# IBM Integrity Measurement Architecture
#
config IMA
	bool "Integrity Measurement Architecture(IMA)"
	depends on ACPI
	select SECURITYFS
	select CRYPTO
	select CRYPTO_HMAC
	select CRYPTO_MD5
	select CRYPTO_SHA1
	select TCG_TPM
	select TCG_TIS
	help
	  The Trusted Computing Group (TCG) runtime Integrity
	  Measurement Architecture (IMA) maintains a list of hash
	  values of executables and other sensitive system files,
	  as they are read or executed. If an attacker manages
	  to change the contents of an important system file
	  being measured, we can tell.

	  If your system has a TPM chip, then IMA also maintains
	  an aggregate integrity value over this list inside the
	  TPM hardware, so that the TPM can prove to a third party
	  whether or not critical system files have been modified.
	  Read <http://www.usenix.org/events/sec04/tech/sailer.html>
	  to learn more about IMA.
	  If unsure, say N.

config IMA_MEASURE_PCR_IDX
	int
	depends on IMA
	range 8 14
	default 10
	help
	  IMA_MEASURE_PCR_IDX determines the TPM PCR register index
	  that IMA uses to maintain the integrity aggregate of the
	  measurement list. If unsure, use the default 10.

config IMA_AUDIT
	bool
	depends on IMA
	default y
	help
	  This option adds a kernel parameter 'ima_audit', which
	  allows informational auditing messages to be enabled
	  at boot. If this option is selected, informational integrity
	  auditing messages can be enabled with 'ima_audit=1' on
	  the kernel command line.
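The help text above says that IMA keeps a list of file hashes and folds an aggregate of that list into a TPM PCR (PCR 10 by default, per IMA_MEASURE_PCR_IDX) so that a third party can check whether measured files were modified. The way a remote verifier actually uses that is to replay the exported measurement list through the TPM extend operation and compare the result with the PCR value in a TPM quote. The script below is an added, stand-alone illustration of that replay written for this page; it is not kernel code and not part of the IMA tooling. It assumes the original "ima" template layout (template hash = SHA-1 over the 20-byte file digest followed by the file name in a 256-byte NUL-padded field), the one-line-per-entry ascii_runtime_measurements layout (`<pcr> <template-hash> ima <file-hash> <path>`), and that violation entries appear in the list with an all-zero template hash while the PCR was extended with 0xff bytes. All file digests in the sample list are constructed, not hashes of real files.

```python
import hashlib

# Constants matching the Kconfig above: SHA-1 measurements (CRYPTO_SHA1) extended into PCR 10.
PCR_IDX = 10
DIGEST_LEN = 20
NAME_FIELD_LEN = 256  # assumed size of the file-name field in the original 'ima' template


def ima_template_hash(file_digest: bytes, path: str) -> bytes:
    """Template hash for the assumed 'ima' template: sha1(file_digest || path NUL-padded to 256 bytes)."""
    name = path.encode()[: NAME_FIELD_LEN - 1]
    return hashlib.sha1(file_digest + name.ljust(NAME_FIELD_LEN, b"\0")).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2 extend: new_pcr = sha1(old_pcr || digest). Order matters, which is what makes the log tamper-evident."""
    return hashlib.sha1(pcr + digest).digest()


def format_ascii_line(file_digest: bytes, path: str, violation: bool = False) -> str:
    """Render one entry in the assumed ascii_runtime_measurements layout."""
    thash = bytes(DIGEST_LEN) if violation else ima_template_hash(file_digest, path)
    return f"{PCR_IDX} {thash.hex()} ima {file_digest.hex()} {path}"


def parse_ascii_line(line: str):
    pcr, thash, tname, fhash, path = line.split(maxsplit=4)  # path may contain spaces
    return int(pcr), bytes.fromhex(thash), tname, bytes.fromhex(fhash), path


def replay_measurement_list(lines, pcr_idx: int = PCR_IDX) -> bytes:
    """Recompute the aggregate a verifier expects to find in the TPM PCR for this list."""
    pcr = bytes(DIGEST_LEN)  # the PCR starts all-zero after reset
    for line in lines:
        idx, thash, tname, fhash, path = parse_ascii_line(line)
        if idx != pcr_idx:
            continue
        if thash == bytes(DIGEST_LEN):
            # Violation entry: listed with a zero template hash, PCR extended with 0xff bytes (assumed).
            pcr = pcr_extend(pcr, b"\xff" * DIGEST_LEN)
            continue
        # Each entry must be self-consistent before it is trusted to extend the replayed value.
        if ima_template_hash(fhash, path) != thash:
            raise ValueError(f"template hash does not match file hash/path for {path}")
        pcr = pcr_extend(pcr, thash)
    return pcr


def verify_against_tpm(lines, tpm_pcr_hex: str) -> bool:
    """True only if the list replays to the PCR value reported in the TPM quote."""
    return replay_measurement_list(lines) == bytes.fromhex(tpm_pcr_hex)


# Constructed sample list: digests are made up, not real hashes of these files.
SAMPLE_FILES = [
    (hashlib.sha1(b"constructed boot aggregate").digest(), "boot_aggregate"),
    (hashlib.sha1(b"constructed /sbin/init").digest(), "/sbin/init"),
    (hashlib.sha1(b"constructed libc").digest(), "/lib/libc.so.6"),
]
SAMPLE_LIST = [format_ascii_line(d, p) for d, p in SAMPLE_FILES]
# A violation entry (e.g. a file open for write while being measured) sits between them.
SAMPLE_LIST.insert(2, format_ascii_line(SAMPLE_FILES[1][0], "/sbin/init", violation=True))

# The PCR 10 value a TPM quote would report for the constructed system above.
GOOD_PCR10 = replay_measurement_list(SAMPLE_LIST).hex()


def modified_list():
    """The same list with the /sbin/init entry rewritten after the fact, template hash recomputed to look consistent."""
    other = hashlib.sha1(b"constructed different init").digest()
    lines = list(SAMPLE_LIST)
    lines[1] = format_ascii_line(other, "/sbin/init")
    return lines


if __name__ == "__main__":
    print("replayed PCR10:", GOOD_PCR10)
    print("original list verifies:", verify_against_tpm(SAMPLE_LIST, GOOD_PCR10))
    print("edited list verifies:", verify_against_tpm(modified_list(), GOOD_PCR10))
```

The point the example makes concrete: the list on its own can be edited into a self-consistent shape, but because each entry was already folded into the PCR in order, an edited list no longer replays to the value the TPM will sign, so the verifier can tell that the measured file (or the list) changed. The violation branch matters in practice: a replay that extends with the zero template hash shown in the list instead of 0xff bytes will fail on any system that recorded a violation.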