selftests/seccomp: Enhance per-arch ptrace syscall skip tests

[mirror_ubuntu-bionic-kernel.git] / certs / Kconfig

diff --git a/certs/Kconfig b/certs/Kconfig
index 5f7663df6e8e306fb7181e7fb94c11a88a49c828..9e3ca57a1a38f2ea8609dc1267b6444cf995263d 100644 (file)
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -83,4 +83,28 @@ config SYSTEM_BLACKLIST_HASH_LIST
          wrapper to incorporate the list into the kernel.  Each <hash> should
          be a string of hex digits.
 
+config EFI_SIGNATURE_LIST_PARSER
+       bool "EFI signature list parser"
+       depends on EFI
+       select X509_CERTIFICATE_PARSER
+       help
+         This option provides support for parsing EFI signature lists for
+         X.509 certificates and turning them into keys.
+
+config LOAD_UEFI_KEYS
+       bool "Load certs and blacklist from UEFI db for module checking"
+       depends on SYSTEM_BLACKLIST_KEYRING
+       depends on SECONDARY_TRUSTED_KEYRING
+       depends on EFI
+       depends on EFI_SIGNATURE_LIST_PARSER
+       help
+         If the kernel is booted in secure boot mode, this option will cause
+         the kernel to load the certificates from the UEFI db and MokListRT
+         into the secondary trusted keyring.  It will also load any X.509
+         SHA256 hashes in the dbx list into the blacklist.
+
+         The effect of this is that, if the kernel is booted in secure boot
+         mode, modules signed with UEFI-stored keys will be permitted to be
+         loaded and keys that match the blacklist will be rejected.
+
 endmenu