| Commit | Line | Data |
|---|---|---|
| b2441318 | 1 | `# SPDX-License-Identifier: GPL-2.0` |
| cfc411e7 DH | 2 | `menu "Certificates for signature checking"` |
| | 3 | |
| | 4 | `config MODULE_SIG_KEY` |
| | 5 | `string "File name or PKCS#11 URI of module signing key"` |
| | 6 | `default "certs/signing_key.pem"` |
| | 7 | `depends on MODULE_SIG` |
| | 8 | `help` |
| | 9 | `Provide the file name of a private key/certificate in PEM format,` |
| | 10 | `or a PKCS#11 URI according to RFC7512. The file should contain, or` |
| | 11 | `the URI should identify, both the certificate and its corresponding` |
| | 12 | `private key.` |
| | 13 | |
| | 14 | `If this option is unchanged from its default "certs/signing_key.pem",` |
| | 15 | `then the kernel will automatically generate the private key and` |
| | 16 | `certificate as described in Documentation/module-signing.txt` |
| | 17 | |
| | 18 | `config SYSTEM_TRUSTED_KEYRING` |
| | 19 | `bool "Provide system-wide ring of trusted keys"` |
| | 20 | `depends on KEYS` |
| 99716b7c | 21 | `depends on ASYMMETRIC_KEY_TYPE` |
| cfc411e7 DH | 22 | `help` |
| | 23 | `Provide a system keyring to which trusted keys can be added. Keys in` |
| | 24 | `the keyring are considered to be trusted. Keys may be added at will` |
| | 25 | `by the kernel from compiled-in data and from hardware key stores, but` |
| | 26 | `userspace may only add extra keys if those keys can be verified by` |
| | 27 | `keys already in the keyring.` |
| | 28 | |
| | 29 | `Keys in this keyring are used by module signature checking.` |
| | 30 | |
| | 31 | `config SYSTEM_TRUSTED_KEYS` |
| | 32 | `string "Additional X.509 keys for default system keyring"` |
| | 33 | `depends on SYSTEM_TRUSTED_KEYRING` |
| | 34 | `help` |
| | 35 | `If set, this option should be the filename of a PEM-formatted file` |
| | 36 | `containing trusted X.509 certificates to be included in the default` |
| | 37 | `system keyring. Any certificate used for module signing is implicitly` |
| | 38 | `also trusted.` |
| | 39 | |
| | 40 | `NOTE: If you previously provided keys for the system keyring in the` |
| | 41 | `form of DER-encoded *.x509 files in the top-level build directory,` |
| | 42 | `those are no longer used. You will need to set this option instead.` |
| | 43 | |
| c4c36105 MK | 44 | `config SYSTEM_EXTRA_CERTIFICATE` |
| | 45 | `bool "Reserve area for inserting a certificate without recompiling"` |
| | 46 | `depends on SYSTEM_TRUSTED_KEYRING` |
| | 47 | `help` |
| | 48 | `If set, space for an extra certificate will be reserved in the kernel` |
| | 49 | `image. This allows introducing a trusted certificate to the default` |
| | 50 | `system keyring without recompiling the kernel.` |
| | 51 | |
| | 52 | `config SYSTEM_EXTRA_CERTIFICATE_SIZE` |
| | 53 | `int "Number of bytes to reserve for the extra certificate"` |
| | 54 | `depends on SYSTEM_EXTRA_CERTIFICATE` |
| | 55 | `default 4096` |
| | 56 | `help` |
| | 57 | `This is the number of bytes reserved in the kernel image for a` |
| | 58 | `certificate to be inserted.` |
| | 59 | |
| d3bfe841 DH | 60 | `config SECONDARY_TRUSTED_KEYRING` |
| | 61 | `bool "Provide a keyring to which extra trustable keys may be added"` |
| | 62 | `depends on SYSTEM_TRUSTED_KEYRING` |
| | 63 | `help` |
| | 64 | `If set, provide a keyring to which extra keys may be added, provided` |
| | 65 | `those keys are not blacklisted and are vouched for by a key built` |
| | 66 | `into the kernel or already in the secondary trusted keyring.` |
| | 67 | |
| 734114f8 DH | 68 | `config SYSTEM_BLACKLIST_KEYRING` |
| | 69 | `bool "Provide system-wide ring of blacklisted keys"` |
| | 70 | `depends on KEYS` |
| | 71 | `help` |
| | 72 | `Provide a system keyring to which blacklisted keys can be added.` |
| | 73 | `Keys in the keyring are considered entirely untrusted. Keys in this` |
| | 74 | `keyring are used by the module signature checking to reject loading` |
| | 75 | `of modules signed with a blacklisted key.` |
| | 76 | |
| | 77 | `config SYSTEM_BLACKLIST_HASH_LIST` |
| | 78 | `string "Hashes to be preloaded into the system blacklist keyring"` |
| | 79 | `depends on SYSTEM_BLACKLIST_KEYRING` |
| | 80 | `help` |
| | 81 | `If set, this option should be the filename of a list of hashes in the` |
| | 82 | `form "<hash>", "<hash>", ... . This will be included into a C` |
| | 83 | `wrapper to incorporate the list into the kernel. Each <hash> should` |
| | 84 | `be a string of hex digits.` |
| | 85 | |
| 910132be DH | 86 | `config EFI_SIGNATURE_LIST_PARSER` |
| | 87 | `bool "EFI signature list parser"` |
| | 88 | `depends on EFI` |
| | 89 | `select X509_CERTIFICATE_PARSER` |
| | 90 | `help` |
| | 91 | `This option provides support for parsing EFI signature lists for` |
| | 92 | `X.509 certificates and turning them into keys.` |
| | 93 | |
| 2d2a8d41 JB | 94 | `config LOAD_UEFI_KEYS` |
| | 95 | `bool "Load certs and blacklist from UEFI db for module checking"` |
| | 96 | `depends on SYSTEM_BLACKLIST_KEYRING` |
| | 97 | `depends on SECONDARY_TRUSTED_KEYRING` |
| | 98 | `depends on EFI` |
| | 99 | `depends on EFI_SIGNATURE_LIST_PARSER` |
| | 100 | `help` |
| | 101 | `If the kernel is booted in secure boot mode, this option will cause` |
| | 102 | `the kernel to load the certificates from the UEFI db and MokListRT` |
| | 103 | `into the secondary trusted keyring. It will also load any X.509` |
| | 104 | `SHA256 hashes in the dbx list into the blacklist.` |
| | 105 | |
| | 106 | `The effect of this is that, if the kernel is booted in secure boot` |
| | 107 | `mode, modules signed with UEFI-stored keys will be permitted to be` |
| | 108 | `loaded and keys that match the blacklist will be rejected.` |
| | 109 | |
| cfc411e7 | 110 | `endmenu` |
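The two options that do the most work here are EFI_SIGNATURE_LIST_PARSER (lines 86-92), which turns the EFI_SIGNATURE_LIST structures found in UEFI variables into keys, and LOAD_UEFI_KEYS (lines 94-108), which feeds X.509 entries from db/MokListRT into the secondary trusted keyring and SHA-256 entries from dbx into the blacklist keyring; SYSTEM_BLACKLIST_HASH_LIST (lines 77-84) describes the `"<hash>", "<hash>", ...` file form used to preload that blacklist at build time. The following is an added, self-contained Python example that is not part of the kernel source on this page: it parses a concatenation of EFI_SIGNATURE_LISTs using the structure layout and the EFI_CERT_X509_GUID / EFI_CERT_SHA256_GUID values from the UEFI specification, splits the entries the way the LOAD_UEFI_KEYS help text describes, and renders the SHA-256 hashes in the SYSTEM_BLACKLIST_HASH_LIST form. The sample db and dbx blobs are constructed inline (the "certificate" is a placeholder byte string, not a valid DER certificate), and the function names are the example's own, not kernel APIs.

```python
"""Parse EFI signature lists (UEFI db / dbx) into X.509 certificate blobs and
SHA-256 blacklist hashes, and format the hashes the way the
SYSTEM_BLACKLIST_HASH_LIST option expects. Added example, not kernel code."""
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# EFI_SIGNATURE_LIST header: SignatureType (EFI_GUID, 16 bytes, mixed-endian
# as produced by uuid.bytes_le), then SignatureListSize, SignatureHeaderSize
# and SignatureSize as little-endian UINT32s.
_LIST_HDR = struct.Struct("<16sIII")
_OWNER_LEN = 16  # each EFI_SIGNATURE_DATA starts with a SignatureOwner GUID


def parse_efi_signature_lists(blob):
    """Walk a concatenation of EFI_SIGNATURE_LISTs (e.g. the raw contents of
    the db or dbx variable) and return (type_guid, owner_guid, data) tuples.
    Every size field is checked against the buffer before it is trusted, so a
    malformed list raises ValueError instead of being read past its end."""
    out = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        raw_type, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off)
        if list_size < _LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize at offset %d" % off)
        if sig_size <= _OWNER_LEN:
            raise ValueError("SignatureSize too small at offset %d" % off)
        body = blob[off + _LIST_HDR.size + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        sig_type = uuid.UUID(bytes_le=raw_type)
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            owner = uuid.UUID(bytes_le=entry[:_OWNER_LEN])
            out.append((sig_type, owner, entry[_OWNER_LEN:]))
        off += list_size
    return out


def split_uefi_db(blob):
    """Sort parsed entries the way the LOAD_UEFI_KEYS help text describes:
    X.509 entries are candidate keys for the secondary trusted keyring,
    SHA-256 entries (from dbx) become blacklist hashes. Other types are ignored."""
    certs, hashes = [], []
    for sig_type, _owner, data in parse_efi_signature_lists(blob):
        if sig_type == EFI_CERT_X509_GUID:
            certs.append(data)  # DER-encoded certificate bytes
        elif sig_type == EFI_CERT_SHA256_GUID:
            if len(data) != 32:
                raise ValueError("SHA-256 entry has %d bytes, expected 32" % len(data))
            hashes.append(data.hex())
    return certs, hashes


def blacklist_hash_list(hashes):
    """Render hashes as "<hash>", "<hash>", ... for SYSTEM_BLACKLIST_HASH_LIST,
    rejecting anything that is not a string of hex digits."""
    cleaned = []
    for h in hashes:
        if not h or any(c not in "0123456789abcdefABCDEF" for c in h):
            raise ValueError("not a hex digest: %r" % h)
        cleaned.append(h.lower())
    return ", ".join('"%s"' % h for h in cleaned) + "\n"


def build_signature_list(sig_type, entries, owner=uuid.UUID(int=0)):
    """Build one EFI_SIGNATURE_LIST with an empty SignatureHeader. Used only to
    construct sample input; the format requires one size for all entries."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("all signatures in one list must have the same size")
    sig_size = _OWNER_LEN + sizes.pop()
    body = b"".join(owner.bytes_le + e for e in entries)
    hdr = _LIST_HDR.pack(sig_type.bytes_le, _LIST_HDR.size + len(body), 0, sig_size)
    return hdr + body


# Constructed sample input (not a real db/dbx): a placeholder byte string that
# stands in for a DER certificate, and two SHA-256 digests of made-up content.
SAMPLE_CERT = b"\x30\x82\x01\x00" + b"\xaa" * 60
SAMPLE_HASHES = [hashlib.sha256(b"revoked-module-%d" % i).digest() for i in range(2)]
SAMPLE_DB = build_signature_list(EFI_CERT_X509_GUID, [SAMPLE_CERT])
SAMPLE_DBX = build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_HASHES)


if __name__ == "__main__":
    certs, hashes = split_uefi_db(SAMPLE_DB + SAMPLE_DBX)
    print("certificates:", len(certs), "blacklist hashes:", len(hashes))
    print(blacklist_hash_list(hashes), end="")
```

The parser validates SignatureListSize, SignatureHeaderSize and SignatureSize against the buffer before slicing, which is the property any consumer of firmware-supplied variable data needs: db and dbx contents come from outside the kernel's trust boundary, so an oversized or non-multiple SignatureSize must fail cleanly rather than drive an out-of-bounds read. The X.509 blobs it returns would still have to pass the X.509 certificate parser and the keyring's trust rules before becoming usable keys.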