# IBM Integrity Measurement Architecture
#
config IMA
	bool "Integrity Measurement Architecture(IMA)"
	depends on ACPI
	depends on SECURITY
	select SECURITYFS
	select CRYPTO
	select CRYPTO_HMAC
	select CRYPTO_MD5
	select CRYPTO_SHA1
	select TCG_TPM
	select TCG_TIS
	help
	  The Trusted Computing Group(TCG) runtime Integrity
	  Measurement Architecture(IMA) maintains a list of hash
	  values of executables and other sensitive system files,
	  as they are read or executed. If an attacker manages
	  to change the contents of an important system file
	  being measured, we can tell.

	  If your system has a TPM chip, then IMA also maintains
	  an aggregate integrity value over this list inside the
	  TPM hardware, so that the TPM can prove to a third party
	  whether or not critical system files have been modified.
	  Read <http://www.usenix.org/events/sec04/tech/sailer.html>
	  to learn more about IMA.
	  If unsure, say N.

config IMA_MEASURE_PCR_IDX
	int
	depends on IMA
	range 8 14
	default 10
	help
	  IMA_MEASURE_PCR_IDX determines the TPM PCR register index
	  that IMA uses to maintain the integrity aggregate of the
	  measurement list. If unsure, use the default 10.

config IMA_AUDIT
	bool
	depends on IMA
	default y
	help
	  This option adds a kernel parameter 'ima_audit', which
	  allows informational auditing messages to be enabled
	  at boot. If this option is selected, informational integrity
	  auditing messages can be enabled with 'ima_audit=1' on
	  the kernel command line.

config IMA_LSM_RULES
	bool
	depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)
	default y
	help
	  Disabling this option will disregard LSM based policy rules.
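The help text for IMA and IMA_MEASURE_PCR_IDX describes two things a verifier has to reproduce: the per-file measurement list that IMA exports through securityfs (ascii_runtime_measurements), and the running aggregate that each entry's template hash is extended into, in the PCR selected by IMA_MEASURE_PCR_IDX. The following is an added example of that replay written in userspace Python; it is not code from the kernel tree. It assumes the original "ima" template (a SHA1 file digest followed by a 256-byte NUL-padded file name, hashed with SHA1 to give the template hash), TPM 1.2 extend semantics (PCR_new = SHA1(PCR_old || digest)), and the kernel's handling of violation entries (an all-zero template hash in the list, 0xff bytes extended into the PCR). Every file digest and list line in it is constructed for the example, and the function names are the example's own.

```python
"""Replay and verify an IMA measurement list in userspace (added example).

Assumptions, stated in the lead-in: original 'ima' template, TPM 1.2 SHA1
extend, violation entries listed with a zero template hash and extended as
0xff..ff.  All file digests below are constructed, not from a real system.
"""
import hashlib

PCR_IDX = 10                           # IMA_MEASURE_PCR_IDX default
SHA1_LEN = 20
IMA_EVENT_NAME_LEN_MAX = 255           # char file_name[IMA_EVENT_NAME_LEN_MAX + 1]
ZERO_DIGEST = b"\0" * SHA1_LEN
VIOLATION_EXTEND = b"\xff" * SHA1_LEN  # a violation invalidates the PCR with 0xff..ff


def ima_template_hash(file_digest: bytes, file_name: str) -> bytes:
    """SHA1 over struct ima_template_data { u8 digest[20]; char file_name[256]; }."""
    name = file_name.encode()[:IMA_EVENT_NAME_LEN_MAX]
    return hashlib.sha1(file_digest + name.ljust(IMA_EVENT_NAME_LEN_MAX + 1, b"\0")).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA1(PCR_old || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def format_entry(file_digest: bytes, file_name: str, violation: bool = False) -> str:
    """One ascii_runtime_measurements line: '<pcr> <template-hash> ima <file-hash> <name>'."""
    if violation:
        return f"{PCR_IDX} {ZERO_DIGEST.hex()} ima {ZERO_DIGEST.hex()} {file_name}"
    return f"{PCR_IDX} {ima_template_hash(file_digest, file_name).hex()} ima {file_digest.hex()} {file_name}"


def parse_entry(line: str):
    pcr, template_hash, template, file_hash, file_name = line.split(" ", 4)
    if template != "ima":
        raise ValueError(f"unsupported template {template!r}")
    return int(pcr), bytes.fromhex(template_hash), bytes.fromhex(file_hash), file_name


def replay(lines):
    """Recompute the PCR from the list.  Returns (pcr, index of the first entry
    whose template hash does not match its file hash and name, or None)."""
    pcr, first_bad = ZERO_DIGEST, None
    for i, line in enumerate(lines):
        idx, template_hash, file_hash, file_name = parse_entry(line)
        if idx != PCR_IDX:
            continue                                # entries for other PCRs are not replayed here
        if template_hash == ZERO_DIGEST:            # violation entry (e.g. file open for write)
            pcr = pcr_extend(pcr, VIOLATION_EXTEND)
            continue
        if first_bad is None and ima_template_hash(file_hash, file_name) != template_hash:
            first_bad = i
        pcr = pcr_extend(pcr, template_hash)
    return pcr, first_bad


def verify(lines, reported_pcr: bytes) -> bool:
    """True only if every entry is self-consistent and the replayed aggregate
    equals the PCR value the TPM reports (for example, inside a quote)."""
    pcr, first_bad = replay(lines)
    return first_bad is None and pcr == reported_pcr


def build_sample_list():
    """Constructed list: boot_aggregate first, then measured files, then a violation."""
    entries = [
        (hashlib.sha1(b"constructed PCR0..7 aggregate").digest(), "boot_aggregate"),
        (hashlib.sha1(b"constructed init binary").digest(), "init"),
        (hashlib.sha1(b"constructed libc.so.6").digest(), "libc.so.6"),
    ]
    lines = [format_entry(d, n) for d, n in entries]
    lines.append(format_entry(ZERO_DIGEST, "shadow", violation=True))
    return lines


def tamper_file_hash(lines, index):
    """Attacker edits only the file-hash column: the template hash no longer matches."""
    idx, template_hash, _, file_name = parse_entry(lines[index])
    forged = hashlib.sha1(b"constructed backdoored contents").digest()
    out = list(lines)
    out[index] = f"{idx} {template_hash.hex()} ima {forged.hex()} {file_name}"
    return out


def forge_entry(lines, index):
    """Attacker rewrites the entry consistently (template hash recomputed too):
    the list is self-consistent and only the TPM-held aggregate reveals the change."""
    _, _, _, file_name = parse_entry(lines[index])
    out = list(lines)
    out[index] = format_entry(hashlib.sha1(b"constructed backdoored contents").digest(), file_name)
    return out


if __name__ == "__main__":
    sample = build_sample_list()
    pcr10, _ = replay(sample)          # stands in for the PCR value a TPM quote would carry
    print("\n".join(sample))
    print("genuine list verifies:", verify(sample, pcr10))
    print("hash-only tamper verifies:", verify(tamper_file_hash(sample, 1), pcr10))
    print("consistent forgery verifies:", verify(forge_entry(sample, 1), pcr10))
```

The two tamper cases show why the help text insists on the TPM: editing one column of the list is caught by recomputing the template hash, but an attacker who rewrites an entry consistently (or removes one) leaves a list that checks out on its own, and only the comparison with the aggregate held in the PCR exposes it. On a real system `reported_pcr` must come from the TPM (a quote, or the PCR readout the TPM driver exposes), never from the same host-supplied list being checked.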