xref: /openbmc/linux/security/integrity/ima/Kconfig (revision f97cee494dc92395a668445bcd24d34c89f4ff8c)
1# SPDX-License-Identifier: GPL-2.0-only
2# IBM Integrity Measurement Architecture
3#
4config IMA
5	bool "Integrity Measurement Architecture(IMA)"
6	select SECURITYFS
7	select CRYPTO
8	select CRYPTO_HMAC
9	select CRYPTO_MD5
10	select CRYPTO_SHA1
11	select CRYPTO_HASH_INFO
12	select TCG_TPM if HAS_IOMEM && !UML
13	select TCG_TIS if TCG_TPM && X86
14	select TCG_CRB if TCG_TPM && ACPI
15	select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
16	select INTEGRITY_AUDIT if AUDIT
17	help
18	  The Trusted Computing Group(TCG) runtime Integrity
19	  Measurement Architecture(IMA) maintains a list of hash
20	  values of executables and other sensitive system files,
21	  as they are read or executed. If an attacker manages
22	  to change the contents of an important system file
23	  being measured, we can tell.
24
25	  If your system has a TPM chip, then IMA also maintains
26	  an aggregate integrity value over this list inside the
27	  TPM hardware, so that the TPM can prove to a third party
28	  whether or not critical system files have been modified.
29	  Read <https://www.usenix.org/events/sec04/tech/sailer.html>
30	  to learn more about IMA.
31	  If unsure, say N.
32
33config IMA_KEXEC
34	bool "Enable carrying the IMA measurement list across a soft boot"
35	depends on IMA && TCG_TPM && HAVE_IMA_KEXEC
36	default n
37	help
38	   TPM PCRs are only reset on a hard reboot.  In order to validate
39	   a TPM's quote after a soft boot, the IMA measurement list of the
40	   running kernel must be saved and restored on boot.
41
42	   Depending on the IMA policy, the measurement list can grow to
43	   be very large.
44
45config IMA_MEASURE_PCR_IDX
46	int
47	depends on IMA
48	range 8 14
49	default 10
50	help
51	  IMA_MEASURE_PCR_IDX determines the TPM PCR register index
52	  that IMA uses to maintain the integrity aggregate of the
53	  measurement list.  If unsure, use the default 10.
54
55config IMA_LSM_RULES
56	bool
57	depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK || SECURITY_APPARMOR)
58	default y
59	help
60	  Disabling this option will disregard LSM based policy rules.
61
62choice
63	prompt "Default template"
64	default IMA_NG_TEMPLATE
65	depends on IMA
66	help
67	  Select the default IMA measurement template.
68
69	  The original 'ima' measurement list template contains a
70	  hash, defined as 20 bytes, and a null terminated pathname,
71	  limited to 255 characters.  The 'ima-ng' measurement list
72	  template permits both larger hash digests and longer
73	  pathnames.
74
75	config IMA_TEMPLATE
76		bool "ima"
77	config IMA_NG_TEMPLATE
78		bool "ima-ng (default)"
79	config IMA_SIG_TEMPLATE
80		bool "ima-sig"
81endchoice
82
83config IMA_DEFAULT_TEMPLATE
84	string
85	depends on IMA
86	default "ima" if IMA_TEMPLATE
87	default "ima-ng" if IMA_NG_TEMPLATE
88	default "ima-sig" if IMA_SIG_TEMPLATE
89
90choice
91	prompt "Default integrity hash algorithm"
92	default IMA_DEFAULT_HASH_SHA1
93	depends on IMA
94	help
95	   Select the default hash algorithm used for the measurement
96	   list, integrity appraisal and audit log.  The compiled default
97	   hash algorithm can be overwritten using the kernel command
98	   line 'ima_hash=' option.
99
100	config IMA_DEFAULT_HASH_SHA1
101		bool "SHA1 (default)"
102		depends on CRYPTO_SHA1=y
103
104	config IMA_DEFAULT_HASH_SHA256
105		bool "SHA256"
106		depends on CRYPTO_SHA256=y && !IMA_TEMPLATE
107
108	config IMA_DEFAULT_HASH_SHA512
109		bool "SHA512"
110		depends on CRYPTO_SHA512=y && !IMA_TEMPLATE
111
112	config IMA_DEFAULT_HASH_WP512
113		bool "WP512"
114		depends on CRYPTO_WP512=y && !IMA_TEMPLATE
115
116	config IMA_DEFAULT_HASH_SM3
117		bool "SM3"
118		depends on CRYPTO_SM3=y && !IMA_TEMPLATE
119endchoice
120
121config IMA_DEFAULT_HASH
122	string
123	depends on IMA
124	default "sha1" if IMA_DEFAULT_HASH_SHA1
125	default "sha256" if IMA_DEFAULT_HASH_SHA256
126	default "sha512" if IMA_DEFAULT_HASH_SHA512
127	default "wp512" if IMA_DEFAULT_HASH_WP512
128	default "sm3" if IMA_DEFAULT_HASH_SM3
129
130config IMA_WRITE_POLICY
131	bool "Enable multiple writes to the IMA policy"
132	depends on IMA
133	default n
134	help
135	  IMA policy can now be updated multiple times.  The new rules get
136	  appended to the original policy.  Have in mind that the rules are
137	  scanned in FIFO order so be careful when you design and add new ones.
138
139	  If unsure, say N.
140
141config IMA_READ_POLICY
142	bool "Enable reading back the current IMA policy"
143	depends on IMA
144	default y if IMA_WRITE_POLICY
145	default n if !IMA_WRITE_POLICY
146	help
147	   It is often useful to be able to read back the IMA policy.  It is
148	   even more important after introducing CONFIG_IMA_WRITE_POLICY.
149	   This option allows the root user to see the current policy rules.
150
151config IMA_APPRAISE
152	bool "Appraise integrity measurements"
153	depends on IMA
154	default n
155	help
156	  This option enables local measurement integrity appraisal.
157	  It requires the system to be labeled with a security extended
158	  attribute containing the file hash measurement.  To protect
159	  the security extended attributes from offline attack, enable
160	  and configure EVM.
161
162	  For more information on integrity appraisal refer to:
163	  <http://linux-ima.sourceforge.net>
164	  If unsure, say N.
165
166config IMA_ARCH_POLICY
167        bool "Enable loading an IMA architecture specific policy"
168        depends on (KEXEC_SIG && IMA) || IMA_APPRAISE \
169		   && INTEGRITY_ASYMMETRIC_KEYS
170        default n
171        help
172          This option enables loading an IMA architecture specific policy
173          based on run time secure boot flags.
174
175config IMA_APPRAISE_BUILD_POLICY
176	bool "IMA build time configured policy rules"
177	depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS
178	default n
179	help
180	  This option defines an IMA appraisal policy at build time, which
181	  is enforced at run time without having to specify a builtin
182	  policy name on the boot command line.  The build time appraisal
183	  policy rules persist after loading a custom policy.
184
185	  Depending on the rules configured, this policy may require kernel
186	  modules, firmware, the kexec kernel image, and/or the IMA policy
187	  to be signed.  Unsigned files might prevent the system from
188	  booting or applications from working properly.
189
190config IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS
191	bool "Appraise firmware signatures"
192	depends on IMA_APPRAISE_BUILD_POLICY
193	default n
194	help
195	  This option defines a policy requiring all firmware to be signed,
196	  including the regulatory.db.  If both this option and
197	  CFG80211_REQUIRE_SIGNED_REGDB are enabled, then both signature
198	  verification methods are necessary.
199
200config IMA_APPRAISE_REQUIRE_KEXEC_SIGS
201	bool "Appraise kexec kernel image signatures"
202	depends on IMA_APPRAISE_BUILD_POLICY
203	default n
204	help
205	  Enabling this rule will require all kexec'ed kernel images to
206	  be signed and verified by a public key on the trusted IMA
207	  keyring.
208
209	  Kernel image signatures can not be verified by the original
210	  kexec_load syscall.  Enabling this rule will prevent its
211	  usage.
212
213config IMA_APPRAISE_REQUIRE_MODULE_SIGS
214	bool "Appraise kernel modules signatures"
215	depends on IMA_APPRAISE_BUILD_POLICY
216	default n
217	help
218	  Enabling this rule will require all kernel modules to be signed
219	  and verified by a public key on the trusted IMA keyring.
220
221	  Kernel module signatures can only be verified by IMA-appraisal,
222	  via the finit_module syscall. Enabling this rule will prevent
223	  the usage of the init_module syscall.
224
225config IMA_APPRAISE_REQUIRE_POLICY_SIGS
226	bool "Appraise IMA policy signature"
227	depends on IMA_APPRAISE_BUILD_POLICY
228	default n
229	help
230	  Enabling this rule will require the IMA policy to be signed and
231	  and verified by a key on the trusted IMA keyring.
232
233config IMA_APPRAISE_BOOTPARAM
234	bool "ima_appraise boot parameter"
235	depends on IMA_APPRAISE
236	default y
237	help
238	  This option enables the different "ima_appraise=" modes
239	  (eg. fix, log) from the boot command line.
240
241config IMA_APPRAISE_MODSIG
242	bool "Support module-style signatures for appraisal"
243	depends on IMA_APPRAISE
244	depends on INTEGRITY_ASYMMETRIC_KEYS
245	select PKCS7_MESSAGE_PARSER
246	select MODULE_SIG_FORMAT
247	default n
248	help
249	   Adds support for signatures appended to files. The format of the
250	   appended signature is the same used for signed kernel modules.
251	   The modsig keyword can be used in the IMA policy to allow a hook
252	   to accept such signatures.
253
254config IMA_TRUSTED_KEYRING
255	bool "Require all keys on the .ima keyring be signed (deprecated)"
256	depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
257	depends on INTEGRITY_ASYMMETRIC_KEYS
258	select INTEGRITY_TRUSTED_KEYRING
259	default y
260	help
261	   This option requires that all keys added to the .ima
262	   keyring be signed by a key on the system trusted keyring.
263
264	   This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING
265
266config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
267	bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
268	depends on SYSTEM_TRUSTED_KEYRING
269	depends on SECONDARY_TRUSTED_KEYRING
270	depends on INTEGRITY_ASYMMETRIC_KEYS
271	select INTEGRITY_TRUSTED_KEYRING
272	default n
273	help
274	  Keys may be added to the IMA or IMA blacklist keyrings, if the
275	  key is validly signed by a CA cert in the system built-in or
276	  secondary trusted keyrings.
277
278	  Intermediate keys between those the kernel has compiled in and the
279	  IMA keys to be added may be added to the system secondary keyring,
280	  provided they are validly signed by a key already resident in the
281	  built-in or secondary trusted keyrings.
282
283config IMA_BLACKLIST_KEYRING
284	bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
285	depends on SYSTEM_TRUSTED_KEYRING
286	depends on IMA_TRUSTED_KEYRING
287	default n
288	help
289	   This option creates an IMA blacklist keyring, which contains all
290	   revoked IMA keys.  It is consulted before any other keyring.  If
291	   the search is successful the requested operation is rejected and
292	   an error is returned to the caller.
293
294config IMA_LOAD_X509
295	bool "Load X509 certificate onto the '.ima' trusted keyring"
296	depends on IMA_TRUSTED_KEYRING
297	default n
298	help
299	   File signature verification is based on the public keys
300	   loaded on the .ima trusted keyring. These public keys are
301	   X509 certificates signed by a trusted key on the
302	   .system keyring.  This option enables X509 certificate
303	   loading from the kernel onto the '.ima' trusted keyring.
304
305config IMA_X509_PATH
306	string "IMA X509 certificate path"
307	depends on IMA_LOAD_X509
308	default "/etc/keys/x509_ima.der"
309	help
310	   This option defines IMA X509 certificate path.
311
312config IMA_APPRAISE_SIGNED_INIT
313	bool "Require signed user-space initialization"
314	depends on IMA_LOAD_X509
315	default n
316	help
317	   This option requires user-space init to be signed.
318
319config IMA_MEASURE_ASYMMETRIC_KEYS
320	bool
321	depends on IMA
322	depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
323	default y
324
325config IMA_QUEUE_EARLY_BOOT_KEYS
326	bool
327	depends on IMA_MEASURE_ASYMMETRIC_KEYS
328	depends on SYSTEM_TRUSTED_KEYRING
329	default y
330
331config IMA_SECURE_AND_OR_TRUSTED_BOOT
332       bool
333       depends on IMA_ARCH_POLICY
334       help
335          This option is selected by architectures to enable secure and/or
336          trusted boot based on IMA runtime policies.
337