1# SPDX-License-Identifier: GPL-2.0-only
2#
3# Integrity Policy Enforcement (IPE) configuration
4#
5
6menuconfig SECURITY_IPE
7 bool "Integrity Policy Enforcement (IPE)"
8 depends on SECURITY && SECURITYFS && AUDIT && AUDITSYSCALL
9 select CRYPTO_LIB_SHA256
10 select PKCS7_MESSAGE_PARSER
11 select SYSTEM_DATA_VERIFICATION
12 select IPE_PROP_DM_VERITY if DM_VERITY
13 select IPE_PROP_DM_VERITY_SIGNATURE if DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG
14 select IPE_PROP_FS_VERITY if FS_VERITY
15 select IPE_PROP_FS_VERITY_BUILTIN_SIG if FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
16 help
17 This option enables the Integrity Policy Enforcement LSM, which
18 lets users define a policy enforcing trust-based access control.
19 A key feature of IPE is a customizable policy that lets admins
20 reconfigure trust requirements on the fly.
21
22 If unsure, answer N.
23
24if SECURITY_IPE
25config IPE_BOOT_POLICY
26 string "Integrity policy to apply on system startup"
27 help
28 This option specifies the file path of an IPE policy that is compiled
29 into the kernel. This policy will be enforced until a policy update
30 is deployed via the $securityfs/ipe/policies/$policy_name/active
31 interface.
32
33 If unsure, leave blank.
34
35config IPE_POLICY_SIG_SECONDARY_KEYRING
36 bool "IPE policy update verification with secondary keyring"
37 default y
38 depends on SECONDARY_TRUSTED_KEYRING
39 help
40 Also allow the secondary trusted keyring to verify IPE policy
41 updates.
42
43 If unsure, answer Y.
44
45config IPE_POLICY_SIG_PLATFORM_KEYRING
46 bool "IPE policy update verification with platform keyring"
47 default y
48 depends on INTEGRITY_PLATFORM_KEYRING
49 help
50 Also allow the platform keyring to verify IPE policy updates.
51
52 If unsure, answer Y.
53
54menu "IPE Trust Providers"
55
56config IPE_PROP_DM_VERITY
57 bool "Enable support for dm-verity based on root hash"
58 depends on DM_VERITY
59 help
60 This option enables the 'dmverity_roothash' property within IPE
61 policies. The property evaluates to TRUE when a file from a dm-verity
62 volume is evaluated, and the volume's root hash matches the value
63 supplied in the policy.
64
65config IPE_PROP_DM_VERITY_SIGNATURE
66 bool "Enable support for dm-verity based on root hash signature"
67 depends on DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG
68 help
69 This option enables the 'dmverity_signature' property within IPE
70 policies. The property evaluates to TRUE when the file being
71 evaluated comes from a dm-verity volume that was mounted with a
72 validly signed root hash.
73
74 If unsure, answer Y.
75
76config IPE_PROP_FS_VERITY
77 bool "Enable support for fs-verity based on file digest"
78 depends on FS_VERITY
79 help
80 This option enables the 'fsverity_digest' property within IPE
81 policies. The property evaluates to TRUE when a file is fs-verity
82 enabled and its digest matches the digest value supplied in the
83 policy.
84
85 If unsure, answer Y.
86
87config IPE_PROP_FS_VERITY_BUILTIN_SIG
88 bool "Enable support for fs-verity based on builtin signature"
89 depends on FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
90 help
91 This option enables the 'fsverity_signature' property within IPE
92 policies. The property evaluates to TRUE when a file is fs-verity
93 enabled and has a valid builtin signature whose signing certificate
94 is in the .fs-verity keyring.
95
96 If unsure, answer Y.
97
98endmenu
99
100config SECURITY_IPE_KUNIT_TEST
101 bool "Build KUnit tests for IPE" if !KUNIT_ALL_TESTS
102 depends on KUNIT=y
103 default KUNIT_ALL_TESTS
104 help
105 This builds the IPE KUnit tests.
106
107 KUnit tests run during boot and output the results to the debug log
108 in TAP format (https://testanything.org/). They are only useful for
109 kernel developers running the KUnit test harness and are not intended
110 for inclusion in a production build.
111
112 For more information on KUnit and unit tests in general please refer
113 to the KUnit documentation in Documentation/dev-tools/kunit/.
114
115 If unsure, say N.
116
117endif