[mirror_ubuntu-hirsute-kernel.git] / security / integrity / ima / Kconfig

# IBM Integrity Measurement Architecture
#
config IMA
	bool "Integrity Measurement Architecture(IMA)"
	select SECURITYFS
	select CRYPTO
	select CRYPTO_HMAC
	select CRYPTO_MD5
	select CRYPTO_SHA1
	select CRYPTO_HASH_INFO
	select TCG_TPM if HAS_IOMEM && !UML
	select TCG_TIS if TCG_TPM && X86
	select TCG_CRB if TCG_TPM && ACPI
	select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
	help
	  The Trusted Computing Group(TCG) runtime Integrity
	  Measurement Architecture(IMA) maintains a list of hash
	  values of executables and other sensitive system files,
	  as they are read or executed. If an attacker manages
	  to change the contents of an important system file
	  being measured, we can tell.

	  If your system has a TPM chip, then IMA also maintains
	  an aggregate integrity value over this list inside the
	  TPM hardware, so that the TPM can prove to a third party
	  whether or not critical system files have been modified.
	  Read <http://www.usenix.org/events/sec04/tech/sailer.html>
	  to learn more about IMA.
	  If unsure, say N.

config IMA_KEXEC
	bool "Enable carrying the IMA measurement list across a soft boot"
	depends on IMA && TCG_TPM && HAVE_IMA_KEXEC
	default n
	help
	   TPM PCRs are only reset on a hard reboot.  In order to validate
	   a TPM's quote after a soft boot, the IMA measurement list of the
	   running kernel must be saved and restored on boot.

	   Depending on the IMA policy, the measurement list can grow to
	   be very large.

config IMA_MEASURE_PCR_IDX
	int
	depends on IMA
	range 8 14
	default 10
	help
	  IMA_MEASURE_PCR_IDX determines the TPM PCR register index
	  that IMA uses to maintain the integrity aggregate of the
	  measurement list.  If unsure, use the default 10.

config IMA_LSM_RULES
	bool
	depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)
	default y
	help
	  Disabling this option will disregard LSM based policy rules.

choice
	prompt "Default template"
	default IMA_NG_TEMPLATE
	depends on IMA
	help
	  Select the default IMA measurement template.

	  The original 'ima' measurement list template contains a
	  hash, defined as 20 bytes, and a null terminated pathname,
	  limited to 255 characters.  The 'ima-ng' measurement list
	  template permits both larger hash digests and longer
	  pathnames.

	config IMA_TEMPLATE
		bool "ima"
	config IMA_NG_TEMPLATE
		bool "ima-ng (default)"
	config IMA_SIG_TEMPLATE
		bool "ima-sig"
endchoice

config IMA_DEFAULT_TEMPLATE
	string
	depends on IMA
	default "ima" if IMA_TEMPLATE
	default "ima-ng" if IMA_NG_TEMPLATE
	default "ima-sig" if IMA_SIG_TEMPLATE

choice
	prompt "Default integrity hash algorithm"
	default IMA_DEFAULT_HASH_SHA1
	depends on IMA
	help
	   Select the default hash algorithm used for the measurement
	   list, integrity appraisal and audit log.  The compiled default
	   hash algorithm can be overwritten using the kernel command
	   line 'ima_hash=' option.

	config IMA_DEFAULT_HASH_SHA1
		bool "SHA1 (default)"
		depends on CRYPTO_SHA1=y

	config IMA_DEFAULT_HASH_SHA256
		bool "SHA256"
		depends on CRYPTO_SHA256=y && !IMA_TEMPLATE

	config IMA_DEFAULT_HASH_SHA512
		bool "SHA512"
		depends on CRYPTO_SHA512=y && !IMA_TEMPLATE

	config IMA_DEFAULT_HASH_WP512
		bool "WP512"
		depends on CRYPTO_WP512=y && !IMA_TEMPLATE
endchoice

config IMA_DEFAULT_HASH
	string
	depends on IMA
	default "sha1" if IMA_DEFAULT_HASH_SHA1
	default "sha256" if IMA_DEFAULT_HASH_SHA256
	default "sha512" if IMA_DEFAULT_HASH_SHA512
	default "wp512" if IMA_DEFAULT_HASH_WP512

config IMA_WRITE_POLICY
	bool "Enable multiple writes to the IMA policy"
	depends on IMA
	default n
	help
	  IMA policy can now be updated multiple times.  The new rules get
	  appended to the original policy.  Have in mind that the rules are
	  scanned in FIFO order so be careful when you design and add new ones.

	  If unsure, say N.

config IMA_READ_POLICY
	bool "Enable reading back the current IMA policy"
	depends on IMA
	default y if IMA_WRITE_POLICY
	default n if !IMA_WRITE_POLICY
	help
	   It is often useful to be able to read back the IMA policy.  It is
	   even more important after introducing CONFIG_IMA_WRITE_POLICY.
	   This option allows the root user to see the current policy rules.

config IMA_APPRAISE
	bool "Appraise integrity measurements"
	depends on IMA
	default n
	help
	  This option enables local measurement integrity appraisal.
	  It requires the system to be labeled with a security extended
	  attribute containing the file hash measurement.  To protect
	  the security extended attributes from offline attack, enable
	  and configure EVM.

	  For more information on integrity appraisal refer to:
	  <http://linux-ima.sourceforge.net>
	  If unsure, say N.

config IMA_APPRAISE_BOOTPARAM
	bool "ima_appraise boot parameter"
	depends on IMA_APPRAISE
	default y
	help
	  This option enables the different "ima_appraise=" modes
	  (eg. fix, log) from the boot command line.

config IMA_TRUSTED_KEYRING
	bool "Require all keys on the .ima keyring be signed (deprecated)"
	depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
	depends on INTEGRITY_ASYMMETRIC_KEYS
	select INTEGRITY_TRUSTED_KEYRING
	default y
	help
	   This option requires that all keys added to the .ima
	   keyring be signed by a key on the system trusted keyring.

	   This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING

config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
	bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
	depends on SYSTEM_TRUSTED_KEYRING
	depends on SECONDARY_TRUSTED_KEYRING
	depends on INTEGRITY_ASYMMETRIC_KEYS
	select INTEGRITY_TRUSTED_KEYRING
	default n
	help
	  Keys may be added to the IMA or IMA blacklist keyrings, if the
	  key is validly signed by a CA cert in the system built-in or
	  secondary trusted keyrings.

	  Intermediate keys between those the kernel has compiled in and the
	  IMA keys to be added may be added to the system secondary keyring,
	  provided they are validly signed by a key already resident in the
	  built-in or secondary trusted keyrings.

config IMA_BLACKLIST_KEYRING
	bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
	depends on SYSTEM_TRUSTED_KEYRING
	depends on IMA_TRUSTED_KEYRING
	default n
	help
	   This option creates an IMA blacklist keyring, which contains all
	   revoked IMA keys.  It is consulted before any other keyring.  If
	   the search is successful the requested operation is rejected and
	   an error is returned to the caller.

config IMA_LOAD_X509
	bool "Load X509 certificate onto the '.ima' trusted keyring"
	depends on IMA_TRUSTED_KEYRING
	default n
	help
	   File signature verification is based on the public keys
	   loaded on the .ima trusted keyring. These public keys are
	   X509 certificates signed by a trusted key on the
	   .system keyring.  This option enables X509 certificate
	   loading from the kernel onto the '.ima' trusted keyring.

config IMA_X509_PATH
	string "IMA X509 certificate path"
	depends on IMA_LOAD_X509
	default "/etc/keys/x509_ima.der"
	help
	   This option defines IMA X509 certificate path.

config IMA_APPRAISE_SIGNED_INIT
	bool "Require signed user-space initialization"
	depends on IMA_LOAD_X509
	default n
	help
	   This option requires user-space init to be signed.
Commit	Line	Data
3323eec9 MZ	1	# IBM Integrity Measurement Architecture
	2	#
	3	config IMA
	4	bool "Integrity Measurement Architecture(IMA)"
3323eec9 MZ	5	select SECURITYFS
	6	select CRYPTO
	7	select CRYPTO_HMAC
	8	select CRYPTO_MD5
	9	select CRYPTO_SHA1
c7c8bb23	10	select CRYPTO_HASH_INFO
f4a0391d	11	select TCG_TPM if HAS_IOMEM && !UML
a69f1589	12	select TCG_TIS if TCG_TPM && X86
fac37c62	13	select TCG_CRB if TCG_TPM && ACPI
63a0eb78	14	select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
3323eec9 MZ	15	help
	16	The Trusted Computing Group(TCG) runtime Integrity
	17	Measurement Architecture(IMA) maintains a list of hash
	18	values of executables and other sensitive system files,
	19	as they are read or executed. If an attacker manages
	20	to change the contents of an important system file
	21	being measured, we can tell.
	22
	23	If your system has a TPM chip, then IMA also maintains
	24	an aggregate integrity value over this list inside the
	25	TPM hardware, so that the TPM can prove to a third party
	26	whether or not critical system files have been modified.
	27	Read <http://www.usenix.org/events/sec04/tech/sailer.html>
	28	to learn more about IMA.
	29	If unsure, say N.
	30
d158847a MZ	31	config IMA_KEXEC
	32	bool "Enable carrying the IMA measurement list across a soft boot"
	33	depends on IMA && TCG_TPM && HAVE_IMA_KEXEC
	34	default n
	35	help
	36	TPM PCRs are only reset on a hard reboot. In order to validate
	37	a TPM's quote after a soft boot, the IMA measurement list of the
	38	running kernel must be saved and restored on boot.
	39
	40	Depending on the IMA policy, the measurement list can grow to
	41	be very large.
	42
3323eec9 MZ	43	config IMA_MEASURE_PCR_IDX
	44	int
	45	depends on IMA
	46	range 8 14
	47	default 10
	48	help
	49	IMA_MEASURE_PCR_IDX determines the TPM PCR register index
	50	that IMA uses to maintain the integrity aggregate of the
	51	measurement list. If unsure, use the default 10.
	52
4af4662f MZ	53	config IMA_LSM_RULES
4af4662f MZ	54	bool
b53fab9d	55	depends on IMA && AUDIT && (SECURITY_SELINUX \|\| SECURITY_SMACK)
4af4662f MZ	56	default y
4af4662f MZ	57	help
b53fab9d	58	Disabling this option will disregard LSM based policy rules.
2fe5d6de	59
4286587d MZ	60	choice
	61	prompt "Default template"
	62	default IMA_NG_TEMPLATE
	63	depends on IMA
	64	help
	65	Select the default IMA measurement template.
	66
	67	The original 'ima' measurement list template contains a
	68	hash, defined as 20 bytes, and a null terminated pathname,
	69	limited to 255 characters. The 'ima-ng' measurement list
	70	template permits both larger hash digests and longer
	71	pathnames.
	72
	73	config IMA_TEMPLATE
	74	bool "ima"
	75	config IMA_NG_TEMPLATE
	76	bool "ima-ng (default)"
bcbc9b0c MZ	77	config IMA_SIG_TEMPLATE
bcbc9b0c MZ	78	bool "ima-sig"
4286587d MZ	79	endchoice
	80
	81	config IMA_DEFAULT_TEMPLATE
	82	string
	83	depends on IMA
	84	default "ima" if IMA_TEMPLATE
	85	default "ima-ng" if IMA_NG_TEMPLATE
bcbc9b0c	86	default "ima-sig" if IMA_SIG_TEMPLATE
4286587d	87
e7a2ad7e MZ	88	choice
	89	prompt "Default integrity hash algorithm"
	90	default IMA_DEFAULT_HASH_SHA1
	91	depends on IMA
	92	help
	93	Select the default hash algorithm used for the measurement
	94	list, integrity appraisal and audit log. The compiled default
	95	hash algorithm can be overwritten using the kernel command
	96	line 'ima_hash=' option.
	97
	98	config IMA_DEFAULT_HASH_SHA1
	99	bool "SHA1 (default)"
38d19268	100	depends on CRYPTO_SHA1=y
e7a2ad7e MZ	101
	102	config IMA_DEFAULT_HASH_SHA256
	103	bool "SHA256"
38d19268	104	depends on CRYPTO_SHA256=y && !IMA_TEMPLATE
e7a2ad7e MZ	105
	106	config IMA_DEFAULT_HASH_SHA512
	107	bool "SHA512"
38d19268	108	depends on CRYPTO_SHA512=y && !IMA_TEMPLATE
e7a2ad7e MZ	109
	110	config IMA_DEFAULT_HASH_WP512
	111	bool "WP512"
38d19268	112	depends on CRYPTO_WP512=y && !IMA_TEMPLATE
e7a2ad7e MZ	113	endchoice
	114
	115	config IMA_DEFAULT_HASH
	116	string
	117	depends on IMA
	118	default "sha1" if IMA_DEFAULT_HASH_SHA1
	119	default "sha256" if IMA_DEFAULT_HASH_SHA256
	120	default "sha512" if IMA_DEFAULT_HASH_SHA512
	121	default "wp512" if IMA_DEFAULT_HASH_WP512
	122
38d859f9 PM	123	config IMA_WRITE_POLICY
	124	bool "Enable multiple writes to the IMA policy"
	125	depends on IMA
	126	default n
	127	help
	128	IMA policy can now be updated multiple times. The new rules get
	129	appended to the original policy. Have in mind that the rules are
	130	scanned in FIFO order so be careful when you design and add new ones.
	131
	132	If unsure, say N.
	133
80eae209 PM	134	config IMA_READ_POLICY
	135	bool "Enable reading back the current IMA policy"
	136	depends on IMA
	137	default y if IMA_WRITE_POLICY
	138	default n if !IMA_WRITE_POLICY
	139	help
	140	It is often useful to be able to read back the IMA policy. It is
	141	even more important after introducing CONFIG_IMA_WRITE_POLICY.
	142	This option allows the root user to see the current policy rules.
	143
2fe5d6de MZ	144	config IMA_APPRAISE
	145	bool "Appraise integrity measurements"
	146	depends on IMA
	147	default n
	148	help
	149	This option enables local measurement integrity appraisal.
	150	It requires the system to be labeled with a security extended
	151	attribute containing the file hash measurement. To protect
	152	the security extended attributes from offline attack, enable
	153	and configure EVM.
	154
	155	For more information on integrity appraisal refer to:
	156	<http://linux-ima.sourceforge.net>
	157	If unsure, say N.
7d2ce232	158
e1f5e01f MZ	159	config IMA_APPRAISE_BOOTPARAM
	160	bool "ima_appraise boot parameter"
	161	depends on IMA_APPRAISE
	162	default y
	163	help
	164	This option enables the different "ima_appraise=" modes
	165	(eg. fix, log) from the boot command line.
	166
7d2ce232	167	config IMA_TRUSTED_KEYRING
f4dc3778	168	bool "Require all keys on the .ima keyring be signed (deprecated)"
7d2ce232 MZ	169	depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
7d2ce232 MZ	170	depends on INTEGRITY_ASYMMETRIC_KEYS
f4dc3778	171	select INTEGRITY_TRUSTED_KEYRING
7d2ce232 MZ	172	default y
	173	help
	174	This option requires that all keys added to the .ima
	175	keyring be signed by a key on the system trusted keyring.
fd5f4e90	176
f4dc3778 DK	177	This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING
f4dc3778 DK	178
56104cf2 DH	179	config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
	180	bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
	181	depends on SYSTEM_TRUSTED_KEYRING
	182	depends on SECONDARY_TRUSTED_KEYRING
	183	depends on INTEGRITY_ASYMMETRIC_KEYS
	184	select INTEGRITY_TRUSTED_KEYRING
	185	default n
	186	help
	187	Keys may be added to the IMA or IMA blacklist keyrings, if the
	188	key is validly signed by a CA cert in the system built-in or
	189	secondary trusted keyrings.
	190
	191	Intermediate keys between those the kernel has compiled in and the
	192	IMA keys to be added may be added to the system secondary keyring,
	193	provided they are validly signed by a key already resident in the
	194	built-in or secondary trusted keyrings.
	195
	196	config IMA_BLACKLIST_KEYRING
	197	bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
41c89b64 PM	198	depends on SYSTEM_TRUSTED_KEYRING
	199	depends on IMA_TRUSTED_KEYRING
	200	default n
	201	help
56104cf2 DH	202	This option creates an IMA blacklist keyring, which contains all
	203	revoked IMA keys. It is consulted before any other keyring. If
	204	the search is successful the requested operation is rejected and
	205	an error is returned to the caller.
41c89b64	206
fd5f4e90 DK	207	config IMA_LOAD_X509
	208	bool "Load X509 certificate onto the '.ima' trusted keyring"
	209	depends on IMA_TRUSTED_KEYRING
	210	default n
	211	help
	212	File signature verification is based on the public keys
	213	loaded on the .ima trusted keyring. These public keys are
	214	X509 certificates signed by a trusted key on the
	215	.system keyring. This option enables X509 certificate
	216	loading from the kernel onto the '.ima' trusted keyring.
	217
	218	config IMA_X509_PATH
	219	string "IMA X509 certificate path"
	220	depends on IMA_LOAD_X509
	221	default "/etc/keys/x509_ima.der"
	222	help
	223	This option defines IMA X509 certificate path.
c57782c1 DK	224
	225	config IMA_APPRAISE_SIGNED_INIT
	226	bool "Require signed user-space initialization"
	227	depends on IMA_LOAD_X509
	228	default n
	229	help
	230	This option requires user-space init to be signed.