1ec8f24b7SThomas Gleixner# SPDX-License-Identifier: GPL-2.0-only 23323eec9SMimi Zohar# IBM Integrity Measurement Architecture 33323eec9SMimi Zohar# 43323eec9SMimi Zoharconfig IMA 53323eec9SMimi Zohar bool "Integrity Measurement Architecture(IMA)" 63323eec9SMimi Zohar select SECURITYFS 73323eec9SMimi Zohar select CRYPTO 83323eec9SMimi Zohar select CRYPTO_HMAC 93323eec9SMimi Zohar select CRYPTO_MD5 103323eec9SMimi Zohar select CRYPTO_SHA1 11c7c8bb23SDmitry Kasatkin select CRYPTO_HASH_INFO 12f4a0391dSFabio Estevam select TCG_TPM if HAS_IOMEM && !UML 13a69f1589SRandy Dunlap select TCG_TIS if TCG_TPM && X86 14fac37c62SJiandi An select TCG_CRB if TCG_TPM && ACPI 1563a0eb78SMichael Ellerman select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES 162afd020aSStefan Berger select INTEGRITY_AUDIT if AUDIT 173323eec9SMimi Zohar help 183323eec9SMimi Zohar The Trusted Computing Group(TCG) runtime Integrity 193323eec9SMimi Zohar Measurement Architecture(IMA) maintains a list of hash 203323eec9SMimi Zohar values of executables and other sensitive system files, 213323eec9SMimi Zohar as they are read or executed. If an attacker manages 223323eec9SMimi Zohar to change the contents of an important system file 233323eec9SMimi Zohar being measured, we can tell. 243323eec9SMimi Zohar 253323eec9SMimi Zohar If your system has a TPM chip, then IMA also maintains 263323eec9SMimi Zohar an aggregate integrity value over this list inside the 273323eec9SMimi Zohar TPM hardware, so that the TPM can prove to a third party 283323eec9SMimi Zohar whether or not critical system files have been modified. 293323eec9SMimi Zohar Read <http://www.usenix.org/events/sec04/tech/sailer.html> 303323eec9SMimi Zohar to learn more about IMA. 313323eec9SMimi Zohar If unsure, say N. 323323eec9SMimi Zohar 33d158847aSMimi Zoharconfig IMA_KEXEC 34d158847aSMimi Zohar bool "Enable carrying the IMA measurement list across a soft boot" 35d158847aSMimi Zohar depends on IMA && TCG_TPM && HAVE_IMA_KEXEC 36d158847aSMimi Zohar default n 37d158847aSMimi Zohar help 38d158847aSMimi Zohar TPM PCRs are only reset on a hard reboot. In order to validate 39d158847aSMimi Zohar a TPM's quote after a soft boot, the IMA measurement list of the 40d158847aSMimi Zohar running kernel must be saved and restored on boot. 41d158847aSMimi Zohar 42d158847aSMimi Zohar Depending on the IMA policy, the measurement list can grow to 43d158847aSMimi Zohar be very large. 44d158847aSMimi Zohar 453323eec9SMimi Zoharconfig IMA_MEASURE_PCR_IDX 463323eec9SMimi Zohar int 473323eec9SMimi Zohar depends on IMA 483323eec9SMimi Zohar range 8 14 493323eec9SMimi Zohar default 10 503323eec9SMimi Zohar help 513323eec9SMimi Zohar IMA_MEASURE_PCR_IDX determines the TPM PCR register index 523323eec9SMimi Zohar that IMA uses to maintain the integrity aggregate of the 533323eec9SMimi Zohar measurement list. If unsure, use the default 10. 543323eec9SMimi Zohar 554af4662fSMimi Zoharconfig IMA_LSM_RULES 564af4662fSMimi Zohar bool 57b53fab9dSRandy Dunlap depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK) 584af4662fSMimi Zohar default y 594af4662fSMimi Zohar help 60b53fab9dSRandy Dunlap Disabling this option will disregard LSM based policy rules. 612fe5d6deSMimi Zohar 624286587dSMimi Zoharchoice 634286587dSMimi Zohar prompt "Default template" 644286587dSMimi Zohar default IMA_NG_TEMPLATE 654286587dSMimi Zohar depends on IMA 664286587dSMimi Zohar help 674286587dSMimi Zohar Select the default IMA measurement template. 684286587dSMimi Zohar 694286587dSMimi Zohar The original 'ima' measurement list template contains a 704286587dSMimi Zohar hash, defined as 20 bytes, and a null terminated pathname, 714286587dSMimi Zohar limited to 255 characters. The 'ima-ng' measurement list 724286587dSMimi Zohar template permits both larger hash digests and longer 734286587dSMimi Zohar pathnames. 744286587dSMimi Zohar 754286587dSMimi Zohar config IMA_TEMPLATE 764286587dSMimi Zohar bool "ima" 774286587dSMimi Zohar config IMA_NG_TEMPLATE 784286587dSMimi Zohar bool "ima-ng (default)" 79bcbc9b0cSMimi Zohar config IMA_SIG_TEMPLATE 80bcbc9b0cSMimi Zohar bool "ima-sig" 814286587dSMimi Zoharendchoice 824286587dSMimi Zohar 834286587dSMimi Zoharconfig IMA_DEFAULT_TEMPLATE 844286587dSMimi Zohar string 854286587dSMimi Zohar depends on IMA 864286587dSMimi Zohar default "ima" if IMA_TEMPLATE 874286587dSMimi Zohar default "ima-ng" if IMA_NG_TEMPLATE 88bcbc9b0cSMimi Zohar default "ima-sig" if IMA_SIG_TEMPLATE 894286587dSMimi Zohar 90e7a2ad7eSMimi Zoharchoice 91e7a2ad7eSMimi Zohar prompt "Default integrity hash algorithm" 92e7a2ad7eSMimi Zohar default IMA_DEFAULT_HASH_SHA1 93e7a2ad7eSMimi Zohar depends on IMA 94e7a2ad7eSMimi Zohar help 95e7a2ad7eSMimi Zohar Select the default hash algorithm used for the measurement 96e7a2ad7eSMimi Zohar list, integrity appraisal and audit log. The compiled default 97e7a2ad7eSMimi Zohar hash algorithm can be overwritten using the kernel command 98e7a2ad7eSMimi Zohar line 'ima_hash=' option. 99e7a2ad7eSMimi Zohar 100e7a2ad7eSMimi Zohar config IMA_DEFAULT_HASH_SHA1 101e7a2ad7eSMimi Zohar bool "SHA1 (default)" 10238d19268SBen Hutchings depends on CRYPTO_SHA1=y 103e7a2ad7eSMimi Zohar 104e7a2ad7eSMimi Zohar config IMA_DEFAULT_HASH_SHA256 105e7a2ad7eSMimi Zohar bool "SHA256" 10638d19268SBen Hutchings depends on CRYPTO_SHA256=y && !IMA_TEMPLATE 107e7a2ad7eSMimi Zohar 108e7a2ad7eSMimi Zohar config IMA_DEFAULT_HASH_SHA512 109e7a2ad7eSMimi Zohar bool "SHA512" 11038d19268SBen Hutchings depends on CRYPTO_SHA512=y && !IMA_TEMPLATE 111e7a2ad7eSMimi Zohar 112e7a2ad7eSMimi Zohar config IMA_DEFAULT_HASH_WP512 113e7a2ad7eSMimi Zohar bool "WP512" 11438d19268SBen Hutchings depends on CRYPTO_WP512=y && !IMA_TEMPLATE 115e7a2ad7eSMimi Zoharendchoice 116e7a2ad7eSMimi Zohar 117e7a2ad7eSMimi Zoharconfig IMA_DEFAULT_HASH 118e7a2ad7eSMimi Zohar string 119e7a2ad7eSMimi Zohar depends on IMA 120e7a2ad7eSMimi Zohar default "sha1" if IMA_DEFAULT_HASH_SHA1 121e7a2ad7eSMimi Zohar default "sha256" if IMA_DEFAULT_HASH_SHA256 122e7a2ad7eSMimi Zohar default "sha512" if IMA_DEFAULT_HASH_SHA512 123e7a2ad7eSMimi Zohar default "wp512" if IMA_DEFAULT_HASH_WP512 124e7a2ad7eSMimi Zohar 12538d859f9SPetko Manolovconfig IMA_WRITE_POLICY 12638d859f9SPetko Manolov bool "Enable multiple writes to the IMA policy" 12738d859f9SPetko Manolov depends on IMA 12838d859f9SPetko Manolov default n 12938d859f9SPetko Manolov help 13038d859f9SPetko Manolov IMA policy can now be updated multiple times. The new rules get 13138d859f9SPetko Manolov appended to the original policy. Have in mind that the rules are 13238d859f9SPetko Manolov scanned in FIFO order so be careful when you design and add new ones. 13338d859f9SPetko Manolov 13438d859f9SPetko Manolov If unsure, say N. 13538d859f9SPetko Manolov 13680eae209SPetko Manolovconfig IMA_READ_POLICY 13780eae209SPetko Manolov bool "Enable reading back the current IMA policy" 13880eae209SPetko Manolov depends on IMA 13980eae209SPetko Manolov default y if IMA_WRITE_POLICY 14080eae209SPetko Manolov default n if !IMA_WRITE_POLICY 14180eae209SPetko Manolov help 14280eae209SPetko Manolov It is often useful to be able to read back the IMA policy. It is 14380eae209SPetko Manolov even more important after introducing CONFIG_IMA_WRITE_POLICY. 14480eae209SPetko Manolov This option allows the root user to see the current policy rules. 14580eae209SPetko Manolov 1462fe5d6deSMimi Zoharconfig IMA_APPRAISE 1472fe5d6deSMimi Zohar bool "Appraise integrity measurements" 1482fe5d6deSMimi Zohar depends on IMA 1492fe5d6deSMimi Zohar default n 1502fe5d6deSMimi Zohar help 1512fe5d6deSMimi Zohar This option enables local measurement integrity appraisal. 1522fe5d6deSMimi Zohar It requires the system to be labeled with a security extended 1532fe5d6deSMimi Zohar attribute containing the file hash measurement. To protect 1542fe5d6deSMimi Zohar the security extended attributes from offline attack, enable 1552fe5d6deSMimi Zohar and configure EVM. 1562fe5d6deSMimi Zohar 1572fe5d6deSMimi Zohar For more information on integrity appraisal refer to: 1582fe5d6deSMimi Zohar <http://linux-ima.sourceforge.net> 1592fe5d6deSMimi Zohar If unsure, say N. 1607d2ce232SMimi Zohar 161d958083aSEric Richterconfig IMA_ARCH_POLICY 162d958083aSEric Richter bool "Enable loading an IMA architecture specific policy" 163aefcf2f4SLinus Torvalds depends on (KEXEC_SIG && IMA) || IMA_APPRAISE \ 1649e1e5d43SNayna Jain && INTEGRITY_ASYMMETRIC_KEYS 165d958083aSEric Richter default n 166d958083aSEric Richter help 167d958083aSEric Richter This option enables loading an IMA architecture specific policy 168d958083aSEric Richter based on run time secure boot flags. 169d958083aSEric Richter 170ef96837bSMimi Zoharconfig IMA_APPRAISE_BUILD_POLICY 171ef96837bSMimi Zohar bool "IMA build time configured policy rules" 172ef96837bSMimi Zohar depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS 173ef96837bSMimi Zohar default n 174ef96837bSMimi Zohar help 175ef96837bSMimi Zohar This option defines an IMA appraisal policy at build time, which 176ef96837bSMimi Zohar is enforced at run time without having to specify a builtin 177ef96837bSMimi Zohar policy name on the boot command line. The build time appraisal 178ef96837bSMimi Zohar policy rules persist after loading a custom policy. 179ef96837bSMimi Zohar 180ef96837bSMimi Zohar Depending on the rules configured, this policy may require kernel 181ef96837bSMimi Zohar modules, firmware, the kexec kernel image, and/or the IMA policy 182ef96837bSMimi Zohar to be signed. Unsigned files might prevent the system from 183ef96837bSMimi Zohar booting or applications from working properly. 184ef96837bSMimi Zohar 185ef96837bSMimi Zoharconfig IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS 186ef96837bSMimi Zohar bool "Appraise firmware signatures" 187ef96837bSMimi Zohar depends on IMA_APPRAISE_BUILD_POLICY 188ef96837bSMimi Zohar default n 189ef96837bSMimi Zohar help 190ef96837bSMimi Zohar This option defines a policy requiring all firmware to be signed, 191ef96837bSMimi Zohar including the regulatory.db. If both this option and 192ef96837bSMimi Zohar CFG80211_REQUIRE_SIGNED_REGDB are enabled, then both signature 193ef96837bSMimi Zohar verification methods are necessary. 194ef96837bSMimi Zohar 195ef96837bSMimi Zoharconfig IMA_APPRAISE_REQUIRE_KEXEC_SIGS 196ef96837bSMimi Zohar bool "Appraise kexec kernel image signatures" 197ef96837bSMimi Zohar depends on IMA_APPRAISE_BUILD_POLICY 198ef96837bSMimi Zohar default n 199ef96837bSMimi Zohar help 200ef96837bSMimi Zohar Enabling this rule will require all kexec'ed kernel images to 201ef96837bSMimi Zohar be signed and verified by a public key on the trusted IMA 202ef96837bSMimi Zohar keyring. 203ef96837bSMimi Zohar 204ef96837bSMimi Zohar Kernel image signatures can not be verified by the original 205ef96837bSMimi Zohar kexec_load syscall. Enabling this rule will prevent its 206ef96837bSMimi Zohar usage. 207ef96837bSMimi Zohar 208ef96837bSMimi Zoharconfig IMA_APPRAISE_REQUIRE_MODULE_SIGS 209ef96837bSMimi Zohar bool "Appraise kernel modules signatures" 210ef96837bSMimi Zohar depends on IMA_APPRAISE_BUILD_POLICY 211ef96837bSMimi Zohar default n 212ef96837bSMimi Zohar help 213ef96837bSMimi Zohar Enabling this rule will require all kernel modules to be signed 214ef96837bSMimi Zohar and verified by a public key on the trusted IMA keyring. 215ef96837bSMimi Zohar 216ef96837bSMimi Zohar Kernel module signatures can only be verified by IMA-appraisal, 217ef96837bSMimi Zohar via the finit_module syscall. Enabling this rule will prevent 218ef96837bSMimi Zohar the usage of the init_module syscall. 219ef96837bSMimi Zohar 220ef96837bSMimi Zoharconfig IMA_APPRAISE_REQUIRE_POLICY_SIGS 221ef96837bSMimi Zohar bool "Appraise IMA policy signature" 222ef96837bSMimi Zohar depends on IMA_APPRAISE_BUILD_POLICY 223ef96837bSMimi Zohar default n 224ef96837bSMimi Zohar help 225ef96837bSMimi Zohar Enabling this rule will require the IMA policy to be signed and 226ef96837bSMimi Zohar and verified by a key on the trusted IMA keyring. 227ef96837bSMimi Zohar 228e1f5e01fSMimi Zoharconfig IMA_APPRAISE_BOOTPARAM 229e1f5e01fSMimi Zohar bool "ima_appraise boot parameter" 230d958083aSEric Richter depends on IMA_APPRAISE && !IMA_ARCH_POLICY 231e1f5e01fSMimi Zohar default y 232e1f5e01fSMimi Zohar help 233e1f5e01fSMimi Zohar This option enables the different "ima_appraise=" modes 234e1f5e01fSMimi Zohar (eg. fix, log) from the boot command line. 235e1f5e01fSMimi Zohar 2369044d627SThiago Jung Bauermannconfig IMA_APPRAISE_MODSIG 2379044d627SThiago Jung Bauermann bool "Support module-style signatures for appraisal" 2389044d627SThiago Jung Bauermann depends on IMA_APPRAISE 23939b07096SThiago Jung Bauermann depends on INTEGRITY_ASYMMETRIC_KEYS 24039b07096SThiago Jung Bauermann select PKCS7_MESSAGE_PARSER 24139b07096SThiago Jung Bauermann select MODULE_SIG_FORMAT 2429044d627SThiago Jung Bauermann default n 2439044d627SThiago Jung Bauermann help 2449044d627SThiago Jung Bauermann Adds support for signatures appended to files. The format of the 2459044d627SThiago Jung Bauermann appended signature is the same used for signed kernel modules. 2469044d627SThiago Jung Bauermann The modsig keyword can be used in the IMA policy to allow a hook 2479044d627SThiago Jung Bauermann to accept such signatures. 2489044d627SThiago Jung Bauermann 2497d2ce232SMimi Zoharconfig IMA_TRUSTED_KEYRING 250f4dc3778SDmitry Kasatkin bool "Require all keys on the .ima keyring be signed (deprecated)" 2517d2ce232SMimi Zohar depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING 2527d2ce232SMimi Zohar depends on INTEGRITY_ASYMMETRIC_KEYS 253f4dc3778SDmitry Kasatkin select INTEGRITY_TRUSTED_KEYRING 2547d2ce232SMimi Zohar default y 2557d2ce232SMimi Zohar help 2567d2ce232SMimi Zohar This option requires that all keys added to the .ima 2577d2ce232SMimi Zohar keyring be signed by a key on the system trusted keyring. 258fd5f4e90SDmitry Kasatkin 259f4dc3778SDmitry Kasatkin This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING 260f4dc3778SDmitry Kasatkin 26156104cf2SDavid Howellsconfig IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY 26256104cf2SDavid Howells bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)" 26356104cf2SDavid Howells depends on SYSTEM_TRUSTED_KEYRING 26456104cf2SDavid Howells depends on SECONDARY_TRUSTED_KEYRING 26556104cf2SDavid Howells depends on INTEGRITY_ASYMMETRIC_KEYS 26656104cf2SDavid Howells select INTEGRITY_TRUSTED_KEYRING 26756104cf2SDavid Howells default n 26856104cf2SDavid Howells help 26956104cf2SDavid Howells Keys may be added to the IMA or IMA blacklist keyrings, if the 27056104cf2SDavid Howells key is validly signed by a CA cert in the system built-in or 27156104cf2SDavid Howells secondary trusted keyrings. 27256104cf2SDavid Howells 27356104cf2SDavid Howells Intermediate keys between those the kernel has compiled in and the 27456104cf2SDavid Howells IMA keys to be added may be added to the system secondary keyring, 27556104cf2SDavid Howells provided they are validly signed by a key already resident in the 27656104cf2SDavid Howells built-in or secondary trusted keyrings. 27756104cf2SDavid Howells 27856104cf2SDavid Howellsconfig IMA_BLACKLIST_KEYRING 27956104cf2SDavid Howells bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)" 28041c89b64SPetko Manolov depends on SYSTEM_TRUSTED_KEYRING 28141c89b64SPetko Manolov depends on IMA_TRUSTED_KEYRING 28241c89b64SPetko Manolov default n 28341c89b64SPetko Manolov help 28456104cf2SDavid Howells This option creates an IMA blacklist keyring, which contains all 28556104cf2SDavid Howells revoked IMA keys. It is consulted before any other keyring. If 28656104cf2SDavid Howells the search is successful the requested operation is rejected and 28756104cf2SDavid Howells an error is returned to the caller. 28841c89b64SPetko Manolov 289fd5f4e90SDmitry Kasatkinconfig IMA_LOAD_X509 290fd5f4e90SDmitry Kasatkin bool "Load X509 certificate onto the '.ima' trusted keyring" 291fd5f4e90SDmitry Kasatkin depends on IMA_TRUSTED_KEYRING 292fd5f4e90SDmitry Kasatkin default n 293fd5f4e90SDmitry Kasatkin help 294fd5f4e90SDmitry Kasatkin File signature verification is based on the public keys 295fd5f4e90SDmitry Kasatkin loaded on the .ima trusted keyring. These public keys are 296fd5f4e90SDmitry Kasatkin X509 certificates signed by a trusted key on the 297fd5f4e90SDmitry Kasatkin .system keyring. This option enables X509 certificate 298fd5f4e90SDmitry Kasatkin loading from the kernel onto the '.ima' trusted keyring. 299fd5f4e90SDmitry Kasatkin 300fd5f4e90SDmitry Kasatkinconfig IMA_X509_PATH 301fd5f4e90SDmitry Kasatkin string "IMA X509 certificate path" 302fd5f4e90SDmitry Kasatkin depends on IMA_LOAD_X509 303fd5f4e90SDmitry Kasatkin default "/etc/keys/x509_ima.der" 304fd5f4e90SDmitry Kasatkin help 305fd5f4e90SDmitry Kasatkin This option defines IMA X509 certificate path. 306c57782c1SDmitry Kasatkin 307c57782c1SDmitry Kasatkinconfig IMA_APPRAISE_SIGNED_INIT 308c57782c1SDmitry Kasatkin bool "Require signed user-space initialization" 309c57782c1SDmitry Kasatkin depends on IMA_LOAD_X509 310c57782c1SDmitry Kasatkin default n 311c57782c1SDmitry Kasatkin help 312c57782c1SDmitry Kasatkin This option requires user-space init to be signed. 313ea78979dSLakshmi Ramasubramanian 314ea78979dSLakshmi Ramasubramanianconfig IMA_MEASURE_ASYMMETRIC_KEYS 315ea78979dSLakshmi Ramasubramanian bool 316ea78979dSLakshmi Ramasubramanian depends on IMA 317ea78979dSLakshmi Ramasubramanian depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y 318ea78979dSLakshmi Ramasubramanian default y 319*9f81a2edSLakshmi Ramasubramanian 320*9f81a2edSLakshmi Ramasubramanianconfig IMA_QUEUE_EARLY_BOOT_KEYS 321*9f81a2edSLakshmi Ramasubramanian bool 322*9f81a2edSLakshmi Ramasubramanian depends on IMA_MEASURE_ASYMMETRIC_KEYS 323*9f81a2edSLakshmi Ramasubramanian depends on SYSTEM_TRUSTED_KEYRING 324*9f81a2edSLakshmi Ramasubramanian default y 325