Kconfig (be210c6d3597faf330cb9af33b9f1591d7b2a983) | Kconfig (91e326563ee34509c35267808a4b1b3ea3db62a8) |
---|---|
1# SPDX-License-Identifier: GPL-2.0-only 2# IBM Integrity Measurement Architecture 3# 4config IMA 5 bool "Integrity Measurement Architecture(IMA)" 6 select SECURITYFS 7 select CRYPTO 8 select CRYPTO_HMAC --- 15 unchanged lines hidden (view full) --- 24 If your system has a TPM chip, then IMA also maintains 25 an aggregate integrity value over this list inside the 26 TPM hardware, so that the TPM can prove to a third party 27 whether or not critical system files have been modified. 28 Read <https://www.usenix.org/events/sec04/tech/sailer.html> 29 to learn more about IMA. 30 If unsure, say N. 31 | 1# SPDX-License-Identifier: GPL-2.0-only 2# IBM Integrity Measurement Architecture 3# 4config IMA 5 bool "Integrity Measurement Architecture(IMA)" 6 select SECURITYFS 7 select CRYPTO 8 select CRYPTO_HMAC --- 15 unchanged lines hidden (view full) --- 24 If your system has a TPM chip, then IMA also maintains 25 an aggregate integrity value over this list inside the 26 TPM hardware, so that the TPM can prove to a third party 27 whether or not critical system files have been modified. 28 Read <https://www.usenix.org/events/sec04/tech/sailer.html> 29 to learn more about IMA. 30 If unsure, say N. 31 |
32if IMA 33 |
|
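Review bot: the new `if IMA` at line 32 attaches an implicit `depends on IMA` to every entry up to the matching `endif`, so each `depends on IMA` dropped further down is redundant only because the symbol now sits inside this block. The collapsed regions (lines 9-23, 98-110 and 159-298 are shown as unchanged) are not visible in this view; please confirm with a grep that no `depends on IMA` survives in them, since a leftover would be harmless but would defeat the point of the cleanup, and that no IMA symbol is defined below the closing `endif`.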
32config IMA_KEXEC 33 bool "Enable carrying the IMA measurement list across a soft boot" | 34config IMA_KEXEC 35 bool "Enable carrying the IMA measurement list across a soft boot" |
34 depends on IMA && TCG_TPM && HAVE_IMA_KEXEC | 36 depends on TCG_TPM && HAVE_IMA_KEXEC |
35 default n 36 help 37 TPM PCRs are only reset on a hard reboot. In order to validate 38 a TPM's quote after a soft boot, the IMA measurement list of the 39 running kernel must be saved and restored on boot. 40 41 Depending on the IMA policy, the measurement list can grow to 42 be very large. 43 44config IMA_MEASURE_PCR_IDX 45 int | 37 default n 38 help 39 TPM PCRs are only reset on a hard reboot. In order to validate 40 a TPM's quote after a soft boot, the IMA measurement list of the 41 running kernel must be saved and restored on boot. 42 43 Depending on the IMA policy, the measurement list can grow to 44 be very large. 45 46config IMA_MEASURE_PCR_IDX 47 int |
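Review bot: the rewrite of line 34 `depends on IMA && TCG_TPM && HAVE_IMA_KEXEC` to `depends on TCG_TPM && HAVE_IMA_KEXEC` is exact only because IMA appears as a plain conjunct; the same holds for IMA_LSM_RULES at line 57. A clause where IMA appeared under `||`, negated, or inside a `default ... if` expression could not be reduced this way, so the hidden ranges should be checked for that pattern as well before treating the whole series as a no-op. Unrelated to this change but worth a follow-up: `default n` at line 37 (and at line 319) is the Kconfig default and can go.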
46 depends on IMA | |
47 range 8 14 48 default 10 49 help 50 IMA_MEASURE_PCR_IDX determines the TPM PCR register index 51 that IMA uses to maintain the integrity aggregate of the 52 measurement list. If unsure, use the default 10. 53 54config IMA_LSM_RULES 55 bool | 48 range 8 14 49 default 10 50 help 51 IMA_MEASURE_PCR_IDX determines the TPM PCR register index 52 that IMA uses to maintain the integrity aggregate of the 53 measurement list. If unsure, use the default 10. 54 55config IMA_LSM_RULES 56 bool |
56 depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK || SECURITY_APPARMOR) | 57 depends on AUDIT && (SECURITY_SELINUX || SECURITY_SMACK || SECURITY_APPARMOR) |
57 default y 58 help 59 Disabling this option will disregard LSM based policy rules. 60 61choice 62 prompt "Default template" 63 default IMA_NG_TEMPLATE | 58 default y 59 help 60 Disabling this option will disregard LSM based policy rules. 61 62choice 63 prompt "Default template" 64 default IMA_NG_TEMPLATE |
64 depends on IMA | |
65 help 66 Select the default IMA measurement template. 67 68 The original 'ima' measurement list template contains a 69 hash, defined as 20 bytes, and a null terminated pathname, 70 limited to 255 characters. The 'ima-ng' measurement list 71 template permits both larger hash digests and longer 72 pathnames. The configured default template can be replaced 73 by specifying "ima_template=" on the boot command line. 74 75 config IMA_NG_TEMPLATE 76 bool "ima-ng (default)" 77 config IMA_SIG_TEMPLATE 78 bool "ima-sig" 79endchoice 80 81config IMA_DEFAULT_TEMPLATE 82 string | 65 help 66 Select the default IMA measurement template. 67 68 The original 'ima' measurement list template contains a 69 hash, defined as 20 bytes, and a null terminated pathname, 70 limited to 255 characters. The 'ima-ng' measurement list 71 template permits both larger hash digests and longer 72 pathnames. The configured default template can be replaced 73 by specifying "ima_template=" on the boot command line. 74 75 config IMA_NG_TEMPLATE 76 bool "ima-ng (default)" 77 config IMA_SIG_TEMPLATE 78 bool "ima-sig" 79endchoice 80 81config IMA_DEFAULT_TEMPLATE 82 string |
83 depends on IMA | |
84 default "ima-ng" if IMA_NG_TEMPLATE 85 default "ima-sig" if IMA_SIG_TEMPLATE 86 87choice 88 prompt "Default integrity hash algorithm" 89 default IMA_DEFAULT_HASH_SHA1 | 83 default "ima-ng" if IMA_NG_TEMPLATE 84 default "ima-sig" if IMA_SIG_TEMPLATE 85 86choice 87 prompt "Default integrity hash algorithm" 88 default IMA_DEFAULT_HASH_SHA1 |
90 depends on IMA | |
91 help 92 Select the default hash algorithm used for the measurement 93 list, integrity appraisal and audit log. The compiled default 94 hash algorithm can be overwritten using the kernel command 95 line 'ima_hash=' option. 96 97 config IMA_DEFAULT_HASH_SHA1 98 bool "SHA1 (default)" --- 13 unchanged lines hidden (view full) --- 112 113 config IMA_DEFAULT_HASH_SM3 114 bool "SM3" 115 depends on CRYPTO_SM3_GENERIC=y 116endchoice 117 118config IMA_DEFAULT_HASH 119 string | 89 help 90 Select the default hash algorithm used for the measurement 91 list, integrity appraisal and audit log. The compiled default 92 hash algorithm can be overwritten using the kernel command 93 line 'ima_hash=' option. 94 95 config IMA_DEFAULT_HASH_SHA1 96 bool "SHA1 (default)" --- 13 unchanged lines hidden (view full) --- 110 111 config IMA_DEFAULT_HASH_SM3 112 bool "SM3" 113 depends on CRYPTO_SM3_GENERIC=y 114endchoice 115 116config IMA_DEFAULT_HASH 117 string |
120 depends on IMA | |
121 default "sha1" if IMA_DEFAULT_HASH_SHA1 122 default "sha256" if IMA_DEFAULT_HASH_SHA256 123 default "sha512" if IMA_DEFAULT_HASH_SHA512 124 default "wp512" if IMA_DEFAULT_HASH_WP512 125 default "sm3" if IMA_DEFAULT_HASH_SM3 126 127config IMA_WRITE_POLICY 128 bool "Enable multiple writes to the IMA policy" | 118 default "sha1" if IMA_DEFAULT_HASH_SHA1 119 default "sha256" if IMA_DEFAULT_HASH_SHA256 120 default "sha512" if IMA_DEFAULT_HASH_SHA512 121 default "wp512" if IMA_DEFAULT_HASH_WP512 122 default "sm3" if IMA_DEFAULT_HASH_SM3 123 124config IMA_WRITE_POLICY 125 bool "Enable multiple writes to the IMA policy" |
129 depends on IMA | |
130 default n 131 help 132 IMA policy can now be updated multiple times. The new rules get 133 appended to the original policy. Have in mind that the rules are 134 scanned in FIFO order so be careful when you design and add new ones. 135 136 If unsure, say N. 137 138config IMA_READ_POLICY 139 bool "Enable reading back the current IMA policy" | 126 default n 127 help 128 IMA policy can now be updated multiple times. The new rules get 129 appended to the original policy. Have in mind that the rules are 130 scanned in FIFO order so be careful when you design and add new ones. 131 132 If unsure, say N. 133 134config IMA_READ_POLICY 135 bool "Enable reading back the current IMA policy" |
140 depends on IMA | |
141 default y if IMA_WRITE_POLICY 142 default n if !IMA_WRITE_POLICY 143 help 144 It is often useful to be able to read back the IMA policy. It is 145 even more important after introducing CONFIG_IMA_WRITE_POLICY. 146 This option allows the root user to see the current policy rules. 147 148config IMA_APPRAISE 149 bool "Appraise integrity measurements" | 136 default y if IMA_WRITE_POLICY 137 default n if !IMA_WRITE_POLICY 138 help 139 It is often useful to be able to read back the IMA policy. It is 140 even more important after introducing CONFIG_IMA_WRITE_POLICY. 141 This option allows the root user to see the current policy rules. 142 143config IMA_APPRAISE 144 bool "Appraise integrity measurements" |
150 depends on IMA | |
151 default n 152 help 153 This option enables local measurement integrity appraisal. 154 It requires the system to be labeled with a security extended 155 attribute containing the file hash measurement. To protect 156 the security extended attributes from offline attack, enable 157 and configure EVM. 158 --- 140 unchanged lines hidden (view full) --- 299 bool "Require signed user-space initialization" 300 depends on IMA_LOAD_X509 301 default n 302 help 303 This option requires user-space init to be signed. 304 305config IMA_MEASURE_ASYMMETRIC_KEYS 306 bool | 145 default n 146 help 147 This option enables local measurement integrity appraisal. 148 It requires the system to be labeled with a security extended 149 attribute containing the file hash measurement. To protect 150 the security extended attributes from offline attack, enable 151 and configure EVM. 152 --- 140 unchanged lines hidden (view full) --- 293 bool "Require signed user-space initialization" 294 depends on IMA_LOAD_X509 295 default n 296 help 297 This option requires user-space init to be signed. 298 299config IMA_MEASURE_ASYMMETRIC_KEYS 300 bool |
307 depends on IMA | |
308 depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y 309 default y 310 311config IMA_QUEUE_EARLY_BOOT_KEYS 312 bool 313 depends on IMA_MEASURE_ASYMMETRIC_KEYS 314 depends on SYSTEM_TRUSTED_KEYRING 315 default y 316 317config IMA_SECURE_AND_OR_TRUSTED_BOOT 318 bool 319 depends on IMA_ARCH_POLICY 320 help 321 This option is selected by architectures to enable secure and/or 322 trusted boot based on IMA runtime policies. 323 324config IMA_DISABLE_HTABLE 325 bool "Disable htable to allow measurement of duplicate records" | 301 depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y 302 default y 303 304config IMA_QUEUE_EARLY_BOOT_KEYS 305 bool 306 depends on IMA_MEASURE_ASYMMETRIC_KEYS 307 depends on SYSTEM_TRUSTED_KEYRING 308 default y 309 310config IMA_SECURE_AND_OR_TRUSTED_BOOT 311 bool 312 depends on IMA_ARCH_POLICY 313 help 314 This option is selected by architectures to enable secure and/or 315 trusted boot based on IMA runtime policies. 316 317config IMA_DISABLE_HTABLE 318 bool "Disable htable to allow measurement of duplicate records" |
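Review bot: IMA_QUEUE_EARLY_BOOT_KEYS and IMA_SECURE_AND_OR_TRUSTED_BOOT (lines 304-315 on the right) never carried a direct `depends on IMA`, yet they now inherit one from the enclosing `if IMA`, so this hunk is a small dependency change rather than a pure cleanup. IMA_SECURE_AND_OR_TRUSTED_BOOT is, per its own help text, `select`ed by architectures, and `select` does not honour dependencies, so an architecture selecting it with IMA=n would now also see an unmet-dependency warning for IMA. Its existing `depends on IMA_ARCH_POLICY` should already imply IMA, but IMA_ARCH_POLICY lives in the hidden range; it would help to state in the commit message that these two symbols gain the dependency and why that is intended.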
326 depends on IMA | |
327 default n 328 help 329 This option disables htable to allow measurement of duplicate records. | 319 default n 320 help 321 This option disables htable to allow measurement of duplicate records. |
322 323endif |
|
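Review bot: with the block spanning close to 290 lines, the bare `endif` at line 323 is hard to pair with its opener when reading the bottom of the file; the usual Kconfig style is `endif # IMA` so the closing names the symbol it closes. The blank line 322 before it is fine.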