blob: fc5955f5fc8a92c0fb20dcf528b000e0d6ed0ed7
menu "Certificates for signature checking"

config MODULE_SIG_KEY
	string "File name or PKCS#11 URI of module signing key"
	default "certs/signing_key.pem"
	depends on MODULE_SIG
	help
	  Provide the file name of a private key/certificate in PEM format,
	  or a PKCS#11 URI according to RFC7512. The file should contain, or
	  the URI should identify, both the certificate and its corresponding
	  private key.

	  If this option is unchanged from its default "certs/signing_key.pem",
	  then the kernel will automatically generate the private key and
	  certificate as described in Documentation/module-signing.txt.

config SYSTEM_TRUSTED_KEYRING
	bool "Provide system-wide ring of trusted keys"
	depends on KEYS
	depends on ASYMMETRIC_KEY_TYPE
	help
	  Provide a system keyring to which trusted keys can be added. Keys in
	  the keyring are considered to be trusted. Keys may be added at will
	  by the kernel from compiled-in data and from hardware key stores, but
	  userspace may only add extra keys if those keys can be verified by
	  keys already in the keyring.

	  Keys in this keyring are used by module signature checking.

config SYSTEM_TRUSTED_KEYS
	string "Additional X.509 keys for default system keyring"
	depends on SYSTEM_TRUSTED_KEYRING
	help
	  If set, this option should be the filename of a PEM-formatted file
	  containing trusted X.509 certificates to be included in the default
	  system keyring. Any certificate used for module signing is implicitly
	  also trusted.

	  NOTE: If you previously provided keys for the system keyring in the
	  form of DER-encoded *.x509 files in the top-level build directory,
	  those are no longer used. You will need to set this option instead.

config SYSTEM_EXTRA_CERTIFICATE
	bool "Reserve area for inserting a certificate without recompiling"
	depends on SYSTEM_TRUSTED_KEYRING
	help
	  If set, space for an extra certificate will be reserved in the kernel
	  image. This allows introducing a trusted certificate to the default
	  system keyring without recompiling the kernel.

config SYSTEM_EXTRA_CERTIFICATE_SIZE
	int "Number of bytes to reserve for the extra certificate"
	depends on SYSTEM_EXTRA_CERTIFICATE
	default 4096
	help
	  This is the number of bytes reserved in the kernel image for a
	  certificate to be inserted.
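The MODULE_SIG_KEY help above requires a PEM file holding both the certificate and its private key (or a PKCS#11 URI), and SYSTEM_EXTRA_CERTIFICATE_SIZE reserves a fixed number of bytes for a DER certificate inserted later. The following pre-flight check is an added example, not part of the kernel tree: it assumes a PEM file on disk, uses a constructed sample PEM (not a real key pair) so it runs offline, and checks only PEM structure and the outer DER length, not the X.509 contents.

```python
import base64
import re

# Constructed sample PEM (not a real key pair): the "certificate" body is a
# syntactically valid outer DER SEQUENCE around filler bytes, and the private
# key body is filler, so this runs offline without openssl.
def _pem_block(label, body):
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

def _der_sequence(payload):
    # Outer DER SEQUENCE with a two-byte long-form length (0x82 = 2 length bytes)
    return b"\x30\x82" + len(payload).to_bytes(2, "big") + payload

SAMPLE_CERT_DER = _der_sequence(b"\xa5" * 300)
SAMPLE_PEM = (_pem_block("CERTIFICATE", SAMPLE_CERT_DER)
              + _pem_block("PRIVATE KEY", b"\x5a" * 100))

_BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block in text."""
    return [(m.group(1), base64.b64decode(m.group(2).replace("\n", "")))
            for m in _BLOCK_RE.finditer(text)]

def der_declared_length(der):
    """Total length the outer DER SEQUENCE claims, or None if it does not parse."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    nbytes = first & 0x7F                 # long-form: number of length bytes
    if nbytes == 0 or nbytes > 4 or len(der) < 2 + nbytes:
        return None
    return 2 + nbytes + int.from_bytes(der[2:2 + nbytes], "big")

def is_pkcs11_uri(value):
    """RFC 7512 URIs use the "pkcs11:" scheme; MODULE_SIG_KEY accepts these."""
    return value.startswith("pkcs11:")

def module_sig_key_ok(text):
    """A MODULE_SIG_KEY file must carry both the certificate and its private key."""
    labels = {label for label, _ in pem_blocks(text)}
    return "CERTIFICATE" in labels and any(lab.endswith("PRIVATE KEY") for lab in labels)

def fits_extra_certificate(der, reserved=4096):
    """True if a well-formed DER certificate fits SYSTEM_EXTRA_CERTIFICATE_SIZE."""
    return der_declared_length(der) == len(der) and len(der) <= reserved
```

For a real file, pass `open(path).read()` to `module_sig_key_ok` and each certificate's bytes from `pem_blocks` to `fits_extra_certificate` with the configured reserve size.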

config SECONDARY_TRUSTED_KEYRING
	bool "Provide a keyring to which extra trustable keys may be added"
	depends on SYSTEM_TRUSTED_KEYRING
	help
	  If set, provide a keyring to which extra keys may be added, provided
	  those keys are not blacklisted and are vouched for by a key built
	  into the kernel or already in the secondary trusted keyring.

endmenu