Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar...

[mirror_ubuntu-jammy-kernel.git] / security / integrity / ima / Kconfig

# SPDX-License-Identifier: GPL-2.0-only
# IBM Integrity Measurement Architecture
#
config IMA
        bool "Integrity Measurement Architecture(IMA)"
        select SECURITYFS
        select CRYPTO
        select CRYPTO_HMAC
        select CRYPTO_MD5
        select CRYPTO_SHA1
        select CRYPTO_HASH_INFO
        select TCG_TPM if HAS_IOMEM && !UML
        select TCG_TIS if TCG_TPM && X86
        select TCG_CRB if TCG_TPM && ACPI
        select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
        select INTEGRITY_AUDIT if AUDIT
        help
          The Trusted Computing Group(TCG) runtime Integrity
          Measurement Architecture(IMA) maintains a list of hash
          values of executables and other sensitive system files,
          as they are read or executed. If an attacker manages
          to change the contents of an important system file
          being measured, we can tell.

          If your system has a TPM chip, then IMA also maintains
          an aggregate integrity value over this list inside the
          TPM hardware, so that the TPM can prove to a third party
          whether or not critical system files have been modified.
          Read <http://www.usenix.org/events/sec04/tech/sailer.html>
          to learn more about IMA.
          If unsure, say N.

config IMA_KEXEC
        bool "Enable carrying the IMA measurement list across a soft boot"
        depends on IMA && TCG_TPM && HAVE_IMA_KEXEC
        default n
        help
           TPM PCRs are only reset on a hard reboot.  In order to validate
           a TPM's quote after a soft boot, the IMA measurement list of the
           running kernel must be saved and restored on boot.

           Depending on the IMA policy, the measurement list can grow to
           be very large.

config IMA_MEASURE_PCR_IDX
        int
        depends on IMA
        range 8 14
        default 10
        help
          IMA_MEASURE_PCR_IDX determines the TPM PCR register index
          that IMA uses to maintain the integrity aggregate of the
          measurement list.  If unsure, use the default 10.

config IMA_LSM_RULES
        bool
        depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)
        default y
        help
          Disabling this option will disregard LSM based policy rules.

choice
        prompt "Default template"
        default IMA_NG_TEMPLATE
        depends on IMA
        help
          Select the default IMA measurement template.

          The original 'ima' measurement list template contains a
          hash, defined as 20 bytes, and a null terminated pathname,
          limited to 255 characters.  The 'ima-ng' measurement list
          template permits both larger hash digests and longer
          pathnames.

        config IMA_TEMPLATE
                bool "ima"
        config IMA_NG_TEMPLATE
                bool "ima-ng (default)"
        config IMA_SIG_TEMPLATE
                bool "ima-sig"
endchoice

config IMA_DEFAULT_TEMPLATE
        string
        depends on IMA
        default "ima" if IMA_TEMPLATE
        default "ima-ng" if IMA_NG_TEMPLATE
        default "ima-sig" if IMA_SIG_TEMPLATE

choice
        prompt "Default integrity hash algorithm"
        default IMA_DEFAULT_HASH_SHA1
        depends on IMA
        help
           Select the default hash algorithm used for the measurement
           list, integrity appraisal and audit log.  The compiled default
           hash algorithm can be overwritten using the kernel command
           line 'ima_hash=' option.

        config IMA_DEFAULT_HASH_SHA1
                bool "SHA1 (default)"
                depends on CRYPTO_SHA1=y

        config IMA_DEFAULT_HASH_SHA256
                bool "SHA256"
                depends on CRYPTO_SHA256=y && !IMA_TEMPLATE

        config IMA_DEFAULT_HASH_SHA512
                bool "SHA512"
                depends on CRYPTO_SHA512=y && !IMA_TEMPLATE

        config IMA_DEFAULT_HASH_WP512
                bool "WP512"
                depends on CRYPTO_WP512=y && !IMA_TEMPLATE
endchoice

config IMA_DEFAULT_HASH
        string
        depends on IMA
        default "sha1" if IMA_DEFAULT_HASH_SHA1
        default "sha256" if IMA_DEFAULT_HASH_SHA256
        default "sha512" if IMA_DEFAULT_HASH_SHA512
        default "wp512" if IMA_DEFAULT_HASH_WP512

config IMA_WRITE_POLICY
        bool "Enable multiple writes to the IMA policy"
        depends on IMA
        default n
        help
          IMA policy can now be updated multiple times.  The new rules get
          appended to the original policy.  Have in mind that the rules are
          scanned in FIFO order so be careful when you design and add new ones.

          If unsure, say N.

config IMA_READ_POLICY
        bool "Enable reading back the current IMA policy"
        depends on IMA
        default y if IMA_WRITE_POLICY
        default n if !IMA_WRITE_POLICY
        help
           It is often useful to be able to read back the IMA policy.  It is
           even more important after introducing CONFIG_IMA_WRITE_POLICY.
           This option allows the root user to see the current policy rules.

config IMA_APPRAISE
        bool "Appraise integrity measurements"
        depends on IMA
        default n
        help
          This option enables local measurement integrity appraisal.
          It requires the system to be labeled with a security extended
          attribute containing the file hash measurement.  To protect
          the security extended attributes from offline attack, enable
          and configure EVM.

          For more information on integrity appraisal refer to:
          <http://linux-ima.sourceforge.net>
          If unsure, say N.

config IMA_ARCH_POLICY
        bool "Enable loading an IMA architecture specific policy"
        depends on (KEXEC_VERIFY_SIG && IMA) || IMA_APPRAISE \
                   && INTEGRITY_ASYMMETRIC_KEYS
        default n
        help
          This option enables loading an IMA architecture specific policy
          based on run time secure boot flags.

config IMA_APPRAISE_BUILD_POLICY
        bool "IMA build time configured policy rules"
        depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS
        default n
        help
          This option defines an IMA appraisal policy at build time, which
          is enforced at run time without having to specify a builtin
          policy name on the boot command line.  The build time appraisal
          policy rules persist after loading a custom policy.

          Depending on the rules configured, this policy may require kernel
          modules, firmware, the kexec kernel image, and/or the IMA policy
          to be signed.  Unsigned files might prevent the system from
          booting or applications from working properly.

config IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS
        bool "Appraise firmware signatures"
        depends on IMA_APPRAISE_BUILD_POLICY
        default n
        help
          This option defines a policy requiring all firmware to be signed,
          including the regulatory.db.  If both this option and
          CFG80211_REQUIRE_SIGNED_REGDB are enabled, then both signature
          verification methods are necessary.

config IMA_APPRAISE_REQUIRE_KEXEC_SIGS
        bool "Appraise kexec kernel image signatures"
        depends on IMA_APPRAISE_BUILD_POLICY
        default n
        help
          Enabling this rule will require all kexec'ed kernel images to
          be signed and verified by a public key on the trusted IMA
          keyring.

          Kernel image signatures can not be verified by the original
          kexec_load syscall.  Enabling this rule will prevent its
          usage.

config IMA_APPRAISE_REQUIRE_MODULE_SIGS
        bool "Appraise kernel modules signatures"
        depends on IMA_APPRAISE_BUILD_POLICY
        default n
        help
          Enabling this rule will require all kernel modules to be signed
          and verified by a public key on the trusted IMA keyring.

          Kernel module signatures can only be verified by IMA-appraisal,
          via the finit_module syscall. Enabling this rule will prevent
          the usage of the init_module syscall.

config IMA_APPRAISE_REQUIRE_POLICY_SIGS
        bool "Appraise IMA policy signature"
        depends on IMA_APPRAISE_BUILD_POLICY
        default n
        help
          Enabling this rule will require the IMA policy to be signed and
          and verified by a key on the trusted IMA keyring.

config IMA_APPRAISE_BOOTPARAM
        bool "ima_appraise boot parameter"
        depends on IMA_APPRAISE && !IMA_ARCH_POLICY
        default y
        help
          This option enables the different "ima_appraise=" modes
          (eg. fix, log) from the boot command line.

config IMA_TRUSTED_KEYRING
        bool "Require all keys on the .ima keyring be signed (deprecated)"
        depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
        depends on INTEGRITY_ASYMMETRIC_KEYS
        select INTEGRITY_TRUSTED_KEYRING
        default y
        help
           This option requires that all keys added to the .ima
           keyring be signed by a key on the system trusted keyring.

           This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING

config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
        bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
        depends on SYSTEM_TRUSTED_KEYRING
        depends on SECONDARY_TRUSTED_KEYRING
        depends on INTEGRITY_ASYMMETRIC_KEYS
        select INTEGRITY_TRUSTED_KEYRING
        default n
        help
          Keys may be added to the IMA or IMA blacklist keyrings, if the
          key is validly signed by a CA cert in the system built-in or
          secondary trusted keyrings.

          Intermediate keys between those the kernel has compiled in and the
          IMA keys to be added may be added to the system secondary keyring,
          provided they are validly signed by a key already resident in the
          built-in or secondary trusted keyrings.

config IMA_BLACKLIST_KEYRING
        bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
        depends on SYSTEM_TRUSTED_KEYRING
        depends on IMA_TRUSTED_KEYRING
        default n
        help
           This option creates an IMA blacklist keyring, which contains all
           revoked IMA keys.  It is consulted before any other keyring.  If
           the search is successful the requested operation is rejected and
           an error is returned to the caller.

config IMA_LOAD_X509
        bool "Load X509 certificate onto the '.ima' trusted keyring"
        depends on IMA_TRUSTED_KEYRING
        default n
        help
           File signature verification is based on the public keys
           loaded on the .ima trusted keyring. These public keys are
           X509 certificates signed by a trusted key on the
           .system keyring.  This option enables X509 certificate
           loading from the kernel onto the '.ima' trusted keyring.

config IMA_X509_PATH
        string "IMA X509 certificate path"
        depends on IMA_LOAD_X509
        default "/etc/keys/x509_ima.der"
        help
           This option defines IMA X509 certificate path.

config IMA_APPRAISE_SIGNED_INIT
        bool "Require signed user-space initialization"
        depends on IMA_LOAD_X509
        default n
        help
           This option requires user-space init to be signed.