xref: /linux/security/integrity/ima/Kconfig (revision 38d192684e8b1811c352c208447d565f8f0a309f)
13323eec9SMimi Zohar# IBM Integrity Measurement Architecture
23323eec9SMimi Zohar#
33323eec9SMimi Zoharconfig IMA
43323eec9SMimi Zohar	bool "Integrity Measurement Architecture(IMA)"
53323eec9SMimi Zohar	select SECURITYFS
63323eec9SMimi Zohar	select CRYPTO
73323eec9SMimi Zohar	select CRYPTO_HMAC
83323eec9SMimi Zohar	select CRYPTO_MD5
93323eec9SMimi Zohar	select CRYPTO_SHA1
10c7c8bb23SDmitry Kasatkin	select CRYPTO_HASH_INFO
11f4a0391dSFabio Estevam	select TCG_TPM if HAS_IOMEM && !UML
12a69f1589SRandy Dunlap	select TCG_TIS if TCG_TPM && X86
1363a0eb78SMichael Ellerman	select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
143323eec9SMimi Zohar	help
153323eec9SMimi Zohar	  The Trusted Computing Group (TCG) runtime Integrity
163323eec9SMimi Zohar	  Measurement Architecture (IMA) maintains a list of hash
173323eec9SMimi Zohar	  values of executables and other sensitive system files,
183323eec9SMimi Zohar	  as they are read or executed. If an attacker manages
193323eec9SMimi Zohar	  to change the contents of an important system file
203323eec9SMimi Zohar	  being measured, we can tell.
213323eec9SMimi Zohar
223323eec9SMimi Zohar	  If your system has a TPM chip, then IMA also maintains
233323eec9SMimi Zohar	  an aggregate integrity value over this list inside the
243323eec9SMimi Zohar	  TPM hardware, so that the TPM can prove to a third party
253323eec9SMimi Zohar	  whether or not critical system files have been modified.
263323eec9SMimi Zohar	  Read <http://www.usenix.org/events/sec04/tech/sailer.html>
273323eec9SMimi Zohar	  to learn more about IMA.
283323eec9SMimi Zohar	  If unsure, say N.
293323eec9SMimi Zohar
30d158847aSMimi Zoharconfig IMA_KEXEC
31d158847aSMimi Zohar	bool "Enable carrying the IMA measurement list across a soft boot"
32d158847aSMimi Zohar	depends on IMA && TCG_TPM && HAVE_IMA_KEXEC
33d158847aSMimi Zohar	default n
34d158847aSMimi Zohar	help
35d158847aSMimi Zohar	   TPM PCRs are only reset on a hard reboot.  In order to validate
36d158847aSMimi Zohar	   a TPM's quote after a soft boot, the IMA measurement list of the
37d158847aSMimi Zohar	   running kernel must be saved and restored on boot.
38d158847aSMimi Zohar
39d158847aSMimi Zohar	   Depending on the IMA policy, the measurement list can grow to
40d158847aSMimi Zohar	   be very large.
41d158847aSMimi Zohar
423323eec9SMimi Zoharconfig IMA_MEASURE_PCR_IDX
433323eec9SMimi Zohar	int
443323eec9SMimi Zohar	depends on IMA
453323eec9SMimi Zohar	range 8 14
463323eec9SMimi Zohar	default 10
473323eec9SMimi Zohar	help
483323eec9SMimi Zohar	  IMA_MEASURE_PCR_IDX determines the TPM PCR register index
493323eec9SMimi Zohar	  that IMA uses to maintain the integrity aggregate of the
503323eec9SMimi Zohar	  measurement list.  If unsure, use the default 10.
513323eec9SMimi Zohar
524af4662fSMimi Zoharconfig IMA_LSM_RULES
534af4662fSMimi Zohar	bool
54b53fab9dSRandy Dunlap	depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)
554af4662fSMimi Zohar	default y
564af4662fSMimi Zohar	help
57b53fab9dSRandy Dunlap	  Disabling this option will disregard LSM based policy rules.
582fe5d6deSMimi Zohar
594286587dSMimi Zoharchoice
604286587dSMimi Zohar	prompt "Default template"
614286587dSMimi Zohar	default IMA_NG_TEMPLATE
624286587dSMimi Zohar	depends on IMA
634286587dSMimi Zohar	help
644286587dSMimi Zohar	  Select the default IMA measurement template.
654286587dSMimi Zohar
664286587dSMimi Zohar	  The original 'ima' measurement list template contains a
674286587dSMimi Zohar	  hash, defined as 20 bytes, and a null terminated pathname,
684286587dSMimi Zohar	  limited to 255 characters.  The 'ima-ng' measurement list
694286587dSMimi Zohar	  template permits both larger hash digests and longer
704286587dSMimi Zohar	  pathnames.
714286587dSMimi Zohar
724286587dSMimi Zohar	config IMA_TEMPLATE
734286587dSMimi Zohar		bool "ima"
744286587dSMimi Zohar	config IMA_NG_TEMPLATE
754286587dSMimi Zohar		bool "ima-ng (default)"
76bcbc9b0cSMimi Zohar	config IMA_SIG_TEMPLATE
77bcbc9b0cSMimi Zohar		bool "ima-sig"
784286587dSMimi Zoharendchoice
794286587dSMimi Zohar
804286587dSMimi Zoharconfig IMA_DEFAULT_TEMPLATE
814286587dSMimi Zohar	string
824286587dSMimi Zohar	depends on IMA
834286587dSMimi Zohar	default "ima" if IMA_TEMPLATE
844286587dSMimi Zohar	default "ima-ng" if IMA_NG_TEMPLATE
85bcbc9b0cSMimi Zohar	default "ima-sig" if IMA_SIG_TEMPLATE
864286587dSMimi Zohar
87e7a2ad7eSMimi Zoharchoice
88e7a2ad7eSMimi Zohar	prompt "Default integrity hash algorithm"
89e7a2ad7eSMimi Zohar	default IMA_DEFAULT_HASH_SHA1
90e7a2ad7eSMimi Zohar	depends on IMA
91e7a2ad7eSMimi Zohar	help
92e7a2ad7eSMimi Zohar	   Select the default hash algorithm used for the measurement
93e7a2ad7eSMimi Zohar	   list, integrity appraisal and audit log.  The compiled default
94e7a2ad7eSMimi Zohar	   hash algorithm can be overridden using the kernel command
95e7a2ad7eSMimi Zohar	   line 'ima_hash=' option.  SHA1 is no longer considered collision resistant; prefer a stronger algorithm where the selected template permits it.
96e7a2ad7eSMimi Zohar
97e7a2ad7eSMimi Zohar	config IMA_DEFAULT_HASH_SHA1
98e7a2ad7eSMimi Zohar		bool "SHA1 (default)"
99*38d19268SBen Hutchings		depends on CRYPTO_SHA1=y
100e7a2ad7eSMimi Zohar
101e7a2ad7eSMimi Zohar	config IMA_DEFAULT_HASH_SHA256
102e7a2ad7eSMimi Zohar		bool "SHA256"
103*38d19268SBen Hutchings		depends on CRYPTO_SHA256=y && !IMA_TEMPLATE
104e7a2ad7eSMimi Zohar
105e7a2ad7eSMimi Zohar	config IMA_DEFAULT_HASH_SHA512
106e7a2ad7eSMimi Zohar		bool "SHA512"
107*38d19268SBen Hutchings		depends on CRYPTO_SHA512=y && !IMA_TEMPLATE
108e7a2ad7eSMimi Zohar
109e7a2ad7eSMimi Zohar	config IMA_DEFAULT_HASH_WP512
110e7a2ad7eSMimi Zohar		bool "WP512"
111*38d19268SBen Hutchings		depends on CRYPTO_WP512=y && !IMA_TEMPLATE
112e7a2ad7eSMimi Zoharendchoice
113e7a2ad7eSMimi Zohar
114e7a2ad7eSMimi Zoharconfig IMA_DEFAULT_HASH
115e7a2ad7eSMimi Zohar	string
116e7a2ad7eSMimi Zohar	depends on IMA
117e7a2ad7eSMimi Zohar	default "sha1" if IMA_DEFAULT_HASH_SHA1
118e7a2ad7eSMimi Zohar	default "sha256" if IMA_DEFAULT_HASH_SHA256
119e7a2ad7eSMimi Zohar	default "sha512" if IMA_DEFAULT_HASH_SHA512
120e7a2ad7eSMimi Zohar	default "wp512" if IMA_DEFAULT_HASH_WP512
121e7a2ad7eSMimi Zohar
12238d859f9SPetko Manolovconfig IMA_WRITE_POLICY
12338d859f9SPetko Manolov	bool "Enable multiple writes to the IMA policy"
12438d859f9SPetko Manolov	depends on IMA
12538d859f9SPetko Manolov	default n
12638d859f9SPetko Manolov	help
12738d859f9SPetko Manolov	  With this option the IMA policy can be updated multiple times.  The new
12838d859f9SPetko Manolov	  rules get appended to the original policy.  Keep in mind that the rules
12938d859f9SPetko Manolov	  are scanned in FIFO order, so be careful when you design and add new ones.
13038d859f9SPetko Manolov
13138d859f9SPetko Manolov	  If unsure, say N.
13238d859f9SPetko Manolov
13380eae209SPetko Manolovconfig IMA_READ_POLICY
13480eae209SPetko Manolov	bool "Enable reading back the current IMA policy"
13580eae209SPetko Manolov	depends on IMA
13680eae209SPetko Manolov	default y if IMA_WRITE_POLICY
13780eae209SPetko Manolov	default n if !IMA_WRITE_POLICY
13880eae209SPetko Manolov	help
13980eae209SPetko Manolov	   It is often useful to be able to read back the IMA policy.  It is
14080eae209SPetko Manolov	   even more important after introducing CONFIG_IMA_WRITE_POLICY.
14180eae209SPetko Manolov	   This option allows the root user to see the current policy rules.
14280eae209SPetko Manolov
1432fe5d6deSMimi Zoharconfig IMA_APPRAISE
1442fe5d6deSMimi Zohar	bool "Appraise integrity measurements"
1452fe5d6deSMimi Zohar	depends on IMA
1462fe5d6deSMimi Zohar	default n
1472fe5d6deSMimi Zohar	help
1482fe5d6deSMimi Zohar	  This option enables local measurement integrity appraisal.
1492fe5d6deSMimi Zohar	  It requires the system to be labeled with a security extended
1502fe5d6deSMimi Zohar	  attribute containing the file hash measurement.  To protect
1512fe5d6deSMimi Zohar	  the security extended attributes from offline attack, enable
1522fe5d6deSMimi Zohar	  and configure EVM.
1532fe5d6deSMimi Zohar
1542fe5d6deSMimi Zohar	  For more information on integrity appraisal refer to:
1552fe5d6deSMimi Zohar	  <http://linux-ima.sourceforge.net>
1562fe5d6deSMimi Zohar	  If unsure, say N.
1577d2ce232SMimi Zohar
158e1f5e01fSMimi Zoharconfig IMA_APPRAISE_BOOTPARAM
159e1f5e01fSMimi Zohar	bool "ima_appraise boot parameter"
160e1f5e01fSMimi Zohar	depends on IMA_APPRAISE
161e1f5e01fSMimi Zohar	default y
162e1f5e01fSMimi Zohar	help
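163e1f5e01fSMimi Zohar	  This option enables the different "ima_appraise=" modes
164e1f5e01fSMimi Zohar	  (e.g. fix, log) from the boot command line.  These modes relax appraisal enforcement, so anyone who can change the boot command line can weaken it.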
165e1f5e01fSMimi Zohar
1667d2ce232SMimi Zoharconfig IMA_TRUSTED_KEYRING
167f4dc3778SDmitry Kasatkin	bool "Require all keys on the .ima keyring be signed (deprecated)"
1687d2ce232SMimi Zohar	depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
1697d2ce232SMimi Zohar	depends on INTEGRITY_ASYMMETRIC_KEYS
170f4dc3778SDmitry Kasatkin	select INTEGRITY_TRUSTED_KEYRING
1717d2ce232SMimi Zohar	default y
1727d2ce232SMimi Zohar	help
1737d2ce232SMimi Zohar	   This option requires that all keys added to the .ima
1747d2ce232SMimi Zohar	   keyring be signed by a key on the system trusted keyring.
175fd5f4e90SDmitry Kasatkin
176f4dc3778SDmitry Kasatkin	   This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING.
177f4dc3778SDmitry Kasatkin
17856104cf2SDavid Howellsconfig IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
17956104cf2SDavid Howells	bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
18056104cf2SDavid Howells	depends on SYSTEM_TRUSTED_KEYRING
18156104cf2SDavid Howells	depends on SECONDARY_TRUSTED_KEYRING
18256104cf2SDavid Howells	depends on INTEGRITY_ASYMMETRIC_KEYS
18356104cf2SDavid Howells	select INTEGRITY_TRUSTED_KEYRING
18456104cf2SDavid Howells	default n
18556104cf2SDavid Howells	help
18656104cf2SDavid Howells	  Keys may be added to the IMA or IMA blacklist keyrings, if the
18756104cf2SDavid Howells	  key is validly signed by a CA cert in the system built-in or
18856104cf2SDavid Howells	  secondary trusted keyrings.
18956104cf2SDavid Howells
19056104cf2SDavid Howells	  Intermediate keys between those the kernel has compiled in and the
19156104cf2SDavid Howells	  IMA keys to be added may be added to the system secondary keyring,
19256104cf2SDavid Howells	  provided they are validly signed by a key already resident in the
19356104cf2SDavid Howells	  built-in or secondary trusted keyrings.
19456104cf2SDavid Howells
19556104cf2SDavid Howellsconfig IMA_BLACKLIST_KEYRING
19656104cf2SDavid Howells	bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
19741c89b64SPetko Manolov	depends on SYSTEM_TRUSTED_KEYRING
19841c89b64SPetko Manolov	depends on IMA_TRUSTED_KEYRING
19941c89b64SPetko Manolov	default n
20041c89b64SPetko Manolov	help
20156104cf2SDavid Howells	   This option creates an IMA blacklist keyring, which contains all
20256104cf2SDavid Howells	   revoked IMA keys.  It is consulted before any other keyring.  If
20356104cf2SDavid Howells	   the search is successful the requested operation is rejected and
20456104cf2SDavid Howells	   an error is returned to the caller.
20541c89b64SPetko Manolov
206fd5f4e90SDmitry Kasatkinconfig IMA_LOAD_X509
207fd5f4e90SDmitry Kasatkin	bool "Load X509 certificate onto the '.ima' trusted keyring"
208fd5f4e90SDmitry Kasatkin	depends on IMA_TRUSTED_KEYRING
209fd5f4e90SDmitry Kasatkin	default n
210fd5f4e90SDmitry Kasatkin	help
211fd5f4e90SDmitry Kasatkin	   File signature verification is based on the public keys
212fd5f4e90SDmitry Kasatkin	   loaded on the .ima trusted keyring. These public keys are
213fd5f4e90SDmitry Kasatkin	   X509 certificates signed by a trusted key on the
214fd5f4e90SDmitry Kasatkin	   .system keyring.  This option enables X509 certificate
215fd5f4e90SDmitry Kasatkin	   loading from the kernel onto the '.ima' trusted keyring.
216fd5f4e90SDmitry Kasatkin
217fd5f4e90SDmitry Kasatkinconfig IMA_X509_PATH
218fd5f4e90SDmitry Kasatkin	string "IMA X509 certificate path"
219fd5f4e90SDmitry Kasatkin	depends on IMA_LOAD_X509
220fd5f4e90SDmitry Kasatkin	default "/etc/keys/x509_ima.der"
221fd5f4e90SDmitry Kasatkin	help
222fd5f4e90SDmitry Kasatkin	   This option defines the path of the X509 certificate that IMA loads onto the '.ima' keyring.
223c57782c1SDmitry Kasatkin
224c57782c1SDmitry Kasatkinconfig IMA_APPRAISE_SIGNED_INIT
225c57782c1SDmitry Kasatkin	bool "Require signed user-space initialization"
226c57782c1SDmitry Kasatkin	depends on IMA_LOAD_X509
227c57782c1SDmitry Kasatkin	default n
228c57782c1SDmitry Kasatkin	help
229c57782c1SDmitry Kasatkin	   This option requires user-space init to be signed.
230