summaryrefslogtreecommitdiff
path: root/security/ipe/Kconfig
diff options
context:
space:
mode:
Diffstat (limited to 'security/ipe/Kconfig')
-rw-r--r--security/ipe/Kconfig97
1 files changed, 97 insertions, 0 deletions
diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig
new file mode 100644
index 000000000000..3ab582606ed2
--- /dev/null
+++ b/security/ipe/Kconfig
@@ -0,0 +1,97 @@
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Integrity Policy Enforcement (IPE) configuration
+#
+
+menuconfig SECURITY_IPE
+ bool "Integrity Policy Enforcement (IPE)"
+ depends on SECURITY && SECURITYFS && AUDIT && AUDITSYSCALL
+ select PKCS7_MESSAGE_PARSER
+ select SYSTEM_DATA_VERIFICATION
+ select IPE_PROP_DM_VERITY if DM_VERITY
+ select IPE_PROP_DM_VERITY_SIGNATURE if DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG
+ select IPE_PROP_FS_VERITY if FS_VERITY
+ select IPE_PROP_FS_VERITY_BUILTIN_SIG if FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
+ help
+ This option enables the Integrity Policy Enforcement LSM
+ allowing users to define a policy to enforce a trust-based access
+ control. A key feature of IPE is a customizable policy to allow
+ admins to reconfigure trust requirements on the fly.
+
+ If unsure, answer N.
+
+if SECURITY_IPE
+config IPE_BOOT_POLICY
+ string "Integrity policy to apply on system startup"
+ help
+ This option specifies a filepath to an IPE policy that is compiled
+ into the kernel. This policy will be enforced until a policy update
+ is deployed via the $securityfs/ipe/policies/$policy_name/active
+ interface.
+
+ If unsure, leave blank.
+
+menu "IPE Trust Providers"
+
+config IPE_PROP_DM_VERITY
+ bool "Enable support for dm-verity based on root hash"
+ depends on DM_VERITY
+ help
+ This option enables the 'dmverity_roothash' property within IPE
+ policies. The property evaluates to TRUE when a file from a dm-verity
+ volume is evaluated, and the volume's root hash matches the value
+ supplied in the policy.
+
+config IPE_PROP_DM_VERITY_SIGNATURE
+ bool "Enable support for dm-verity based on root hash signature"
+ depends on DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG
+ help
+ This option enables the 'dmverity_signature' property within IPE
+ policies. The property evaluates to TRUE when a file from a dm-verity
+ volume, which has been mounted with a valid signed root hash,
+ is evaluated.
+
+ If unsure, answer Y.
+
+config IPE_PROP_FS_VERITY
+ bool "Enable support for fs-verity based on file digest"
+ depends on FS_VERITY
+ help
+ This option enables the 'fsverity_digest' property within IPE
+ policies. The property evaluates to TRUE when a file is fsverity
+ enabled and its digest matches the supplied digest value in the
+ policy.
+
+ if unsure, answer Y.
+
+config IPE_PROP_FS_VERITY_BUILTIN_SIG
+ bool "Enable support for fs-verity based on builtin signature"
+ depends on FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
+ help
+ This option enables the 'fsverity_signature' property within IPE
+ policies. The property evaluates to TRUE when a file is fsverity
+ enabled and it has a valid builtin signature whose signing cert
+ is in the .fs-verity keyring.
+
+ if unsure, answer Y.
+
+endmenu
+
+config SECURITY_IPE_KUNIT_TEST
+ bool "Build KUnit tests for IPE" if !KUNIT_ALL_TESTS
+ depends on KUNIT=y
+ default KUNIT_ALL_TESTS
+ help
+ This builds the IPE KUnit tests.
+
+ KUnit tests run during boot and output the results to the debug log
+ in TAP format (https://testanything.org/). Only useful for kernel devs
+ running KUnit test harness and are not for inclusion into a
+ production build.
+
+ For more information on KUnit and unit tests in general please refer
+ to the KUnit documentation in Documentation/dev-tools/kunit/.
+
+ If unsure, say N.
+
+endif