security/integrity/ima/Kconfig

   1 # IBM Integrity Measurement Architecture
   2 #
   3 config IMA
   4         bool "Integrity Measurement Architecture(IMA)"
   5         select SECURITYFS
   6         select CRYPTO
   7         select CRYPTO_HMAC
   8         select CRYPTO_MD5
   9         select CRYPTO_SHA1
  10         select CRYPTO_HASH_INFO
  11         select TCG_TPM if HAS_IOMEM && !UML
  12         select TCG_TIS if TCG_TPM && X86
  13         select TCG_IBMVTPM if TCG_TPM && PPC64
  14         help
  15           The Trusted Computing Group(TCG) runtime Integrity
  16           Measurement Architecture(IMA) maintains a list of hash
  17           values of executables and other sensitive system files,
  18           as they are read or executed. If an attacker manages
  19           to change the contents of an important system file
  20           being measured, we can tell.
  21
  22           If your system has a TPM chip, then IMA also maintains
  23           an aggregate integrity value over this list inside the
  24           TPM hardware, so that the TPM can prove to a third party
  25           whether or not critical system files have been modified.
  26           Read <http://www.usenix.org/events/sec04/tech/sailer.html>
  27           to learn more about IMA.
  28           If unsure, say N.
  29
  30 config IMA_MEASURE_PCR_IDX
  31         int
  32         depends on IMA
  33         range 8 14
  34         default 10
  35         help
  36           IMA_MEASURE_PCR_IDX determines the TPM PCR register index
  37           that IMA uses to maintain the integrity aggregate of the
  38           measurement list.  If unsure, use the default 10.
  39
  40 config IMA_LSM_RULES
  41         bool
  42         depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)
  43         default y
  44         help
  45           Disabling this option will disregard LSM based policy rules.
  46
  47 choice
  48         prompt "Default template"
  49         default IMA_NG_TEMPLATE
  50         depends on IMA
  51         help
  52           Select the default IMA measurement template.
  53
  54           The original 'ima' measurement list template contains a
  55           hash, defined as 20 bytes, and a null terminated pathname,
  56           limited to 255 characters.  The 'ima-ng' measurement list
  57           template permits both larger hash digests and longer
  58           pathnames.
  59
  60         config IMA_TEMPLATE
  61                 bool "ima"
  62         config IMA_NG_TEMPLATE
  63                 bool "ima-ng (default)"
  64         config IMA_SIG_TEMPLATE
  65                 bool "ima-sig"
  66 endchoice
  67
  68 config IMA_DEFAULT_TEMPLATE
  69         string
  70         depends on IMA
  71         default "ima" if IMA_TEMPLATE
  72         default "ima-ng" if IMA_NG_TEMPLATE
  73         default "ima-sig" if IMA_SIG_TEMPLATE
  74
  75 choice
  76         prompt "Default integrity hash algorithm"
  77         default IMA_DEFAULT_HASH_SHA1
  78         depends on IMA
  79         help
  80            Select the default hash algorithm used for the measurement
  81            list, integrity appraisal and audit log.  The compiled default
  82            hash algorithm can be overwritten using the kernel command
  83            line 'ima_hash=' option.
  84
  85         config IMA_DEFAULT_HASH_SHA1
  86                 bool "SHA1 (default)"
  87                 depends on CRYPTO_SHA1
  88
  89         config IMA_DEFAULT_HASH_SHA256
  90                 bool "SHA256"
  91                 depends on CRYPTO_SHA256 && !IMA_TEMPLATE
  92
  93         config IMA_DEFAULT_HASH_SHA512
  94                 bool "SHA512"
  95                 depends on CRYPTO_SHA512 && !IMA_TEMPLATE
  96
  97         config IMA_DEFAULT_HASH_WP512
  98                 bool "WP512"
  99                 depends on CRYPTO_WP512 && !IMA_TEMPLATE
 100 endchoice
 101
 102 config IMA_DEFAULT_HASH
 103         string
 104         depends on IMA
 105         default "sha1" if IMA_DEFAULT_HASH_SHA1
 106         default "sha256" if IMA_DEFAULT_HASH_SHA256
 107         default "sha512" if IMA_DEFAULT_HASH_SHA512
 108         default "wp512" if IMA_DEFAULT_HASH_WP512
 109
 110 config IMA_APPRAISE
 111         bool "Appraise integrity measurements"
 112         depends on IMA
 113         default n
 114         help
 115           This option enables local measurement integrity appraisal.
 116           It requires the system to be labeled with a security extended
 117           attribute containing the file hash measurement.  To protect
 118           the security extended attributes from offline attack, enable
 119           and configure EVM.
 120
 121           For more information on integrity appraisal refer to:
 122           <http://linux-ima.sourceforge.net>
 123           If unsure, say N.
 124
 125 config IMA_TRUSTED_KEYRING
 126         bool "Require all keys on the .ima keyring be signed"
 127         depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
 128         depends on INTEGRITY_ASYMMETRIC_KEYS
 129         select KEYS_DEBUG_PROC_KEYS
 130         default y
 131         help
 132            This option requires that all keys added to the .ima
 133            keyring be signed by a key on the system trusted keyring.