# SPDX-License-Identifier: GPL-2.0-only
#
# Integrity Policy Enforcement (IPE) configuration
#

menuconfig SECURITY_IPE
	bool "Integrity Policy Enforcement (IPE)"
	depends on SECURITY && SECURITYFS && AUDIT && AUDITSYSCALL
	select PKCS7_MESSAGE_PARSER
	select SYSTEM_DATA_VERIFICATION
	select IPE_PROP_DM_VERITY if DM_VERITY
	select IPE_PROP_DM_VERITY_SIGNATURE if DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG
	select IPE_PROP_FS_VERITY if FS_VERITY
	select IPE_PROP_FS_VERITY_BUILTIN_SIG if FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
	help
	  This option enables the Integrity Policy Enforcement LSM
	  allowing users to define a policy to enforce a trust-based access
	  control. A key feature of IPE is a customizable policy to allow
	  admins to reconfigure trust requirements on the fly.

	  If unsure, answer N.

if SECURITY_IPE
config IPE_BOOT_POLICY
	string "Integrity policy to apply on system startup"
	help
	  This option specifies a filepath to an IPE policy that is compiled
	  into the kernel. This policy will be enforced until a policy update
	  is deployed via the $securityfs/ipe/policies/$policy_name/active
	  interface.

	  If unsure, leave blank.

menu "IPE Trust Providers"

config IPE_PROP_DM_VERITY
	bool "Enable support for dm-verity based on root hash"
	depends on DM_VERITY
	help
	  This option enables the 'dmverity_roothash' property within IPE
	  policies. The property evaluates to TRUE when a file from a dm-verity
	  volume is evaluated, and the volume's root hash matches the value
	  supplied in the policy.

config IPE_PROP_DM_VERITY_SIGNATURE
	bool "Enable support for dm-verity based on root hash signature"
	depends on DM_VERITY && DM_VERITY_VERIFY_ROOTHASH_SIG
	help
	  This option enables the 'dmverity_signature' property within IPE
	  policies. The property evaluates to TRUE when a file from a dm-verity
	  volume, which has been mounted with a valid signed root hash,
	  is evaluated.

	  If unsure, answer Y.

config IPE_PROP_FS_VERITY
	bool "Enable support for fs-verity based on file digest"
	depends on FS_VERITY
	help
	  This option enables the 'fsverity_digest' property within IPE
	  policies. The property evaluates to TRUE when a file is fsverity
	  enabled and its digest matches the supplied digest value in the
	  policy.

	  if unsure, answer Y.

config IPE_PROP_FS_VERITY_BUILTIN_SIG
	bool "Enable support for fs-verity based on builtin signature"
	depends on FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
	help
	  This option enables the 'fsverity_signature' property within IPE
	  policies. The property evaluates to TRUE when a file is fsverity
	  enabled and it has a valid builtin signature whose signing cert
	  is in the .fs-verity keyring.

	  if unsure, answer Y.

config IPE_PROP_INTENDED_PATHNAME
	bool "Enable property for targeting applications based on application provided-path"
	help
	  This option enables IPE's "intended_pathname" property. This is the
	  original userland, application-provided pathname passed to any open
	  system call. This can be used by the userland application to signal
	  its purpose to enforce integrity requirements on paths, such as
	  verifying all config files in /etc.
	  WARNING: intended_pathname is not a security property and should
	  only be used for targeting an application via its intent to open
	  a file.
	  if unsure, answer N.

endmenu

config SECURITY_IPE_KUNIT_TEST
	bool "Build KUnit tests for IPE" if !KUNIT_ALL_TESTS
	depends on KUNIT=y
	default KUNIT_ALL_TESTS
	help
	  This builds the IPE KUnit tests.

	  KUnit tests run during boot and output the results to the debug log
	  in TAP format (https://testanything.org/). Only useful for kernel devs
	  running KUnit test harness and are not for inclusion into a
	  production build.

	  For more information on KUnit and unit tests in general please refer
	  to the KUnit documentation in Documentation/dev-tools/kunit/.

	  If unsure, say N.

endif
