Blame: all lines below are from commit cfc411e7 (DH).

```kconfig
menu "Certificates for signature checking"

config MODULE_SIG_KEY
	string "File name or PKCS#11 URI of module signing key"
	default "certs/signing_key.pem"
	depends on MODULE_SIG
	help
	  Provide the file name of a private key/certificate in PEM format,
	  or a PKCS#11 URI according to RFC7512. The file should contain, or
	  the URI should identify, both the certificate and its corresponding
	  private key.

	  If this option is unchanged from its default "certs/signing_key.pem",
	  then the kernel will automatically generate the private key and
	  certificate as described in Documentation/module-signing.txt

config SYSTEM_TRUSTED_KEYRING
	bool "Provide system-wide ring of trusted keys"
	depends on KEYS
	help
	  Provide a system keyring to which trusted keys can be added. Keys in
	  the keyring are considered to be trusted. Keys may be added at will
	  by the kernel from compiled-in data and from hardware key stores, but
	  userspace may only add extra keys if those keys can be verified by
	  keys already in the keyring.

	  Keys in this keyring are used by module signature checking.

config SYSTEM_TRUSTED_KEYS
	string "Additional X.509 keys for default system keyring"
	depends on SYSTEM_TRUSTED_KEYRING
	help
	  If set, this option should be the filename of a PEM-formatted file
	  containing trusted X.509 certificates to be included in the default
	  system keyring. Any certificate used for module signing is implicitly
	  also trusted.

	  NOTE: If you previously provided keys for the system keyring in the
	  form of DER-encoded *.x509 files in the top-level build directory,
	  those are no longer used. You will need to set this option instead.

endmenu
```
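The help texts above impose two different shapes on their inputs: MODULE_SIG_KEY wants a single PEM file holding both the certificate and its private key (or a PKCS#11 URI, which starts with the `pkcs11:` scheme per RFC 7512), while SYSTEM_TRUSTED_KEYS wants a PEM file of certificates only, replacing the old top-level `*.x509` DER files. A build started with a file of the wrong shape fails late and with an unhelpful error, so a pre-build check is worth having. The following is an added example written for this page, not kernel build code; the PEM bodies are constructed placeholders, and only the PEM framing is inspected, not the cryptographic contents or whether the key matches the certificate.

```python
"""Pre-build sanity checks for MODULE_SIG_KEY and SYSTEM_TRUSTED_KEYS inputs.

Added example for the certs/Kconfig help text above; not part of the kernel.
It inspects PEM block labels only and does not validate the key material.
"""
import re

# Matches one PEM block and captures its label ("CERTIFICATE", "PRIVATE KEY", ...).
# The backreference forces the END label to match the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)

# PEM labels that carry a private key (PKCS#8, PKCS#1 RSA, SEC1 EC, encrypted PKCS#8).
PRIVATE_KEY_LABELS = {
    "PRIVATE KEY",
    "RSA PRIVATE KEY",
    "EC PRIVATE KEY",
    "ENCRYPTED PRIVATE KEY",
}


def pem_labels(text):
    """Return the PEM block labels found in `text`, in order of appearance."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def is_pkcs11_uri(value):
    """RFC 7512 PKCS#11 URIs use the 'pkcs11:' scheme."""
    return value.startswith("pkcs11:")


def check_module_sig_key(value, contents=None):
    """Validate a MODULE_SIG_KEY setting; returns (ok, message).

    `value` is the Kconfig string. When it is a file name, `contents` is the
    text of that file: it must hold exactly one certificate and one private key.
    """
    if is_pkcs11_uri(value):
        return True, "PKCS#11 URI; certificate and key are resolved from the token"
    if contents is None:
        return False, "no file contents supplied for %r" % value
    labels = pem_labels(contents)
    certs = labels.count("CERTIFICATE")
    keys = sum(1 for label in labels if label in PRIVATE_KEY_LABELS)
    if certs != 1 or keys != 1:
        return False, ("expected exactly one certificate and one private key, "
                       "found %d certificate(s) and %d key(s)" % (certs, keys))
    return True, "certificate and private key present"


def check_system_trusted_keys(contents):
    """Validate a SYSTEM_TRUSTED_KEYS PEM file: one or more certificates, nothing else."""
    labels = pem_labels(contents)
    certs = labels.count("CERTIFICATE")
    extra = sorted(set(label for label in labels if label != "CERTIFICATE"))
    if certs == 0:
        return False, "no X.509 certificates found"
    if extra:
        # A private key in the trusted-certificate bundle is almost always a
        # packaging mistake: it would end up in the kernel image.
        return False, "unexpected non-certificate block(s): %s" % ", ".join(extra)
    return True, "%d certificate(s) present" % certs


def stale_der_files(build_dir_listing):
    """List top-level *.x509 files, which the NOTE in the help text says are no
    longer read; they need converting to PEM and referencing via SYSTEM_TRUSTED_KEYS."""
    return sorted(name for name in build_dir_listing if name.endswith(".x509"))


# Constructed sample inputs: the base64 bodies are placeholders, not real keys.
CERT_BLOCK = ("-----BEGIN CERTIFICATE-----\n"
              "MIIB...placeholder...\n"
              "-----END CERTIFICATE-----\n")
KEY_BLOCK = ("-----BEGIN PRIVATE KEY-----\n"
             "MIIE...placeholder...\n"
             "-----END PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(check_module_sig_key("certs/signing_key.pem", CERT_BLOCK + KEY_BLOCK))
    print(check_module_sig_key("certs/signing_key.pem", CERT_BLOCK))
    print(check_module_sig_key("pkcs11:token=kernel;object=signing_key"))
    print(check_system_trusted_keys(CERT_BLOCK + CERT_BLOCK))
    print(check_system_trusted_keys(CERT_BLOCK + KEY_BLOCK))
    print(stale_der_files(["Makefile", "vendor.x509", "certs"]))
```

Run it against the real files before `make` by reading them into `contents`; a certificate-only signing key file is the most common mistake the first check catches, and the second check also flags a private key accidentally appended to the trusted-certificate bundle.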