| blob | 3c75bf267da4680f1d5dcecc2f77350f4562123c |
1 # SPDX-License-Identifier: GPL-2.0-only
2 #
3 # Integrity Policy Enforcement (IPE) configuration
4 #
6 menuconfig SECURITY_IPE
7 bool "Integrity Policy Enforcement (IPE)"
8 depends on SECURITY && SECURITYFS && AUDIT && AUDITSYSCALL
9 select PKCS7_MESSAGE_PARSER
10 select SYSTEM_DATA_VERIFICATION
11 select IPE_PROP_DM_VERITY if DM_VERITY
12 select IPE_PROP_DM_VERITY_SIGNATURE if DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG
13 select IPE_PROP_FS_VERITY if FS_VERITY
14 select IPE_PROP_FS_VERITY_BUILTIN_SIG if FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
15 help
16 This option enables the Integrity Policy Enforcement LSM
17 allowing users to define a policy to enforce a trust-based access
18 control. A key feature of IPE is a customizable policy to allow
19 admins to reconfigure trust requirements on the fly.
21 If unsure, answer N.
23 if SECURITY_IPE
24 config IPE_BOOT_POLICY
25 string "Integrity policy to apply on system startup"
26 help
27 This option specifies a filepath to an IPE policy that is compiled
28 into the kernel. This policy will be enforced until a policy update
29 is deployed via the $securityfs/ipe/policies/$policy_name/active
30 interface.
32 If unsure, leave blank.
34 config IPE_POLICY_SIG_SECONDARY_KEYRING
35 bool "IPE policy update verification with secondary keyring"
36 default y
37 depends on SECONDARY_TRUSTED_KEYRING
38 help
39 Also allow the secondary trusted keyring to verify IPE policy
40 updates.
42 If unsure, answer Y.
44 config IPE_POLICY_SIG_PLATFORM_KEYRING
45 bool "IPE policy update verification with platform keyring"
46 default y
47 depends on INTEGRITY_PLATFORM_KEYRING
48 help
49 Also allow the platform keyring to verify IPE policy updates.
51 If unsure, answer Y.
53 menu "IPE Trust Providers"
55 config IPE_PROP_DM_VERITY
56 bool "Enable support for dm-verity based on root hash"
57 depends on DM_VERITY
58 help
59 This option enables the 'dmverity_roothash' property within IPE
60 policies. The property evaluates to TRUE when a file from a dm-verity
61 volume is evaluated, and the volume's root hash matches the value
62 supplied in the policy.
64 config IPE_PROP_DM_VERITY_SIGNATURE
65 bool "Enable support for dm-verity based on root hash signature"
66 depends on DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG
67 help
68 This option enables the 'dmverity_signature' property within IPE
69 policies. The property evaluates to TRUE when a file from a dm-verity
70 volume, which has been mounted with a valid signed root hash,
71 is evaluated.
73 If unsure, answer Y.
75 config IPE_PROP_FS_VERITY
76 bool "Enable support for fs-verity based on file digest"
77 depends on FS_VERITY
78 help
79 This option enables the 'fsverity_digest' property within IPE
80 policies. The property evaluates to TRUE when a file is fsverity
81 enabled and its digest matches the supplied digest value in the
82 policy.
84 if unsure, answer Y.
86 config IPE_PROP_FS_VERITY_BUILTIN_SIG
87 bool "Enable support for fs-verity based on builtin signature"
88 depends on FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
89 help
90 This option enables the 'fsverity_signature' property within IPE
91 policies. The property evaluates to TRUE when a file is fsverity
92 enabled and it has a valid builtin signature whose signing cert
93 is in the .fs-verity keyring.
95 if unsure, answer Y.
97 endmenu
99 config SECURITY_IPE_KUNIT_TEST
100 bool "Build KUnit tests for IPE" if !KUNIT_ALL_TESTS
101 depends on KUNIT=y
102 default KUNIT_ALL_TESTS
103 help
104 This builds the IPE KUnit tests.
106 KUnit tests run during boot and output the results to the debug log
107 in TAP format (https://testanything.org/). Only useful for kernel devs
108 running KUnit test harness and are not for inclusion into a
109 production build.
111 For more information on KUnit and unit tests in general please refer
112 to the KUnit documentation in Documentation/dev-tools/kunit/.
114 If unsure, say N.
116 endif