summaryrefslogtreecommitdiffstats
path: root/security/integrity/Kconfig
diff options
context:
space:
mode:
authorDmitry Kasatkin <dmitry.kasatkin@intel.com>2011-10-05 11:54:46 +0300
committerDmitry Kasatkin <dmitry.kasatkin@intel.com>2011-11-09 16:51:09 +0200
commit8607c501478432b23654739c7321bc7456053cb6 (patch)
tree598ef1649a261954cb1cafc05189ddedb3bd3ff8 /security/integrity/Kconfig
parent051dbb918c7fb7da8e64a2cd0d804ba73399709f (diff)
integrity: digital signature verification using multiple keyrings
Define separate keyrings for each of the different use cases - evm, ima, and modules. Using different keyrings improves search performance, and also allows "locking" specific keyring to prevent adding new keys. This is useful for evm and module keyrings, when keys are usually only added from initramfs. Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Diffstat (limited to 'security/integrity/Kconfig')
-rw-r--r--security/integrity/Kconfig14
1 files changed, 14 insertions, 0 deletions
diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
index 4bf00acf793..d87fa2a8fa3 100644
--- a/security/integrity/Kconfig
+++ b/security/integrity/Kconfig
@@ -3,5 +3,19 @@ config INTEGRITY
def_bool y
depends on IMA || EVM
+config INTEGRITY_DIGSIG
+ boolean "Digital signature verification using multiple keyrings"
+ depends on INTEGRITY
+ default n
+ select DIGSIG
+ help
+ This option enables digital signature verification support
+ using multiple keyrings. It defines separate keyrings for each
+ of the different use cases - evm, ima, and modules.
+ Different keyrings improves search performance, but also allow
+ to "lock" certain keyring to prevent adding new keys.
+ This is useful for evm and module keyrings, when keys are
+ usually only added from initramfs.
+
source security/integrity/ima/Kconfig
source security/integrity/evm/Kconfig