Training courses

Kernel and Embedded Linux

Bootlin training courses

Embedded Linux, kernel,
Yocto Project, Buildroot, real-time,
graphics, boot time, debugging...

Bootlin logo

Elixir Cross Referencer

Open Menu /security/keys/Kconfig 
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
# SPDX-License-Identifier: GPL-2.0-only
#
# Key management configuration
#

config CONFIG_KEYS
	bool "Enable access key retention support"
	select CONFIG_ASSOCIATIVE_ARRAY
	help
	  This option provides support for retaining authentication tokens and
	  access keys in the kernel.

	  It also includes provision of methods by which such keys might be
	  associated with a process so that network filesystems, encryption
	  support and the like can find them.

	  Furthermore, a special type of key is available that acts as keyring:
	  a searchable sequence of keys. Each process is equipped with access
	  to five standard keyrings: UID-specific, GID-specific, session,
	  process and thread.

	  If you are unsure as to whether this is required, answer N.

config CONFIG_KEYS_COMPAT
	def_bool y
	depends on CONFIG_COMPAT && CONFIG_KEYS

config CONFIG_KEYS_REQUEST_CACHE
	bool "Enable temporary caching of the last request_key() result"
	depends on CONFIG_KEYS
	help
	  This option causes the result of the last successful request_key()
	  call that didn't upcall to the kernel to be cached temporarily in the
	  task_struct.  The cache is cleared by exit and just prior to the
	  resumption of userspace.

	  This allows the key used for multiple step processes where each step
	  wants to request a key that is likely the same as the one requested
	  by the last step to save on the searching.

	  An example of such a process is a pathwalk through a network
	  filesystem in which each method needs to request an authentication
	  key.  Pathwalk will call multiple methods for each dentry traversed
	  (permission, d_revalidate, lookup, getxattr, getacl, ...).

config CONFIG_PERSISTENT_KEYRINGS
	bool "Enable register of persistent per-UID keyrings"
	depends on CONFIG_KEYS
	help
	  This option provides a register of persistent per-UID keyrings,
	  primarily aimed at Kerberos key storage.  The keyrings are persistent
	  in the sense that they stay around after all processes of that UID
	  have exited, not that they survive the machine being rebooted.

	  CONFIG_A particular keyring may be accessed by either the user whose keyring
	  it is or by a process with administrative privileges.  The active
	  LSMs gets to rule on which admin-level processes get to access the
	  cache.

	  Keyrings are created and added into the register upon demand and get
	  removed if they expire (a default timeout is set upon creation).

config CONFIG_BIG_KEYS
	bool "Large payload keys"
	depends on CONFIG_KEYS
	depends on CONFIG_TMPFS
	select CONFIG_CRYPTO
	select CONFIG_CRYPTO_AES
	select CONFIG_CRYPTO_GCM
	help
	  This option provides support for holding large keys within the kernel
	  (for example Kerberos ticket caches).  The data may be stored out to
	  swapspace by tmpfs.

	  If you are unsure as to whether this is required, answer N.

config CONFIG_TRUSTED_KEYS
	tristate "TRUSTED KEYS"
	depends on CONFIG_KEYS && CONFIG_TCG_TPM
	select CONFIG_CRYPTO
	select CONFIG_CRYPTO_HMAC
	select CONFIG_CRYPTO_SHA1
	select CONFIG_CRYPTO_HASH_INFO
	help
	  This option provides support for creating, sealing, and unsealing
	  keys in the kernel. Trusted keys are random number symmetric keys,
	  generated and RSA-sealed by the TPM. The TPM only unseals the keys,
	  if the boot PCRs and other criteria match.  Userspace will only ever
	  see encrypted blobs.

	  If you are unsure as to whether this is required, answer N.

config CONFIG_ENCRYPTED_KEYS
	tristate "ENCRYPTED KEYS"
	depends on CONFIG_KEYS
	select CONFIG_CRYPTO
	select CONFIG_CRYPTO_HMAC
	select CONFIG_CRYPTO_AES
	select CONFIG_CRYPTO_CBC
	select CONFIG_CRYPTO_SHA256
	select CONFIG_CRYPTO_RNG
	help
	  This option provides support for create/encrypting/decrypting keys
	  in the kernel.  Encrypted keys are kernel generated random numbers,
	  which are encrypted/decrypted with a 'master' symmetric key. The
	  'master' key can be either a trusted-key or user-key type.
	  Userspace only ever sees/stores encrypted blobs.

	  If you are unsure as to whether this is required, answer N.

config CONFIG_KEY_DH_OPERATIONS
       bool "Diffie-Hellman operations on retained keys"
       depends on CONFIG_KEYS
       select CONFIG_CRYPTO
       select CONFIG_CRYPTO_HASH
       select CONFIG_CRYPTO_DH
       help
	 This option provides support for calculating Diffie-Hellman
	 public keys and shared secrets using values stored as keys
	 in the kernel.

	 If you are unsure as to whether this is required, answer N.