1# IBM Integrity Measurement Architecture 2# 3config IMA 4 bool "Integrity Measurement Architecture(IMA)" 5 depends on SECURITY 6 select INTEGRITY 7 select SECURITYFS 8 select CRYPTO 9 select CRYPTO_HMAC 10 select CRYPTO_MD5 11 select CRYPTO_SHA1 12 select TCG_TPM if HAS_IOMEM && !UML 13 select TCG_TIS if TCG_TPM && X86 14 help 15 The Trusted Computing Group(TCG) runtime Integrity 16 Measurement Architecture(IMA) maintains a list of hash 17 values of executables and other sensitive system files, 18 as they are read or executed. If an attacker manages 19 to change the contents of an important system file 20 being measured, we can tell. 21 22 If your system has a TPM chip, then IMA also maintains 23 an aggregate integrity value over this list inside the 24 TPM hardware, so that the TPM can prove to a third party 25 whether or not critical system files have been modified. 26 Read <http://www.usenix.org/events/sec04/tech/sailer.html> 27 to learn more about IMA. 28 If unsure, say N. 29 30config IMA_MEASURE_PCR_IDX 31 int 32 depends on IMA 33 range 8 14 34 default 10 35 help 36 IMA_MEASURE_PCR_IDX determines the TPM PCR register index 37 that IMA uses to maintain the integrity aggregate of the 38 measurement list. If unsure, use the default 10. 39 40config IMA_AUDIT 41 bool 42 depends on IMA 43 default y 44 help 45 This option adds a kernel parameter 'ima_audit', which 46 allows informational auditing messages to be enabled 47 at boot. If this option is selected, informational integrity 48 auditing messages can be enabled with 'ima_audit=1' on 49 the kernel command line. 50 51config IMA_LSM_RULES 52 bool 53 depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK) 54 default y 55 help 56 Disabling this option will disregard LSM based policy rules. 57