Merge tag 'defconfig-5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc

[linux-2.6-microblaze.git] / certs / Kconfig

diff --git a/certs/Kconfig b/certs/Kconfig
index f4e6111..ae7f2e8 100644 (file)
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -15,6 +15,32 @@ config MODULE_SIG_KEY
          then the kernel will automatically generate the private key and
          certificate as described in Documentation/admin-guide/module-signing.rst
 
+choice
+       prompt "Type of module signing key to be generated"
+       default MODULE_SIG_KEY_TYPE_RSA
+       help
+        The type of module signing key type to generate. This option
+        does not apply if a #PKCS11 URI is used.
+
+config MODULE_SIG_KEY_TYPE_RSA
+       bool "RSA"
+       depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES)
+       help
+        Use an RSA key for module signing.
+
+config MODULE_SIG_KEY_TYPE_ECDSA
+       bool "ECDSA"
+       select CRYPTO_ECDSA
+       depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES)
+       help
+        Use an elliptic curve key (NIST P384) for module signing. Consider
+        using a strong hash like sha256 or sha384 for hashing modules.
+
+        Note: Remove all ECDSA signing keys, e.g. certs/signing_key.pem,
+        when falling back to building Linux 5.14 and older kernels.
+
+endchoice
+
 config SYSTEM_TRUSTED_KEYRING
        bool "Provide system-wide ring of trusted keys"
        depends on KEYS