[mirror_ubuntu-artful-kernel.git] / security / integrity / ima / Kconfig

# IBM Integrity Measurement Architecture
#
config IMA
	bool "Integrity Measurement Architecture(IMA)"
	select SECURITYFS
	select CRYPTO
	select CRYPTO_HMAC
	select CRYPTO_MD5
	select CRYPTO_SHA1
	select CRYPTO_HASH_INFO
	select TCG_TPM if HAS_IOMEM && !UML
	select TCG_TIS if TCG_TPM && X86
	select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
	help
	  The Trusted Computing Group(TCG) runtime Integrity
	  Measurement Architecture(IMA) maintains a list of hash
	  values of executables and other sensitive system files,
	  as they are read or executed. If an attacker manages
	  to change the contents of an important system file
	  being measured, we can tell.

	  If your system has a TPM chip, then IMA also maintains
	  an aggregate integrity value over this list inside the
	  TPM hardware, so that the TPM can prove to a third party
	  whether or not critical system files have been modified.
	  Read <http://www.usenix.org/events/sec04/tech/sailer.html>
	  to learn more about IMA.
	  If unsure, say N.

config IMA_KEXEC
	bool "Enable carrying the IMA measurement list across a soft boot"
	depends on IMA && TCG_TPM && HAVE_IMA_KEXEC
	default n
	help
	   TPM PCRs are only reset on a hard reboot.  In order to validate
	   a TPM's quote after a soft boot, the IMA measurement list of the
	   running kernel must be saved and restored on boot.

	   Depending on the IMA policy, the measurement list can grow to
	   be very large.

config IMA_MEASURE_PCR_IDX
	int
	depends on IMA
	range 8 14
	default 10
	help
	  IMA_MEASURE_PCR_IDX determines the TPM PCR register index
	  that IMA uses to maintain the integrity aggregate of the
	  measurement list.  If unsure, use the default 10.

config IMA_LSM_RULES
	bool
	depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)
	default y
	help
	  Disabling this option will disregard LSM based policy rules.

choice
	prompt "Default template"
	default IMA_NG_TEMPLATE
	depends on IMA
	help
	  Select the default IMA measurement template.

	  The original 'ima' measurement list template contains a
	  hash, defined as 20 bytes, and a null terminated pathname,
	  limited to 255 characters.  The 'ima-ng' measurement list
	  template permits both larger hash digests and longer
	  pathnames.

	config IMA_TEMPLATE
		bool "ima"
	config IMA_NG_TEMPLATE
		bool "ima-ng (default)"
	config IMA_SIG_TEMPLATE
		bool "ima-sig"
endchoice

config IMA_DEFAULT_TEMPLATE
	string
	depends on IMA
	default "ima" if IMA_TEMPLATE
	default "ima-ng" if IMA_NG_TEMPLATE
	default "ima-sig" if IMA_SIG_TEMPLATE

choice
	prompt "Default integrity hash algorithm"
	default IMA_DEFAULT_HASH_SHA1
	depends on IMA
	help
	   Select the default hash algorithm used for the measurement
	   list, integrity appraisal and audit log.  The compiled default
	   hash algorithm can be overwritten using the kernel command
	   line 'ima_hash=' option.

	config IMA_DEFAULT_HASH_SHA1
		bool "SHA1 (default)"
		depends on CRYPTO_SHA1=y

	config IMA_DEFAULT_HASH_SHA256
		bool "SHA256"
		depends on CRYPTO_SHA256=y && !IMA_TEMPLATE

	config IMA_DEFAULT_HASH_SHA512
		bool "SHA512"
		depends on CRYPTO_SHA512=y && !IMA_TEMPLATE

	config IMA_DEFAULT_HASH_WP512
		bool "WP512"
		depends on CRYPTO_WP512=y && !IMA_TEMPLATE
endchoice

config IMA_DEFAULT_HASH
	string
	depends on IMA
	default "sha1" if IMA_DEFAULT_HASH_SHA1
	default "sha256" if IMA_DEFAULT_HASH_SHA256
	default "sha512" if IMA_DEFAULT_HASH_SHA512
	default "wp512" if IMA_DEFAULT_HASH_WP512

config IMA_WRITE_POLICY
	bool "Enable multiple writes to the IMA policy"
	depends on IMA
	default n
	help
	  IMA policy can now be updated multiple times.  The new rules get
	  appended to the original policy.  Have in mind that the rules are
	  scanned in FIFO order so be careful when you design and add new ones.

	  If unsure, say N.

config IMA_READ_POLICY
	bool "Enable reading back the current IMA policy"
	depends on IMA
	default y if IMA_WRITE_POLICY
	default n if !IMA_WRITE_POLICY
	help
	   It is often useful to be able to read back the IMA policy.  It is
	   even more important after introducing CONFIG_IMA_WRITE_POLICY.
	   This option allows the root user to see the current policy rules.

config IMA_APPRAISE
	bool "Appraise integrity measurements"
	depends on IMA
	default n
	help
	  This option enables local measurement integrity appraisal.
	  It requires the system to be labeled with a security extended
	  attribute containing the file hash measurement.  To protect
	  the security extended attributes from offline attack, enable
	  and configure EVM.

	  For more information on integrity appraisal refer to:
	  <http://linux-ima.sourceforge.net>
	  If unsure, say N.

config IMA_APPRAISE_BOOTPARAM
	bool "ima_appraise boot parameter"
	depends on IMA_APPRAISE
	default y
	help
	  This option enables the different "ima_appraise=" modes
	  (eg. fix, log) from the boot command line.

config IMA_TRUSTED_KEYRING
	bool "Require all keys on the .ima keyring be signed (deprecated)"
	depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
	depends on INTEGRITY_ASYMMETRIC_KEYS
	select INTEGRITY_TRUSTED_KEYRING
	default y
	help
	   This option requires that all keys added to the .ima
	   keyring be signed by a key on the system trusted keyring.

	   This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING

config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
	bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
	depends on SYSTEM_TRUSTED_KEYRING
	depends on SECONDARY_TRUSTED_KEYRING
	depends on INTEGRITY_ASYMMETRIC_KEYS
	select INTEGRITY_TRUSTED_KEYRING
	default n
	help
	  Keys may be added to the IMA or IMA blacklist keyrings, if the
	  key is validly signed by a CA cert in the system built-in or
	  secondary trusted keyrings.

	  Intermediate keys between those the kernel has compiled in and the
	  IMA keys to be added may be added to the system secondary keyring,
	  provided they are validly signed by a key already resident in the
	  built-in or secondary trusted keyrings.

config IMA_BLACKLIST_KEYRING
	bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
	depends on SYSTEM_TRUSTED_KEYRING
	depends on IMA_TRUSTED_KEYRING
	default n
	help
	   This option creates an IMA blacklist keyring, which contains all
	   revoked IMA keys.  It is consulted before any other keyring.  If
	   the search is successful the requested operation is rejected and
	   an error is returned to the caller.

config IMA_LOAD_X509
	bool "Load X509 certificate onto the '.ima' trusted keyring"
	depends on IMA_TRUSTED_KEYRING
	default n
	help
	   File signature verification is based on the public keys
	   loaded on the .ima trusted keyring. These public keys are
	   X509 certificates signed by a trusted key on the
	   .system keyring.  This option enables X509 certificate
	   loading from the kernel onto the '.ima' trusted keyring.

config IMA_X509_PATH
	string "IMA X509 certificate path"
	depends on IMA_LOAD_X509
	default "/etc/keys/x509_ima.der"
	help
	   This option defines IMA X509 certificate path.

config IMA_APPRAISE_SIGNED_INIT
	bool "Require signed user-space initialization"
	depends on IMA_LOAD_X509
	default n
	help
	   This option requires user-space init to be signed.
Commit	Line	Data
3323eec9 MZ	1	# IBM Integrity Measurement Architecture
	2	#
	3	config IMA
	4	bool "Integrity Measurement Architecture(IMA)"
3323eec9 MZ	5	select SECURITYFS
	6	select CRYPTO
	7	select CRYPTO_HMAC
	8	select CRYPTO_MD5
	9	select CRYPTO_SHA1
c7c8bb23	10	select CRYPTO_HASH_INFO
f4a0391d	11	select TCG_TPM if HAS_IOMEM && !UML
a69f1589	12	select TCG_TIS if TCG_TPM && X86
63a0eb78	13	select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
3323eec9 MZ	14	help
	15	The Trusted Computing Group(TCG) runtime Integrity
	16	Measurement Architecture(IMA) maintains a list of hash
	17	values of executables and other sensitive system files,
	18	as they are read or executed. If an attacker manages
	19	to change the contents of an important system file
	20	being measured, we can tell.
	21
	22	If your system has a TPM chip, then IMA also maintains
	23	an aggregate integrity value over this list inside the
	24	TPM hardware, so that the TPM can prove to a third party
	25	whether or not critical system files have been modified.
	26	Read <http://www.usenix.org/events/sec04/tech/sailer.html>
	27	to learn more about IMA.
	28	If unsure, say N.
	29
d158847a MZ	30	config IMA_KEXEC
	31	bool "Enable carrying the IMA measurement list across a soft boot"
	32	depends on IMA && TCG_TPM && HAVE_IMA_KEXEC
	33	default n
	34	help
	35	TPM PCRs are only reset on a hard reboot. In order to validate
	36	a TPM's quote after a soft boot, the IMA measurement list of the
	37	running kernel must be saved and restored on boot.
	38
	39	Depending on the IMA policy, the measurement list can grow to
	40	be very large.
	41
3323eec9 MZ	42	config IMA_MEASURE_PCR_IDX
	43	int
	44	depends on IMA
	45	range 8 14
	46	default 10
	47	help
	48	IMA_MEASURE_PCR_IDX determines the TPM PCR register index
	49	that IMA uses to maintain the integrity aggregate of the
	50	measurement list. If unsure, use the default 10.
	51
4af4662f MZ	52	config IMA_LSM_RULES
4af4662f MZ	53	bool
b53fab9d	54	depends on IMA && AUDIT && (SECURITY_SELINUX \|\| SECURITY_SMACK)
4af4662f MZ	55	default y
4af4662f MZ	56	help
b53fab9d	57	Disabling this option will disregard LSM based policy rules.
2fe5d6de	58
4286587d MZ	59	choice
	60	prompt "Default template"
	61	default IMA_NG_TEMPLATE
	62	depends on IMA
	63	help
	64	Select the default IMA measurement template.
	65
	66	The original 'ima' measurement list template contains a
	67	hash, defined as 20 bytes, and a null terminated pathname,
	68	limited to 255 characters. The 'ima-ng' measurement list
	69	template permits both larger hash digests and longer
	70	pathnames.
	71
	72	config IMA_TEMPLATE
	73	bool "ima"
	74	config IMA_NG_TEMPLATE
	75	bool "ima-ng (default)"
bcbc9b0c MZ	76	config IMA_SIG_TEMPLATE
bcbc9b0c MZ	77	bool "ima-sig"
4286587d MZ	78	endchoice
	79
	80	config IMA_DEFAULT_TEMPLATE
	81	string
	82	depends on IMA
	83	default "ima" if IMA_TEMPLATE
	84	default "ima-ng" if IMA_NG_TEMPLATE
bcbc9b0c	85	default "ima-sig" if IMA_SIG_TEMPLATE
4286587d	86
e7a2ad7e MZ	87	choice
	88	prompt "Default integrity hash algorithm"
	89	default IMA_DEFAULT_HASH_SHA1
	90	depends on IMA
	91	help
	92	Select the default hash algorithm used for the measurement
	93	list, integrity appraisal and audit log. The compiled default
	94	hash algorithm can be overwritten using the kernel command
	95	line 'ima_hash=' option.
	96
	97	config IMA_DEFAULT_HASH_SHA1
	98	bool "SHA1 (default)"
38d19268	99	depends on CRYPTO_SHA1=y
e7a2ad7e MZ	100
	101	config IMA_DEFAULT_HASH_SHA256
	102	bool "SHA256"
38d19268	103	depends on CRYPTO_SHA256=y && !IMA_TEMPLATE
e7a2ad7e MZ	104
	105	config IMA_DEFAULT_HASH_SHA512
	106	bool "SHA512"
38d19268	107	depends on CRYPTO_SHA512=y && !IMA_TEMPLATE
e7a2ad7e MZ	108
	109	config IMA_DEFAULT_HASH_WP512
	110	bool "WP512"
38d19268	111	depends on CRYPTO_WP512=y && !IMA_TEMPLATE
e7a2ad7e MZ	112	endchoice
	113
	114	config IMA_DEFAULT_HASH
	115	string
	116	depends on IMA
	117	default "sha1" if IMA_DEFAULT_HASH_SHA1
	118	default "sha256" if IMA_DEFAULT_HASH_SHA256
	119	default "sha512" if IMA_DEFAULT_HASH_SHA512
	120	default "wp512" if IMA_DEFAULT_HASH_WP512
	121
38d859f9 PM	122	config IMA_WRITE_POLICY
	123	bool "Enable multiple writes to the IMA policy"
	124	depends on IMA
	125	default n
	126	help
	127	IMA policy can now be updated multiple times. The new rules get
	128	appended to the original policy. Have in mind that the rules are
	129	scanned in FIFO order so be careful when you design and add new ones.
	130
	131	If unsure, say N.
	132
80eae209 PM	133	config IMA_READ_POLICY
	134	bool "Enable reading back the current IMA policy"
	135	depends on IMA
	136	default y if IMA_WRITE_POLICY
	137	default n if !IMA_WRITE_POLICY
	138	help
	139	It is often useful to be able to read back the IMA policy. It is
	140	even more important after introducing CONFIG_IMA_WRITE_POLICY.
	141	This option allows the root user to see the current policy rules.
	142
2fe5d6de MZ	143	config IMA_APPRAISE
	144	bool "Appraise integrity measurements"
	145	depends on IMA
	146	default n
	147	help
	148	This option enables local measurement integrity appraisal.
	149	It requires the system to be labeled with a security extended
	150	attribute containing the file hash measurement. To protect
	151	the security extended attributes from offline attack, enable
	152	and configure EVM.
	153
	154	For more information on integrity appraisal refer to:
	155	<http://linux-ima.sourceforge.net>
	156	If unsure, say N.
7d2ce232	157
e1f5e01f MZ	158	config IMA_APPRAISE_BOOTPARAM
	159	bool "ima_appraise boot parameter"
	160	depends on IMA_APPRAISE
	161	default y
	162	help
	163	This option enables the different "ima_appraise=" modes
	164	(eg. fix, log) from the boot command line.
	165
7d2ce232	166	config IMA_TRUSTED_KEYRING
f4dc3778	167	bool "Require all keys on the .ima keyring be signed (deprecated)"
7d2ce232 MZ	168	depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
7d2ce232 MZ	169	depends on INTEGRITY_ASYMMETRIC_KEYS
f4dc3778	170	select INTEGRITY_TRUSTED_KEYRING
7d2ce232 MZ	171	default y
	172	help
	173	This option requires that all keys added to the .ima
	174	keyring be signed by a key on the system trusted keyring.
fd5f4e90	175
f4dc3778 DK	176	This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING
f4dc3778 DK	177
56104cf2 DH	178	config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
	179	bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
	180	depends on SYSTEM_TRUSTED_KEYRING
	181	depends on SECONDARY_TRUSTED_KEYRING
	182	depends on INTEGRITY_ASYMMETRIC_KEYS
	183	select INTEGRITY_TRUSTED_KEYRING
	184	default n
	185	help
	186	Keys may be added to the IMA or IMA blacklist keyrings, if the
	187	key is validly signed by a CA cert in the system built-in or
	188	secondary trusted keyrings.
	189
	190	Intermediate keys between those the kernel has compiled in and the
	191	IMA keys to be added may be added to the system secondary keyring,
	192	provided they are validly signed by a key already resident in the
	193	built-in or secondary trusted keyrings.
	194
	195	config IMA_BLACKLIST_KEYRING
	196	bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
41c89b64 PM	197	depends on SYSTEM_TRUSTED_KEYRING
	198	depends on IMA_TRUSTED_KEYRING
	199	default n
	200	help
56104cf2 DH	201	This option creates an IMA blacklist keyring, which contains all
	202	revoked IMA keys. It is consulted before any other keyring. If
	203	the search is successful the requested operation is rejected and
	204	an error is returned to the caller.
41c89b64	205
fd5f4e90 DK	206	config IMA_LOAD_X509
	207	bool "Load X509 certificate onto the '.ima' trusted keyring"
	208	depends on IMA_TRUSTED_KEYRING
	209	default n
	210	help
	211	File signature verification is based on the public keys
	212	loaded on the .ima trusted keyring. These public keys are
	213	X509 certificates signed by a trusted key on the
	214	.system keyring. This option enables X509 certificate
	215	loading from the kernel onto the '.ima' trusted keyring.
	216
	217	config IMA_X509_PATH
	218	string "IMA X509 certificate path"
	219	depends on IMA_LOAD_X509
	220	default "/etc/keys/x509_ima.der"
	221	help
	222	This option defines IMA X509 certificate path.
c57782c1 DK	223
	224	config IMA_APPRAISE_SIGNED_INIT
	225	bool "Require signed user-space initialization"
	226	depends on IMA_LOAD_X509
	227	default n
	228	help
	229	This option requires user-space init to be signed.