Enables an IPE policy to be enforced from kernel start, enabling access control based on trust from kernel startup. This is accomplished by transforming an IPE policy indicated by CONFIG_IPE_BOOT_POLICY into a c-string literal that is parsed at kernel startup as an unsigned policy.

Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
# SPDX-License-Identifier: GPL-2.0-only
#
# Integrity Policy Enforcement (IPE) configuration
#

menuconfig SECURITY_IPE
	bool "Integrity Policy Enforcement (IPE)"
	depends on SECURITY && SECURITYFS && AUDIT && AUDITSYSCALL
	select PKCS7_MESSAGE_PARSER
	select SYSTEM_DATA_VERIFICATION
	select IPE_PROP_DM_VERITY if DM_VERITY
	select IPE_PROP_DM_VERITY_SIGNATURE if DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG
	select IPE_PROP_FS_VERITY if FS_VERITY
	select IPE_PROP_FS_VERITY_BUILTIN_SIG if FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
	help
	  This option enables the Integrity Policy Enforcement LSM
	  allowing users to define a policy to enforce a trust-based access
	  control. A key feature of IPE is a customizable policy to allow
	  admins to reconfigure trust requirements on the fly.

	  If unsure, answer N.

if SECURITY_IPE
config IPE_BOOT_POLICY
	string "Integrity policy to apply on system startup"
	help
	  This option specifies a filepath to an IPE policy that is compiled
	  into the kernel. This policy will be enforced until a policy update
	  is deployed via the $securityfs/ipe/policies/$policy_name/active
	  interface.

	  If unsure, leave blank.

menu "IPE Trust Providers"

config IPE_PROP_DM_VERITY
	bool "Enable support for dm-verity based on root hash"
	depends on DM_VERITY
	help
	  This option enables the 'dmverity_roothash' property within IPE
	  policies. The property evaluates to TRUE when a file from a dm-verity
	  volume is evaluated, and the volume's root hash matches the value
	  supplied in the policy.

config IPE_PROP_DM_VERITY_SIGNATURE
	bool "Enable support for dm-verity based on root hash signature"
	depends on DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG
	help
	  This option enables the 'dmverity_signature' property within IPE
	  policies. The property evaluates to TRUE when a file from a dm-verity
	  volume, which has been mounted with a valid signed root hash,
	  is evaluated.

	  If unsure, answer Y.

config IPE_PROP_FS_VERITY
	bool "Enable support for fs-verity based on file digest"
	depends on FS_VERITY
	help
	  This option enables the 'fsverity_digest' property within IPE
	  policies. The property evaluates to TRUE when a file is fsverity
	  enabled and its digest matches the supplied digest value in the
	  policy.

	  If unsure, answer Y.

config IPE_PROP_FS_VERITY_BUILTIN_SIG
	bool "Enable support for fs-verity based on builtin signature"
	depends on FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
	help
	  This option enables the 'fsverity_signature' property within IPE
	  policies. The property evaluates to TRUE when a file is fsverity
	  enabled and it has a valid builtin signature whose signing cert
	  is in the .fs-verity keyring.

	  If unsure, answer Y.

endmenu

endif
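
An added example, not part of the kernel tree or of this commit: a Python check that reads a kernel .config and reports which of the policy properties named in the help texts above are compiled in, and whether a boot policy was built into the image. The function names and the sample config are constructed for illustration; the symbol names and dependencies are the ones in the Kconfig above.

```python
import re

# IPE policy property -> (Kconfig symbol enabling it, symbols that symbol depends on).
IPE_PROPS = {
    "dmverity_roothash": ("IPE_PROP_DM_VERITY", ["DM_VERITY"]),
    "dmverity_signature": ("IPE_PROP_DM_VERITY_SIGNATURE",
                           ["DM_VERITY", "DM_VERITY_VERIFY_ROOTHASH_SIG"]),
    "fsverity_digest": ("IPE_PROP_FS_VERITY", ["FS_VERITY"]),
    "fsverity_signature": ("IPE_PROP_FS_VERITY_BUILTIN_SIG",
                           ["FS_VERITY", "FS_VERITY_BUILTIN_SIGNATURES"]),
}
IPE_DEPS = ["SECURITY", "SECURITYFS", "AUDIT", "AUDITSYSCALL"]

def parse_config(text):
    """Parse .config text into {symbol: value}; '# CONFIG_X is not set' maps to 'n'."""
    cfg = {}
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"CONFIG_(\w+)=(.*)", line):
            cfg[m[1]] = m[2].strip('"')
        elif m := re.fullmatch(r"# CONFIG_(\w+) is not set", line):
            cfg[m[1]] = "n"
    return cfg

def audit_ipe(cfg):
    """Return (usable policy properties, findings) for a parsed kernel config."""
    on = lambda sym: cfg.get(sym) in ("y", "m")
    if not on("SECURITY_IPE"):
        unmet = [d for d in IPE_DEPS if not on(d)]
        return [], [f"SECURITY_IPE is off; unmet dependencies: {unmet or 'none'}"]
    usable, findings = [], []
    if not cfg.get("IPE_BOOT_POLICY"):
        findings.append("IPE_BOOT_POLICY is blank: no policy is compiled into the kernel")
    for prop, (sym, deps) in IPE_PROPS.items():
        if on(sym):
            usable.append(prop)
        else:
            unmet = [d for d in deps if not on(d)]
            findings.append(f"{prop} unavailable: {sym} is off, unmet: {unmet or 'none'}")
    return usable, findings

# Constructed sample excerpt, not taken from a real system.
SAMPLE_CONFIG = """\
CONFIG_SECURITY_IPE=y
CONFIG_IPE_BOOT_POLICY=""
CONFIG_DM_VERITY=m
# CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG is not set
CONFIG_IPE_PROP_DM_VERITY=y
# CONFIG_FS_VERITY is not set
"""
print(audit_ipe(parse_config(SAMPLE_CONFIG)))
```

On a running system the same functions can be fed the text of the distribution's kernel config file in place of the sample.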