[mirror_ubuntu-hirsute-kernel.git] / security / integrity / ima / Kconfig

# IBM Integrity Measurement Architecture
#
config IMA
	bool "Integrity Measurement Architecture(IMA)"
	select SECURITYFS
	select CRYPTO
	select CRYPTO_HMAC
	select CRYPTO_MD5
	select CRYPTO_SHA1
	select CRYPTO_HASH_INFO
	select TCG_TPM if HAS_IOMEM && !UML
	select TCG_TIS if TCG_TPM && X86
	select TCG_CRB if TCG_TPM && ACPI
	select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
	select INTEGRITY_AUDIT if AUDIT
	help
	  The Trusted Computing Group(TCG) runtime Integrity
	  Measurement Architecture(IMA) maintains a list of hash
	  values of executables and other sensitive system files,
	  as they are read or executed. If an attacker manages
	  to change the contents of an important system file
	  being measured, we can tell.

	  If your system has a TPM chip, then IMA also maintains
	  an aggregate integrity value over this list inside the
	  TPM hardware, so that the TPM can prove to a third party
	  whether or not critical system files have been modified.
	  Read <http://www.usenix.org/events/sec04/tech/sailer.html>
	  to learn more about IMA.
	  If unsure, say N.

config IMA_KEXEC
	bool "Enable carrying the IMA measurement list across a soft boot"
	depends on IMA && TCG_TPM && HAVE_IMA_KEXEC
	default n
	help
	   TPM PCRs are only reset on a hard reboot.  In order to validate
	   a TPM's quote after a soft boot, the IMA measurement list of the
	   running kernel must be saved and restored on boot.

	   Depending on the IMA policy, the measurement list can grow to
	   be very large.

config IMA_MEASURE_PCR_IDX
	int
	depends on IMA
	range 8 14
	default 10
	help
	  IMA_MEASURE_PCR_IDX determines the TPM PCR register index
	  that IMA uses to maintain the integrity aggregate of the
	  measurement list.  If unsure, use the default 10.

config IMA_LSM_RULES
	bool
	depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)
	default y
	help
	  Disabling this option will disregard LSM based policy rules.

choice
	prompt "Default template"
	default IMA_NG_TEMPLATE
	depends on IMA
	help
	  Select the default IMA measurement template.

	  The original 'ima' measurement list template contains a
	  hash, defined as 20 bytes, and a null terminated pathname,
	  limited to 255 characters.  The 'ima-ng' measurement list
	  template permits both larger hash digests and longer
	  pathnames.

	config IMA_TEMPLATE
		bool "ima"
	config IMA_NG_TEMPLATE
		bool "ima-ng (default)"
	config IMA_SIG_TEMPLATE
		bool "ima-sig"
endchoice

config IMA_DEFAULT_TEMPLATE
	string
	depends on IMA
	default "ima" if IMA_TEMPLATE
	default "ima-ng" if IMA_NG_TEMPLATE
	default "ima-sig" if IMA_SIG_TEMPLATE

choice
	prompt "Default integrity hash algorithm"
	default IMA_DEFAULT_HASH_SHA1
	depends on IMA
	help
	   Select the default hash algorithm used for the measurement
	   list, integrity appraisal and audit log.  The compiled default
	   hash algorithm can be overwritten using the kernel command
	   line 'ima_hash=' option.

	config IMA_DEFAULT_HASH_SHA1
		bool "SHA1 (default)"
		depends on CRYPTO_SHA1=y

	config IMA_DEFAULT_HASH_SHA256
		bool "SHA256"
		depends on CRYPTO_SHA256=y && !IMA_TEMPLATE

	config IMA_DEFAULT_HASH_SHA512
		bool "SHA512"
		depends on CRYPTO_SHA512=y && !IMA_TEMPLATE

	config IMA_DEFAULT_HASH_WP512
		bool "WP512"
		depends on CRYPTO_WP512=y && !IMA_TEMPLATE
endchoice

config IMA_DEFAULT_HASH
	string
	depends on IMA
	default "sha1" if IMA_DEFAULT_HASH_SHA1
	default "sha256" if IMA_DEFAULT_HASH_SHA256
	default "sha512" if IMA_DEFAULT_HASH_SHA512
	default "wp512" if IMA_DEFAULT_HASH_WP512

config IMA_WRITE_POLICY
	bool "Enable multiple writes to the IMA policy"
	depends on IMA
	default n
	help
	  IMA policy can now be updated multiple times.  The new rules get
	  appended to the original policy.  Have in mind that the rules are
	  scanned in FIFO order so be careful when you design and add new ones.

	  If unsure, say N.

config IMA_READ_POLICY
	bool "Enable reading back the current IMA policy"
	depends on IMA
	default y if IMA_WRITE_POLICY
	default n if !IMA_WRITE_POLICY
	help
	   It is often useful to be able to read back the IMA policy.  It is
	   even more important after introducing CONFIG_IMA_WRITE_POLICY.
	   This option allows the root user to see the current policy rules.

config IMA_APPRAISE
	bool "Appraise integrity measurements"
	depends on IMA
	default n
	help
	  This option enables local measurement integrity appraisal.
	  It requires the system to be labeled with a security extended
	  attribute containing the file hash measurement.  To protect
	  the security extended attributes from offline attack, enable
	  and configure EVM.

	  For more information on integrity appraisal refer to:
	  <http://linux-ima.sourceforge.net>
	  If unsure, say N.

config IMA_ARCH_POLICY
        bool "Enable loading an IMA architecture specific policy"
        depends on KEXEC_VERIFY_SIG || IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS
        default n
        help
          This option enables loading an IMA architecture specific policy
          based on run time secure boot flags.

config IMA_APPRAISE_BUILD_POLICY
	bool "IMA build time configured policy rules"
	depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS
	default n
	help
	  This option defines an IMA appraisal policy at build time, which
	  is enforced at run time without having to specify a builtin
	  policy name on the boot command line.  The build time appraisal
	  policy rules persist after loading a custom policy.

	  Depending on the rules configured, this policy may require kernel
	  modules, firmware, the kexec kernel image, and/or the IMA policy
	  to be signed.  Unsigned files might prevent the system from
	  booting or applications from working properly.

config IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS
	bool "Appraise firmware signatures"
	depends on IMA_APPRAISE_BUILD_POLICY
	default n
	help
	  This option defines a policy requiring all firmware to be signed,
	  including the regulatory.db.  If both this option and
	  CFG80211_REQUIRE_SIGNED_REGDB are enabled, then both signature
	  verification methods are necessary.

config IMA_APPRAISE_REQUIRE_KEXEC_SIGS
	bool "Appraise kexec kernel image signatures"
	depends on IMA_APPRAISE_BUILD_POLICY
	default n
	help
	  Enabling this rule will require all kexec'ed kernel images to
	  be signed and verified by a public key on the trusted IMA
	  keyring.

	  Kernel image signatures can not be verified by the original
	  kexec_load syscall.  Enabling this rule will prevent its
	  usage.

config IMA_APPRAISE_REQUIRE_MODULE_SIGS
	bool "Appraise kernel modules signatures"
	depends on IMA_APPRAISE_BUILD_POLICY
	default n
	help
	  Enabling this rule will require all kernel modules to be signed
	  and verified by a public key on the trusted IMA keyring.

	  Kernel module signatures can only be verified by IMA-appraisal,
	  via the finit_module syscall. Enabling this rule will prevent
	  the usage of the init_module syscall.

config IMA_APPRAISE_REQUIRE_POLICY_SIGS
	bool "Appraise IMA policy signature"
	depends on IMA_APPRAISE_BUILD_POLICY
	default n
	help
	  Enabling this rule will require the IMA policy to be signed and
	  and verified by a key on the trusted IMA keyring.

config IMA_APPRAISE_BOOTPARAM
	bool "ima_appraise boot parameter"
	depends on IMA_APPRAISE && !IMA_ARCH_POLICY
	default y
	help
	  This option enables the different "ima_appraise=" modes
	  (eg. fix, log) from the boot command line.

config IMA_TRUSTED_KEYRING
	bool "Require all keys on the .ima keyring be signed (deprecated)"
	depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
	depends on INTEGRITY_ASYMMETRIC_KEYS
	select INTEGRITY_TRUSTED_KEYRING
	default y
	help
	   This option requires that all keys added to the .ima
	   keyring be signed by a key on the system trusted keyring.

	   This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING

config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
	bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
	depends on SYSTEM_TRUSTED_KEYRING
	depends on SECONDARY_TRUSTED_KEYRING
	depends on INTEGRITY_ASYMMETRIC_KEYS
	select INTEGRITY_TRUSTED_KEYRING
	default n
	help
	  Keys may be added to the IMA or IMA blacklist keyrings, if the
	  key is validly signed by a CA cert in the system built-in or
	  secondary trusted keyrings.

	  Intermediate keys between those the kernel has compiled in and the
	  IMA keys to be added may be added to the system secondary keyring,
	  provided they are validly signed by a key already resident in the
	  built-in or secondary trusted keyrings.

config IMA_BLACKLIST_KEYRING
	bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
	depends on SYSTEM_TRUSTED_KEYRING
	depends on IMA_TRUSTED_KEYRING
	default n
	help
	   This option creates an IMA blacklist keyring, which contains all
	   revoked IMA keys.  It is consulted before any other keyring.  If
	   the search is successful the requested operation is rejected and
	   an error is returned to the caller.

config IMA_LOAD_X509
	bool "Load X509 certificate onto the '.ima' trusted keyring"
	depends on IMA_TRUSTED_KEYRING
	default n
	help
	   File signature verification is based on the public keys
	   loaded on the .ima trusted keyring. These public keys are
	   X509 certificates signed by a trusted key on the
	   .system keyring.  This option enables X509 certificate
	   loading from the kernel onto the '.ima' trusted keyring.

config IMA_X509_PATH
	string "IMA X509 certificate path"
	depends on IMA_LOAD_X509
	default "/etc/keys/x509_ima.der"
	help
	   This option defines IMA X509 certificate path.

config IMA_APPRAISE_SIGNED_INIT
	bool "Require signed user-space initialization"
	depends on IMA_LOAD_X509
	default n
	help
	   This option requires user-space init to be signed.
Commit	Line	Data
3323eec9 MZ	1	# IBM Integrity Measurement Architecture
	2	#
	3	config IMA
	4	bool "Integrity Measurement Architecture(IMA)"
3323eec9 MZ	5	select SECURITYFS
	6	select CRYPTO
	7	select CRYPTO_HMAC
	8	select CRYPTO_MD5
	9	select CRYPTO_SHA1
c7c8bb23	10	select CRYPTO_HASH_INFO
f4a0391d	11	select TCG_TPM if HAS_IOMEM && !UML
a69f1589	12	select TCG_TIS if TCG_TPM && X86
fac37c62	13	select TCG_CRB if TCG_TPM && ACPI
63a0eb78	14	select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
2afd020a	15	select INTEGRITY_AUDIT if AUDIT
3323eec9 MZ	16	help
	17	The Trusted Computing Group(TCG) runtime Integrity
	18	Measurement Architecture(IMA) maintains a list of hash
	19	values of executables and other sensitive system files,
	20	as they are read or executed. If an attacker manages
	21	to change the contents of an important system file
	22	being measured, we can tell.
	23
	24	If your system has a TPM chip, then IMA also maintains
	25	an aggregate integrity value over this list inside the
	26	TPM hardware, so that the TPM can prove to a third party
	27	whether or not critical system files have been modified.
	28	Read <http://www.usenix.org/events/sec04/tech/sailer.html>
	29	to learn more about IMA.
	30	If unsure, say N.
	31
d158847a MZ	32	config IMA_KEXEC
	33	bool "Enable carrying the IMA measurement list across a soft boot"
	34	depends on IMA && TCG_TPM && HAVE_IMA_KEXEC
	35	default n
	36	help
	37	TPM PCRs are only reset on a hard reboot. In order to validate
	38	a TPM's quote after a soft boot, the IMA measurement list of the
	39	running kernel must be saved and restored on boot.
	40
	41	Depending on the IMA policy, the measurement list can grow to
	42	be very large.
	43
3323eec9 MZ	44	config IMA_MEASURE_PCR_IDX
	45	int
	46	depends on IMA
	47	range 8 14
	48	default 10
	49	help
	50	IMA_MEASURE_PCR_IDX determines the TPM PCR register index
	51	that IMA uses to maintain the integrity aggregate of the
	52	measurement list. If unsure, use the default 10.
	53
4af4662f MZ	54	config IMA_LSM_RULES
4af4662f MZ	55	bool
b53fab9d	56	depends on IMA && AUDIT && (SECURITY_SELINUX \|\| SECURITY_SMACK)
4af4662f MZ	57	default y
4af4662f MZ	58	help
b53fab9d	59	Disabling this option will disregard LSM based policy rules.
2fe5d6de	60
4286587d MZ	61	choice
	62	prompt "Default template"
	63	default IMA_NG_TEMPLATE
	64	depends on IMA
	65	help
	66	Select the default IMA measurement template.
	67
	68	The original 'ima' measurement list template contains a
	69	hash, defined as 20 bytes, and a null terminated pathname,
	70	limited to 255 characters. The 'ima-ng' measurement list
	71	template permits both larger hash digests and longer
	72	pathnames.
	73
	74	config IMA_TEMPLATE
	75	bool "ima"
	76	config IMA_NG_TEMPLATE
	77	bool "ima-ng (default)"
bcbc9b0c MZ	78	config IMA_SIG_TEMPLATE
bcbc9b0c MZ	79	bool "ima-sig"
4286587d MZ	80	endchoice
	81
	82	config IMA_DEFAULT_TEMPLATE
	83	string
	84	depends on IMA
	85	default "ima" if IMA_TEMPLATE
	86	default "ima-ng" if IMA_NG_TEMPLATE
bcbc9b0c	87	default "ima-sig" if IMA_SIG_TEMPLATE
4286587d	88
e7a2ad7e MZ	89	choice
	90	prompt "Default integrity hash algorithm"
	91	default IMA_DEFAULT_HASH_SHA1
	92	depends on IMA
	93	help
	94	Select the default hash algorithm used for the measurement
	95	list, integrity appraisal and audit log. The compiled default
	96	hash algorithm can be overwritten using the kernel command
	97	line 'ima_hash=' option.
	98
	99	config IMA_DEFAULT_HASH_SHA1
	100	bool "SHA1 (default)"
38d19268	101	depends on CRYPTO_SHA1=y
e7a2ad7e MZ	102
	103	config IMA_DEFAULT_HASH_SHA256
	104	bool "SHA256"
38d19268	105	depends on CRYPTO_SHA256=y && !IMA_TEMPLATE
e7a2ad7e MZ	106
	107	config IMA_DEFAULT_HASH_SHA512
	108	bool "SHA512"
38d19268	109	depends on CRYPTO_SHA512=y && !IMA_TEMPLATE
e7a2ad7e MZ	110
	111	config IMA_DEFAULT_HASH_WP512
	112	bool "WP512"
38d19268	113	depends on CRYPTO_WP512=y && !IMA_TEMPLATE
e7a2ad7e MZ	114	endchoice
	115
	116	config IMA_DEFAULT_HASH
	117	string
	118	depends on IMA
	119	default "sha1" if IMA_DEFAULT_HASH_SHA1
	120	default "sha256" if IMA_DEFAULT_HASH_SHA256
	121	default "sha512" if IMA_DEFAULT_HASH_SHA512
	122	default "wp512" if IMA_DEFAULT_HASH_WP512
	123
38d859f9 PM	124	config IMA_WRITE_POLICY
	125	bool "Enable multiple writes to the IMA policy"
	126	depends on IMA
	127	default n
	128	help
	129	IMA policy can now be updated multiple times. The new rules get
	130	appended to the original policy. Have in mind that the rules are
	131	scanned in FIFO order so be careful when you design and add new ones.
	132
	133	If unsure, say N.
	134
80eae209 PM	135	config IMA_READ_POLICY
	136	bool "Enable reading back the current IMA policy"
	137	depends on IMA
	138	default y if IMA_WRITE_POLICY
	139	default n if !IMA_WRITE_POLICY
	140	help
	141	It is often useful to be able to read back the IMA policy. It is
	142	even more important after introducing CONFIG_IMA_WRITE_POLICY.
	143	This option allows the root user to see the current policy rules.
	144
2fe5d6de MZ	145	config IMA_APPRAISE
	146	bool "Appraise integrity measurements"
	147	depends on IMA
	148	default n
	149	help
	150	This option enables local measurement integrity appraisal.
	151	It requires the system to be labeled with a security extended
	152	attribute containing the file hash measurement. To protect
	153	the security extended attributes from offline attack, enable
	154	and configure EVM.
	155
	156	For more information on integrity appraisal refer to:
	157	<http://linux-ima.sourceforge.net>
	158	If unsure, say N.
7d2ce232	159
d958083a ER	160	config IMA_ARCH_POLICY
	161	bool "Enable loading an IMA architecture specific policy"
	162	depends on KEXEC_VERIFY_SIG \|\| IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS
	163	default n
	164	help
	165	This option enables loading an IMA architecture specific policy
	166	based on run time secure boot flags.
	167
ef96837b MZ	168	config IMA_APPRAISE_BUILD_POLICY
	169	bool "IMA build time configured policy rules"
	170	depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS
	171	default n
	172	help
	173	This option defines an IMA appraisal policy at build time, which
	174	is enforced at run time without having to specify a builtin
	175	policy name on the boot command line. The build time appraisal
	176	policy rules persist after loading a custom policy.
	177
	178	Depending on the rules configured, this policy may require kernel
	179	modules, firmware, the kexec kernel image, and/or the IMA policy
	180	to be signed. Unsigned files might prevent the system from
	181	booting or applications from working properly.
	182
	183	config IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS
	184	bool "Appraise firmware signatures"
	185	depends on IMA_APPRAISE_BUILD_POLICY
	186	default n
	187	help
	188	This option defines a policy requiring all firmware to be signed,
	189	including the regulatory.db. If both this option and
	190	CFG80211_REQUIRE_SIGNED_REGDB are enabled, then both signature
	191	verification methods are necessary.
	192
	193	config IMA_APPRAISE_REQUIRE_KEXEC_SIGS
	194	bool "Appraise kexec kernel image signatures"
	195	depends on IMA_APPRAISE_BUILD_POLICY
	196	default n
	197	help
	198	Enabling this rule will require all kexec'ed kernel images to
	199	be signed and verified by a public key on the trusted IMA
	200	keyring.
	201
	202	Kernel image signatures can not be verified by the original
	203	kexec_load syscall. Enabling this rule will prevent its
	204	usage.
	205
	206	config IMA_APPRAISE_REQUIRE_MODULE_SIGS
	207	bool "Appraise kernel modules signatures"
	208	depends on IMA_APPRAISE_BUILD_POLICY
	209	default n
	210	help
	211	Enabling this rule will require all kernel modules to be signed
	212	and verified by a public key on the trusted IMA keyring.
	213
	214	Kernel module signatures can only be verified by IMA-appraisal,
	215	via the finit_module syscall. Enabling this rule will prevent
	216	the usage of the init_module syscall.
	217
	218	config IMA_APPRAISE_REQUIRE_POLICY_SIGS
	219	bool "Appraise IMA policy signature"
	220	depends on IMA_APPRAISE_BUILD_POLICY
	221	default n
	222	help
	223	Enabling this rule will require the IMA policy to be signed and
	224	and verified by a key on the trusted IMA keyring.
	225
e1f5e01f MZ	226	config IMA_APPRAISE_BOOTPARAM
e1f5e01f MZ	227	bool "ima_appraise boot parameter"
d958083a	228	depends on IMA_APPRAISE && !IMA_ARCH_POLICY
e1f5e01f MZ	229	default y
	230	help
	231	This option enables the different "ima_appraise=" modes
	232	(eg. fix, log) from the boot command line.
	233
7d2ce232	234	config IMA_TRUSTED_KEYRING
f4dc3778	235	bool "Require all keys on the .ima keyring be signed (deprecated)"
7d2ce232 MZ	236	depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
7d2ce232 MZ	237	depends on INTEGRITY_ASYMMETRIC_KEYS
f4dc3778	238	select INTEGRITY_TRUSTED_KEYRING
7d2ce232 MZ	239	default y
	240	help
	241	This option requires that all keys added to the .ima
	242	keyring be signed by a key on the system trusted keyring.
fd5f4e90	243
f4dc3778 DK	244	This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING
f4dc3778 DK	245
56104cf2 DH	246	config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
	247	bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
	248	depends on SYSTEM_TRUSTED_KEYRING
	249	depends on SECONDARY_TRUSTED_KEYRING
	250	depends on INTEGRITY_ASYMMETRIC_KEYS
	251	select INTEGRITY_TRUSTED_KEYRING
	252	default n
	253	help
	254	Keys may be added to the IMA or IMA blacklist keyrings, if the
	255	key is validly signed by a CA cert in the system built-in or
	256	secondary trusted keyrings.
	257
	258	Intermediate keys between those the kernel has compiled in and the
	259	IMA keys to be added may be added to the system secondary keyring,
	260	provided they are validly signed by a key already resident in the
	261	built-in or secondary trusted keyrings.
	262
	263	config IMA_BLACKLIST_KEYRING
	264	bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
41c89b64 PM	265	depends on SYSTEM_TRUSTED_KEYRING
	266	depends on IMA_TRUSTED_KEYRING
	267	default n
	268	help
56104cf2 DH	269	This option creates an IMA blacklist keyring, which contains all
	270	revoked IMA keys. It is consulted before any other keyring. If
	271	the search is successful the requested operation is rejected and
	272	an error is returned to the caller.
41c89b64	273
fd5f4e90 DK	274	config IMA_LOAD_X509
	275	bool "Load X509 certificate onto the '.ima' trusted keyring"
	276	depends on IMA_TRUSTED_KEYRING
	277	default n
	278	help
	279	File signature verification is based on the public keys
	280	loaded on the .ima trusted keyring. These public keys are
	281	X509 certificates signed by a trusted key on the
	282	.system keyring. This option enables X509 certificate
	283	loading from the kernel onto the '.ima' trusted keyring.
	284
	285	config IMA_X509_PATH
	286	string "IMA X509 certificate path"
	287	depends on IMA_LOAD_X509
	288	default "/etc/keys/x509_ima.der"
	289	help
	290	This option defines IMA X509 certificate path.
c57782c1 DK	291
	292	config IMA_APPRAISE_SIGNED_INIT
	293	bool "Require signed user-space initialization"
	294	depends on IMA_LOAD_X509
	295	default n
	296	help
	297	This option requires user-space init to be signed.