1 # SPDX-License-Identifier: GPL-2.0-only
2 # IBM Integrity Measurement Architecture
3 #
4 config IMA
5 bool "Integrity Measurement Architectu
6 select SECURITYFS
7 select CRYPTO
8 select CRYPTO_HMAC
9 select CRYPTO_SHA1
10 select CRYPTO_HASH_INFO
11 select SECURITY_PATH
12 select TCG_TPM if HAS_IOMEM
13 select TCG_TIS if TCG_TPM && X86
14 select TCG_CRB if TCG_TPM && ACPI
15 select TCG_IBMVTPM if TCG_TPM && PPC_P
16 select INTEGRITY_AUDIT if AUDIT
17 help
18 The Trusted Computing Group(TCG) run
19 Measurement Architecture(IMA) mainta
20 values of executables and other sens
21 as they are read or executed. If an
22 to change the contents of an importa
23 being measured, we can tell.
24
25 If your system has a TPM chip, then
26 an aggregate integrity value over th
27 TPM hardware, so that the TPM can pr
28 whether or not critical system files
29 Read <https://www.usenix.org/events/
30 to learn more about IMA.
31 If unsure, say N.
32
33 if IMA
34
35 config IMA_KEXEC
36 bool "Enable carrying the IMA measurem
37 depends on TCG_TPM && HAVE_IMA_KEXEC
38 default n
39 help
40 TPM PCRs are only reset on a hard r
41 a TPM's quote after a soft boot, th
42 running kernel must be saved and re
43
44 Depending on the IMA policy, the me
45 be very large.
46
47 config IMA_MEASURE_PCR_IDX
48 int
49 range 8 14
50 default 10
51 help
52 IMA_MEASURE_PCR_IDX determines the T
53 that IMA uses to maintain the integr
54 measurement list. If unsure, use th
55
56 config IMA_LSM_RULES
57 bool
58 depends on AUDIT && (SECURITY_SELINUX
59 default y
60 help
61 Disabling this option will disregard
62
63 choice
64 prompt "Default template"
65 default IMA_NG_TEMPLATE
66 help
67 Select the default IMA measurement t
68
69 The original 'ima' measurement list
70 hash, defined as 20 bytes, and a nul
71 limited to 255 characters. The 'ima
72 template permits both larger hash di
73 pathnames. The configured default te
74 by specifying "ima_template=" on the
75
76 config IMA_NG_TEMPLATE
77 bool "ima-ng (default)"
78 config IMA_SIG_TEMPLATE
79 bool "ima-sig"
80 endchoice
81
82 config IMA_DEFAULT_TEMPLATE
83 string
84 default "ima-ng" if IMA_NG_TEMPLATE
85 default "ima-sig" if IMA_SIG_TEMPLATE
86
87 choice
88 prompt "Default integrity hash algorit
89 default IMA_DEFAULT_HASH_SHA1
90 help
91 Select the default hash algorithm u
92 list, integrity appraisal and audit
93 hash algorithm can be overwritten u
94 line 'ima_hash=' option.
95
96 config IMA_DEFAULT_HASH_SHA1
97 bool "SHA1 (default)"
98 depends on CRYPTO_SHA1=y
99
100 config IMA_DEFAULT_HASH_SHA256
101 bool "SHA256"
102 depends on CRYPTO_SHA256=y
103
104 config IMA_DEFAULT_HASH_SHA512
105 bool "SHA512"
106 depends on CRYPTO_SHA512=y
107
108 config IMA_DEFAULT_HASH_WP512
109 bool "WP512"
110 depends on CRYPTO_WP512=y
111
112 config IMA_DEFAULT_HASH_SM3
113 bool "SM3"
114 depends on CRYPTO_SM3_GENERIC=
115 endchoice
116
117 config IMA_DEFAULT_HASH
118 string
119 default "sha1" if IMA_DEFAULT_HASH_SHA
120 default "sha256" if IMA_DEFAULT_HASH_S
121 default "sha512" if IMA_DEFAULT_HASH_S
122 default "wp512" if IMA_DEFAULT_HASH_WP
123 default "sm3" if IMA_DEFAULT_HASH_SM3
124
125 config IMA_WRITE_POLICY
126 bool "Enable multiple writes to the IM
127 default n
128 help
129 IMA policy can now be updated multip
130 appended to the original policy. Ha
131 scanned in FIFO order so be careful
132
133 If unsure, say N.
134
135 config IMA_READ_POLICY
136 bool "Enable reading back the current
137 default y if IMA_WRITE_POLICY
138 default n if !IMA_WRITE_POLICY
139 help
140 It is often useful to be able to re
141 even more important after introduci
142 This option allows the root user to
143
144 config IMA_APPRAISE
145 bool "Appraise integrity measurements"
146 default n
147 help
148 This option enables local measuremen
149 It requires the system to be labeled
150 attribute containing the file hash m
151 the security extended attributes fro
152 and configure EVM.
153
154 For more information on integrity ap
155 <http://linux-ima.sourceforge.net>
156 If unsure, say N.
157
158 config IMA_ARCH_POLICY
159 bool "Enable loading an IMA architectu
160 depends on (KEXEC_SIG && IMA) || IMA_A
161 && INTEGRITY_ASYMMETRIC_KEY
162 default n
163 help
164 This option enables loading an IMA a
165 based on run time secure boot flags.
166
167 config IMA_APPRAISE_BUILD_POLICY
168 bool "IMA build time configured policy
169 depends on IMA_APPRAISE && INTEGRITY_A
170 default n
171 help
172 This option defines an IMA appraisal
173 is enforced at run time without havi
174 policy name on the boot command line
175 policy rules persist after loading a
176
177 Depending on the rules configured, t
178 modules, firmware, the kexec kernel
179 to be signed. Unsigned files might
180 booting or applications from working
181
182 config IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS
183 bool "Appraise firmware signatures"
184 depends on IMA_APPRAISE_BUILD_POLICY
185 default n
186 help
187 This option defines a policy requiri
188 including the regulatory.db. If bot
189 CFG80211_REQUIRE_SIGNED_REGDB are en
190 verification methods are necessary.
191
192 config IMA_APPRAISE_REQUIRE_KEXEC_SIGS
193 bool "Appraise kexec kernel image sign
194 depends on IMA_APPRAISE_BUILD_POLICY
195 default n
196 help
197 Enabling this rule will require all
198 be signed and verified by a public k
199 keyring.
200
201 Kernel image signatures can not be v
202 kexec_load syscall. Enabling this r
203 usage.
204
205 config IMA_APPRAISE_REQUIRE_MODULE_SIGS
206 bool "Appraise kernel modules signatur
207 depends on IMA_APPRAISE_BUILD_POLICY
208 default n
209 help
210 Enabling this rule will require all
211 and verified by a public key on the
212
213 Kernel module signatures can only be
214 via the finit_module syscall. Enabli
215 the usage of the init_module syscall
216
217 config IMA_APPRAISE_REQUIRE_POLICY_SIGS
218 bool "Appraise IMA policy signature"
219 depends on IMA_APPRAISE_BUILD_POLICY
220 default n
221 help
222 Enabling this rule will require the
223 and verified by a key on the trusted
224
225 config IMA_APPRAISE_BOOTPARAM
226 bool "ima_appraise boot parameter"
227 depends on IMA_APPRAISE
228 default y
229 help
230 This option enables the different "i
231 (eg. fix, log) from the boot command
232
233 config IMA_APPRAISE_MODSIG
234 bool "Support module-style signatures
235 depends on IMA_APPRAISE
236 depends on INTEGRITY_ASYMMETRIC_KEYS
237 select PKCS7_MESSAGE_PARSER
238 select MODULE_SIG_FORMAT
239 default n
240 help
241 Adds support for signatures appende
242 appended signature is the same used
243 The modsig keyword can be used in t
244 to accept such signatures.
245
246 config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_O
247 bool "Permit keys validly signed by a
248 depends on SYSTEM_TRUSTED_KEYRING
249 depends on SECONDARY_TRUSTED_KEYRING
250 depends on INTEGRITY_ASYMMETRIC_KEYS
251 select INTEGRITY_TRUSTED_KEYRING
252 default n
253 help
254 Keys may be added to the IMA or IMA
255 key is validly signed by a CA cert i
256 machine (if configured), or secondar
257 key must also have the digitalSignat
258
259 Intermediate keys between those the
260 IMA keys to be added may be added to
261 provided they are validly signed by
262 built-in, machine (if configured) or
263
264 config IMA_BLACKLIST_KEYRING
265 bool "Create IMA machine owner blackli
266 depends on SYSTEM_TRUSTED_KEYRING
267 depends on INTEGRITY_TRUSTED_KEYRING
268 default n
269 help
270 This option creates an IMA blacklis
271 revoked IMA keys. It is consulted
272 the search is successful the reques
273 an error is returned to the caller.
274
275 config IMA_LOAD_X509
276 bool "Load X509 certificate onto the '
277 depends on INTEGRITY_TRUSTED_KEYRING
278 default n
279 help
280 File signature verification is base
281 loaded on the .ima trusted keyring.
282 X509 certificates signed by a trust
283 .system keyring. This option enabl
284 loading from the kernel onto the '.
285
286 config IMA_X509_PATH
287 string "IMA X509 certificate path"
288 depends on IMA_LOAD_X509
289 default "/etc/keys/x509_ima.der"
290 help
291 This option defines IMA X509 certif
292
293 config IMA_APPRAISE_SIGNED_INIT
294 bool "Require signed user-space initia
295 depends on IMA_LOAD_X509
296 default n
297 help
298 This option requires user-space ini
299
300 config IMA_MEASURE_ASYMMETRIC_KEYS
301 bool
302 depends on ASYMMETRIC_PUBLIC_KEY_SUBTY
303 default y
304
305 config IMA_QUEUE_EARLY_BOOT_KEYS
306 bool
307 depends on IMA_MEASURE_ASYMMETRIC_KEYS
308 depends on SYSTEM_TRUSTED_KEYRING
309 default y
310
311 config IMA_SECURE_AND_OR_TRUSTED_BOOT
312 bool
313 depends on IMA_ARCH_POLICY
314 help
315 This option is selected by architect
316 trusted boot based on IMA runtime po
317
318 config IMA_DISABLE_HTABLE
319 bool "Disable htable to allow measurem
320 default n
321 help
322 This option disables htable to allo
323
324 endif
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.