1# SPDX-License-Identifier: GPL-2.0-only 2# 3# Integrity Policy Enforcement (IPE) configuration 4# 5 6menuconfig SECURITY_IPE 7 bool "Integrity Policy Enforcement (IPE)" 8 depends on SECURITY && SECURITYFS && AUDIT && AUDITSYSCALL 9 select CRYPTO_LIB_SHA256 10 select PKCS7_MESSAGE_PARSER 11 select SYSTEM_DATA_VERIFICATION 12 select IPE_PROP_DM_VERITY if DM_VERITY 13 select IPE_PROP_DM_VERITY_SIGNATURE if DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG 14 select IPE_PROP_FS_VERITY if FS_VERITY 15 select IPE_PROP_FS_VERITY_BUILTIN_SIG if FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES 16 help 17 This option enables the Integrity Policy Enforcement LSM 18 allowing users to define a policy to enforce a trust-based access 19 control. A key feature of IPE is a customizable policy to allow 20 admins to reconfigure trust requirements on the fly. 21 22 If unsure, answer N. 23 24if SECURITY_IPE 25config IPE_BOOT_POLICY 26 string "Integrity policy to apply on system startup" 27 help 28 This option specifies a filepath to an IPE policy that is compiled 29 into the kernel. This policy will be enforced until a policy update 30 is deployed via the $securityfs/ipe/policies/$policy_name/active 31 interface. 32 33 If unsure, leave blank. 34 35config IPE_POLICY_SIG_SECONDARY_KEYRING 36 bool "IPE policy update verification with secondary keyring" 37 default y 38 depends on SECONDARY_TRUSTED_KEYRING 39 help 40 Also allow the secondary trusted keyring to verify IPE policy 41 updates. 42 43 If unsure, answer Y. 44 45config IPE_POLICY_SIG_PLATFORM_KEYRING 46 bool "IPE policy update verification with platform keyring" 47 default y 48 depends on INTEGRITY_PLATFORM_KEYRING 49 help 50 Also allow the platform keyring to verify IPE policy updates. 51 52 If unsure, answer Y. 53 54menu "IPE Trust Providers" 55 56config IPE_PROP_DM_VERITY 57 bool "Enable support for dm-verity based on root hash" 58 depends on DM_VERITY 59 help 60 This option enables the 'dmverity_roothash' property within IPE 61 policies. The property evaluates to TRUE when a file from a dm-verity 62 volume is evaluated, and the volume's root hash matches the value 63 supplied in the policy. 64 65config IPE_PROP_DM_VERITY_SIGNATURE 66 bool "Enable support for dm-verity based on root hash signature" 67 depends on DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG 68 help 69 This option enables the 'dmverity_signature' property within IPE 70 policies. The property evaluates to TRUE when a file from a dm-verity 71 volume, which has been mounted with a valid signed root hash, 72 is evaluated. 73 74 If unsure, answer Y. 75 76config IPE_PROP_FS_VERITY 77 bool "Enable support for fs-verity based on file digest" 78 depends on FS_VERITY 79 help 80 This option enables the 'fsverity_digest' property within IPE 81 policies. The property evaluates to TRUE when a file is fsverity 82 enabled and its digest matches the supplied digest value in the 83 policy. 84 85 if unsure, answer Y. 86 87config IPE_PROP_FS_VERITY_BUILTIN_SIG 88 bool "Enable support for fs-verity based on builtin signature" 89 depends on FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES 90 help 91 This option enables the 'fsverity_signature' property within IPE 92 policies. The property evaluates to TRUE when a file is fsverity 93 enabled and it has a valid builtin signature whose signing cert 94 is in the .fs-verity keyring. 95 96 if unsure, answer Y. 97 98endmenu 99 100config SECURITY_IPE_KUNIT_TEST 101 bool "Build KUnit tests for IPE" if !KUNIT_ALL_TESTS 102 depends on KUNIT=y 103 default KUNIT_ALL_TESTS 104 help 105 This builds the IPE KUnit tests. 106 107 KUnit tests run during boot and output the results to the debug log 108 in TAP format (https://testanything.org/). Only useful for kernel devs 109 running KUnit test harness and are not for inclusion into a 110 production build. 111 112 For more information on KUnit and unit tests in general please refer 113 to the KUnit documentation in Documentation/dev-tools/kunit/. 114 115 If unsure, say N. 116 117endif 118