mirror of
https://github.com/torvalds/linux.git
synced 2024-11-25 05:32:00 +00:00
bc3012f4e3
API: - Add virtual-address based lskcipher interface. - Optimise ahash/shash performance in light of costly indirect calls. - Remove ahash alignmask attribute. Algorithms: - Improve AES/XTS performance of 6-way unrolling for ppc. - Remove some uses of obsolete algorithms (md4, md5, sha1). - Add FIPS 202 SHA-3 support in pkcs1pad. - Add fast path for single-page messages in adiantum. - Remove zlib-deflate. Drivers: - Add support for S4 in meson RNG driver. - Add STM32MP13x support in stm32. - Add hwrng interface support in qcom-rng. - Add support for deflate algorithm in hisilicon/zip. -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEn51F/lCuNhUwmDeSxycdCkmxi6cFAmVB3vgACgkQxycdCkmx i6dsOBAAykbnX8BpnpnOXYywE9ZWrl98rAk51MK0N9olZNfg78zRPIv7fFxFdC20 SDJrDSNPmn0Qvaa5e0EfoAdklsm0k2GkXL/BwPKMKWUsyIoJVYI3WrBMnjBy9xMp yfME+h0bKoXJCZKnYkIUSGUejmUPSyRlEylrXoFlH/VWYwAaii/x9zwreQoF+0LR KI24A1q8AYs6Dw9HSfndaAub9GOzrqKYs6fSaMG+77Y4UC5aoi5J9Bp2G3uVyHay x/0bZtIxKXS9wn+LeG/3GspX23x/I5VwBOdAoMigrYmAIaIg5qgyMszudltTAs4R zF1Kh7WsnM5+vpnBSeigzo+/GGOU3QTz8y3tBTg+3ZR7GWGOwQLiizhOYqCyOfAH pIm6c++sZw/OOHiL69Nt4HeLKzGNYYWk3s4X/B/6cqoouPfOsfBaQobZNx9zfy7q ZNEvSVBjrFX/L6wDSotny1LTWLUNjHbmLaMV5uQZ/SQKEtv19fp2Dl7SsLkHH+3v ldOAwfoJR6QcSwz3Ez02TUAvQhtP172Hnxi7u44eiZu2aUboLhCFr7aEU6kVdBCx 1rIRVHD1oqlOEDRwPRXzhF3I8R4QDORJIxZ6UUhg7yueuI+XCGDsBNC+LqBrBmSR IbdjqmSDUBhJyM5yMnt1VFYhqKQ/ZzwZ3JQviwW76Es9pwEIolM= =IZmR -----END PGP SIGNATURE----- Merge tag 'v6.7-p1' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto updates from Herbert Xu: "API: - Add virtual-address based lskcipher interface - Optimise ahash/shash performance in light of costly indirect calls - Remove ahash alignmask attribute Algorithms: - Improve AES/XTS performance of 6-way unrolling for ppc - Remove some uses of obsolete algorithms (md4, md5, sha1) - Add FIPS 202 SHA-3 support in pkcs1pad - Add fast path for single-page messages in adiantum - Remove zlib-deflate Drivers: - Add support for S4 in meson RNG driver - Add STM32MP13x support in stm32 - Add hwrng interface support in qcom-rng - Add support for deflate algorithm in hisilicon/zip" * tag 'v6.7-p1' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (283 commits) crypto: adiantum - flush destination page before unmapping crypto: testmgr - move pkcs1pad(rsa,sha3-*) to correct place Documentation/module-signing.txt: bring up to date module: enable automatic module signing with FIPS 202 SHA-3 crypto: asymmetric_keys - allow FIPS 202 SHA-3 signatures crypto: rsa-pkcs1pad - Add FIPS 202 SHA-3 support crypto: FIPS 202 SHA-3 register in hash info for IMA x509: Add OIDs for FIPS 202 SHA-3 hash and signatures crypto: ahash - optimize performance when wrapping shash crypto: ahash - check for shash type instead of not ahash type crypto: hash - move "ahash wrapping shash" functions to ahash.c crypto: talitos - stop using crypto_ahash::init crypto: chelsio - stop using crypto_ahash::init crypto: ahash - improve file comment crypto: ahash - remove struct ahash_request_priv crypto: ahash - remove crypto_ahash_alignmask crypto: gcm - stop using alignmask of ahash crypto: chacha20poly1305 - stop using alignmask of ahash crypto: ccm - stop using alignmask of ahash net: ipv6: stop checking crypto_ahash_alignmask ...
158 lines
6.1 KiB
Plaintext
158 lines
6.1 KiB
Plaintext
# SPDX-License-Identifier: GPL-2.0
|
|
menu "Certificates for signature checking"
|
|
|
|
config MODULE_SIG_KEY
|
|
string "File name or PKCS#11 URI of module signing key"
|
|
default "certs/signing_key.pem"
|
|
depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES)
|
|
help
|
|
Provide the file name of a private key/certificate in PEM format,
|
|
or a PKCS#11 URI according to RFC7512. The file should contain, or
|
|
the URI should identify, both the certificate and its corresponding
|
|
private key.
|
|
|
|
If this option is unchanged from its default "certs/signing_key.pem",
|
|
then the kernel will automatically generate the private key and
|
|
certificate as described in Documentation/admin-guide/module-signing.rst
|
|
|
|
choice
|
|
prompt "Type of module signing key to be generated"
|
|
depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES)
|
|
help
|
|
The type of module signing key type to generate. This option
|
|
does not apply if a #PKCS11 URI is used.
|
|
|
|
config MODULE_SIG_KEY_TYPE_RSA
|
|
bool "RSA"
|
|
help
|
|
Use an RSA key for module signing.
|
|
|
|
config MODULE_SIG_KEY_TYPE_ECDSA
|
|
bool "ECDSA"
|
|
select CRYPTO_ECDSA
|
|
depends on !(MODULE_SIG_SHA256 || MODULE_SIG_SHA3_256)
|
|
help
|
|
Use an elliptic curve key (NIST P384) for module signing. Use
|
|
a strong hash of same or higher bit length, i.e. sha384 or
|
|
sha512 for hashing modules.
|
|
|
|
Note: Remove all ECDSA signing keys, e.g. certs/signing_key.pem,
|
|
when falling back to building Linux 5.14 and older kernels.
|
|
|
|
endchoice
|
|
|
|
config SYSTEM_TRUSTED_KEYRING
|
|
bool "Provide system-wide ring of trusted keys"
|
|
depends on KEYS
|
|
depends on ASYMMETRIC_KEY_TYPE
|
|
depends on X509_CERTIFICATE_PARSER = y
|
|
help
|
|
Provide a system keyring to which trusted keys can be added. Keys in
|
|
the keyring are considered to be trusted. Keys may be added at will
|
|
by the kernel from compiled-in data and from hardware key stores, but
|
|
userspace may only add extra keys if those keys can be verified by
|
|
keys already in the keyring.
|
|
|
|
Keys in this keyring are used by module signature checking.
|
|
|
|
config SYSTEM_TRUSTED_KEYS
|
|
string "Additional X.509 keys for default system keyring"
|
|
depends on SYSTEM_TRUSTED_KEYRING
|
|
help
|
|
If set, this option should be the filename of a PEM-formatted file
|
|
containing trusted X.509 certificates to be included in the default
|
|
system keyring. Any certificate used for module signing is implicitly
|
|
also trusted.
|
|
|
|
NOTE: If you previously provided keys for the system keyring in the
|
|
form of DER-encoded *.x509 files in the top-level build directory,
|
|
those are no longer used. You will need to set this option instead.
|
|
|
|
config SYSTEM_EXTRA_CERTIFICATE
|
|
bool "Reserve area for inserting a certificate without recompiling"
|
|
depends on SYSTEM_TRUSTED_KEYRING
|
|
help
|
|
If set, space for an extra certificate will be reserved in the kernel
|
|
image. This allows introducing a trusted certificate to the default
|
|
system keyring without recompiling the kernel.
|
|
|
|
config SYSTEM_EXTRA_CERTIFICATE_SIZE
|
|
int "Number of bytes to reserve for the extra certificate"
|
|
depends on SYSTEM_EXTRA_CERTIFICATE
|
|
default 4096
|
|
help
|
|
This is the number of bytes reserved in the kernel image for a
|
|
certificate to be inserted.
|
|
|
|
config SECONDARY_TRUSTED_KEYRING
|
|
bool "Provide a keyring to which extra trustable keys may be added"
|
|
depends on SYSTEM_TRUSTED_KEYRING
|
|
help
|
|
If set, provide a keyring to which extra keys may be added, provided
|
|
those keys are not blacklisted and are vouched for by a key built
|
|
into the kernel, machine keyring (if configured), or already in the
|
|
secondary trusted keyring.
|
|
|
|
config SECONDARY_TRUSTED_KEYRING_SIGNED_BY_BUILTIN
|
|
bool "Only allow additional certs signed by keys on the builtin trusted keyring"
|
|
depends on SECONDARY_TRUSTED_KEYRING
|
|
help
|
|
If set, only certificates signed by keys on the builtin trusted
|
|
keyring may be loaded onto the secondary trusted keyring.
|
|
|
|
Note: The machine keyring, if configured, will be linked to the
|
|
secondary keyring. When enabling this option, it is recommended
|
|
to also configure INTEGRITY_CA_MACHINE_KEYRING_MAX to prevent
|
|
linking code signing keys with imputed trust to the secondary
|
|
trusted keyring.
|
|
|
|
config SYSTEM_BLACKLIST_KEYRING
|
|
bool "Provide system-wide ring of blacklisted keys"
|
|
depends on KEYS
|
|
help
|
|
Provide a system keyring to which blacklisted keys can be added.
|
|
Keys in the keyring are considered entirely untrusted. Keys in this
|
|
keyring are used by the module signature checking to reject loading
|
|
of modules signed with a blacklisted key.
|
|
|
|
config SYSTEM_BLACKLIST_HASH_LIST
|
|
string "Hashes to be preloaded into the system blacklist keyring"
|
|
depends on SYSTEM_BLACKLIST_KEYRING
|
|
help
|
|
If set, this option should be the filename of a list of hashes in the
|
|
form "<hash>", "<hash>", ... . This will be included into a C
|
|
wrapper to incorporate the list into the kernel. Each <hash> must be a
|
|
string starting with a prefix ("tbs" or "bin"), then a colon (":"), and
|
|
finally an even number of hexadecimal lowercase characters (up to 128).
|
|
Certificate hashes can be generated with
|
|
tools/certs/print-cert-tbs-hash.sh .
|
|
|
|
config SYSTEM_REVOCATION_LIST
|
|
bool "Provide system-wide ring of revocation certificates"
|
|
depends on SYSTEM_BLACKLIST_KEYRING
|
|
depends on PKCS7_MESSAGE_PARSER=y
|
|
help
|
|
If set, this allows revocation certificates to be stored in the
|
|
blacklist keyring and implements a hook whereby a PKCS#7 message can
|
|
be checked to see if it matches such a certificate.
|
|
|
|
config SYSTEM_REVOCATION_KEYS
|
|
string "X.509 certificates to be preloaded into the system blacklist keyring"
|
|
depends on SYSTEM_REVOCATION_LIST
|
|
help
|
|
If set, this option should be the filename of a PEM-formatted file
|
|
containing X.509 certificates to be included in the default blacklist
|
|
keyring.
|
|
|
|
config SYSTEM_BLACKLIST_AUTH_UPDATE
|
|
bool "Allow root to add signed blacklist keys"
|
|
depends on SYSTEM_BLACKLIST_KEYRING
|
|
depends on SYSTEM_DATA_VERIFICATION
|
|
help
|
|
If set, provide the ability to load new blacklist keys at run time if
|
|
they are signed and vouched by a certificate from the builtin trusted
|
|
keyring. The PKCS#7 signature of the description is set in the key
|
|
payload. Blacklist keys cannot be removed.
|
|
|
|
endmenu
|