3323eec9 MZ |
1 | # IBM Integrity Measurement Architecture |
2 | # | |
3 | config IMA | |
4 | bool "Integrity Measurement Architecture(IMA)" | |
6c21a7fb | 5 | depends on SECURITY |
f381c272 | 6 | select INTEGRITY |
3323eec9 MZ |
7 | select SECURITYFS |
8 | select CRYPTO | |
9 | select CRYPTO_HMAC | |
10 | select CRYPTO_MD5 | |
11 | select CRYPTO_SHA1 | |
c7c8bb23 | 12 | select CRYPTO_HASH_INFO |
f4a0391d | 13 | select TCG_TPM if HAS_IOMEM && !UML |
a69f1589 | 14 | select TCG_TIS if TCG_TPM && X86 |
20328b56 | 15 | select TCG_IBMVTPM if TCG_TPM && PPC64 |
3323eec9 MZ |
16 | help |
17 | The Trusted Computing Group (TCG) runtime Integrity | |
18 | Measurement Architecture (IMA) maintains a list of hash | |
19 | values of executables and other sensitive system files, | |
20 | as they are read or executed. If an attacker manages | |
21 | to change the contents of an important system file | |
22 | being measured, we can tell. | |
23 | ||
24 | If your system has a TPM chip, then IMA also maintains | |
25 | an aggregate integrity value over this list inside the | |
26 | TPM hardware, so that the TPM can prove to a third party | |
27 | whether or not critical system files have been modified. | |
28 | Read <http://www.usenix.org/events/sec04/tech/sailer.html> | |
29 | to learn more about IMA. | |
30 | If unsure, say N. | |
31 | ||
32 | config IMA_MEASURE_PCR_IDX | |
33 | int | |
34 | depends on IMA | |
35 | range 8 14 | |
36 | default 10 | |
37 | help | |
38 | IMA_MEASURE_PCR_IDX determines the TPM PCR register index | |
39 | that IMA uses to maintain the integrity aggregate of the | |
40 | measurement list. If unsure, use the default 10. | |
41 | ||
4af4662f MZ |
42 | config IMA_LSM_RULES |
43 | bool | |
b53fab9d | 44 | depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK) |
4af4662f MZ |
45 | default y |
46 | help | |
b53fab9d | 47 | Disabling this option will disregard LSM-based policy rules. |
2fe5d6de | 48 | |
4286587d MZ |
49 | choice |
50 | prompt "Default template" | |
51 | default IMA_NG_TEMPLATE | |
52 | depends on IMA | |
53 | help | |
54 | Select the default IMA measurement template. | |
55 | ||
56 | The original 'ima' measurement list template contains a | |
57 | hash, defined as 20 bytes, and a null terminated pathname, | |
58 | limited to 255 characters. The 'ima-ng' measurement list | |
59 | template permits both larger hash digests and longer | |
60 | pathnames. | |
61 | ||
62 | config IMA_TEMPLATE | |
63 | bool "ima" | |
64 | config IMA_NG_TEMPLATE | |
65 | bool "ima-ng (default)" | |
bcbc9b0c MZ |
66 | config IMA_SIG_TEMPLATE |
67 | bool "ima-sig" | |
4286587d MZ |
68 | endchoice |
69 | ||
70 | config IMA_DEFAULT_TEMPLATE | |
71 | string | |
72 | depends on IMA | |
73 | default "ima" if IMA_TEMPLATE | |
74 | default "ima-ng" if IMA_NG_TEMPLATE | |
bcbc9b0c | 75 | default "ima-sig" if IMA_SIG_TEMPLATE |
4286587d | 76 | |
e7a2ad7e MZ |
77 | choice |
78 | prompt "Default integrity hash algorithm" | |
79 | default IMA_DEFAULT_HASH_SHA1 | |
80 | depends on IMA | |
81 | help | |
82 | Select the default hash algorithm used for the measurement | |
83 | list, integrity appraisal and audit log. The compiled default | |
84 | hash algorithm can be overridden using the kernel command | |
85 | line 'ima_hash=' option. | |
86 | ||
87 | config IMA_DEFAULT_HASH_SHA1 | |
88 | bool "SHA1 (default)" | |
89 | depends on CRYPTO_SHA1 | |
90 | ||
91 | config IMA_DEFAULT_HASH_SHA256 | |
92 | bool "SHA256" | |
93 | depends on CRYPTO_SHA256 && !IMA_TEMPLATE | |
94 | ||
95 | config IMA_DEFAULT_HASH_SHA512 | |
96 | bool "SHA512" | |
97 | depends on CRYPTO_SHA512 && !IMA_TEMPLATE | |
98 | ||
99 | config IMA_DEFAULT_HASH_WP512 | |
100 | bool "WP512" | |
101 | depends on CRYPTO_WP512 && !IMA_TEMPLATE | |
102 | endchoice | |
103 | ||
104 | config IMA_DEFAULT_HASH | |
105 | string | |
106 | depends on IMA | |
107 | default "sha1" if IMA_DEFAULT_HASH_SHA1 | |
108 | default "sha256" if IMA_DEFAULT_HASH_SHA256 | |
109 | default "sha512" if IMA_DEFAULT_HASH_SHA512 | |
110 | default "wp512" if IMA_DEFAULT_HASH_WP512 | |
111 | ||
2fe5d6de MZ |
112 | config IMA_APPRAISE |
113 | bool "Appraise integrity measurements" | |
114 | depends on IMA | |
115 | default n | |
116 | help | |
117 | This option enables local measurement integrity appraisal. | |
118 | It requires the system to be labeled with a security extended | |
119 | attribute containing the file hash measurement. To protect | |
120 | the security extended attributes from offline attack, enable | |
121 | and configure EVM. | |
122 | ||
123 | For more information on integrity appraisal refer to: | |
124 | <http://linux-ima.sourceforge.net> | |
125 | If unsure, say N. |