1 # SPDX-License-Identifier: GPL-2.0-only
2 # IBM Integrity Measurement Architecture
5 bool "Integrity Measurement Architecture(IMA)"
11 select CRYPTO_HASH_INFO
12 select TCG_TPM if HAS_IOMEM && !UML
13 select TCG_TIS if TCG_TPM && X86
14 select TCG_CRB if TCG_TPM && ACPI
15 select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
16 select INTEGRITY_AUDIT if AUDIT
18 The Trusted Computing Group(TCG) runtime Integrity
19 Measurement Architecture(IMA) maintains a list of hash
20 values of executables and other sensitive system files,
21 as they are read or executed. If an attacker manages
22 to change the contents of an important system file
23 being measured, we can tell.
25 If your system has a TPM chip, then IMA also maintains
26 an aggregate integrity value over this list inside the
27 TPM hardware, so that the TPM can prove to a third party
28 whether or not critical system files have been modified.
29 Read <http://www.usenix.org/events/sec04/tech/sailer.html>
30 to learn more about IMA.
34 bool "Enable carrying the IMA measurement list across a soft boot"
35 depends on IMA && TCG_TPM && HAVE_IMA_KEXEC
38 TPM PCRs are only reset on a hard reboot. In order to validate
39 a TPM's quote after a soft boot, the IMA measurement list of the
40 running kernel must be saved and restored on boot.
42 Depending on the IMA policy, the measurement list can grow to
45 config IMA_MEASURE_PCR_IDX
51 IMA_MEASURE_PCR_IDX determines the TPM PCR register index
52 that IMA uses to maintain the integrity aggregate of the
53 measurement list. If unsure, use the default 10.
57 depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)
60 Disabling this option will disregard LSM based policy rules.
63 prompt "Default template"
64 default IMA_NG_TEMPLATE
67 Select the default IMA measurement template.
69 The original 'ima' measurement list template contains a
70 hash, defined as 20 bytes, and a null terminated pathname,
71 limited to 255 characters. The 'ima-ng' measurement list
72 template permits both larger hash digests and longer
77 config IMA_NG_TEMPLATE
78 bool "ima-ng (default)"
79 config IMA_SIG_TEMPLATE
83 config IMA_DEFAULT_TEMPLATE
86 default "ima" if IMA_TEMPLATE
87 default "ima-ng" if IMA_NG_TEMPLATE
88 default "ima-sig" if IMA_SIG_TEMPLATE
91 prompt "Default integrity hash algorithm"
92 default IMA_DEFAULT_HASH_SHA1
95 Select the default hash algorithm used for the measurement
96 list, integrity appraisal and audit log. The compiled default
97 hash algorithm can be overwritten using the kernel command
98 line 'ima_hash=' option.
100 config IMA_DEFAULT_HASH_SHA1
101 bool "SHA1 (default)"
102 depends on CRYPTO_SHA1=y
104 config IMA_DEFAULT_HASH_SHA256
106 depends on CRYPTO_SHA256=y && !IMA_TEMPLATE
108 config IMA_DEFAULT_HASH_SHA512
110 depends on CRYPTO_SHA512=y && !IMA_TEMPLATE
112 config IMA_DEFAULT_HASH_WP512
114 depends on CRYPTO_WP512=y && !IMA_TEMPLATE
117 config IMA_DEFAULT_HASH
120 default "sha1" if IMA_DEFAULT_HASH_SHA1
121 default "sha256" if IMA_DEFAULT_HASH_SHA256
122 default "sha512" if IMA_DEFAULT_HASH_SHA512
123 default "wp512" if IMA_DEFAULT_HASH_WP512
125 config IMA_WRITE_POLICY
126 bool "Enable multiple writes to the IMA policy"
130 IMA policy can now be updated multiple times. The new rules get
131 appended to the original policy. Have in mind that the rules are
132 scanned in FIFO order so be careful when you design and add new ones.
136 config IMA_READ_POLICY
137 bool "Enable reading back the current IMA policy"
139 default y if IMA_WRITE_POLICY
140 default n if !IMA_WRITE_POLICY
142 It is often useful to be able to read back the IMA policy. It is
143 even more important after introducing CONFIG_IMA_WRITE_POLICY.
144 This option allows the root user to see the current policy rules.
147 bool "Appraise integrity measurements"
151 This option enables local measurement integrity appraisal.
152 It requires the system to be labeled with a security extended
153 attribute containing the file hash measurement. To protect
154 the security extended attributes from offline attack, enable
157 For more information on integrity appraisal refer to:
158 <http://linux-ima.sourceforge.net>
161 config IMA_ARCH_POLICY
162 bool "Enable loading an IMA architecture specific policy"
163 depends on (KEXEC_VERIFY_SIG && IMA) || IMA_APPRAISE \
164 && INTEGRITY_ASYMMETRIC_KEYS
167 This option enables loading an IMA architecture specific policy
168 based on run time secure boot flags.
170 config IMA_APPRAISE_BUILD_POLICY
171 bool "IMA build time configured policy rules"
172 depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS
175 This option defines an IMA appraisal policy at build time, which
176 is enforced at run time without having to specify a builtin
177 policy name on the boot command line. The build time appraisal
178 policy rules persist after loading a custom policy.
180 Depending on the rules configured, this policy may require kernel
181 modules, firmware, the kexec kernel image, and/or the IMA policy
182 to be signed. Unsigned files might prevent the system from
183 booting or applications from working properly.
185 config IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS
186 bool "Appraise firmware signatures"
187 depends on IMA_APPRAISE_BUILD_POLICY
190 This option defines a policy requiring all firmware to be signed,
191 including the regulatory.db. If both this option and
192 CFG80211_REQUIRE_SIGNED_REGDB are enabled, then both signature
193 verification methods are necessary.
195 config IMA_APPRAISE_REQUIRE_KEXEC_SIGS
196 bool "Appraise kexec kernel image signatures"
197 depends on IMA_APPRAISE_BUILD_POLICY
200 Enabling this rule will require all kexec'ed kernel images to
201 be signed and verified by a public key on the trusted IMA
204 Kernel image signatures can not be verified by the original
205 kexec_load syscall. Enabling this rule will prevent its
208 config IMA_APPRAISE_REQUIRE_MODULE_SIGS
209 bool "Appraise kernel modules signatures"
210 depends on IMA_APPRAISE_BUILD_POLICY
213 Enabling this rule will require all kernel modules to be signed
214 and verified by a public key on the trusted IMA keyring.
216 Kernel module signatures can only be verified by IMA-appraisal,
217 via the finit_module syscall. Enabling this rule will prevent
218 the usage of the init_module syscall.
220 config IMA_APPRAISE_REQUIRE_POLICY_SIGS
221 bool "Appraise IMA policy signature"
222 depends on IMA_APPRAISE_BUILD_POLICY
225 Enabling this rule will require the IMA policy to be signed and
226 and verified by a key on the trusted IMA keyring.
228 config IMA_APPRAISE_BOOTPARAM
229 bool "ima_appraise boot parameter"
230 depends on IMA_APPRAISE && !IMA_ARCH_POLICY
233 This option enables the different "ima_appraise=" modes
234 (eg. fix, log) from the boot command line.
236 config IMA_TRUSTED_KEYRING
237 bool "Require all keys on the .ima keyring be signed (deprecated)"
238 depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
239 depends on INTEGRITY_ASYMMETRIC_KEYS
240 select INTEGRITY_TRUSTED_KEYRING
243 This option requires that all keys added to the .ima
244 keyring be signed by a key on the system trusted keyring.
246 This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING
248 config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
249 bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
250 depends on SYSTEM_TRUSTED_KEYRING
251 depends on SECONDARY_TRUSTED_KEYRING
252 depends on INTEGRITY_ASYMMETRIC_KEYS
253 select INTEGRITY_TRUSTED_KEYRING
256 Keys may be added to the IMA or IMA blacklist keyrings, if the
257 key is validly signed by a CA cert in the system built-in or
258 secondary trusted keyrings.
260 Intermediate keys between those the kernel has compiled in and the
261 IMA keys to be added may be added to the system secondary keyring,
262 provided they are validly signed by a key already resident in the
263 built-in or secondary trusted keyrings.
265 config IMA_BLACKLIST_KEYRING
266 bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
267 depends on SYSTEM_TRUSTED_KEYRING
268 depends on IMA_TRUSTED_KEYRING
271 This option creates an IMA blacklist keyring, which contains all
272 revoked IMA keys. It is consulted before any other keyring. If
273 the search is successful the requested operation is rejected and
274 an error is returned to the caller.
277 bool "Load X509 certificate onto the '.ima' trusted keyring"
278 depends on IMA_TRUSTED_KEYRING
281 File signature verification is based on the public keys
282 loaded on the .ima trusted keyring. These public keys are
283 X509 certificates signed by a trusted key on the
284 .system keyring. This option enables X509 certificate
285 loading from the kernel onto the '.ima' trusted keyring.
288 string "IMA X509 certificate path"
289 depends on IMA_LOAD_X509
290 default "/etc/keys/x509_ima.der"
292 This option defines IMA X509 certificate path.
294 config IMA_APPRAISE_SIGNED_INIT
295 bool "Require signed user-space initialization"
296 depends on IMA_LOAD_X509
299 This option requires user-space init to be signed.