# SPDX-License-Identifier: GPL-2.0
menu "Certificates for signature checking"

config MODULE_SIG_KEY
	string "File name or PKCS#11 URI of module signing key"
	default "certs/signing_key.pem"
	depends on MODULE_SIG
	help
	  Provide the file name of a private key/certificate in PEM format,
	  or a PKCS#11 URI according to RFC7512. The file should contain, or
	  the URI should identify, both the certificate and its corresponding
	  private key.

	  If this option is unchanged from its default "certs/signing_key.pem",
	  then the kernel will automatically generate the private key and
	  certificate as described in Documentation/admin-guide/module-signing.rst

config SYSTEM_TRUSTED_KEYRING
	bool "Provide system-wide ring of trusted keys"
	depends on KEYS
	depends on ASYMMETRIC_KEY_TYPE
	help
	  Provide a system keyring to which trusted keys can be added. Keys in
	  the keyring are considered to be trusted. Keys may be added at will
	  by the kernel from compiled-in data and from hardware key stores, but
	  userspace may only add extra keys if those keys can be verified by
	  keys already in the keyring.

	  Keys in this keyring are used by module signature checking.

config SYSTEM_TRUSTED_KEYS
	string "Additional X.509 keys for default system keyring"
	depends on SYSTEM_TRUSTED_KEYRING
	help
	  If set, this option should be the filename of a PEM-formatted file
	  containing trusted X.509 certificates to be included in the default
	  system keyring. Any certificate used for module signing is implicitly
	  also trusted.

	  NOTE: If you previously provided keys for the system keyring in the
	  form of DER-encoded *.x509 files in the top-level build directory,
	  those are no longer used. You will need to set this option instead.

config SYSTEM_EXTRA_CERTIFICATE
	bool "Reserve area for inserting a certificate without recompiling"
	depends on SYSTEM_TRUSTED_KEYRING
	help
	  If set, space for an extra certificate will be reserved in the kernel
	  image. This allows introducing a trusted certificate to the default
	  system keyring without recompiling the kernel.

config SYSTEM_EXTRA_CERTIFICATE_SIZE
	int "Number of bytes to reserve for the extra certificate"
	depends on SYSTEM_EXTRA_CERTIFICATE
	default 4096
	help
	  This is the number of bytes reserved in the kernel image for a
	  certificate to be inserted.

config SECONDARY_TRUSTED_KEYRING
	bool "Provide a keyring to which extra trustable keys may be added"
	depends on SYSTEM_TRUSTED_KEYRING
	help
	  If set, provide a keyring to which extra keys may be added, provided
	  those keys are not blacklisted and are vouched for by a key built
	  into the kernel or already in the secondary trusted keyring.

config SYSTEM_BLACKLIST_KEYRING
	bool "Provide system-wide ring of blacklisted keys"
	depends on KEYS
	help
	  Provide a system keyring to which blacklisted keys can be added.
	  Keys in the keyring are considered entirely untrusted. Keys in this
	  keyring are used by the module signature checking to reject loading
	  of modules signed with a blacklisted key.

config SYSTEM_BLACKLIST_HASH_LIST
	string "Hashes to be preloaded into the system blacklist keyring"
	depends on SYSTEM_BLACKLIST_KEYRING
	help
	  If set, this option should be the filename of a list of hashes in the
	  form "<hash>", "<hash>", ... . This will be included into a C
	  wrapper to incorporate the list into the kernel. Each <hash> should
	  be a string of hex digits.

config SYSTEM_REVOCATION_LIST
	bool "Provide system-wide ring of revocation certificates"
	depends on SYSTEM_BLACKLIST_KEYRING
	depends on PKCS7_MESSAGE_PARSER=y
	help
	  If set, this allows revocation certificates to be stored in the
	  blacklist keyring and implements a hook whereby a PKCS#7 message can
	  be checked to see if it matches such a certificate.

config SYSTEM_REVOCATION_KEYS
	string "X.509 certificates to be preloaded into the system blacklist keyring"
	depends on SYSTEM_REVOCATION_LIST
	help
	  If set, this option should be the filename of a PEM-formatted file
	  containing X.509 certificates to be included in the default blacklist
	  keyring.

endmenu
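The PEM inputs named in this menu (MODULE_SIG_KEY, SYSTEM_TRUSTED_KEYS, SYSTEM_REVOCATION_KEYS) and the byte budget in SYSTEM_EXTRA_CERTIFICATE_SIZE are described only in prose, so here is an added pre-build check for them. It is written for this page and is not part of the kernel tree or its build scripts: it scans a PEM buffer for its BEGIN/END markers, confirms that a module signing key file carries both a certificate and a private key, that a trust-anchor or revocation list carries certificates only, and works out each certificate's DER size from its base64 length so it can be compared with the reserved area. The struct, the function names and the sample PEM bodies (filler base64, not real key material) are this example's own.

```c
#include <ctype.h>
#include <string.h>

/* What this checker found in a PEM file: only BEGIN/END markers and base64
 * length are read, the DER inside a block is never parsed. */
struct pem_summary {
	int certs, private_keys, other; /* blocks by type */
	int malformed;                  /* unbalanced or mismatched markers */
	size_t max_cert_der;            /* largest CERTIFICATE, in DER bytes */
};

/* If line is "<prefix><type>-----", copy <type> into type[64], return 1. */
static int pem_marker(const char *line, size_t len, const char *prefix, char *type)
{
	size_t plen = strlen(prefix);
	if (len < plen + 5 || strncmp(line, prefix, plen) ||
	    strncmp(line + len - 5, "-----", 5) || len - plen - 5 >= 64)
		return 0;
	memcpy(type, line + plen, len - plen - 5);
	type[len - plen - 5] = '\0';
	return 1;
}

void pem_scan(const char *pem, struct pem_summary *s)
{
	char type[64] = "", t[64];
	size_t b64 = 0, pad = 0, i;
	int in_block = 0;
	const char *line = pem, *nl;
	memset(s, 0, sizeof(*s));
	for (; *line; line = nl + 1) {
		size_t len = (nl = strchr(line, '\n')) ? (size_t)(nl - line) : strlen(line);
		if (pem_marker(line, len, "-----BEGIN ", t)) {
			in_block = 1;
			strcpy(type, t);
			b64 = pad = 0;
		} else if (pem_marker(line, len, "-----END ", t)) {
			if (!in_block || strcmp(t, type)) {
				s->malformed++; /* END without BEGIN, or wrong type */
			} else if (!strcmp(type, "CERTIFICATE")) {
				/* base64: 4 chars carry 3 bytes, less '=' padding */
				size_t der = (b64 + pad) / 4 * 3;
				der -= der >= pad ? pad : der;
				s->certs++;
				if (der > s->max_cert_der)
					s->max_cert_der = der;
			} else if (strstr(type, "PRIVATE KEY")) {
				s->private_keys++; /* PKCS#8, RSA or EC key */
			} else
				s->other++;
			in_block = 0;
		} else if (in_block) {
			for (i = 0; i < len; i++)
				if (line[i] == '=')
					pad++;
				else if (isalnum((unsigned char)line[i]) ||
					 line[i] == '+' || line[i] == '/')
					b64++;
		}
		if (!nl)
			break;
	}
	if (in_block)
		s->malformed++; /* BEGIN without END: truncated file */
}

/* MODULE_SIG_KEY: one PEM file carrying both the certificate and its key. */
int module_sig_key_ok(const char *pem)
{
	struct pem_summary s;
	pem_scan(pem, &s);
	return !s.malformed && s.certs >= 1 && s.private_keys >= 1;
}

/* SYSTEM_TRUSTED_KEYS / SYSTEM_REVOCATION_KEYS: certificates only. A
 * private key in a trust-anchor file is rejected (this example's policy). */
int cert_list_ok(const char *pem)
{
	struct pem_summary s;
	pem_scan(pem, &s);
	return !s.malformed && s.certs >= 1 && !s.private_keys && !s.other;
}

/* SYSTEM_EXTRA_CERTIFICATE_SIZE: the inserted certificate is stored as DER,
 * so this is the number to compare with the reserved byte count. */
size_t largest_cert_der(const char *pem)
{
	struct pem_summary s;
	pem_scan(pem, &s);
	return s.max_cert_der;
}

/* Constructed sample files: filler base64, not real key material, so only
 * markers and lengths matter. SAMPLE_CERT decodes to 136/4*3 - 2 = 100 bytes. */
#define B64_LINE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "\n"
#define SAMPLE_CERT "-----BEGIN CERTIFICATE-----\n" B64_LINE B64_LINE \
	"AAAAAA==\n-----END CERTIFICATE-----\n"
#define SAMPLE_KEY "-----BEGIN PRIVATE KEY-----\n" B64_LINE "AAAA\n" \
	"-----END PRIVATE KEY-----\n"
#define SAMPLE_SIGNING_KEY SAMPLE_KEY SAMPLE_CERT /* certs/signing_key.pem shape */
```

Run largest_cert_der() over the certificate you intend to insert and compare it with CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE (4096 by default) before building; the value is the DER length alone, so treat it as the minimum the reserved area must hold. A file that ends inside a block counts as malformed rather than being silently accepted with whatever blocks came before it.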
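The SYSTEM_BLACKLIST_HASH_LIST help above says only that the file holds `"<hash>", "<hash>", ...` of hex digits and is pasted into a C wrapper, which leaves the ways it can go wrong (a trailing comma, uppercase hex, an odd digit count, a duplicated entry) to be found at build or boot time. The validator below is an added example written for this page, not one of the kernel's own build scripts: it checks a list held in memory against those rules before the file is handed to the build. The function names, the optional type prefix it tolerates and the sample lists are assumptions of the example, and the hex values are patterns, not real hashes.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 1024

/* Validate a CONFIG_SYSTEM_BLACKLIST_HASH_LIST file held in memory; returns
 * the entry count, or -1 with a reason in err. The rules are this example's
 * own, chosen so the text survives being pasted into a C array initializer
 * and so each entry can match a hash the kernel formats for lookup:
 *   - "<hash>", "<hash>", ...: quoted strings separated by commas, nothing
 *     else in the file and no trailing comma;
 *   - an optional lowercase "<type>:" prefix before the digits (assumed to
 *     match the type:hash descriptions later kernels document);
 *   - lowercase hex digits, an even number of them (whole bytes; bin2hex()
 *     prints lowercase, so an uppercase entry could never compare equal);
 *   - no duplicates. */
int blacklist_hash_list_validate(const char *text, char *err, size_t errsz)
{
	const char *seen[MAX_ENTRIES], *p = text, *start, *end, *d;
	size_t seen_len[MAX_ENTRIES], len, i;
	int n = 0, after_comma = 0;

	for (;;) {
		while (isspace((unsigned char)*p))
			p++;
		if (!*p && !after_comma)
			break;
		if (*p != '"') {
			snprintf(err, errsz, "entry %d: expected \"<hash>\" (trailing comma?)", n + 1);
			return -1;
		}
		start = ++p;
		if (!(end = strchr(start, '"'))) {
			snprintf(err, errsz, "entry %d: unterminated string", n + 1);
			return -1;
		}
		len = (size_t)(end - start);
		for (d = start; d < end && islower((unsigned char)*d); d++)
			;
		d = (d < end && *d == ':') ? d + 1 : start; /* skip "type:" if present */
		if (d == end || (end - d) % 2) {
			snprintf(err, errsz, "entry %d: need an even, non-zero number of hex digits", n + 1);
			return -1;
		}
		for (; d < end; d++)
			if (!isdigit((unsigned char)*d) && !(*d >= 'a' && *d <= 'f')) {
				snprintf(err, errsz, "entry %d: '%c' is not a lowercase hex digit", n + 1, *d);
				return -1;
			}
		for (i = 0; i < (size_t)n; i++)
			if (seen_len[i] == len && !memcmp(seen[i], start, len)) {
				snprintf(err, errsz, "entry %d: duplicate of entry %zu", n + 1, i + 1);
				return -1;
			}
		if (n == MAX_ENTRIES) {
			snprintf(err, errsz, "more than %d entries", MAX_ENTRIES);
			return -1;
		}
		seen[n] = start;
		seen_len[n++] = len;
		p = end + 1;
		while (isspace((unsigned char)*p))
			p++;
		if ((after_comma = (*p == ',')))
			p++;
		else if (*p) {
			snprintf(err, errsz, "entry %d: expected ',' or end of file", n);
			return -1;
		}
	}
	if (n == 0)
		snprintf(err, errsz, "no entries");
	return n ? n : -1;
}

char blacklist_last_err[128];

/* Entry count, or -1 with the reason left in blacklist_last_err. */
int blacklist_hash_list_count(const char *text)
{
	return blacklist_hash_list_validate(text, blacklist_last_err,
					    sizeof(blacklist_last_err));
}

/* Constructed sample lists: the hex values are patterns, not real hashes. */
#define HASH_A "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
#define HASH_B "ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100"
#define GOOD_LIST  "\"" HASH_A "\",\n\"" HASH_B "\"\n"
#define PREFIXED   "\"tbs:" HASH_A "\", \"bin:" HASH_B "\""
#define UPPERCASE  "\"00112233AABBCCDD\""
#define ODD_DIGITS "\"abc\""
#define DUPLICATE  "\"" HASH_A "\", \"" HASH_A "\""
#define TRAILING   "\"" HASH_A "\","
```

Feed it the file's contents (read into a NUL-terminated buffer) and refuse to build when it returns -1; the error names the offending entry. The uppercase check is the one most worth keeping even if you relax the others: an entry that differs from the kernel's own lowercase rendering of the hash only by case is a blacklist entry that never fires.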