linux-next/security/ipe/Kconfig
Luca Boccassi 02e2f9aa33 ipe: allow secondary and platform keyrings to install/update policies
The current policy management makes it impossible to use IPE
in a general purpose distribution. In such cases the users are not
building the kernel, the distribution is, and access to the private
key included in the trusted keyring is, for obvious reason, not
available.
This means that users have no way to enable IPE, since there will
be no built-in generic policy, and no access to the key to sign
updates validated by the trusted keyring.

Just as we do for dm-verity, kernel modules and more, allow the
secondary and platform keyrings to also validate policies. This
allows users enrolling their own keys in UEFI db or MOK to also
sign policies, and enroll them. This makes it sensible to enable
IPE in general purpose distributions, as it becomes usable by
any user wishing to do so. Keys in these keyrings can already
load kernels and kernel modules, so there is no security
downgrade.

Add a kconfig each, like dm-verity does, but default to enabled if
the dependencies are available.

Signed-off-by: Luca Boccassi <bluca@debian.org>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
[FW: fixed some style issues]
Signed-off-by: Fan Wu <wufan@kernel.org>
2024-10-17 11:46:10 -07:00

117 lines
3.7 KiB
Plaintext

# SPDX-License-Identifier: GPL-2.0-only
#
# Integrity Policy Enforcement (IPE) configuration
#
menuconfig SECURITY_IPE
bool "Integrity Policy Enforcement (IPE)"
depends on SECURITY && SECURITYFS && AUDIT && AUDITSYSCALL
select PKCS7_MESSAGE_PARSER
select SYSTEM_DATA_VERIFICATION
select IPE_PROP_DM_VERITY if DM_VERITY
select IPE_PROP_DM_VERITY_SIGNATURE if DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG
select IPE_PROP_FS_VERITY if FS_VERITY
select IPE_PROP_FS_VERITY_BUILTIN_SIG if FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
help
This option enables the Integrity Policy Enforcement LSM
allowing users to define a policy to enforce a trust-based access
control. A key feature of IPE is a customizable policy to allow
admins to reconfigure trust requirements on the fly.
If unsure, answer N.
if SECURITY_IPE
config IPE_BOOT_POLICY
string "Integrity policy to apply on system startup"
help
This option specifies a filepath to an IPE policy that is compiled
into the kernel. This policy will be enforced until a policy update
is deployed via the $securityfs/ipe/policies/$policy_name/active
interface.
If unsure, leave blank.
config IPE_POLICY_SIG_SECONDARY_KEYRING
bool "IPE policy update verification with secondary keyring"
default y
depends on SECONDARY_TRUSTED_KEYRING
help
Also allow the secondary trusted keyring to verify IPE policy
updates.
If unsure, answer Y.
config IPE_POLICY_SIG_PLATFORM_KEYRING
bool "IPE policy update verification with platform keyring"
default y
depends on INTEGRITY_PLATFORM_KEYRING
help
Also allow the platform keyring to verify IPE policy updates.
If unsure, answer Y.
menu "IPE Trust Providers"
config IPE_PROP_DM_VERITY
bool "Enable support for dm-verity based on root hash"
depends on DM_VERITY
help
This option enables the 'dmverity_roothash' property within IPE
policies. The property evaluates to TRUE when a file from a dm-verity
volume is evaluated, and the volume's root hash matches the value
supplied in the policy.
config IPE_PROP_DM_VERITY_SIGNATURE
bool "Enable support for dm-verity based on root hash signature"
depends on DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG
help
This option enables the 'dmverity_signature' property within IPE
policies. The property evaluates to TRUE when a file from a dm-verity
volume, which has been mounted with a valid signed root hash,
is evaluated.
If unsure, answer Y.
config IPE_PROP_FS_VERITY
bool "Enable support for fs-verity based on file digest"
depends on FS_VERITY
help
This option enables the 'fsverity_digest' property within IPE
policies. The property evaluates to TRUE when a file is fsverity
enabled and its digest matches the supplied digest value in the
policy.
if unsure, answer Y.
config IPE_PROP_FS_VERITY_BUILTIN_SIG
bool "Enable support for fs-verity based on builtin signature"
depends on FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
help
This option enables the 'fsverity_signature' property within IPE
policies. The property evaluates to TRUE when a file is fsverity
enabled and it has a valid builtin signature whose signing cert
is in the .fs-verity keyring.
if unsure, answer Y.
endmenu
config SECURITY_IPE_KUNIT_TEST
bool "Build KUnit tests for IPE" if !KUNIT_ALL_TESTS
depends on KUNIT=y
default KUNIT_ALL_TESTS
help
This builds the IPE KUnit tests.
KUnit tests run during boot and output the results to the debug log
in TAP format (https://testanything.org/). Only useful for kernel devs
running KUnit test harness and are not for inclusion into a
production build.
For more information on KUnit and unit tests in general please refer
to the KUnit documentation in Documentation/dev-tools/kunit/.
If unsure, say N.
endif