#
# IBM Integrity Measurement Architecture
#
config IMA
	bool "Integrity Measurement Architecture (IMA)"
	depends on SECURITY
	select INTEGRITY
	select SECURITYFS
	select CRYPTO
	select CRYPTO_HMAC
	select CRYPTO_MD5
	select CRYPTO_SHA1
	select TCG_TPM if HAS_IOMEM && !UML
	select TCG_TIS if TCG_TPM && X86
	select TCG_IBMVTPM if TCG_TPM && PPC64
	help
	  The Trusted Computing Group (TCG) runtime Integrity
	  Measurement Architecture (IMA) maintains a list of hash
	  values of executables and other sensitive system files,
	  as they are read or executed. If an attacker manages
	  to change the contents of an important system file
	  being measured, we can tell.

	  If your system has a TPM chip, then IMA also maintains
	  an aggregate integrity value over this list inside the
	  TPM hardware, so that the TPM can prove to a third party
	  whether or not critical system files have been modified.
	  Read <http://www.usenix.org/events/sec04/tech/sailer.html>
	  to learn more about IMA.
	  If unsure, say N.

config IMA_MEASURE_PCR_IDX
	int
	depends on IMA
	range 8 14
	default 10
	help
	  IMA_MEASURE_PCR_IDX determines the TPM PCR register index
	  that IMA uses to maintain the integrity aggregate of the
	  measurement list. If unsure, use the default 10.

config IMA_LSM_RULES
	bool
	depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)
	default y
	help
	  Disabling this option will disregard LSM-based policy rules.

config IMA_APPRAISE
	bool "Appraise integrity measurements"
	depends on IMA
	default n
	help
	  This option enables local measurement integrity appraisal.
	  It requires the system to be labeled with a security extended
	  attribute containing the file hash measurement. To protect
	  the security extended attributes from offline attack, enable
	  and configure EVM.

	  For more information on integrity appraisal refer to:
	  <http://linux-ima.sourceforge.net>
	  If unsure, say N.
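The two help texts above describe what IMA records (a measurement list whose template hashes are extended into PCR 10, the IMA_MEASURE_PCR_IDX default) and what IMA_APPRAISE checks (the file hash stored in a security extended attribute). The following is an added example written for this page, not kernel code or part of the IMA project: it replays an ascii measurement list into a software PCR so the result can be compared with a TPM quote, and it performs the appraisal comparison for one file. It assumes the legacy "ima" template (SHA-1 file hash, pathname NUL-padded to 256 bytes, SHA-1 template hash), a SHA-1 PCR bank, the IMA_XATTR_DIGEST (type byte 0x01) security.ima layout, and the kernel's handling of violation entries (all-zero template hash in the list, 0xff bytes extended into the PCR). The sample file contents and list are constructed here, not captured from a real system.

```python
"""Offline checks for the two IMA mechanisms configured above (added example).

1. Measurement: replay an ascii_runtime_measurements list, recompute each
   entry's template hash and fold the template hashes into a software PCR
   so the result can be compared with a quote of PCR 10 (IMA_MEASURE_PCR_IDX).
2. Appraisal: compare a file's contents with the hash stored in its
   security.ima xattr, the check IMA_APPRAISE performs on open/exec.

Assumes the legacy "ima" template (SHA-1 throughout) and the
IMA_XATTR_DIGEST (0x01) xattr layout.
"""
import hashlib
from typing import List, NamedTuple, Optional, Tuple

PCR_IDX = 10                   # IMA_MEASURE_PCR_IDX default
SHA1_LEN = 20
IMA_EVENT_NAME_LEN_MAX = 255   # pathname field of the "ima" template
IMA_XATTR_DIGEST = 0x01        # security.ima type byte: raw SHA-1 digest follows


class Entry(NamedTuple):
    pcr: int
    template_hash: bytes
    template: str
    file_hash: bytes
    path: str


def ima_template_hash(file_hash: bytes, path: str) -> bytes:
    """"ima" template hash: SHA-1 over the 20-byte file digest followed by
    the pathname NUL-padded to IMA_EVENT_NAME_LEN_MAX + 1 bytes."""
    name = path.encode()[:IMA_EVENT_NAME_LEN_MAX]
    return hashlib.sha1(file_hash + name.ljust(IMA_EVENT_NAME_LEN_MAX + 1, b"\0")).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """SHA-1 bank extend, as the TPM does it: PCR = SHA1(PCR || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def format_line(file_hash: bytes, path: str, pcr: int = PCR_IDX) -> str:
    """Render one list line: <pcr> <template-hash> ima <file-hash> <path>."""
    return "%d %s ima %s %s" % (pcr, ima_template_hash(file_hash, path).hex(),
                                file_hash.hex(), path)


def parse_line(line: str) -> Entry:
    pcr, thash, template, fhash, path = line.rstrip("\n").split(" ", 4)
    return Entry(int(pcr), bytes.fromhex(thash), template, bytes.fromhex(fhash), path)


def verify_list(lines: List[str],
                expected_pcr: Optional[bytes] = None) -> Tuple[bytes, List[str]]:
    """Replay the list into a zeroed PCR (PCR 10 is reset at boot) and report
    entries whose template hash does not match their own file hash and path.
    A violation entry (open-writers race) is listed with an all-zero template
    hash, but the kernel extends the PCR with 0xff bytes, so replay must too."""
    pcr = bytes(SHA1_LEN)
    problems: List[str] = []
    for n, line in enumerate(lines, 1):
        e = parse_line(line)
        if e.pcr != PCR_IDX:
            problems.append("line %d: pcr %d, expected %d" % (n, e.pcr, PCR_IDX))
        if e.template_hash == bytes(SHA1_LEN):          # violation entry
            pcr = pcr_extend(pcr, b"\xff" * SHA1_LEN)
            continue
        if e.template != "ima":
            problems.append("line %d: unsupported template %s" % (n, e.template))
        elif ima_template_hash(e.file_hash, e.path) != e.template_hash:
            problems.append("line %d: template hash does not match %s" % (n, e.path))
        pcr = pcr_extend(pcr, e.template_hash)
    if expected_pcr is not None and pcr != expected_pcr:
        problems.append("aggregate %s does not match PCR-%d %s"
                        % (pcr.hex(), PCR_IDX, expected_pcr.hex()))
    return pcr, problems


def ima_xattr_for(data: bytes) -> bytes:
    """security.ima value a labelling tool writes for a file: type byte + SHA-1."""
    return bytes([IMA_XATTR_DIGEST]) + hashlib.sha1(data).digest()


def appraise(data: bytes, xattr: Optional[bytes]) -> str:
    """What IMA_APPRAISE decides for one file: "ok", or why it fails."""
    if xattr is None:
        return "fail: no security.ima label"
    if xattr[:1] != bytes([IMA_XATTR_DIGEST]) or len(xattr) != 1 + SHA1_LEN:
        return "fail: unsupported security.ima format"
    if xattr[1:] != hashlib.sha1(data).digest():
        return "fail: file hash does not match security.ima"
    return "ok"


# Constructed sample data (not captured from a real system). The first entry
# stands in for boot_aggregate, which IMA measures before any file.
SAMPLE_FILES = {
    "boot_aggregate": b"constructed stand-in for the PCR 0-7 aggregate",
    "/sbin/init": b"constructed contents of /sbin/init",
    "/bin/bash": b"constructed contents of /bin/bash",
    "/lib/libc.so.6": b"constructed contents of libc",
}
SAMPLE_LIST = [format_line(hashlib.sha1(d).digest(), p) for p, d in SAMPLE_FILES.items()]

if __name__ == "__main__":
    aggregate, problems = verify_list(SAMPLE_LIST)
    print("PCR-%d replay: %s" % (PCR_IDX, aggregate.hex()), problems or "all entries consistent")
    data = SAMPLE_FILES["/bin/bash"]
    print("appraise /bin/bash:", appraise(data, ima_xattr_for(data)))
    print("appraise after offline edit:", appraise(data + b"#backdoor", ima_xattr_for(data)))
```

Two points the code makes concrete. A list entry altered without updating its template hash is caught by the per-entry check, but an attacker who rewrites an entry consistently is only caught because the replayed aggregate no longer equals the value the TPM holds in PCR 10, which is why verify_list takes the quoted PCR as expected_pcr. And appraise passes for backdoored content whenever the attacker could also rewrite security.ima, which is the offline attack the IMA_APPRAISE help text tells you to close by enabling EVM.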