integrity: base integrity subsystem kconfig options on integrity

The integrity subsystem has lots of options and takes more than
half of the security menu.  This patch consolidates the options
under "integrity", which are hidden if not enabled.  This change
does not affect existing configurations.  Re-configuration is not
needed.

Changes v4:
- no need to change "integrity subsystem" to menuconfig as
options are hidden, when not enabled. (Mimi)
- add INTEGRITY Kconfig help description

Changes v3:
- dependency to INTEGRITY removed when behind 'if INTEGRITY'

Changes v2:
- previous patch moved integrity out of the 'security' menu.
  This version keeps integrity as a security option (Mimi).

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>

diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
index f79d853..b76235a 100644 (file)
--- a/security/integrity/Kconfig
+++ b/security/integrity/Kconfig
@@ -1,11 +1,23 @@
 #
 config INTEGRITY
-       def_bool y
-       depends on IMA || EVM
+       bool "Integrity subsystem"
+       depends on SECURITY
+       default y
+       help
+         This option enables the integrity subsystem, which is comprised
+         of a number of different components including the Integrity
+         Measurement Architecture (IMA), Extended Verification Module
+         (EVM), IMA-appraisal extension, digital signature verification
+         extension and audit measurement log support.
+
+         Each of these components can be enabled/disabled separately.
+         Refer to the individual components for additional details.
+
+if INTEGRITY
 
 config INTEGRITY_SIGNATURE
        boolean "Digital signature verification using multiple keyrings"
-       depends on INTEGRITY && KEYS
+       depends on KEYS
        default n
        select SIGNATURE
        help
@@ -31,7 +43,7 @@ config INTEGRITY_ASYMMETRIC_KEYS
 
 config INTEGRITY_AUDIT
        bool "Enables integrity auditing support "
-       depends on INTEGRITY && AUDIT
+       depends on AUDIT
        default y
        help
          In addition to enabling integrity auditing support, this
@@ -46,3 +58,5 @@ config INTEGRITY_AUDIT
 
 source security/integrity/ima/Kconfig
 source security/integrity/evm/Kconfig
+
+endif   # if INTEGRITY

diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig
index d606f3d..df586fa 100644 (file)
--- a/security/integrity/evm/Kconfig
+++ b/security/integrity/evm/Kconfig
@@ -1,6 +1,5 @@
 config EVM
        boolean "EVM support"
-       depends on SECURITY
        select KEYS
        select ENCRYPTED_KEYS
        select CRYPTO_HMAC
@@ -12,10 +11,6 @@ config EVM
 
          If you are unsure how to answer this question, answer N.
 
-if EVM
-
-menu "EVM options"
-
 config EVM_ATTR_FSUUID
        bool "FSUUID (version 2)"
        default y
@@ -47,6 +42,3 @@ config EVM_EXTRA_SMACK_XATTRS
          additional info to the calculation, requires existing EVM
          labeled file systems to be relabeled.
 
-endmenu
-
-endif

diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 08758fb..e099875 100644 (file)
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -2,8 +2,6 @@
 #
 config IMA
        bool "Integrity Measurement Architecture(IMA)"
-       depends on SECURITY
-       select INTEGRITY
        select SECURITYFS
        select CRYPTO
        select CRYPTO_HMAC