]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blame - security/integrity/ima/Kconfig
Merge branch 'picoxcell-fixes' of git://github.com/jamieiles/linux-2.6-ji into fixes
[mirror_ubuntu-bionic-kernel.git] / security / integrity / ima / Kconfig
CommitLineData
3323eec9
MZ
1# IBM Integrity Measurement Architecture
2#
3config IMA
4 bool "Integrity Measurement Architecture(IMA)"
6c21a7fb 5 depends on SECURITY
f381c272 6 select INTEGRITY
3323eec9
MZ
7 select SECURITYFS
8 select CRYPTO
9 select CRYPTO_HMAC
10 select CRYPTO_MD5
11 select CRYPTO_SHA1
3369465e 12 select TCG_TPM if !S390 && !UML
ba0c1709 13 select TCG_TIS if TCG_TPM
3323eec9
MZ
14 help
15 The Trusted Computing Group(TCG) runtime Integrity
16 Measurement Architecture(IMA) maintains a list of hash
17 values of executables and other sensitive system files,
18 as they are read or executed. If an attacker manages
19 to change the contents of an important system file
20 being measured, we can tell.
21
22 If your system has a TPM chip, then IMA also maintains
23 an aggregate integrity value over this list inside the
24 TPM hardware, so that the TPM can prove to a third party
25 whether or not critical system files have been modified.
26 Read <http://www.usenix.org/events/sec04/tech/sailer.html>
27 to learn more about IMA.
28 If unsure, say N.
29
30config IMA_MEASURE_PCR_IDX
31 int
32 depends on IMA
33 range 8 14
34 default 10
35 help
36 IMA_MEASURE_PCR_IDX determines the TPM PCR register index
37 that IMA uses to maintain the integrity aggregate of the
38 measurement list. If unsure, use the default 10.
39
40config IMA_AUDIT
41 bool
42 depends on IMA
43 default y
44 help
45 This option adds a kernel parameter 'ima_audit', which
46 allows informational auditing messages to be enabled
47 at boot. If this option is selected, informational integrity
48 auditing messages can be enabled with 'ima_audit=1' on
49 the kernel command line.
50
4af4662f
MZ
51config IMA_LSM_RULES
52 bool
b53fab9d 53 depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)
4af4662f
MZ
54 default y
55 help
b53fab9d 56 Disabling this option will disregard LSM based policy rules.