACKLIST_HASH_LIST |
| 119 | string "Hashes to be preloaded into the system blacklist keyring" |
| 120 | depends on SYSTEM_BLACKLIST_KEYRING |
| 121 | help |
| 122 | If set, this option should be the filename of a list of hashes in the |
| 123 | form "<hash>", "<hash>", ... . This will be included into a C |
Mickaël Salaün | addf466 | 2021-07-12 19:03:10 +0200 | [diff] [blame] | 124 | wrapper to incorporate the list into the kernel. Each <hash> must be a |
| 125 | string starting with a prefix ("tbs" or "bin"), then a colon (":"), and |
| 126 | finally an even number of hexadecimal lowercase characters (up to 128). |
| 127 | Certificate hashes can be generated with |
| 128 | tools/certs/print-cert-tbs-hash.sh . |
David Howells | 734114f | 2017-04-03 16:07:24 +0100 | [diff] [blame] | 129 | |
Eric Snowberg | 56c5812 | 2021-01-22 13:10:51 -0500 | [diff] [blame] | 130 | config SYSTEM_REVOCATION_LIST |
| 131 | bool "Provide system-wide ring of revocation certificates" |
| 132 | depends on SYSTEM_BLACKLIST_KEYRING |
| 133 | depends on PKCS7_MESSAGE_PARSER=y |
| 134 | help |
| 135 | If set, this allows revocation certificates to be stored in the |
| 136 | blacklist keyring and implements a hook whereby a PKCS#7 message can |
| 137 | be checked to see if it matches such a certificate. |
| 138 | |
Eric Snowberg | d1f0441 | 2021-01-22 13:10:53 -0500 | [diff] [blame] | 139 | config SYSTEM_REVOCATION_KEYS |
| 140 | string "X.509 certificates to be preloaded into the system blacklist keyring" |
| 141 | depends on SYSTEM_REVOCATION_LIST |
| 142 | help |
| 143 | If set, this option should be the filename of a PEM-formatted file |
| 144 | containing X.509 certificates to be included in the default blacklist |
| 145 | keyring. |
| 146 | |
Mickaël Salaün | 6364d10 | 2021-07-12 19:03:13 +0200 | [diff] [blame] | 147 | config SYSTEM_BLACKLIST_AUTH_UPDATE |
| 148 | bool "Allow root to add signed blacklist keys" |
| 149 | depends on SYSTEM_BLACKLIST_KEYRING |
| 150 | depends on SYSTEM_DATA_VERIFICATION |
| 151 | help |
| 152 | If set, provide the ability to load new blacklist keys at run time if |
| 153 | they are signed and vouched by a certificate from the builtin trusted |
| 154 | keyring. The PKCS#7 signature of the description is set in the key |
| 155 | payload. Blacklist keys cannot be removed. |
| 156 | |
David Howells | cfc411e | 2015-08-14 15:20:41 +0100 | [diff] [blame] | 157 | endmenu |