xref: /openbmc/linux/security/integrity/ima/Kconfig (revision 803f6914)
1# IBM Integrity Measurement Architecture
2#
3config IMA
4	bool "Integrity Measurement Architecture(IMA)"
5	depends on SECURITY
6	select INTEGRITY
7	select SECURITYFS
8	select CRYPTO
9	select CRYPTO_HMAC
10	select CRYPTO_MD5
11	select CRYPTO_SHA1
12	select TCG_TPM if HAS_IOMEM && !UML
13	select TCG_TIS if TCG_TPM && X86
14	help
15	  The Trusted Computing Group(TCG) runtime Integrity
16	  Measurement Architecture(IMA) maintains a list of hash
17	  values of executables and other sensitive system files,
18	  as they are read or executed. If an attacker manages
19	  to change the contents of an important system file
20	  being measured, we can tell.
21
22	  If your system has a TPM chip, then IMA also maintains
23	  an aggregate integrity value over this list inside the
24	  TPM hardware, so that the TPM can prove to a third party
25	  whether or not critical system files have been modified.
26	  Read <http://www.usenix.org/events/sec04/tech/sailer.html>
27	  to learn more about IMA.
28	  If unsure, say N.
29
30config IMA_MEASURE_PCR_IDX
31	int
32	depends on IMA
33	range 8 14
34	default 10
35	help
36	  IMA_MEASURE_PCR_IDX determines the TPM PCR register index
37	  that IMA uses to maintain the integrity aggregate of the
38	  measurement list.  If unsure, use the default 10.
39
40config IMA_AUDIT
41	bool
42	depends on IMA
43	default y
44	help
45	  This option adds a kernel parameter 'ima_audit', which
46	  allows informational auditing messages to be enabled
47	  at boot.  If this option is selected, informational integrity
48	  auditing messages can be enabled with 'ima_audit=1' on
49	  the kernel command line.
50
51config IMA_LSM_RULES
52	bool
53	depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)
54	default y
55	help
56	  Disabling this option will disregard LSM based policy rules.
57