xref: /openbmc/linux/security/integrity/ima/Kconfig (revision a8f54d94)
1# SPDX-License-Identifier: GPL-2.0-only
2# IBM Integrity Measurement Architecture
3#
4config IMA
5	bool "Integrity Measurement Architecture(IMA)"
6	select SECURITYFS
7	select CRYPTO
8	select CRYPTO_HMAC
9	select CRYPTO_SHA1
10	select CRYPTO_HASH_INFO
11	select TCG_TPM if HAS_IOMEM && !UML
12	select TCG_TIS if TCG_TPM && X86
13	select TCG_CRB if TCG_TPM && ACPI
14	select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
15	select INTEGRITY_AUDIT if AUDIT
16	help
17	  The Trusted Computing Group(TCG) runtime Integrity
18	  Measurement Architecture(IMA) maintains a list of hash
19	  values of executables and other sensitive system files,
20	  as they are read or executed. If an attacker manages
21	  to change the contents of an important system file
22	  being measured, we can tell.
23
24	  If your system has a TPM chip, then IMA also maintains
25	  an aggregate integrity value over this list inside the
26	  TPM hardware, so that the TPM can prove to a third party
27	  whether or not critical system files have been modified.
28	  Read <https://www.usenix.org/events/sec04/tech/sailer.html>
29	  to learn more about IMA.
30	  If unsure, say N.
31
32config IMA_KEXEC
33	bool "Enable carrying the IMA measurement list across a soft boot"
34	depends on IMA && TCG_TPM && HAVE_IMA_KEXEC
35	default n
36	help
37	   TPM PCRs are only reset on a hard reboot.  In order to validate
38	   a TPM's quote after a soft boot, the IMA measurement list of the
39	   running kernel must be saved and restored on boot.
40
41	   Depending on the IMA policy, the measurement list can grow to
42	   be very large.
43
44config IMA_MEASURE_PCR_IDX
45	int
46	depends on IMA
47	range 8 14
48	default 10
49	help
50	  IMA_MEASURE_PCR_IDX determines the TPM PCR register index
51	  that IMA uses to maintain the integrity aggregate of the
52	  measurement list.  If unsure, use the default 10.
53
54config IMA_LSM_RULES
55	bool
56	depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK || SECURITY_APPARMOR)
57	default y
58	help
59	  Disabling this option will disregard LSM based policy rules.
60
61choice
62	prompt "Default template"
63	default IMA_NG_TEMPLATE
64	depends on IMA
65	help
66	  Select the default IMA measurement template.
67
68	  The original 'ima' measurement list template contains a
69	  hash, defined as 20 bytes, and a null terminated pathname,
70	  limited to 255 characters.  The 'ima-ng' measurement list
71	  template permits both larger hash digests and longer
72	  pathnames. The configured default template can be replaced
73	  by specifying "ima_template=" on the boot command line.
74
75	config IMA_NG_TEMPLATE
76		bool "ima-ng (default)"
77	config IMA_SIG_TEMPLATE
78		bool "ima-sig"
79endchoice
80
81config IMA_DEFAULT_TEMPLATE
82	string
83	depends on IMA
84	default "ima-ng" if IMA_NG_TEMPLATE
85	default "ima-sig" if IMA_SIG_TEMPLATE
86
87choice
88	prompt "Default integrity hash algorithm"
89	default IMA_DEFAULT_HASH_SHA1
90	depends on IMA
91	help
92	   Select the default hash algorithm used for the measurement
93	   list, integrity appraisal and audit log.  The compiled default
94	   hash algorithm can be overwritten using the kernel command
95	   line 'ima_hash=' option.
96
97	config IMA_DEFAULT_HASH_SHA1
98		bool "SHA1 (default)"
99		depends on CRYPTO_SHA1=y
100
101	config IMA_DEFAULT_HASH_SHA256
102		bool "SHA256"
103		depends on CRYPTO_SHA256=y
104
105	config IMA_DEFAULT_HASH_SHA512
106		bool "SHA512"
107		depends on CRYPTO_SHA512=y
108
109	config IMA_DEFAULT_HASH_WP512
110		bool "WP512"
111		depends on CRYPTO_WP512=y
112
113	config IMA_DEFAULT_HASH_SM3
114		bool "SM3"
115		depends on CRYPTO_SM3_GENERIC=y
116endchoice
117
118config IMA_DEFAULT_HASH
119	string
120	depends on IMA
121	default "sha1" if IMA_DEFAULT_HASH_SHA1
122	default "sha256" if IMA_DEFAULT_HASH_SHA256
123	default "sha512" if IMA_DEFAULT_HASH_SHA512
124	default "wp512" if IMA_DEFAULT_HASH_WP512
125	default "sm3" if IMA_DEFAULT_HASH_SM3
126
127config IMA_WRITE_POLICY
128	bool "Enable multiple writes to the IMA policy"
129	depends on IMA
130	default n
131	help
132	  IMA policy can now be updated multiple times.  The new rules get
133	  appended to the original policy.  Have in mind that the rules are
134	  scanned in FIFO order so be careful when you design and add new ones.
135
136	  If unsure, say N.
137
138config IMA_READ_POLICY
139	bool "Enable reading back the current IMA policy"
140	depends on IMA
141	default y if IMA_WRITE_POLICY
142	default n if !IMA_WRITE_POLICY
143	help
144	   It is often useful to be able to read back the IMA policy.  It is
145	   even more important after introducing CONFIG_IMA_WRITE_POLICY.
146	   This option allows the root user to see the current policy rules.
147
148config IMA_APPRAISE
149	bool "Appraise integrity measurements"
150	depends on IMA
151	default n
152	help
153	  This option enables local measurement integrity appraisal.
154	  It requires the system to be labeled with a security extended
155	  attribute containing the file hash measurement.  To protect
156	  the security extended attributes from offline attack, enable
157	  and configure EVM.
158
159	  For more information on integrity appraisal refer to:
160	  <http://linux-ima.sourceforge.net>
161	  If unsure, say N.
162
163config IMA_ARCH_POLICY
164        bool "Enable loading an IMA architecture specific policy"
165        depends on (KEXEC_SIG && IMA) || IMA_APPRAISE \
166		   && INTEGRITY_ASYMMETRIC_KEYS
167        default n
168        help
169          This option enables loading an IMA architecture specific policy
170          based on run time secure boot flags.
171
172config IMA_APPRAISE_BUILD_POLICY
173	bool "IMA build time configured policy rules"
174	depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS
175	default n
176	help
177	  This option defines an IMA appraisal policy at build time, which
178	  is enforced at run time without having to specify a builtin
179	  policy name on the boot command line.  The build time appraisal
180	  policy rules persist after loading a custom policy.
181
182	  Depending on the rules configured, this policy may require kernel
183	  modules, firmware, the kexec kernel image, and/or the IMA policy
184	  to be signed.  Unsigned files might prevent the system from
185	  booting or applications from working properly.
186
187config IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS
188	bool "Appraise firmware signatures"
189	depends on IMA_APPRAISE_BUILD_POLICY
190	default n
191	help
192	  This option defines a policy requiring all firmware to be signed,
193	  including the regulatory.db.  If both this option and
194	  CFG80211_REQUIRE_SIGNED_REGDB are enabled, then both signature
195	  verification methods are necessary.
196
197config IMA_APPRAISE_REQUIRE_KEXEC_SIGS
198	bool "Appraise kexec kernel image signatures"
199	depends on IMA_APPRAISE_BUILD_POLICY
200	default n
201	help
202	  Enabling this rule will require all kexec'ed kernel images to
203	  be signed and verified by a public key on the trusted IMA
204	  keyring.
205
206	  Kernel image signatures can not be verified by the original
207	  kexec_load syscall.  Enabling this rule will prevent its
208	  usage.
209
210config IMA_APPRAISE_REQUIRE_MODULE_SIGS
211	bool "Appraise kernel modules signatures"
212	depends on IMA_APPRAISE_BUILD_POLICY
213	default n
214	help
215	  Enabling this rule will require all kernel modules to be signed
216	  and verified by a public key on the trusted IMA keyring.
217
218	  Kernel module signatures can only be verified by IMA-appraisal,
219	  via the finit_module syscall. Enabling this rule will prevent
220	  the usage of the init_module syscall.
221
222config IMA_APPRAISE_REQUIRE_POLICY_SIGS
223	bool "Appraise IMA policy signature"
224	depends on IMA_APPRAISE_BUILD_POLICY
225	default n
226	help
227	  Enabling this rule will require the IMA policy to be signed and
228	  and verified by a key on the trusted IMA keyring.
229
230config IMA_APPRAISE_BOOTPARAM
231	bool "ima_appraise boot parameter"
232	depends on IMA_APPRAISE
233	default y
234	help
235	  This option enables the different "ima_appraise=" modes
236	  (eg. fix, log) from the boot command line.
237
238config IMA_APPRAISE_MODSIG
239	bool "Support module-style signatures for appraisal"
240	depends on IMA_APPRAISE
241	depends on INTEGRITY_ASYMMETRIC_KEYS
242	select PKCS7_MESSAGE_PARSER
243	select MODULE_SIG_FORMAT
244	default n
245	help
246	   Adds support for signatures appended to files. The format of the
247	   appended signature is the same used for signed kernel modules.
248	   The modsig keyword can be used in the IMA policy to allow a hook
249	   to accept such signatures.
250
251config IMA_TRUSTED_KEYRING
252	bool "Require all keys on the .ima keyring be signed (deprecated)"
253	depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
254	depends on INTEGRITY_ASYMMETRIC_KEYS
255	select INTEGRITY_TRUSTED_KEYRING
256	default y
257	help
258	   This option requires that all keys added to the .ima
259	   keyring be signed by a key on the system trusted keyring.
260
261	   This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING
262
263config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
264	bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
265	depends on SYSTEM_TRUSTED_KEYRING
266	depends on SECONDARY_TRUSTED_KEYRING
267	depends on INTEGRITY_ASYMMETRIC_KEYS
268	select INTEGRITY_TRUSTED_KEYRING
269	default n
270	help
271	  Keys may be added to the IMA or IMA blacklist keyrings, if the
272	  key is validly signed by a CA cert in the system built-in or
273	  secondary trusted keyrings.
274
275	  Intermediate keys between those the kernel has compiled in and the
276	  IMA keys to be added may be added to the system secondary keyring,
277	  provided they are validly signed by a key already resident in the
278	  built-in or secondary trusted keyrings.
279
280config IMA_BLACKLIST_KEYRING
281	bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
282	depends on SYSTEM_TRUSTED_KEYRING
283	depends on IMA_TRUSTED_KEYRING
284	default n
285	help
286	   This option creates an IMA blacklist keyring, which contains all
287	   revoked IMA keys.  It is consulted before any other keyring.  If
288	   the search is successful the requested operation is rejected and
289	   an error is returned to the caller.
290
291config IMA_LOAD_X509
292	bool "Load X509 certificate onto the '.ima' trusted keyring"
293	depends on IMA_TRUSTED_KEYRING
294	default n
295	help
296	   File signature verification is based on the public keys
297	   loaded on the .ima trusted keyring. These public keys are
298	   X509 certificates signed by a trusted key on the
299	   .system keyring.  This option enables X509 certificate
300	   loading from the kernel onto the '.ima' trusted keyring.
301
302config IMA_X509_PATH
303	string "IMA X509 certificate path"
304	depends on IMA_LOAD_X509
305	default "/etc/keys/x509_ima.der"
306	help
307	   This option defines IMA X509 certificate path.
308
309config IMA_APPRAISE_SIGNED_INIT
310	bool "Require signed user-space initialization"
311	depends on IMA_LOAD_X509
312	default n
313	help
314	   This option requires user-space init to be signed.
315
316config IMA_MEASURE_ASYMMETRIC_KEYS
317	bool
318	depends on IMA
319	depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
320	default y
321
322config IMA_QUEUE_EARLY_BOOT_KEYS
323	bool
324	depends on IMA_MEASURE_ASYMMETRIC_KEYS
325	depends on SYSTEM_TRUSTED_KEYRING
326	default y
327
328config IMA_SECURE_AND_OR_TRUSTED_BOOT
329       bool
330       depends on IMA_ARCH_POLICY
331       help
332          This option is selected by architectures to enable secure and/or
333          trusted boot based on IMA runtime policies.
334
335config IMA_DISABLE_HTABLE
336	bool "Disable htable to allow measurement of duplicate records"
337	depends on IMA
338	default n
339	help
340	   This option disables htable to allow measurement of duplicate records.
341