02e2f9aa33
The current policy management makes it impossible to use IPE in a general purpose distribution. In such cases the users are not building the kernel, the distribution is, and access to the private key included in the trusted keyring is, for obvious reason, not available. This means that users have no way to enable IPE, since there will be no built-in generic policy, and no access to the key to sign updates validated by the trusted keyring. Just as we do for dm-verity, kernel modules and more, allow the secondary and platform keyrings to also validate policies. This allows users enrolling their own keys in UEFI db or MOK to also sign policies, and enroll them. This makes it sensible to enable IPE in general purpose distributions, as it becomes usable by any user wishing to do so. Keys in these keyrings can already load kernels and kernel modules, so there is no security downgrade. Add a kconfig each, like dm-verity does, but default to enabled if the dependencies are available. Signed-off-by: Luca Boccassi <bluca@debian.org> Reviewed-by: Serge Hallyn <serge@hallyn.com> [FW: fixed some style issues] Signed-off-by: Fan Wu <wufan@kernel.org>
117 lines
3.7 KiB
Plaintext
117 lines
3.7 KiB
Plaintext
# SPDX-License-Identifier: GPL-2.0-only
|
|
#
|
|
# Integrity Policy Enforcement (IPE) configuration
|
|
#
|
|
|
|
menuconfig SECURITY_IPE
|
|
bool "Integrity Policy Enforcement (IPE)"
|
|
depends on SECURITY && SECURITYFS && AUDIT && AUDITSYSCALL
|
|
select PKCS7_MESSAGE_PARSER
|
|
select SYSTEM_DATA_VERIFICATION
|
|
select IPE_PROP_DM_VERITY if DM_VERITY
|
|
select IPE_PROP_DM_VERITY_SIGNATURE if DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG
|
|
select IPE_PROP_FS_VERITY if FS_VERITY
|
|
select IPE_PROP_FS_VERITY_BUILTIN_SIG if FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
|
|
help
|
|
This option enables the Integrity Policy Enforcement LSM
|
|
allowing users to define a policy to enforce a trust-based access
|
|
control. A key feature of IPE is a customizable policy to allow
|
|
admins to reconfigure trust requirements on the fly.
|
|
|
|
If unsure, answer N.
|
|
|
|
if SECURITY_IPE
|
|
config IPE_BOOT_POLICY
|
|
string "Integrity policy to apply on system startup"
|
|
help
|
|
This option specifies a filepath to an IPE policy that is compiled
|
|
into the kernel. This policy will be enforced until a policy update
|
|
is deployed via the $securityfs/ipe/policies/$policy_name/active
|
|
interface.
|
|
|
|
If unsure, leave blank.
|
|
|
|
config IPE_POLICY_SIG_SECONDARY_KEYRING
|
|
bool "IPE policy update verification with secondary keyring"
|
|
default y
|
|
depends on SECONDARY_TRUSTED_KEYRING
|
|
help
|
|
Also allow the secondary trusted keyring to verify IPE policy
|
|
updates.
|
|
|
|
If unsure, answer Y.
|
|
|
|
config IPE_POLICY_SIG_PLATFORM_KEYRING
|
|
bool "IPE policy update verification with platform keyring"
|
|
default y
|
|
depends on INTEGRITY_PLATFORM_KEYRING
|
|
help
|
|
Also allow the platform keyring to verify IPE policy updates.
|
|
|
|
If unsure, answer Y.
|
|
|
|
menu "IPE Trust Providers"
|
|
|
|
config IPE_PROP_DM_VERITY
|
|
bool "Enable support for dm-verity based on root hash"
|
|
depends on DM_VERITY
|
|
help
|
|
This option enables the 'dmverity_roothash' property within IPE
|
|
policies. The property evaluates to TRUE when a file from a dm-verity
|
|
volume is evaluated, and the volume's root hash matches the value
|
|
supplied in the policy.
|
|
|
|
config IPE_PROP_DM_VERITY_SIGNATURE
|
|
bool "Enable support for dm-verity based on root hash signature"
|
|
depends on DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG
|
|
help
|
|
This option enables the 'dmverity_signature' property within IPE
|
|
policies. The property evaluates to TRUE when a file from a dm-verity
|
|
volume, which has been mounted with a valid signed root hash,
|
|
is evaluated.
|
|
|
|
If unsure, answer Y.
|
|
|
|
config IPE_PROP_FS_VERITY
|
|
bool "Enable support for fs-verity based on file digest"
|
|
depends on FS_VERITY
|
|
help
|
|
This option enables the 'fsverity_digest' property within IPE
|
|
policies. The property evaluates to TRUE when a file is fsverity
|
|
enabled and its digest matches the supplied digest value in the
|
|
policy.
|
|
|
|
if unsure, answer Y.
|
|
|
|
config IPE_PROP_FS_VERITY_BUILTIN_SIG
|
|
bool "Enable support for fs-verity based on builtin signature"
|
|
depends on FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
|
|
help
|
|
This option enables the 'fsverity_signature' property within IPE
|
|
policies. The property evaluates to TRUE when a file is fsverity
|
|
enabled and it has a valid builtin signature whose signing cert
|
|
is in the .fs-verity keyring.
|
|
|
|
if unsure, answer Y.
|
|
|
|
endmenu
|
|
|
|
config SECURITY_IPE_KUNIT_TEST
|
|
bool "Build KUnit tests for IPE" if !KUNIT_ALL_TESTS
|
|
depends on KUNIT=y
|
|
default KUNIT_ALL_TESTS
|
|
help
|
|
This builds the IPE KUnit tests.
|
|
|
|
KUnit tests run during boot and output the results to the debug log
|
|
in TAP format (https://testanything.org/). Only useful for kernel devs
|
|
running KUnit test harness and are not for inclusion into a
|
|
production build.
|
|
|
|
For more information on KUnit and unit tests in general please refer
|
|
to the KUnit documentation in Documentation/dev-tools/kunit/.
|
|
|
|
If unsure, say N.
|
|
|
|
endif
|