forked from Minki/linux
3cde3174eb
Add some selftests for signature checking when FIPS mode is enabled. These need to be done before we start actually using the signature checking for things and must panic the kernel upon failure. Note that the tests must not check the blacklist lest this provide a way to prevent a kernel from booting by installing a hash of a test key in the appropriate UEFI table. Reported-by: Simo Sorce <simo@redhat.com> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Herbert Xu <herbert@gondor.apana.org.au> cc: keyrings@vger.kernel.org cc: linux-crypto@vger.kernel.org Link: https://lore.kernel.org/r/165515742832.1554877.2073456606206090838.stgit@warthog.procyon.org.uk/
89 lines
2.8 KiB
Plaintext
89 lines
2.8 KiB
Plaintext
# SPDX-License-Identifier: GPL-2.0
|
|
menuconfig ASYMMETRIC_KEY_TYPE
|
|
bool "Asymmetric (public-key cryptographic) key type"
|
|
depends on KEYS
|
|
help
|
|
This option provides support for a key type that holds the data for
|
|
the asymmetric keys used for public key cryptographic operations such
|
|
as encryption, decryption, signature generation and signature
|
|
verification.
|
|
|
|
if ASYMMETRIC_KEY_TYPE
|
|
|
|
config ASYMMETRIC_PUBLIC_KEY_SUBTYPE
|
|
tristate "Asymmetric public-key crypto algorithm subtype"
|
|
select MPILIB
|
|
select CRYPTO_HASH_INFO
|
|
select CRYPTO_AKCIPHER
|
|
select CRYPTO_HASH
|
|
help
|
|
This option provides support for asymmetric public key type handling.
|
|
If signature generation and/or verification are to be used,
|
|
appropriate hash algorithms (such as SHA-1) must be available.
|
|
ENOPKG will be reported if the requisite algorithm is unavailable.
|
|
|
|
config X509_CERTIFICATE_PARSER
|
|
tristate "X.509 certificate parser"
|
|
depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE
|
|
select ASN1
|
|
select OID_REGISTRY
|
|
help
|
|
This option provides support for parsing X.509 format blobs for key
|
|
data and provides the ability to instantiate a crypto key from a
|
|
public key packet found inside the certificate.
|
|
|
|
config PKCS8_PRIVATE_KEY_PARSER
|
|
tristate "PKCS#8 private key parser"
|
|
depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE
|
|
select ASN1
|
|
select OID_REGISTRY
|
|
help
|
|
This option provides support for parsing PKCS#8 format blobs for
|
|
private key data and provides the ability to instantiate a crypto key
|
|
from that data.
|
|
|
|
config PKCS7_MESSAGE_PARSER
|
|
tristate "PKCS#7 message parser"
|
|
depends on X509_CERTIFICATE_PARSER
|
|
select CRYPTO_HASH
|
|
select ASN1
|
|
select OID_REGISTRY
|
|
help
|
|
This option provides support for parsing PKCS#7 format messages for
|
|
signature data and provides the ability to verify the signature.
|
|
|
|
config PKCS7_TEST_KEY
|
|
tristate "PKCS#7 testing key type"
|
|
depends on SYSTEM_DATA_VERIFICATION
|
|
help
|
|
This option provides a type of key that can be loaded up from a
|
|
PKCS#7 message - provided the message is signed by a trusted key. If
|
|
it is, the PKCS#7 wrapper is discarded and reading the key returns
|
|
just the payload. If it isn't, adding the key will fail with an
|
|
error.
|
|
|
|
This is intended for testing the PKCS#7 parser.
|
|
|
|
config SIGNED_PE_FILE_VERIFICATION
|
|
bool "Support for PE file signature verification"
|
|
depends on PKCS7_MESSAGE_PARSER=y
|
|
depends on SYSTEM_DATA_VERIFICATION
|
|
select CRYPTO_HASH
|
|
select ASN1
|
|
select OID_REGISTRY
|
|
help
|
|
This option provides support for verifying the signature(s) on a
|
|
signed PE binary.
|
|
|
|
config FIPS_SIGNATURE_SELFTEST
|
|
bool "Run FIPS selftests on the X.509+PKCS7 signature verification"
|
|
help
|
|
This option causes some selftests to be run on the signature
|
|
verification code, using some built in data. This is required
|
|
for FIPS.
|
|
depends on KEYS
|
|
depends on ASYMMETRIC_KEY_TYPE
|
|
depends on PKCS7_MESSAGE_PARSER
|
|
|
|
endif # ASYMMETRIC_KEY_TYPE
|