13323eec9SMimi Zohar# IBM Integrity Measurement Architecture
23323eec9SMimi Zohar#
# Top-level IMA switch. Besides the generic crypto core it unconditionally
# pulls in MD5 and SHA1 (SHA1 is the compiled-in default measurement hash,
# see IMA_DEFAULT_HASH). The TPM core is only selected where a TPM can be
# present (HAS_IOMEM && !UML); the TIS driver is added on x86 and the
# vTPM driver on PPC64.
config IMA
	bool "Integrity Measurement Architecture(IMA)"
	depends on SECURITY
	select INTEGRITY
	select SECURITYFS
	select CRYPTO
	select CRYPTO_HMAC
	select CRYPTO_MD5
	select CRYPTO_SHA1
	select CRYPTO_HASH_INFO
	# A TPM is optional: without one the measurement list still exists but
	# there is no hardware-backed aggregate for a third party to verify
	# (see the help text below).
	select TCG_TPM if HAS_IOMEM && !UML
	select TCG_TIS if TCG_TPM && X86
	select TCG_IBMVTPM if TCG_TPM && PPC64
	help
	  The Trusted Computing Group(TCG) runtime Integrity
	  Measurement Architecture(IMA) maintains a list of hash
	  values of executables and other sensitive system files,
	  as they are read or executed. If an attacker manages
	  to change the contents of an important system file
	  being measured, we can tell.

	  If your system has a TPM chip, then IMA also maintains
	  an aggregate integrity value over this list inside the
	  TPM hardware, so that the TPM can prove to a third party
	  whether or not critical system files have been modified.
	  Read <http://www.usenix.org/events/sec04/tech/sailer.html>
	  to learn more about IMA.
	  If unsure, say N.
313323eec9SMimi Zohar
# Hidden int (no prompt) naming the TPM PCR that receives the IMA aggregate.
# The 8..14 range keeps IMA out of the low PCRs — presumably those reserved
# for platform/firmware boot measurements; confirm against the TCG PC client
# PCR usage before changing the range.
config IMA_MEASURE_PCR_IDX
	int
	depends on IMA
	range 8 14
	default 10
	help
	  IMA_MEASURE_PCR_IDX determines the TPM PCR register index
	  that IMA uses to maintain the integrity aggregate of the
	  measurement list.  If unsure, use the default 10.
413323eec9SMimi Zohar
# Hidden bool (no prompt): LSM-based matching in IMA policy rules is compiled
# in automatically (default y) whenever IMA, AUDIT and either SELinux or
# Smack are enabled. Per the help text, without it LSM rules in the policy
# are silently disregarded rather than rejected.
# NOTE(review): why AUDIT is a hard requirement is not visible from this
# file — confirm before relaxing the dependency.
config IMA_LSM_RULES
	bool
	depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)
	default y
	help
	  Disabling this option will disregard LSM based policy rules.
482fe5d6deSMimi Zohar
# Compile-time default measurement list template. ima-ng is the default
# because the legacy 'ima' format fixes the hash field at 20 bytes and the
# pathname at 255 characters (see help); the 20-byte limit is also why the
# non-SHA1 entries of the "Default integrity hash algorithm" choice below
# depend on !IMA_TEMPLATE.
choice
	prompt "Default template"
	default IMA_NG_TEMPLATE
	depends on IMA
	help
	  Select the default IMA measurement template.

	  The original 'ima' measurement list template contains a
	  hash, defined as 20 bytes, and a null terminated pathname,
	  limited to 255 characters.  The 'ima-ng' measurement list
	  template permits both larger hash digests and longer
	  pathnames.

	config IMA_TEMPLATE
		bool "ima"
	config IMA_NG_TEMPLATE
		bool "ima-ng (default)"
	# 'ima-sig' is not described in the help text above; presumably the
	# ima-ng fields plus the file signature — confirm in the template
	# definitions.
	config IMA_SIG_TEMPLATE
		bool "ima-sig"
endchoice
694286587dSMimi Zohar
# String form of the template choice above, consumed by the IMA code.
# No unconditional fallback is needed: the choice always has exactly one
# entry selected (it defaults to IMA_NG_TEMPLATE), so one of these applies.
config IMA_DEFAULT_TEMPLATE
	string
	depends on IMA
	default "ima" if IMA_TEMPLATE
	default "ima-ng" if IMA_NG_TEMPLATE
	default "ima-sig" if IMA_SIG_TEMPLATE
764286587dSMimi Zohar
# Compile-time default digest for the measurement list, appraisal and the
# audit log. NOTE(review): SHA1 stays the default and is the weakest digest
# offered here; it is also the only option usable with the legacy 'ima'
# template, whose hash field is 20 bytes, which is what the !IMA_TEMPLATE
# dependencies on the other entries enforce. The compiled default can be
# overridden at boot with ima_hash= (see help).
choice
	prompt "Default integrity hash algorithm"
	default IMA_DEFAULT_HASH_SHA1
	depends on IMA
	help
	   Select the default hash algorithm used for the measurement
	   list, integrity appraisal and audit log.  The compiled default
	   hash algorithm can be overwritten using the kernel command
	   line 'ima_hash=' option.

	config IMA_DEFAULT_HASH_SHA1
		bool "SHA1 (default)"
		depends on CRYPTO_SHA1

	# Digests wider than 20 bytes do not fit the legacy 'ima' template.
	config IMA_DEFAULT_HASH_SHA256
		bool "SHA256"
		depends on CRYPTO_SHA256 && !IMA_TEMPLATE

	config IMA_DEFAULT_HASH_SHA512
		bool "SHA512"
		depends on CRYPTO_SHA512 && !IMA_TEMPLATE

	config IMA_DEFAULT_HASH_WP512
		bool "WP512"
		depends on CRYPTO_WP512 && !IMA_TEMPLATE
endchoice
103e7a2ad7eSMimi Zohar
# Algorithm name string matching the hash choice above; presumably resolved
# by name through the crypto API (IMA selects CRYPTO_HASH_INFO) — confirm in
# the IMA crypto setup code. Exactly one choice entry is always set, so one
# of these defaults always applies.
config IMA_DEFAULT_HASH
	string
	depends on IMA
	default "sha1" if IMA_DEFAULT_HASH_SHA1
	default "sha256" if IMA_DEFAULT_HASH_SHA256
	default "sha512" if IMA_DEFAULT_HASH_SHA512
	default "wp512" if IMA_DEFAULT_HASH_WP512
111e7a2ad7eSMimi Zohar
# Appraisal: verify file contents against a hash stored in a security
# extended attribute instead of only recording a measurement. Off by
# default. The xattr itself is not protected at rest by this option; the
# help text points to EVM for protection against offline modification of
# the extended attributes.
config IMA_APPRAISE
	bool "Appraise integrity measurements"
	depends on IMA
	default n
	help
	  This option enables local measurement integrity appraisal.
	  It requires the system to be labeled with a security extended
	  attribute containing the file hash measurement.  To protect
	  the security extended attributes from offline attack, enable
	  and configure EVM.

	  For more information on integrity appraisal refer to:
	  <http://linux-ima.sourceforge.net>
	  If unsure, say N.
126*7d2ce232SMimi Zohar
# With appraisal enabled and a system trusted keyring present, require (on
# by default) that every key added to the .ima keyring be signed by a key on
# the system trusted keyring — presumably so that unsigned keys cannot be
# loaded to widen what appraisal accepts; confirm against the keyring
# restriction code. Needs asymmetric key support in the integrity subsystem.
# NOTE(review): 'select KEYS_DEBUG_PROC_KEYS' pulls in a keys debugging
# option whose relation to this signature requirement is not apparent from
# this file — confirm it is intentional rather than a leftover.
config IMA_TRUSTED_KEYRING
	bool "Require all keys on the .ima keyring be signed"
	depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
	depends on INTEGRITY_ASYMMETRIC_KEYS
	select KEYS_DEBUG_PROC_KEYS
	default y
	help
	   This option requires that all keys added to the .ima
	   keyring be signed by a key on the system trusted keyring.