kernel/linux.git/security/integrity/Kconfig, branch v6.18.21

integrity: Select CRYPTO from INTEGRITY_ASYMMETRIC_KEYS

2025-10-03T11:50:56+00:00

Select CRYPTO from INTEGRITY_ASYMMETRIC_KEYS, since INTEGRITY_ASYMMETRIC_KEYS selects several options that depend on CRYPTO. This unblocks the removal of the CRYPTO selection from SIGNATURE. SIGNATURE (lib/digsig.c) itself will no longer need CRYPTO, but INTEGRITY_ASYMMETRIC_KEYS was depending on it indirectly via the chain SIGNATURE => INTEGRITY_SIGNATURE => INTEGRITY_ASYMMETRIC_KEYS. Signed-off-by: Eric Biggers Reviewed-by: Paul Menzel Signed-off-by: Mimi Zohar

Merge tag 'integrity-v6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

2023-11-02T16:53:22+00:00

Pull integrity updates from Mimi Zohar: "Four integrity changes: two IMA-overlay updates, an integrity Kconfig cleanup, and a secondary keyring update" * tag 'integrity-v6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity: ima: detect changes to the backing overlay file certs: Only allow certs signed by keys on the builtin keyring integrity: fix indentation of config attributes ima: annotate iint mutex to avoid lockdep false positive warnings

integrity: fix indentation of config attributes

2023-10-31T12:22:36+00:00

Fix indentation of config attributes. Attributes are generally indented with a leading tab(\t) character. Signed-off-by: Prasad Pandit Signed-off-by: Mimi Zohar

integrity: powerpc: Do not select CA_MACHINE_KEYRING

2023-10-24T00:16:38+00:00

No other platform needs CA_MACHINE_KEYRING, either. This is policy that should be decided by the administrator, not Kconfig dependencies. Cc: stable@vger.kernel.org # v6.6+ Fixes: d7d91c4743c4 ("integrity: PowerVM machine keyring enablement") Signed-off-by: Michal Suchanek Signed-off-by: Jarkko Sakkinen

integrity: PowerVM machine keyring enablement

2023-08-17T20:12:35+00:00

Update Kconfig to enable machine keyring and limit to CA certificates on PowerVM. Only key signing CA keys are allowed. Signed-off-by: Nayna Jain Reviewed-and-tested-by: Mimi Zohar Reviewed-by: Jarkko Sakkinen Tested-by: Nageswara R Sastry Signed-off-by: Jarkko Sakkinen

integrity: machine keyring CA configuration

2023-04-24T13:15:53+00:00

Add machine keyring CA restriction options to control the type of keys that may be added to it. The motivation is separation of certificate signing from code signing keys. Subsquent work will limit certificates being loaded into the IMA keyring to code signing keys used for signature verification. When no restrictions are selected, all Machine Owner Keys (MOK) are added to the machine keyring. When CONFIG_INTEGRITY_CA_MACHINE_KEYRING is selected, the CA bit must be true. Also the key usage must contain keyCertSign, any other usage field may be set as well. When CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX is selected, the CA bit must be true. Also the key usage must contain keyCertSign and the digitialSignature usage may not be set. Signed-off-by: Eric Snowberg Acked-by: Mimi Zohar Reviewed-by: Jarkko Sakkinen Tested-by: Mimi Zohar Signed-off-by: Jarkko Sakkinen

integrity: Introduce a Linux keyring called machine

2022-03-08T11:55:52+00:00

Many UEFI Linux distributions boot using shim. The UEFI shim provides what is called Machine Owner Keys (MOK). Shim uses both the UEFI Secure Boot DB and MOK keys to validate the next step in the boot chain. The MOK facility can be used to import user generated keys. These keys can be used to sign an end-users development kernel build. When Linux boots, both UEFI Secure Boot DB and MOK keys get loaded in the Linux .platform keyring. Define a new Linux keyring called machine. This keyring shall contain just MOK keys and not the remaining keys in the platform keyring. This new machine keyring will be used in follow on patches. Unlike keys in the platform keyring, keys contained in the machine keyring will be trusted within the kernel if the end-user has chosen to do so. Signed-off-by: Eric Snowberg Tested-by: Jarkko Sakkinen Tested-by: Mimi Zohar Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen

powerpc: Load firmware trusted keys/hashes into kernel keyring

2019-11-12T13:33:23+00:00

The keys used to verify the Host OS kernel are managed by firmware as secure variables. This patch loads the verification keys into the .platform keyring and revocation hashes into .blacklist keyring. This enables verification and loading of the kernels signed by the boot time keys which are trusted by firmware. Signed-off-by: Nayna Jain Reviewed-by: Mimi Zohar Signed-off-by: Eric Richter [mpe: Search by compatible in load_powerpc_certs(), not using format] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/1573441836-3632-5-git-send-email-nayna@linux.ibm.com

integrity: Select CONFIG_KEYS instead of depending on it

2019-08-05T22:40:20+00:00

This avoids a dependency cycle in soon-to-be-introduced CONFIG_IMA_APPRAISE_MODSIG: it will select CONFIG_MODULE_SIG_FORMAT which in turn selects CONFIG_KEYS. Kconfig then complains that CONFIG_INTEGRITY_SIGNATURE depends on CONFIG_KEYS. Signed-off-by: Thiago Jung Bauermann Signed-off-by: Mimi Zohar

treewide: Add SPDX license identifier - Makefile/Kconfig

2019-05-21T08:50:46+00:00

Add SPDX license identifiers to all Make/Kconfig files which: - Have no license information of any form These files fall under the project license, GPL v2 only. The resulting SPDX license identifier is: GPL-2.0-only Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman