xref: /linux/security/integrity/ima/Kconfig (revision c9fecf505a3421752a598227f8ef895e97966c4b)
1ec8f24b7SThomas Gleixner# SPDX-License-Identifier: GPL-2.0-only
23323eec9SMimi Zohar# IBM Integrity Measurement Architecture
33323eec9SMimi Zohar#
43323eec9SMimi Zoharconfig IMA
53323eec9SMimi Zohar	bool "Integrity Measurement Architecture(IMA)"
63323eec9SMimi Zohar	select SECURITYFS
73323eec9SMimi Zohar	select CRYPTO
83323eec9SMimi Zohar	select CRYPTO_HMAC
93323eec9SMimi Zohar	select CRYPTO_MD5
103323eec9SMimi Zohar	select CRYPTO_SHA1
11c7c8bb23SDmitry Kasatkin	select CRYPTO_HASH_INFO
12f4a0391dSFabio Estevam	select TCG_TPM if HAS_IOMEM && !UML
13a69f1589SRandy Dunlap	select TCG_TIS if TCG_TPM && X86
14fac37c62SJiandi An	select TCG_CRB if TCG_TPM && ACPI
1563a0eb78SMichael Ellerman	select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
162afd020aSStefan Berger	select INTEGRITY_AUDIT if AUDIT
173323eec9SMimi Zohar	help
183323eec9SMimi Zohar	  The Trusted Computing Group(TCG) runtime Integrity
193323eec9SMimi Zohar	  Measurement Architecture(IMA) maintains a list of hash
203323eec9SMimi Zohar	  values of executables and other sensitive system files,
213323eec9SMimi Zohar	  as they are read or executed. If an attacker manages
223323eec9SMimi Zohar	  to change the contents of an important system file
233323eec9SMimi Zohar	  being measured, we can tell.
243323eec9SMimi Zohar
253323eec9SMimi Zohar	  If your system has a TPM chip, then IMA also maintains
263323eec9SMimi Zohar	  an aggregate integrity value over this list inside the
273323eec9SMimi Zohar	  TPM hardware, so that the TPM can prove to a third party
283323eec9SMimi Zohar	  whether or not critical system files have been modified.
29*c9fecf50SAlexander A. Klimov	  Read <https://www.usenix.org/events/sec04/tech/sailer.html>
303323eec9SMimi Zohar	  to learn more about IMA.
313323eec9SMimi Zohar	  If unsure, say N.
323323eec9SMimi Zohar
33d158847aSMimi Zoharconfig IMA_KEXEC
34d158847aSMimi Zohar	bool "Enable carrying the IMA measurement list across a soft boot"
35d158847aSMimi Zohar	depends on IMA && TCG_TPM && HAVE_IMA_KEXEC
36d158847aSMimi Zohar	default n
37d158847aSMimi Zohar	help
38d158847aSMimi Zohar	   TPM PCRs are only reset on a hard reboot.  In order to validate
39d158847aSMimi Zohar	   a TPM's quote after a soft boot, the IMA measurement list of the
40d158847aSMimi Zohar	   running kernel must be saved and restored on boot.
41d158847aSMimi Zohar
42d158847aSMimi Zohar	   Depending on the IMA policy, the measurement list can grow to
43d158847aSMimi Zohar	   be very large.
44d158847aSMimi Zohar
453323eec9SMimi Zoharconfig IMA_MEASURE_PCR_IDX
463323eec9SMimi Zohar	int
473323eec9SMimi Zohar	depends on IMA
483323eec9SMimi Zohar	range 8 14
493323eec9SMimi Zohar	default 10
503323eec9SMimi Zohar	help
513323eec9SMimi Zohar	  IMA_MEASURE_PCR_IDX determines the TPM PCR register index
523323eec9SMimi Zohar	  that IMA uses to maintain the integrity aggregate of the
533323eec9SMimi Zohar	  measurement list.  If unsure, use the default 10.
543323eec9SMimi Zohar
554af4662fSMimi Zoharconfig IMA_LSM_RULES
564af4662fSMimi Zohar	bool
57b53fab9dSRandy Dunlap	depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)
584af4662fSMimi Zohar	default y
594af4662fSMimi Zohar	help
60b53fab9dSRandy Dunlap	  Disabling this option will disregard LSM based policy rules.
612fe5d6deSMimi Zohar
624286587dSMimi Zoharchoice
634286587dSMimi Zohar	prompt "Default template"
644286587dSMimi Zohar	default IMA_NG_TEMPLATE
654286587dSMimi Zohar	depends on IMA
664286587dSMimi Zohar	help
674286587dSMimi Zohar	  Select the default IMA measurement template.
684286587dSMimi Zohar
694286587dSMimi Zohar	  The original 'ima' measurement list template contains a
704286587dSMimi Zohar	  hash, defined as 20 bytes, and a null terminated pathname,
714286587dSMimi Zohar	  limited to 255 characters.  The 'ima-ng' measurement list
724286587dSMimi Zohar	  template permits both larger hash digests and longer
734286587dSMimi Zohar	  pathnames.
744286587dSMimi Zohar
754286587dSMimi Zohar	config IMA_TEMPLATE
764286587dSMimi Zohar		bool "ima"
774286587dSMimi Zohar	config IMA_NG_TEMPLATE
784286587dSMimi Zohar		bool "ima-ng (default)"
79bcbc9b0cSMimi Zohar	config IMA_SIG_TEMPLATE
80bcbc9b0cSMimi Zohar		bool "ima-sig"
814286587dSMimi Zoharendchoice
824286587dSMimi Zohar
834286587dSMimi Zoharconfig IMA_DEFAULT_TEMPLATE
844286587dSMimi Zohar	string
854286587dSMimi Zohar	depends on IMA
864286587dSMimi Zohar	default "ima" if IMA_TEMPLATE
874286587dSMimi Zohar	default "ima-ng" if IMA_NG_TEMPLATE
88bcbc9b0cSMimi Zohar	default "ima-sig" if IMA_SIG_TEMPLATE
894286587dSMimi Zohar
90e7a2ad7eSMimi Zoharchoice
91e7a2ad7eSMimi Zohar	prompt "Default integrity hash algorithm"
92e7a2ad7eSMimi Zohar	default IMA_DEFAULT_HASH_SHA1
93e7a2ad7eSMimi Zohar	depends on IMA
94e7a2ad7eSMimi Zohar	help
95e7a2ad7eSMimi Zohar	   Select the default hash algorithm used for the measurement
96e7a2ad7eSMimi Zohar	   list, integrity appraisal and audit log.  The compiled default
97e7a2ad7eSMimi Zohar	   hash algorithm can be overwritten using the kernel command
98e7a2ad7eSMimi Zohar	   line 'ima_hash=' option.
99e7a2ad7eSMimi Zohar
100e7a2ad7eSMimi Zohar	config IMA_DEFAULT_HASH_SHA1
101e7a2ad7eSMimi Zohar		bool "SHA1 (default)"
10238d19268SBen Hutchings		depends on CRYPTO_SHA1=y
103e7a2ad7eSMimi Zohar
104e7a2ad7eSMimi Zohar	config IMA_DEFAULT_HASH_SHA256
105e7a2ad7eSMimi Zohar		bool "SHA256"
10638d19268SBen Hutchings		depends on CRYPTO_SHA256=y && !IMA_TEMPLATE
107e7a2ad7eSMimi Zohar
108e7a2ad7eSMimi Zohar	config IMA_DEFAULT_HASH_SHA512
109e7a2ad7eSMimi Zohar		bool "SHA512"
11038d19268SBen Hutchings		depends on CRYPTO_SHA512=y && !IMA_TEMPLATE
111e7a2ad7eSMimi Zohar
112e7a2ad7eSMimi Zohar	config IMA_DEFAULT_HASH_WP512
113e7a2ad7eSMimi Zohar		bool "WP512"
11438d19268SBen Hutchings		depends on CRYPTO_WP512=y && !IMA_TEMPLATE
1155780b9abSTianjia Zhang
1165780b9abSTianjia Zhang	config IMA_DEFAULT_HASH_SM3
1175780b9abSTianjia Zhang		bool "SM3"
1185780b9abSTianjia Zhang		depends on CRYPTO_SM3=y && !IMA_TEMPLATE
119e7a2ad7eSMimi Zoharendchoice
120e7a2ad7eSMimi Zohar
121e7a2ad7eSMimi Zoharconfig IMA_DEFAULT_HASH
122e7a2ad7eSMimi Zohar	string
123e7a2ad7eSMimi Zohar	depends on IMA
124e7a2ad7eSMimi Zohar	default "sha1" if IMA_DEFAULT_HASH_SHA1
125e7a2ad7eSMimi Zohar	default "sha256" if IMA_DEFAULT_HASH_SHA256
126e7a2ad7eSMimi Zohar	default "sha512" if IMA_DEFAULT_HASH_SHA512
127e7a2ad7eSMimi Zohar	default "wp512" if IMA_DEFAULT_HASH_WP512
1285780b9abSTianjia Zhang	default "sm3" if IMA_DEFAULT_HASH_SM3
129e7a2ad7eSMimi Zohar
13038d859f9SPetko Manolovconfig IMA_WRITE_POLICY
13138d859f9SPetko Manolov	bool "Enable multiple writes to the IMA policy"
13238d859f9SPetko Manolov	depends on IMA
13338d859f9SPetko Manolov	default n
13438d859f9SPetko Manolov	help
13538d859f9SPetko Manolov	  IMA policy can now be updated multiple times.  The new rules get
13638d859f9SPetko Manolov	  appended to the original policy.  Have in mind that the rules are
13738d859f9SPetko Manolov	  scanned in FIFO order so be careful when you design and add new ones.
13838d859f9SPetko Manolov
13938d859f9SPetko Manolov	  If unsure, say N.
14038d859f9SPetko Manolov
14180eae209SPetko Manolovconfig IMA_READ_POLICY
14280eae209SPetko Manolov	bool "Enable reading back the current IMA policy"
14380eae209SPetko Manolov	depends on IMA
14480eae209SPetko Manolov	default y if IMA_WRITE_POLICY
14580eae209SPetko Manolov	default n if !IMA_WRITE_POLICY
14680eae209SPetko Manolov	help
14780eae209SPetko Manolov	   It is often useful to be able to read back the IMA policy.  It is
14880eae209SPetko Manolov	   even more important after introducing CONFIG_IMA_WRITE_POLICY.
14980eae209SPetko Manolov	   This option allows the root user to see the current policy rules.
15080eae209SPetko Manolov
1512fe5d6deSMimi Zoharconfig IMA_APPRAISE
1522fe5d6deSMimi Zohar	bool "Appraise integrity measurements"
1532fe5d6deSMimi Zohar	depends on IMA
1542fe5d6deSMimi Zohar	default n
1552fe5d6deSMimi Zohar	help
1562fe5d6deSMimi Zohar	  This option enables local measurement integrity appraisal.
1572fe5d6deSMimi Zohar	  It requires the system to be labeled with a security extended
1582fe5d6deSMimi Zohar	  attribute containing the file hash measurement.  To protect
1592fe5d6deSMimi Zohar	  the security extended attributes from offline attack, enable
1602fe5d6deSMimi Zohar	  and configure EVM.
1612fe5d6deSMimi Zohar
1622fe5d6deSMimi Zohar	  For more information on integrity appraisal refer to:
1632fe5d6deSMimi Zohar	  <http://linux-ima.sourceforge.net>
1642fe5d6deSMimi Zohar	  If unsure, say N.
1657d2ce232SMimi Zohar
166d958083aSEric Richterconfig IMA_ARCH_POLICY
167d958083aSEric Richter        bool "Enable loading an IMA architecture specific policy"
168aefcf2f4SLinus Torvalds        depends on (KEXEC_SIG && IMA) || IMA_APPRAISE \
1699e1e5d43SNayna Jain		   && INTEGRITY_ASYMMETRIC_KEYS
170d958083aSEric Richter        default n
171d958083aSEric Richter        help
172d958083aSEric Richter          This option enables loading an IMA architecture specific policy
173d958083aSEric Richter          based on run time secure boot flags.
174d958083aSEric Richter
175ef96837bSMimi Zoharconfig IMA_APPRAISE_BUILD_POLICY
176ef96837bSMimi Zohar	bool "IMA build time configured policy rules"
177ef96837bSMimi Zohar	depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS
178ef96837bSMimi Zohar	default n
179ef96837bSMimi Zohar	help
180ef96837bSMimi Zohar	  This option defines an IMA appraisal policy at build time, which
181ef96837bSMimi Zohar	  is enforced at run time without having to specify a builtin
182ef96837bSMimi Zohar	  policy name on the boot command line.  The build time appraisal
183ef96837bSMimi Zohar	  policy rules persist after loading a custom policy.
184ef96837bSMimi Zohar
185ef96837bSMimi Zohar	  Depending on the rules configured, this policy may require kernel
186ef96837bSMimi Zohar	  modules, firmware, the kexec kernel image, and/or the IMA policy
187ef96837bSMimi Zohar	  to be signed.  Unsigned files might prevent the system from
188ef96837bSMimi Zohar	  booting or applications from working properly.
189ef96837bSMimi Zohar
190ef96837bSMimi Zoharconfig IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS
191ef96837bSMimi Zohar	bool "Appraise firmware signatures"
192ef96837bSMimi Zohar	depends on IMA_APPRAISE_BUILD_POLICY
193ef96837bSMimi Zohar	default n
194ef96837bSMimi Zohar	help
195ef96837bSMimi Zohar	  This option defines a policy requiring all firmware to be signed,
196ef96837bSMimi Zohar	  including the regulatory.db.  If both this option and
197ef96837bSMimi Zohar	  CFG80211_REQUIRE_SIGNED_REGDB are enabled, then both signature
198ef96837bSMimi Zohar	  verification methods are necessary.
199ef96837bSMimi Zohar
200ef96837bSMimi Zoharconfig IMA_APPRAISE_REQUIRE_KEXEC_SIGS
201ef96837bSMimi Zohar	bool "Appraise kexec kernel image signatures"
202ef96837bSMimi Zohar	depends on IMA_APPRAISE_BUILD_POLICY
203ef96837bSMimi Zohar	default n
204ef96837bSMimi Zohar	help
205ef96837bSMimi Zohar	  Enabling this rule will require all kexec'ed kernel images to
206ef96837bSMimi Zohar	  be signed and verified by a public key on the trusted IMA
207ef96837bSMimi Zohar	  keyring.
208ef96837bSMimi Zohar
209ef96837bSMimi Zohar	  Kernel image signatures can not be verified by the original
210ef96837bSMimi Zohar	  kexec_load syscall.  Enabling this rule will prevent its
211ef96837bSMimi Zohar	  usage.
212ef96837bSMimi Zohar
213ef96837bSMimi Zoharconfig IMA_APPRAISE_REQUIRE_MODULE_SIGS
214ef96837bSMimi Zohar	bool "Appraise kernel modules signatures"
215ef96837bSMimi Zohar	depends on IMA_APPRAISE_BUILD_POLICY
216ef96837bSMimi Zohar	default n
217ef96837bSMimi Zohar	help
218ef96837bSMimi Zohar	  Enabling this rule will require all kernel modules to be signed
219ef96837bSMimi Zohar	  and verified by a public key on the trusted IMA keyring.
220ef96837bSMimi Zohar
221ef96837bSMimi Zohar	  Kernel module signatures can only be verified by IMA-appraisal,
222ef96837bSMimi Zohar	  via the finit_module syscall. Enabling this rule will prevent
223ef96837bSMimi Zohar	  the usage of the init_module syscall.
224ef96837bSMimi Zohar
225ef96837bSMimi Zoharconfig IMA_APPRAISE_REQUIRE_POLICY_SIGS
226ef96837bSMimi Zohar	bool "Appraise IMA policy signature"
227ef96837bSMimi Zohar	depends on IMA_APPRAISE_BUILD_POLICY
228ef96837bSMimi Zohar	default n
229ef96837bSMimi Zohar	help
230ef96837bSMimi Zohar	  Enabling this rule will require the IMA policy to be signed and
231ef96837bSMimi Zohar	  and verified by a key on the trusted IMA keyring.
232ef96837bSMimi Zohar
233e1f5e01fSMimi Zoharconfig IMA_APPRAISE_BOOTPARAM
234e1f5e01fSMimi Zohar	bool "ima_appraise boot parameter"
235d958083aSEric Richter	depends on IMA_APPRAISE && !IMA_ARCH_POLICY
236e1f5e01fSMimi Zohar	default y
237e1f5e01fSMimi Zohar	help
238e1f5e01fSMimi Zohar	  This option enables the different "ima_appraise=" modes
239e1f5e01fSMimi Zohar	  (eg. fix, log) from the boot command line.
240e1f5e01fSMimi Zohar
2419044d627SThiago Jung Bauermannconfig IMA_APPRAISE_MODSIG
2429044d627SThiago Jung Bauermann	bool "Support module-style signatures for appraisal"
2439044d627SThiago Jung Bauermann	depends on IMA_APPRAISE
24439b07096SThiago Jung Bauermann	depends on INTEGRITY_ASYMMETRIC_KEYS
24539b07096SThiago Jung Bauermann	select PKCS7_MESSAGE_PARSER
24639b07096SThiago Jung Bauermann	select MODULE_SIG_FORMAT
2479044d627SThiago Jung Bauermann	default n
2489044d627SThiago Jung Bauermann	help
2499044d627SThiago Jung Bauermann	   Adds support for signatures appended to files. The format of the
2509044d627SThiago Jung Bauermann	   appended signature is the same used for signed kernel modules.
2519044d627SThiago Jung Bauermann	   The modsig keyword can be used in the IMA policy to allow a hook
2529044d627SThiago Jung Bauermann	   to accept such signatures.
2539044d627SThiago Jung Bauermann
2547d2ce232SMimi Zoharconfig IMA_TRUSTED_KEYRING
255f4dc3778SDmitry Kasatkin	bool "Require all keys on the .ima keyring be signed (deprecated)"
2567d2ce232SMimi Zohar	depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
2577d2ce232SMimi Zohar	depends on INTEGRITY_ASYMMETRIC_KEYS
258f4dc3778SDmitry Kasatkin	select INTEGRITY_TRUSTED_KEYRING
2597d2ce232SMimi Zohar	default y
2607d2ce232SMimi Zohar	help
2617d2ce232SMimi Zohar	   This option requires that all keys added to the .ima
2627d2ce232SMimi Zohar	   keyring be signed by a key on the system trusted keyring.
263fd5f4e90SDmitry Kasatkin
264f4dc3778SDmitry Kasatkin	   This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING
265f4dc3778SDmitry Kasatkin
26656104cf2SDavid Howellsconfig IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
26756104cf2SDavid Howells	bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
26856104cf2SDavid Howells	depends on SYSTEM_TRUSTED_KEYRING
26956104cf2SDavid Howells	depends on SECONDARY_TRUSTED_KEYRING
27056104cf2SDavid Howells	depends on INTEGRITY_ASYMMETRIC_KEYS
27156104cf2SDavid Howells	select INTEGRITY_TRUSTED_KEYRING
27256104cf2SDavid Howells	default n
27356104cf2SDavid Howells	help
27456104cf2SDavid Howells	  Keys may be added to the IMA or IMA blacklist keyrings, if the
27556104cf2SDavid Howells	  key is validly signed by a CA cert in the system built-in or
27656104cf2SDavid Howells	  secondary trusted keyrings.
27756104cf2SDavid Howells
27856104cf2SDavid Howells	  Intermediate keys between those the kernel has compiled in and the
27956104cf2SDavid Howells	  IMA keys to be added may be added to the system secondary keyring,
28056104cf2SDavid Howells	  provided they are validly signed by a key already resident in the
28156104cf2SDavid Howells	  built-in or secondary trusted keyrings.
28256104cf2SDavid Howells
28356104cf2SDavid Howellsconfig IMA_BLACKLIST_KEYRING
28456104cf2SDavid Howells	bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
28541c89b64SPetko Manolov	depends on SYSTEM_TRUSTED_KEYRING
28641c89b64SPetko Manolov	depends on IMA_TRUSTED_KEYRING
28741c89b64SPetko Manolov	default n
28841c89b64SPetko Manolov	help
28956104cf2SDavid Howells	   This option creates an IMA blacklist keyring, which contains all
29056104cf2SDavid Howells	   revoked IMA keys.  It is consulted before any other keyring.  If
29156104cf2SDavid Howells	   the search is successful the requested operation is rejected and
29256104cf2SDavid Howells	   an error is returned to the caller.
29341c89b64SPetko Manolov
294fd5f4e90SDmitry Kasatkinconfig IMA_LOAD_X509
295fd5f4e90SDmitry Kasatkin	bool "Load X509 certificate onto the '.ima' trusted keyring"
296fd5f4e90SDmitry Kasatkin	depends on IMA_TRUSTED_KEYRING
297fd5f4e90SDmitry Kasatkin	default n
298fd5f4e90SDmitry Kasatkin	help
299fd5f4e90SDmitry Kasatkin	   File signature verification is based on the public keys
300fd5f4e90SDmitry Kasatkin	   loaded on the .ima trusted keyring. These public keys are
301fd5f4e90SDmitry Kasatkin	   X509 certificates signed by a trusted key on the
302fd5f4e90SDmitry Kasatkin	   .system keyring.  This option enables X509 certificate
303fd5f4e90SDmitry Kasatkin	   loading from the kernel onto the '.ima' trusted keyring.
304fd5f4e90SDmitry Kasatkin
305fd5f4e90SDmitry Kasatkinconfig IMA_X509_PATH
306fd5f4e90SDmitry Kasatkin	string "IMA X509 certificate path"
307fd5f4e90SDmitry Kasatkin	depends on IMA_LOAD_X509
308fd5f4e90SDmitry Kasatkin	default "/etc/keys/x509_ima.der"
309fd5f4e90SDmitry Kasatkin	help
310fd5f4e90SDmitry Kasatkin	   This option defines IMA X509 certificate path.
311c57782c1SDmitry Kasatkin
312c57782c1SDmitry Kasatkinconfig IMA_APPRAISE_SIGNED_INIT
313c57782c1SDmitry Kasatkin	bool "Require signed user-space initialization"
314c57782c1SDmitry Kasatkin	depends on IMA_LOAD_X509
315c57782c1SDmitry Kasatkin	default n
316c57782c1SDmitry Kasatkin	help
317c57782c1SDmitry Kasatkin	   This option requires user-space init to be signed.
318ea78979dSLakshmi Ramasubramanian
319ea78979dSLakshmi Ramasubramanianconfig IMA_MEASURE_ASYMMETRIC_KEYS
320ea78979dSLakshmi Ramasubramanian	bool
321ea78979dSLakshmi Ramasubramanian	depends on IMA
322ea78979dSLakshmi Ramasubramanian	depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
323ea78979dSLakshmi Ramasubramanian	default y
3249f81a2edSLakshmi Ramasubramanian
3259f81a2edSLakshmi Ramasubramanianconfig IMA_QUEUE_EARLY_BOOT_KEYS
3269f81a2edSLakshmi Ramasubramanian	bool
3279f81a2edSLakshmi Ramasubramanian	depends on IMA_MEASURE_ASYMMETRIC_KEYS
3289f81a2edSLakshmi Ramasubramanian	depends on SYSTEM_TRUSTED_KEYRING
3299f81a2edSLakshmi Ramasubramanian	default y
3309e2b4be3SNayna Jain
3319e2b4be3SNayna Jainconfig IMA_SECURE_AND_OR_TRUSTED_BOOT
3329e2b4be3SNayna Jain       bool
3339e2b4be3SNayna Jain       depends on IMA_ARCH_POLICY
3349e2b4be3SNayna Jain       help
3359e2b4be3SNayna Jain          This option is selected by architectures to enable secure and/or
3369e2b4be3SNayna Jain          trusted boot based on IMA runtime policies.
337