xref: /linux/security/integrity/ima/Kconfig (revision cd3cec0a02c7338ce2901c574f3935b8f6984aab)
1ec8f24b7SThomas Gleixner# SPDX-License-Identifier: GPL-2.0-only
23323eec9SMimi Zohar# IBM Integrity Measurement Architecture
33323eec9SMimi Zohar#
43323eec9SMimi Zoharconfig IMA
53323eec9SMimi Zohar	bool "Integrity Measurement Architecture(IMA)"
63323eec9SMimi Zohar	select SECURITYFS
73323eec9SMimi Zohar	select CRYPTO
83323eec9SMimi Zohar	select CRYPTO_HMAC
93323eec9SMimi Zohar	select CRYPTO_SHA1
10c7c8bb23SDmitry Kasatkin	select CRYPTO_HASH_INFO
11*cd3cec0aSRoberto Sassu	select SECURITY_PATH
12644f1741SRandy Dunlap	select TCG_TPM if HAS_IOMEM
13a69f1589SRandy Dunlap	select TCG_TIS if TCG_TPM && X86
14fac37c62SJiandi An	select TCG_CRB if TCG_TPM && ACPI
1563a0eb78SMichael Ellerman	select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
162afd020aSStefan Berger	select INTEGRITY_AUDIT if AUDIT
173323eec9SMimi Zohar	help
183323eec9SMimi Zohar	  The Trusted Computing Group(TCG) runtime Integrity
193323eec9SMimi Zohar	  Measurement Architecture(IMA) maintains a list of hash
203323eec9SMimi Zohar	  values of executables and other sensitive system files,
213323eec9SMimi Zohar	  as they are read or executed. If an attacker manages
223323eec9SMimi Zohar	  to change the contents of an important system file
233323eec9SMimi Zohar	  being measured, we can tell.
243323eec9SMimi Zohar
253323eec9SMimi Zohar	  If your system has a TPM chip, then IMA also maintains
263323eec9SMimi Zohar	  an aggregate integrity value over this list inside the
273323eec9SMimi Zohar	  TPM hardware, so that the TPM can prove to a third party
283323eec9SMimi Zohar	  whether or not critical system files have been modified.
29c9fecf50SAlexander A. Klimov	  Read <https://www.usenix.org/events/sec04/tech/sailer.html>
303323eec9SMimi Zohar	  to learn more about IMA.
313323eec9SMimi Zohar	  If unsure, say N.
323323eec9SMimi Zohar
3391e32656SArnd Bergmannif IMA
3491e32656SArnd Bergmann
35d158847aSMimi Zoharconfig IMA_KEXEC
36d158847aSMimi Zohar	bool "Enable carrying the IMA measurement list across a soft boot"
3791e32656SArnd Bergmann	depends on TCG_TPM && HAVE_IMA_KEXEC
38d158847aSMimi Zohar	default n
39d158847aSMimi Zohar	help
40d158847aSMimi Zohar	   TPM PCRs are only reset on a hard reboot.  In order to validate
41d158847aSMimi Zohar	   a TPM's quote after a soft boot, the IMA measurement list of the
42d158847aSMimi Zohar	   running kernel must be saved and restored on boot.
43d158847aSMimi Zohar
44d158847aSMimi Zohar	   Depending on the IMA policy, the measurement list can grow to
45d158847aSMimi Zohar	   be very large.
46d158847aSMimi Zohar
473323eec9SMimi Zoharconfig IMA_MEASURE_PCR_IDX
483323eec9SMimi Zohar	int
493323eec9SMimi Zohar	range 8 14
503323eec9SMimi Zohar	default 10
513323eec9SMimi Zohar	help
523323eec9SMimi Zohar	  IMA_MEASURE_PCR_IDX determines the TPM PCR register index
533323eec9SMimi Zohar	  that IMA uses to maintain the integrity aggregate of the
543323eec9SMimi Zohar	  measurement list.  If unsure, use the default 10.
553323eec9SMimi Zohar
564af4662fSMimi Zoharconfig IMA_LSM_RULES
574af4662fSMimi Zohar	bool
5891e32656SArnd Bergmann	depends on AUDIT && (SECURITY_SELINUX || SECURITY_SMACK || SECURITY_APPARMOR)
594af4662fSMimi Zohar	default y
604af4662fSMimi Zohar	help
61b53fab9dSRandy Dunlap	  Disabling this option will disregard LSM based policy rules.
622fe5d6deSMimi Zohar
634286587dSMimi Zoharchoice
644286587dSMimi Zohar	prompt "Default template"
654286587dSMimi Zohar	default IMA_NG_TEMPLATE
664286587dSMimi Zohar	help
674286587dSMimi Zohar	  Select the default IMA measurement template.
684286587dSMimi Zohar
694286587dSMimi Zohar	  The original 'ima' measurement list template contains a
704286587dSMimi Zohar	  hash, defined as 20 bytes, and a null terminated pathname,
714286587dSMimi Zohar	  limited to 255 characters.  The 'ima-ng' measurement list
724286587dSMimi Zohar	  template permits both larger hash digests and longer
73891163adSGUO Zihua	  pathnames. The configured default template can be replaced
74891163adSGUO Zihua	  by specifying "ima_template=" on the boot command line.
754286587dSMimi Zohar
764286587dSMimi Zohar	config IMA_NG_TEMPLATE
774286587dSMimi Zohar		bool "ima-ng (default)"
78bcbc9b0cSMimi Zohar	config IMA_SIG_TEMPLATE
79bcbc9b0cSMimi Zohar		bool "ima-sig"
804286587dSMimi Zoharendchoice
814286587dSMimi Zohar
824286587dSMimi Zoharconfig IMA_DEFAULT_TEMPLATE
834286587dSMimi Zohar	string
844286587dSMimi Zohar	default "ima-ng" if IMA_NG_TEMPLATE
85bcbc9b0cSMimi Zohar	default "ima-sig" if IMA_SIG_TEMPLATE
864286587dSMimi Zohar
87e7a2ad7eSMimi Zoharchoice
88e7a2ad7eSMimi Zohar	prompt "Default integrity hash algorithm"
89e7a2ad7eSMimi Zohar	default IMA_DEFAULT_HASH_SHA1
90e7a2ad7eSMimi Zohar	help
91e7a2ad7eSMimi Zohar	   Select the default hash algorithm used for the measurement
92e7a2ad7eSMimi Zohar	   list, integrity appraisal and audit log.  The compiled default
93e7a2ad7eSMimi Zohar	   hash algorithm can be overwritten using the kernel command
94e7a2ad7eSMimi Zohar	   line 'ima_hash=' option.
95e7a2ad7eSMimi Zohar
96e7a2ad7eSMimi Zohar	config IMA_DEFAULT_HASH_SHA1
97e7a2ad7eSMimi Zohar		bool "SHA1 (default)"
9838d19268SBen Hutchings		depends on CRYPTO_SHA1=y
99e7a2ad7eSMimi Zohar
100e7a2ad7eSMimi Zohar	config IMA_DEFAULT_HASH_SHA256
101e7a2ad7eSMimi Zohar		bool "SHA256"
102891163adSGUO Zihua		depends on CRYPTO_SHA256=y
103e7a2ad7eSMimi Zohar
104e7a2ad7eSMimi Zohar	config IMA_DEFAULT_HASH_SHA512
105e7a2ad7eSMimi Zohar		bool "SHA512"
106891163adSGUO Zihua		depends on CRYPTO_SHA512=y
107e7a2ad7eSMimi Zohar
108e7a2ad7eSMimi Zohar	config IMA_DEFAULT_HASH_WP512
109e7a2ad7eSMimi Zohar		bool "WP512"
110891163adSGUO Zihua		depends on CRYPTO_WP512=y
1115780b9abSTianjia Zhang
1125780b9abSTianjia Zhang	config IMA_DEFAULT_HASH_SM3
1135780b9abSTianjia Zhang		bool "SM3"
114b6018af4STianjia Zhang		depends on CRYPTO_SM3_GENERIC=y
115e7a2ad7eSMimi Zoharendchoice
116e7a2ad7eSMimi Zohar
117e7a2ad7eSMimi Zoharconfig IMA_DEFAULT_HASH
118e7a2ad7eSMimi Zohar	string
119e7a2ad7eSMimi Zohar	default "sha1" if IMA_DEFAULT_HASH_SHA1
120e7a2ad7eSMimi Zohar	default "sha256" if IMA_DEFAULT_HASH_SHA256
121e7a2ad7eSMimi Zohar	default "sha512" if IMA_DEFAULT_HASH_SHA512
122e7a2ad7eSMimi Zohar	default "wp512" if IMA_DEFAULT_HASH_WP512
1235780b9abSTianjia Zhang	default "sm3" if IMA_DEFAULT_HASH_SM3
124e7a2ad7eSMimi Zohar
12538d859f9SPetko Manolovconfig IMA_WRITE_POLICY
12638d859f9SPetko Manolov	bool "Enable multiple writes to the IMA policy"
12738d859f9SPetko Manolov	default n
12838d859f9SPetko Manolov	help
12938d859f9SPetko Manolov	  IMA policy can now be updated multiple times.  The new rules get
13038d859f9SPetko Manolov	  appended to the original policy.  Have in mind that the rules are
13138d859f9SPetko Manolov	  scanned in FIFO order so be careful when you design and add new ones.
13238d859f9SPetko Manolov
13338d859f9SPetko Manolov	  If unsure, say N.
13438d859f9SPetko Manolov
13580eae209SPetko Manolovconfig IMA_READ_POLICY
13680eae209SPetko Manolov	bool "Enable reading back the current IMA policy"
13780eae209SPetko Manolov	default y if IMA_WRITE_POLICY
13880eae209SPetko Manolov	default n if !IMA_WRITE_POLICY
13980eae209SPetko Manolov	help
14080eae209SPetko Manolov	   It is often useful to be able to read back the IMA policy.  It is
14180eae209SPetko Manolov	   even more important after introducing CONFIG_IMA_WRITE_POLICY.
14280eae209SPetko Manolov	   This option allows the root user to see the current policy rules.
14380eae209SPetko Manolov
1442fe5d6deSMimi Zoharconfig IMA_APPRAISE
1452fe5d6deSMimi Zohar	bool "Appraise integrity measurements"
1462fe5d6deSMimi Zohar	default n
1472fe5d6deSMimi Zohar	help
1482fe5d6deSMimi Zohar	  This option enables local measurement integrity appraisal.
1492fe5d6deSMimi Zohar	  It requires the system to be labeled with a security extended
1502fe5d6deSMimi Zohar	  attribute containing the file hash measurement.  To protect
1512fe5d6deSMimi Zohar	  the security extended attributes from offline attack, enable
1522fe5d6deSMimi Zohar	  and configure EVM.
1532fe5d6deSMimi Zohar
1542fe5d6deSMimi Zohar	  For more information on integrity appraisal refer to:
1552fe5d6deSMimi Zohar	  <http://linux-ima.sourceforge.net>
1562fe5d6deSMimi Zohar	  If unsure, say N.
1577d2ce232SMimi Zohar
158d958083aSEric Richterconfig IMA_ARCH_POLICY
159d958083aSEric Richter        bool "Enable loading an IMA architecture specific policy"
160aefcf2f4SLinus Torvalds        depends on (KEXEC_SIG && IMA) || IMA_APPRAISE \
1619e1e5d43SNayna Jain		   && INTEGRITY_ASYMMETRIC_KEYS
162d958083aSEric Richter        default n
163d958083aSEric Richter        help
164d958083aSEric Richter          This option enables loading an IMA architecture specific policy
165d958083aSEric Richter          based on run time secure boot flags.
166d958083aSEric Richter
167ef96837bSMimi Zoharconfig IMA_APPRAISE_BUILD_POLICY
168ef96837bSMimi Zohar	bool "IMA build time configured policy rules"
169ef96837bSMimi Zohar	depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS
170ef96837bSMimi Zohar	default n
171ef96837bSMimi Zohar	help
172ef96837bSMimi Zohar	  This option defines an IMA appraisal policy at build time, which
173ef96837bSMimi Zohar	  is enforced at run time without having to specify a builtin
174ef96837bSMimi Zohar	  policy name on the boot command line.  The build time appraisal
175ef96837bSMimi Zohar	  policy rules persist after loading a custom policy.
176ef96837bSMimi Zohar
177ef96837bSMimi Zohar	  Depending on the rules configured, this policy may require kernel
178ef96837bSMimi Zohar	  modules, firmware, the kexec kernel image, and/or the IMA policy
179ef96837bSMimi Zohar	  to be signed.  Unsigned files might prevent the system from
180ef96837bSMimi Zohar	  booting or applications from working properly.
181ef96837bSMimi Zohar
182ef96837bSMimi Zoharconfig IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS
183ef96837bSMimi Zohar	bool "Appraise firmware signatures"
184ef96837bSMimi Zohar	depends on IMA_APPRAISE_BUILD_POLICY
185ef96837bSMimi Zohar	default n
186ef96837bSMimi Zohar	help
187ef96837bSMimi Zohar	  This option defines a policy requiring all firmware to be signed,
188ef96837bSMimi Zohar	  including the regulatory.db.  If both this option and
189ef96837bSMimi Zohar	  CFG80211_REQUIRE_SIGNED_REGDB are enabled, then both signature
190ef96837bSMimi Zohar	  verification methods are necessary.
191ef96837bSMimi Zohar
192ef96837bSMimi Zoharconfig IMA_APPRAISE_REQUIRE_KEXEC_SIGS
193ef96837bSMimi Zohar	bool "Appraise kexec kernel image signatures"
194ef96837bSMimi Zohar	depends on IMA_APPRAISE_BUILD_POLICY
195ef96837bSMimi Zohar	default n
196ef96837bSMimi Zohar	help
197ef96837bSMimi Zohar	  Enabling this rule will require all kexec'ed kernel images to
198ef96837bSMimi Zohar	  be signed and verified by a public key on the trusted IMA
199ef96837bSMimi Zohar	  keyring.
200ef96837bSMimi Zohar
201ef96837bSMimi Zohar	  Kernel image signatures can not be verified by the original
202ef96837bSMimi Zohar	  kexec_load syscall.  Enabling this rule will prevent its
203ef96837bSMimi Zohar	  usage.
204ef96837bSMimi Zohar
205ef96837bSMimi Zoharconfig IMA_APPRAISE_REQUIRE_MODULE_SIGS
206ef96837bSMimi Zohar	bool "Appraise kernel modules signatures"
207ef96837bSMimi Zohar	depends on IMA_APPRAISE_BUILD_POLICY
208ef96837bSMimi Zohar	default n
209ef96837bSMimi Zohar	help
210ef96837bSMimi Zohar	  Enabling this rule will require all kernel modules to be signed
211ef96837bSMimi Zohar	  and verified by a public key on the trusted IMA keyring.
212ef96837bSMimi Zohar
213ef96837bSMimi Zohar	  Kernel module signatures can only be verified by IMA-appraisal,
214ef96837bSMimi Zohar	  via the finit_module syscall. Enabling this rule will prevent
215ef96837bSMimi Zohar	  the usage of the init_module syscall.
216ef96837bSMimi Zohar
217ef96837bSMimi Zoharconfig IMA_APPRAISE_REQUIRE_POLICY_SIGS
218ef96837bSMimi Zohar	bool "Appraise IMA policy signature"
219ef96837bSMimi Zohar	depends on IMA_APPRAISE_BUILD_POLICY
220ef96837bSMimi Zohar	default n
221ef96837bSMimi Zohar	help
222ef96837bSMimi Zohar	  Enabling this rule will require the IMA policy to be signed and
223ef96837bSMimi Zohar	  and verified by a key on the trusted IMA keyring.
224ef96837bSMimi Zohar
225e1f5e01fSMimi Zoharconfig IMA_APPRAISE_BOOTPARAM
226e1f5e01fSMimi Zohar	bool "ima_appraise boot parameter"
227311aa6aaSBruno Meneguele	depends on IMA_APPRAISE
228e1f5e01fSMimi Zohar	default y
229e1f5e01fSMimi Zohar	help
230e1f5e01fSMimi Zohar	  This option enables the different "ima_appraise=" modes
231e1f5e01fSMimi Zohar	  (eg. fix, log) from the boot command line.
232e1f5e01fSMimi Zohar
2339044d627SThiago Jung Bauermannconfig IMA_APPRAISE_MODSIG
2349044d627SThiago Jung Bauermann	bool "Support module-style signatures for appraisal"
2359044d627SThiago Jung Bauermann	depends on IMA_APPRAISE
23639b07096SThiago Jung Bauermann	depends on INTEGRITY_ASYMMETRIC_KEYS
23739b07096SThiago Jung Bauermann	select PKCS7_MESSAGE_PARSER
23839b07096SThiago Jung Bauermann	select MODULE_SIG_FORMAT
2399044d627SThiago Jung Bauermann	default n
2409044d627SThiago Jung Bauermann	help
2419044d627SThiago Jung Bauermann	   Adds support for signatures appended to files. The format of the
2429044d627SThiago Jung Bauermann	   appended signature is the same used for signed kernel modules.
2439044d627SThiago Jung Bauermann	   The modsig keyword can be used in the IMA policy to allow a hook
2449044d627SThiago Jung Bauermann	   to accept such signatures.
2459044d627SThiago Jung Bauermann
24656104cf2SDavid Howellsconfig IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
247f17167beSEric Snowberg	bool "Permit keys validly signed by a built-in, machine (if configured) or secondary"
24856104cf2SDavid Howells	depends on SYSTEM_TRUSTED_KEYRING
24956104cf2SDavid Howells	depends on SECONDARY_TRUSTED_KEYRING
25056104cf2SDavid Howells	depends on INTEGRITY_ASYMMETRIC_KEYS
25156104cf2SDavid Howells	select INTEGRITY_TRUSTED_KEYRING
25256104cf2SDavid Howells	default n
25356104cf2SDavid Howells	help
25456104cf2SDavid Howells	  Keys may be added to the IMA or IMA blacklist keyrings, if the
255bdf1abd1SEric Snowberg	  key is validly signed by a CA cert in the system built-in,
256bdf1abd1SEric Snowberg	  machine (if configured), or secondary trusted keyrings. The
257bdf1abd1SEric Snowberg	  key must also have the digitalSignature usage set.
25856104cf2SDavid Howells
25956104cf2SDavid Howells	  Intermediate keys between those the kernel has compiled in and the
26056104cf2SDavid Howells	  IMA keys to be added may be added to the system secondary keyring,
26156104cf2SDavid Howells	  provided they are validly signed by a key already resident in the
262bdf1abd1SEric Snowberg	  built-in, machine (if configured) or secondary trusted keyrings.
26356104cf2SDavid Howells
26456104cf2SDavid Howellsconfig IMA_BLACKLIST_KEYRING
26556104cf2SDavid Howells	bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
26641c89b64SPetko Manolov	depends on SYSTEM_TRUSTED_KEYRING
267be210c6dSOleksandr Tymoshenko	depends on INTEGRITY_TRUSTED_KEYRING
26841c89b64SPetko Manolov	default n
26941c89b64SPetko Manolov	help
27056104cf2SDavid Howells	   This option creates an IMA blacklist keyring, which contains all
27156104cf2SDavid Howells	   revoked IMA keys.  It is consulted before any other keyring.  If
27256104cf2SDavid Howells	   the search is successful the requested operation is rejected and
27356104cf2SDavid Howells	   an error is returned to the caller.
27441c89b64SPetko Manolov
275fd5f4e90SDmitry Kasatkinconfig IMA_LOAD_X509
276fd5f4e90SDmitry Kasatkin	bool "Load X509 certificate onto the '.ima' trusted keyring"
277be210c6dSOleksandr Tymoshenko	depends on INTEGRITY_TRUSTED_KEYRING
278fd5f4e90SDmitry Kasatkin	default n
279fd5f4e90SDmitry Kasatkin	help
280fd5f4e90SDmitry Kasatkin	   File signature verification is based on the public keys
281fd5f4e90SDmitry Kasatkin	   loaded on the .ima trusted keyring. These public keys are
282fd5f4e90SDmitry Kasatkin	   X509 certificates signed by a trusted key on the
283fd5f4e90SDmitry Kasatkin	   .system keyring.  This option enables X509 certificate
284fd5f4e90SDmitry Kasatkin	   loading from the kernel onto the '.ima' trusted keyring.
285fd5f4e90SDmitry Kasatkin
286fd5f4e90SDmitry Kasatkinconfig IMA_X509_PATH
287fd5f4e90SDmitry Kasatkin	string "IMA X509 certificate path"
288fd5f4e90SDmitry Kasatkin	depends on IMA_LOAD_X509
289fd5f4e90SDmitry Kasatkin	default "/etc/keys/x509_ima.der"
290fd5f4e90SDmitry Kasatkin	help
291fd5f4e90SDmitry Kasatkin	   This option defines IMA X509 certificate path.
292c57782c1SDmitry Kasatkin
293c57782c1SDmitry Kasatkinconfig IMA_APPRAISE_SIGNED_INIT
294c57782c1SDmitry Kasatkin	bool "Require signed user-space initialization"
295c57782c1SDmitry Kasatkin	depends on IMA_LOAD_X509
296c57782c1SDmitry Kasatkin	default n
297c57782c1SDmitry Kasatkin	help
298c57782c1SDmitry Kasatkin	   This option requires user-space init to be signed.
299ea78979dSLakshmi Ramasubramanian
300ea78979dSLakshmi Ramasubramanianconfig IMA_MEASURE_ASYMMETRIC_KEYS
301ea78979dSLakshmi Ramasubramanian	bool
302ea78979dSLakshmi Ramasubramanian	depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
303ea78979dSLakshmi Ramasubramanian	default y
3049f81a2edSLakshmi Ramasubramanian
3059f81a2edSLakshmi Ramasubramanianconfig IMA_QUEUE_EARLY_BOOT_KEYS
3069f81a2edSLakshmi Ramasubramanian	bool
3079f81a2edSLakshmi Ramasubramanian	depends on IMA_MEASURE_ASYMMETRIC_KEYS
3089f81a2edSLakshmi Ramasubramanian	depends on SYSTEM_TRUSTED_KEYRING
3099f81a2edSLakshmi Ramasubramanian	default y
3109e2b4be3SNayna Jain
3119e2b4be3SNayna Jainconfig IMA_SECURE_AND_OR_TRUSTED_BOOT
3129e2b4be3SNayna Jain       bool
3139e2b4be3SNayna Jain       depends on IMA_ARCH_POLICY
3149e2b4be3SNayna Jain       help
3159e2b4be3SNayna Jain          This option is selected by architectures to enable secure and/or
3169e2b4be3SNayna Jain          trusted boot based on IMA runtime policies.
31752c20839STushar Sugandhi
31852c20839STushar Sugandhiconfig IMA_DISABLE_HTABLE
31952c20839STushar Sugandhi	bool "Disable htable to allow measurement of duplicate records"
32052c20839STushar Sugandhi	default n
32152c20839STushar Sugandhi	help
32252c20839STushar Sugandhi	   This option disables htable to allow measurement of duplicate records.
32391e32656SArnd Bergmann
32491e32656SArnd Bergmannendif
325