13323eec9SMimi Zohar# IBM Integrity Measurement Architecture 23323eec9SMimi Zohar# 33323eec9SMimi Zoharconfig IMA 43323eec9SMimi Zohar bool "Integrity Measurement Architecture(IMA)" 56c21a7fbSMimi Zohar depends on SECURITY 6f381c272SMimi Zohar select INTEGRITY 73323eec9SMimi Zohar select SECURITYFS 83323eec9SMimi Zohar select CRYPTO 93323eec9SMimi Zohar select CRYPTO_HMAC 103323eec9SMimi Zohar select CRYPTO_MD5 113323eec9SMimi Zohar select CRYPTO_SHA1 12*c7c8bb23SDmitry Kasatkin select CRYPTO_HASH_INFO 13f4a0391dSFabio Estevam select TCG_TPM if HAS_IOMEM && !UML 14a69f1589SRandy Dunlap select TCG_TIS if TCG_TPM && X86 1520328b56SKent Yoder select TCG_IBMVTPM if TCG_TPM && PPC64 163323eec9SMimi Zohar help 173323eec9SMimi Zohar The Trusted Computing Group(TCG) runtime Integrity 183323eec9SMimi Zohar Measurement Architecture(IMA) maintains a list of hash 193323eec9SMimi Zohar values of executables and other sensitive system files, 203323eec9SMimi Zohar as they are read or executed. If an attacker manages 213323eec9SMimi Zohar to change the contents of an important system file 223323eec9SMimi Zohar being measured, we can tell. 233323eec9SMimi Zohar 243323eec9SMimi Zohar If your system has a TPM chip, then IMA also maintains 253323eec9SMimi Zohar an aggregate integrity value over this list inside the 263323eec9SMimi Zohar TPM hardware, so that the TPM can prove to a third party 273323eec9SMimi Zohar whether or not critical system files have been modified. 283323eec9SMimi Zohar Read <http://www.usenix.org/events/sec04/tech/sailer.html> 293323eec9SMimi Zohar to learn more about IMA. 303323eec9SMimi Zohar If unsure, say N. 313323eec9SMimi Zohar 323323eec9SMimi Zoharconfig IMA_MEASURE_PCR_IDX 333323eec9SMimi Zohar int 343323eec9SMimi Zohar depends on IMA 353323eec9SMimi Zohar range 8 14 363323eec9SMimi Zohar default 10 373323eec9SMimi Zohar help 383323eec9SMimi Zohar IMA_MEASURE_PCR_IDX determines the TPM PCR register index 393323eec9SMimi Zohar that IMA uses to maintain the integrity aggregate of the 403323eec9SMimi Zohar measurement list. If unsure, use the default 10. 413323eec9SMimi Zohar 424af4662fSMimi Zoharconfig IMA_LSM_RULES 434af4662fSMimi Zohar bool 44b53fab9dSRandy Dunlap depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK) 454af4662fSMimi Zohar default y 464af4662fSMimi Zohar help 47b53fab9dSRandy Dunlap Disabling this option will disregard LSM based policy rules. 482fe5d6deSMimi Zohar 492fe5d6deSMimi Zoharconfig IMA_APPRAISE 502fe5d6deSMimi Zohar bool "Appraise integrity measurements" 512fe5d6deSMimi Zohar depends on IMA 522fe5d6deSMimi Zohar default n 532fe5d6deSMimi Zohar help 542fe5d6deSMimi Zohar This option enables local measurement integrity appraisal. 552fe5d6deSMimi Zohar It requires the system to be labeled with a security extended 562fe5d6deSMimi Zohar attribute containing the file hash measurement. To protect 572fe5d6deSMimi Zohar the security extended attributes from offline attack, enable 582fe5d6deSMimi Zohar and configure EVM. 592fe5d6deSMimi Zohar 602fe5d6deSMimi Zohar For more information on integrity appraisal refer to: 612fe5d6deSMimi Zohar <http://linux-ima.sourceforge.net> 622fe5d6deSMimi Zohar If unsure, say N. 63