diff options
Diffstat (limited to 'certs/Kconfig')
| -rw-r--r-- | certs/Kconfig | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/certs/Kconfig b/certs/Kconfig index f4e61116f94e..ae7f2e876a31 100644 --- a/certs/Kconfig +++ b/certs/Kconfig @@ -15,6 +15,32 @@ config MODULE_SIG_KEY then the kernel will automatically generate the private key and certificate as described in Documentation/admin-guide/module-signing.rst +choice + prompt "Type of module signing key to be generated" + default MODULE_SIG_KEY_TYPE_RSA + help + The type of module signing key type to generate. This option + does not apply if a #PKCS11 URI is used. + +config MODULE_SIG_KEY_TYPE_RSA + bool "RSA" + depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES) + help + Use an RSA key for module signing. + +config MODULE_SIG_KEY_TYPE_ECDSA + bool "ECDSA" + select CRYPTO_ECDSA + depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES) + help + Use an elliptic curve key (NIST P384) for module signing. Consider + using a strong hash like sha256 or sha384 for hashing modules. + + Note: Remove all ECDSA signing keys, e.g. certs/signing_key.pem, + when falling back to building Linux 5.14 and older kernels. + +endchoice + config SYSTEM_TRUSTED_KEYRING bool "Provide system-wide ring of trusted keys" depends on KEYS |