| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798 |
- #
- # Key management configuration
- #
- config KEYS
- bool "Enable access key retention support"
- select ASSOCIATIVE_ARRAY
- help
- This option provides support for retaining authentication tokens and
- access keys in the kernel.
- It also includes provision of methods by which such keys might be
- associated with a process so that network filesystems, encryption
- support and the like can find them.
- Furthermore, a special type of key is available that acts as keyring:
- a searchable sequence of keys. Each process is equipped with access
- to five standard keyrings: UID-specific, GID-specific, session,
- process and thread.
- If you are unsure as to whether this is required, answer N.
- config PERSISTENT_KEYRINGS
- bool "Enable register of persistent per-UID keyrings"
- depends on KEYS
- help
- This option provides a register of persistent per-UID keyrings,
- primarily aimed at Kerberos key storage. The keyrings are persistent
- in the sense that they stay around after all processes of that UID
- have exited, not that they survive the machine being rebooted.
- A particular keyring may be accessed by either the user whose keyring
- it is or by a process with administrative privileges. The active
- LSMs gets to rule on which admin-level processes get to access the
- cache.
- Keyrings are created and added into the register upon demand and get
- removed if they expire (a default timeout is set upon creation).
- config BIG_KEYS
- bool "Large payload keys"
- depends on KEYS
- depends on TMPFS
- depends on (CRYPTO_ANSI_CPRNG = y || CRYPTO_DRBG = y)
- select CRYPTO_AES
- select CRYPTO_ECB
- select CRYPTO_RNG
- help
- This option provides support for holding large keys within the kernel
- (for example Kerberos ticket caches). The data may be stored out to
- swapspace by tmpfs.
- If you are unsure as to whether this is required, answer N.
- config TRUSTED_KEYS
- tristate "TRUSTED KEYS"
- depends on KEYS && TCG_TPM
- select CRYPTO
- select CRYPTO_HMAC
- select CRYPTO_SHA1
- select CRYPTO_HASH_INFO
- help
- This option provides support for creating, sealing, and unsealing
- keys in the kernel. Trusted keys are random number symmetric keys,
- generated and RSA-sealed by the TPM. The TPM only unseals the keys,
- if the boot PCRs and other criteria match. Userspace will only ever
- see encrypted blobs.
- If you are unsure as to whether this is required, answer N.
- config ENCRYPTED_KEYS
- tristate "ENCRYPTED KEYS"
- depends on KEYS
- select CRYPTO
- select CRYPTO_HMAC
- select CRYPTO_AES
- select CRYPTO_CBC
- select CRYPTO_SHA256
- select CRYPTO_RNG
- help
- This option provides support for create/encrypting/decrypting keys
- in the kernel. Encrypted keys are kernel generated random numbers,
- which are encrypted/decrypted with a 'master' symmetric key. The
- 'master' key can be either a trusted-key or user-key type.
- Userspace only ever sees/stores encrypted blobs.
- If you are unsure as to whether this is required, answer N.
- config KEY_DH_OPERATIONS
- bool "Diffie-Hellman operations on retained keys"
- depends on KEYS
- select MPILIB
- help
- This option provides support for calculating Diffie-Hellman
- public keys and shared secrets using values stored as keys
- in the kernel.
- If you are unsure as to whether this is required, answer N.
|
