```kconfig
# IBM Integrity Measurement Architecture
#
config IMA
	bool "Integrity Measurement Architecture(IMA)"
	select SECURITYFS
	select CRYPTO
	select CRYPTO_HMAC
	select CRYPTO_MD5
	select CRYPTO_SHA1
	select CRYPTO_HASH_INFO
	select TCG_TPM if HAS_IOMEM && !UML
	select TCG_TIS if TCG_TPM && X86
	select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
	help
	  The Trusted Computing Group(TCG) runtime Integrity
	  Measurement Architecture(IMA) maintains a list of hash
	  values of executables and other sensitive system files,
	  as they are read or executed. If an attacker manages
	  to change the contents of an important system file
	  being measured, we can tell.

	  If your system has a TPM chip, then IMA also maintains
	  an aggregate integrity value over this list inside the
	  TPM hardware, so that the TPM can prove to a third party
	  whether or not critical system files have been modified.
	  Read <http://www.usenix.org/events/sec04/tech/sailer.html>
	  to learn more about IMA.
	  If unsure, say N.

config IMA_KEXEC
	bool "Enable carrying the IMA measurement list across a soft boot"
	depends on IMA && TCG_TPM && HAVE_IMA_KEXEC
	default n
	help
	  TPM PCRs are only reset on a hard reboot. In order to validate
	  a TPM's quote after a soft boot, the IMA measurement list of the
	  running kernel must be saved and restored on boot.

	  Depending on the IMA policy, the measurement list can grow to
	  be very large.

config IMA_MEASURE_PCR_IDX
	int
	depends on IMA
	range 8 14
	default 10
	help
	  IMA_MEASURE_PCR_IDX determines the TPM PCR register index
	  that IMA uses to maintain the integrity aggregate of the
	  measurement list. If unsure, use the default 10.

config IMA_LSM_RULES
	bool
	depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)
	default y
	help
	  Disabling this option will disregard LSM based policy rules.

choice
	prompt "Default template"
	default IMA_NG_TEMPLATE
	depends on IMA
	help
	  Select the default IMA measurement template.

	  The original 'ima' measurement list template contains a
	  hash, defined as 20 bytes, and a null terminated pathname,
	  limited to 255 characters. The 'ima-ng' measurement list
	  template permits both larger hash digests and longer
	  pathnames.

	config IMA_TEMPLATE
		bool "ima"
	config IMA_NG_TEMPLATE
		bool "ima-ng (default)"
	config IMA_SIG_TEMPLATE
		bool "ima-sig"
endchoice

config IMA_DEFAULT_TEMPLATE
	string
	depends on IMA
	default "ima" if IMA_TEMPLATE
	default "ima-ng" if IMA_NG_TEMPLATE
	default "ima-sig" if IMA_SIG_TEMPLATE

choice
	prompt "Default integrity hash algorithm"
	default IMA_DEFAULT_HASH_SHA1
	depends on IMA
	help
	  Select the default hash algorithm used for the measurement
	  list, integrity appraisal and audit log. The compiled default
	  hash algorithm can be overwritten using the kernel command
	  line 'ima_hash=' option.

	config IMA_DEFAULT_HASH_SHA1
		bool "SHA1 (default)"
		depends on CRYPTO_SHA1

	config IMA_DEFAULT_HASH_SHA256
		bool "SHA256"
		depends on CRYPTO_SHA256 && !IMA_TEMPLATE

	config IMA_DEFAULT_HASH_SHA512
		bool "SHA512"
		depends on CRYPTO_SHA512 && !IMA_TEMPLATE

	config IMA_DEFAULT_HASH_WP512
		bool "WP512"
		depends on CRYPTO_WP512 && !IMA_TEMPLATE
endchoice

config IMA_DEFAULT_HASH
	string
	depends on IMA
	default "sha1" if IMA_DEFAULT_HASH_SHA1
	default "sha256" if IMA_DEFAULT_HASH_SHA256
	default "sha512" if IMA_DEFAULT_HASH_SHA512
	default "wp512" if IMA_DEFAULT_HASH_WP512

config IMA_WRITE_POLICY
	bool "Enable multiple writes to the IMA policy"
	depends on IMA
	default n
	help
	  IMA policy can now be updated multiple times. The new rules get
	  appended to the original policy. Have in mind that the rules are
	  scanned in FIFO order so be careful when you design and add new ones.

	  If unsure, say N.

config IMA_READ_POLICY
	bool "Enable reading back the current IMA policy"
	depends on IMA
	default y if IMA_WRITE_POLICY
	default n if !IMA_WRITE_POLICY
	help
	  It is often useful to be able to read back the IMA policy. It is
	  even more important after introducing CONFIG_IMA_WRITE_POLICY.
	  This option allows the root user to see the current policy rules.

config IMA_APPRAISE
	bool "Appraise integrity measurements"
	depends on IMA
	default n
	help
	  This option enables local measurement integrity appraisal.
	  It requires the system to be labeled with a security extended
	  attribute containing the file hash measurement. To protect
	  the security extended attributes from offline attack, enable
	  and configure EVM.

	  For more information on integrity appraisal refer to:
	  <http://linux-ima.sourceforge.net>
	  If unsure, say N.

config IMA_APPRAISE_BOOTPARAM
	bool "ima_appraise boot parameter"
	depends on IMA_APPRAISE
	default y
	help
	  This option enables the different "ima_appraise=" modes
	  (eg. fix, log) from the boot command line.

config IMA_TRUSTED_KEYRING
	bool "Require all keys on the .ima keyring be signed (deprecated)"
	depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
	depends on INTEGRITY_ASYMMETRIC_KEYS
	select INTEGRITY_TRUSTED_KEYRING
	default y
	help
	  This option requires that all keys added to the .ima
	  keyring be signed by a key on the system trusted keyring.

	  This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING

config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
	bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
	depends on SYSTEM_TRUSTED_KEYRING
	depends on SECONDARY_TRUSTED_KEYRING
	depends on INTEGRITY_ASYMMETRIC_KEYS
	select INTEGRITY_TRUSTED_KEYRING
	default n
	help
	  Keys may be added to the IMA or IMA blacklist keyrings, if the
	  key is validly signed by a CA cert in the system built-in or
	  secondary trusted keyrings.

	  Intermediate keys between those the kernel has compiled in and the
	  IMA keys to be added may be added to the system secondary keyring,
	  provided they are validly signed by a key already resident in the
	  built-in or secondary trusted keyrings.

config IMA_BLACKLIST_KEYRING
	bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
	depends on SYSTEM_TRUSTED_KEYRING
	depends on IMA_TRUSTED_KEYRING
	default n
	help
	  This option creates an IMA blacklist keyring, which contains all
	  revoked IMA keys. It is consulted before any other keyring. If
	  the search is successful the requested operation is rejected and
	  an error is returned to the caller.

config IMA_LOAD_X509
	bool "Load X509 certificate onto the '.ima' trusted keyring"
	depends on IMA_TRUSTED_KEYRING
	default n
	help
	  File signature verification is based on the public keys
	  loaded on the .ima trusted keyring. These public keys are
	  X509 certificates signed by a trusted key on the
	  .system keyring. This option enables X509 certificate
	  loading from the kernel onto the '.ima' trusted keyring.

config IMA_X509_PATH
	string "IMA X509 certificate path"
	depends on IMA_LOAD_X509
	default "/etc/keys/x509_ima.der"
	help
	  This option defines IMA X509 certificate path.

config IMA_APPRAISE_SIGNED_INIT
	bool "Require signed user-space initialization"
	depends on IMA_LOAD_X509
	default n
	help
	  This option requires user-space init to be signed.
```
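The IMA help text above says the kernel keeps a list of file hashes and, when a TPM is present, an aggregate over that list in the PCR chosen by IMA_MEASURE_PCR_IDX (default 10), so a third party can tell whether measured files changed. The following is an added verifier-side example, not code from the kernel tree this Kconfig belongs to: it replays an 'ima-ng' measurement list the way a remote attestation verifier would, recomputing each entry's template hash from its fields and extending a simulated PCR until it can be compared with a quoted value. Assumptions, labelled in the code: entries use the ascii_runtime_measurements layout (`<pcr> <template-hash> ima-ng <algo>:<hex> <pathname>`), template field lengths are little-endian u32 (native order on x86, not the canonical-format option), the template hash is SHA1, and every sample entry is constructed rather than captured from a real system.

```python
"""Verifier-side replay of an IMA measurement list (ima-ng template).

Added example; not kernel code. It re-derives what the IMA help text
describes: each list entry's template hash is SHA1 over the template
fields, and the PCR selected by IMA_MEASURE_PCR_IDX (default 10) holds the
running aggregate SHA1(PCR || template_hash) over the whole list.

Assumptions: ascii_runtime_measurements layout, little-endian u32 field
lengths (x86 native order), SHA1 template hashes, constructed sample data.
"""
import hashlib
import struct

PCR_SIZE = 20  # SHA1-sized PCR, matching the ima-ng template hash


def template_hash_ng(algo: str, file_digest: bytes, pathname: str) -> bytes:
    """SHA1 of the ima-ng template data: u32 length + data for each field.

    d-ng field: "<algo>:" + NUL + raw digest; n-ng field: pathname + NUL.
    """
    d_ng = algo.encode() + b":\x00" + file_digest
    n_ng = pathname.encode() + b"\x00"
    h = hashlib.sha1()
    for field in (d_ng, n_ng):
        h.update(struct.pack("<I", len(field)))  # assumption: little-endian host
        h.update(field)
    return h.digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2 style extend: new PCR = SHA1(old PCR || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def parse_line(line: str) -> dict:
    """Parse one ascii_runtime_measurements line (pathname may contain spaces)."""
    pcr, template_hash, template, digest_field, pathname = line.rstrip("\n").split(" ", 4)
    if template != "ima-ng":
        raise ValueError(f"unsupported template {template!r}")
    algo, hexdigest = digest_field.split(":", 1)
    return {
        "pcr": int(pcr),
        "template_hash": bytes.fromhex(template_hash),
        "algo": algo,
        "file_digest": bytes.fromhex(hexdigest),
        "pathname": pathname,
    }


def replay(lines, pcr_idx=10):
    """Recompute the PCR aggregate from the list; return (pcr, problems).

    problems lists (index, pathname) of entries whose recorded template hash
    does not match the fields they carry, so a tampered entry is reported
    by name instead of as an unexplained PCR mismatch.
    """
    pcr = bytes(PCR_SIZE)  # PCRs are all zeros after a hard reboot
    problems = []
    for n, line in enumerate(lines):
        e = parse_line(line)
        if e["pcr"] != pcr_idx:
            continue  # entries for other PCRs do not feed this aggregate
        if e["template_hash"] == bytes(PCR_SIZE):
            # Violation entry (e.g. open-writers): the list shows zeros but the
            # kernel extends the PCR with 0xff bytes to invalidate it.
            pcr = pcr_extend(pcr, b"\xff" * PCR_SIZE)
            continue
        expected = template_hash_ng(e["algo"], e["file_digest"], e["pathname"])
        if expected != e["template_hash"]:
            problems.append((n, e["pathname"]))
        pcr = pcr_extend(pcr, e["template_hash"])  # what the TPM actually saw
    return pcr, problems


def verify(lines, quoted_pcr: bytes, pcr_idx=10) -> bool:
    """True only if the list is self-consistent and replays to the quoted PCR."""
    pcr, problems = replay(lines, pcr_idx)
    return not problems and pcr == quoted_pcr


def format_entry(algo: str, file_digest: bytes, pathname: str, pcr_idx=10) -> str:
    """Build a list line the way the kernel prints it (used for the samples)."""
    th = template_hash_ng(algo, file_digest, pathname)
    return f"{pcr_idx} {th.hex()} ima-ng {algo}:{file_digest.hex()} {pathname}"


# Constructed sample list: boot_aggregate, two files, one violation entry.
SAMPLE_LINES = [
    format_entry("sha1", bytes.fromhex("11" * 20), "boot_aggregate"),
    format_entry("sha256", bytes.fromhex("22" * 32), "/usr/bin/true"),
    format_entry("sha256", bytes.fromhex("33" * 32), "/usr/lib/with space.so"),
    "10 " + "00" * 20 + " ima-ng sha1:" + "00" * 20 + " /tmp/open-writers",
]

if __name__ == "__main__":
    pcr, problems = replay(SAMPLE_LINES)
    print("replayed PCR-10:", pcr.hex(), "problems:", problems)
    tampered = (SAMPLE_LINES[:1]
                + [SAMPLE_LINES[1].replace("/usr/bin/true", "/usr/bin/false")]
                + SAMPLE_LINES[2:])
    print("tampered list verifies:", verify(tampered, pcr))
```

Two points the help text only hints at are visible here: the quoted PCR alone proves nothing about a list whose entries have been rewritten but whose template hashes were left intact, which is why `replay` recomputes each template hash from its fields, and a violation entry (zero digest in the list) contributes `0xff` bytes to the PCR, so a verifier that extends with the listed zeros will never match the quote.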