# IBM Integrity Measurement Architecture
#
config IMA
	bool "Integrity Measurement Architecture(IMA)"
	depends on ACPI
	select SECURITYFS
	select CRYPTO
	select CRYPTO_HMAC
	select CRYPTO_MD5
	select CRYPTO_SHA1
	select TCG_TPM
	select TCG_TIS
	help
	  The Trusted Computing Group(TCG) runtime Integrity
	  Measurement Architecture(IMA) maintains a list of hash
	  values of executables and other sensitive system files,
	  as they are read or executed. If an attacker manages
	  to change the contents of an important system file
	  being measured, we can tell.

	  If your system has a TPM chip, then IMA also maintains
	  an aggregate integrity value over this list inside the
	  TPM hardware, so that the TPM can prove to a third party
	  whether or not critical system files have been modified.
	  Read <http://www.usenix.org/events/sec04/tech/sailer.html>
	  to learn more about IMA.
	  If unsure, say N.

config IMA_MEASURE_PCR_IDX
	int
	depends on IMA
	range 8 14
	default 10
	help
	  IMA_MEASURE_PCR_IDX determines the TPM PCR register index
	  that IMA uses to maintain the integrity aggregate of the
	  measurement list. If unsure, use the default 10.

config IMA_AUDIT
	bool
	depends on IMA
	default y
	help
	  This option adds a kernel parameter 'ima_audit', which
	  allows informational auditing messages to be enabled
	  at boot. If this option is selected, informational integrity
	  auditing messages can be enabled with 'ima_audit=1' on
	  the kernel command line.

config IMA_LSM_RULES
	bool
	depends on IMA && (SECURITY_SELINUX || SECURITY_SMACK)
	default y
	help
	  Disabling this option will disregard LSM based policy rules.
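The "aggregate integrity value" the IMA help text refers to is a TPM PCR (index CONFIG_IMA_MEASURE_PCR_IDX, default 10) that the kernel extends once per measurement with the entry's template hash. The following is an added example, not kernel code, of what a third-party verifier does with that design: it replays the measurement list through the TCG SHA1 extend operation and accepts the list only if the replayed value matches the PCR value the TPM attests. The list layout (PCR index, template hash, template name, data) is assumed from IMA's ascii_runtime_measurements, and the entries themselves are constructed.

```python
import hashlib
from typing import List, Tuple

PCR_IDX = 10            # CONFIG_IMA_MEASURE_PCR_IDX default
PCR_INIT = b"\x00" * 20  # a SHA1 PCR bank starts as 20 zero bytes

Entry = Tuple[int, bytes, str, str]   # (pcr, template-hash, template-name, data)

def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TCG extend operation: PCR_new = SHA1(PCR_old || digest)."""
    return hashlib.sha1(pcr + digest).digest()

def parse_measurement_list(text: str) -> List[Entry]:
    """Parse '<pcr> <template-hash> <template-name> <template data...>' lines.
    Layout assumed from IMA's ascii_runtime_measurements; only the first
    three fields matter for the aggregate."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pcr, thash, tname, *data = line.split()
        entries.append((int(pcr), bytes.fromhex(thash), tname, " ".join(data)))
    return entries

def compute_aggregate(entries: List[Entry], pcr_idx: int = PCR_IDX) -> bytes:
    """Replay the extends IMA performed: one per entry, in list order."""
    pcr = PCR_INIT
    for e_pcr, thash, _tname, _data in entries:
        if e_pcr == pcr_idx:
            pcr = pcr_extend(pcr, thash)
    return pcr

def verify_against_quote(text: str, quoted_pcr: bytes) -> bool:
    """A verifier trusts the TPM-signed PCR value, not the list; the list is
    only accepted if replaying it reproduces that value."""
    return compute_aggregate(parse_measurement_list(text)) == quoted_pcr

def _thash(label: str) -> str:       # constructed stand-in template hashes
    return hashlib.sha1(label.encode()).hexdigest()

SAMPLE_LIST = "\n".join([            # constructed sample, not a real log
    f"10 {_thash('boot_aggregate')} ima boot_aggregate",
    f"10 {_thash('/sbin/init')} ima /sbin/init",
    f"10 {_thash('/bin/sh')} ima /bin/sh",
])

def tampered_list() -> str:
    """Same list with one entry rewritten, as if edited to hide a change."""
    return SAMPLE_LIST.replace(_thash("/bin/sh"), _thash("/bin/sh.evil"))
```

Because each extend folds the previous PCR value into the next, rewriting, removing or reordering any entry changes the replayed aggregate, which is why the list on disk cannot be quietly edited once the TPM holds the value.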