security/integrity/ima/Kconfig

   1 # IBM Integrity Measurement Architecture
   2 #
   3 config IMA
   4         bool "Integrity Measurement Architecture(IMA)"
   5         depends on SECURITY
   6         select INTEGRITY
   7         select SECURITYFS
   8         select CRYPTO
   9         select CRYPTO_HMAC
  10         select CRYPTO_MD5
  11         select CRYPTO_SHA1
  12         select TCG_TPM if !S390 && !UML
  13         select TCG_TIS if TCG_TPM
  14         help
  15           The Trusted Computing Group(TCG) runtime Integrity
  16           Measurement Architecture(IMA) maintains a list of hash
  17           values of executables and other sensitive system files,
  18           as they are read or executed. If an attacker manages
  19           to change the contents of an important system file
  20           being measured, we can tell.
  21
  22           If your system has a TPM chip, then IMA also maintains
  23           an aggregate integrity value over this list inside the
  24           TPM hardware, so that the TPM can prove to a third party
  25           whether or not critical system files have been modified.
  26           Read <http://www.usenix.org/events/sec04/tech/sailer.html>
  27           to learn more about IMA.
  28           If unsure, say N.
  29
  30 config IMA_MEASURE_PCR_IDX
  31         int
  32         depends on IMA
  33         range 8 14
  34         default 10
  35         help
  36           IMA_MEASURE_PCR_IDX determines the TPM PCR register index
  37           that IMA uses to maintain the integrity aggregate of the
  38           measurement list.  If unsure, use the default 10.
  39
  40 config IMA_AUDIT
  41         bool
  42         depends on IMA
  43         default y
  44         help
  45           This option adds a kernel parameter 'ima_audit', which
  46           allows informational auditing messages to be enabled
  47           at boot.  If this option is selected, informational integrity
  48           auditing messages can be enabled with 'ima_audit=1' on
  49           the kernel command line.
  50
  51 config IMA_LSM_RULES
  52         bool
  53         depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)
  54         default y
  55         help
  56           Disabling this option will disregard LSM based policy rules.