1# IBM Integrity Measurement Architecture 2# 3config IMA 4 bool "Integrity Measurement Architecture(IMA)" 5 select SECURITYFS 6 select CRYPTO 7 select CRYPTO_HMAC 8 select CRYPTO_MD5 9 select CRYPTO_SHA1 10 select CRYPTO_HASH_INFO 11 select TCG_TPM if HAS_IOMEM && !UML 12 select TCG_TIS if TCG_TPM && X86 13 select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES 14 help 15 The Trusted Computing Group(TCG) runtime Integrity 16 Measurement Architecture(IMA) maintains a list of hash 17 values of executables and other sensitive system files, 18 as they are read or executed. If an attacker manages 19 to change the contents of an important system file 20 being measured, we can tell. 21 22 If your system has a TPM chip, then IMA also maintains 23 an aggregate integrity value over this list inside the 24 TPM hardware, so that the TPM can prove to a third party 25 whether or not critical system files have been modified. 26 Read <http://www.usenix.org/events/sec04/tech/sailer.html> 27 to learn more about IMA. 28 If unsure, say N. 29 30config IMA_KEXEC 31 bool "Enable carrying the IMA measurement list across a soft boot" 32 depends on IMA && TCG_TPM && HAVE_IMA_KEXEC 33 default n 34 help 35 TPM PCRs are only reset on a hard reboot. In order to validate 36 a TPM's quote after a soft boot, the IMA measurement list of the 37 running kernel must be saved and restored on boot. 38 39 Depending on the IMA policy, the measurement list can grow to 40 be very large. 41 42config IMA_MEASURE_PCR_IDX 43 int 44 depends on IMA 45 range 8 14 46 default 10 47 help 48 IMA_MEASURE_PCR_IDX determines the TPM PCR register index 49 that IMA uses to maintain the integrity aggregate of the 50 measurement list. If unsure, use the default 10. 51 52config IMA_LSM_RULES 53 bool 54 depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK) 55 default y 56 help 57 Disabling this option will disregard LSM based policy rules. 58 59choice 60 prompt "Default template" 61 default IMA_NG_TEMPLATE 62 depends on IMA 63 help 64 Select the default IMA measurement template. 65 66 The original 'ima' measurement list template contains a 67 hash, defined as 20 bytes, and a null terminated pathname, 68 limited to 255 characters. The 'ima-ng' measurement list 69 template permits both larger hash digests and longer 70 pathnames. 71 72 config IMA_TEMPLATE 73 bool "ima" 74 config IMA_NG_TEMPLATE 75 bool "ima-ng (default)" 76 config IMA_SIG_TEMPLATE 77 bool "ima-sig" 78endchoice 79 80config IMA_DEFAULT_TEMPLATE 81 string 82 depends on IMA 83 default "ima" if IMA_TEMPLATE 84 default "ima-ng" if IMA_NG_TEMPLATE 85 default "ima-sig" if IMA_SIG_TEMPLATE 86 87choice 88 prompt "Default integrity hash algorithm" 89 default IMA_DEFAULT_HASH_SHA1 90 depends on IMA 91 help 92 Select the default hash algorithm used for the measurement 93 list, integrity appraisal and audit log. The compiled default 94 hash algorithm can be overwritten using the kernel command 95 line 'ima_hash=' option. 96 97 config IMA_DEFAULT_HASH_SHA1 98 bool "SHA1 (default)" 99 depends on CRYPTO_SHA1 100 101 config IMA_DEFAULT_HASH_SHA256 102 bool "SHA256" 103 depends on CRYPTO_SHA256 && !IMA_TEMPLATE 104 105 config IMA_DEFAULT_HASH_SHA512 106 bool "SHA512" 107 depends on CRYPTO_SHA512 && !IMA_TEMPLATE 108 109 config IMA_DEFAULT_HASH_WP512 110 bool "WP512" 111 depends on CRYPTO_WP512 && !IMA_TEMPLATE 112endchoice 113 114config IMA_DEFAULT_HASH 115 string 116 depends on IMA 117 default "sha1" if IMA_DEFAULT_HASH_SHA1 118 default "sha256" if IMA_DEFAULT_HASH_SHA256 119 default "sha512" if IMA_DEFAULT_HASH_SHA512 120 default "wp512" if IMA_DEFAULT_HASH_WP512 121 122config IMA_WRITE_POLICY 123 bool "Enable multiple writes to the IMA policy" 124 depends on IMA 125 default n 126 help 127 IMA policy can now be updated multiple times. The new rules get 128 appended to the original policy. Have in mind that the rules are 129 scanned in FIFO order so be careful when you design and add new ones. 130 131 If unsure, say N. 132 133config IMA_READ_POLICY 134 bool "Enable reading back the current IMA policy" 135 depends on IMA 136 default y if IMA_WRITE_POLICY 137 default n if !IMA_WRITE_POLICY 138 help 139 It is often useful to be able to read back the IMA policy. It is 140 even more important after introducing CONFIG_IMA_WRITE_POLICY. 141 This option allows the root user to see the current policy rules. 142 143config IMA_APPRAISE 144 bool "Appraise integrity measurements" 145 depends on IMA 146 default n 147 help 148 This option enables local measurement integrity appraisal. 149 It requires the system to be labeled with a security extended 150 attribute containing the file hash measurement. To protect 151 the security extended attributes from offline attack, enable 152 and configure EVM. 153 154 For more information on integrity appraisal refer to: 155 <http://linux-ima.sourceforge.net> 156 If unsure, say N. 157 158config IMA_TRUSTED_KEYRING 159 bool "Require all keys on the .ima keyring be signed (deprecated)" 160 depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING 161 depends on INTEGRITY_ASYMMETRIC_KEYS 162 select INTEGRITY_TRUSTED_KEYRING 163 default y 164 help 165 This option requires that all keys added to the .ima 166 keyring be signed by a key on the system trusted keyring. 167 168 This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING 169 170config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY 171 bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)" 172 depends on SYSTEM_TRUSTED_KEYRING 173 depends on SECONDARY_TRUSTED_KEYRING 174 depends on INTEGRITY_ASYMMETRIC_KEYS 175 select INTEGRITY_TRUSTED_KEYRING 176 default n 177 help 178 Keys may be added to the IMA or IMA blacklist keyrings, if the 179 key is validly signed by a CA cert in the system built-in or 180 secondary trusted keyrings. 181 182 Intermediate keys between those the kernel has compiled in and the 183 IMA keys to be added may be added to the system secondary keyring, 184 provided they are validly signed by a key already resident in the 185 built-in or secondary trusted keyrings. 186 187config IMA_BLACKLIST_KEYRING 188 bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)" 189 depends on SYSTEM_TRUSTED_KEYRING 190 depends on IMA_TRUSTED_KEYRING 191 default n 192 help 193 This option creates an IMA blacklist keyring, which contains all 194 revoked IMA keys. It is consulted before any other keyring. If 195 the search is successful the requested operation is rejected and 196 an error is returned to the caller. 197 198config IMA_LOAD_X509 199 bool "Load X509 certificate onto the '.ima' trusted keyring" 200 depends on IMA_TRUSTED_KEYRING 201 default n 202 help 203 File signature verification is based on the public keys 204 loaded on the .ima trusted keyring. These public keys are 205 X509 certificates signed by a trusted key on the 206 .system keyring. This option enables X509 certificate 207 loading from the kernel onto the '.ima' trusted keyring. 208 209config IMA_X509_PATH 210 string "IMA X509 certificate path" 211 depends on IMA_LOAD_X509 212 default "/etc/keys/x509_ima.der" 213 help 214 This option defines IMA X509 certificate path. 215 216config IMA_APPRAISE_SIGNED_INIT 217 bool "Require signed user-space initialization" 218 depends on IMA_LOAD_X509 219 default n 220 help 221 This option requires user-space init to be signed. 222