13323eec9SMimi Zohar# IBM Integrity Measurement Architecture
23323eec9SMimi Zohar#
config IMA
	bool "Integrity Measurement Architecture(IMA)"
	select SECURITYFS
	select CRYPTO
	select CRYPTO_HMAC
	# NOTE(review): md5 and sha1 are pulled in unconditionally, and sha1 is
	# also the compiled-in default below.  Both are legacy digests; a
	# deployment that relies on appraisal should pick sha256 or stronger,
	# and it is worth confirming whether md5 support is still needed here.
	select CRYPTO_MD5
	select CRYPTO_SHA1
	select CRYPTO_HASH_INFO
	# A TPM driver is only selected where the hardware can actually be
	# reached; without one IMA still measures, but cannot anchor the list.
	select TCG_TPM if HAS_IOMEM && !UML
	select TCG_TIS if TCG_TPM && X86
	select TCG_IBMVTPM if TCG_TPM && PPC64
	help
	  IMA, the Trusted Computing Group (TCG) runtime Integrity
	  Measurement Architecture, records a hash of every executable
	  and other sensitive file at the point it is read or executed.
	  A later change to a measured file is therefore visible as a
	  mismatch against the recorded measurement.

	  When a TPM is present, IMA also extends a PCR with each
	  measurement, so an aggregate over the whole list is held in
	  hardware and can be attested to a third party.  Measurement
	  by itself only records what ran; checking files against a
	  stored reference value needs IMA_APPRAISE as well.
	  See <http://www.usenix.org/events/sec04/tech/sailer.html>
	  for the original design paper.
	  If unsure, say N.
293323eec9SMimi Zohar
config IMA_MEASURE_PCR_IDX
	int
	depends on IMA
	# Only indices 8-14 are accepted; presumably this keeps IMA clear of
	# the PCRs used by firmware and the boot loader, but the bounds are
	# not explained here -- TODO confirm against the TPM platform spec.
	range 8 14
	default 10
	help
	  The TPM PCR index that IMA extends with each measurement, i.e.
	  the register holding the hardware aggregate of the measurement
	  list.  A remote verifier must quote the same PCR.  If unsure,
	  keep the default of 10.
393323eec9SMimi Zohar
config IMA_LSM_RULES
	bool
	depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)
	default y
	help
	  Support for LSM based rules in the IMA policy.  This symbol
	  carries no prompt: it is on whenever AUDIT and SELinux or
	  Smack are built in, and off otherwise.  When it is off, any
	  LSM based rules present in the policy are disregarded rather
	  than rejected, so a policy that depends on them silently
	  loses those constraints.
462fe5d6deSMimi Zohar
choice
	prompt "Default template"
	default IMA_NG_TEMPLATE
	depends on IMA
	help
	  Choose the measurement list template IMA uses by default.

	  'ima' is the original format: a fixed 20-byte hash field and
	  a NUL-terminated pathname capped at 255 characters.  Because
	  the hash field is fixed, it cannot carry digests wider than
	  SHA-1.  'ima-ng' lifts both limits, allowing larger digests
	  and longer pathnames.  'ima-sig' is a further template (the
	  name suggests it carries a file signature in addition; not
	  described in this file).

	config IMA_TEMPLATE
		bool "ima"
	config IMA_NG_TEMPLATE
		bool "ima-ng (default)"
	config IMA_SIG_TEMPLATE
		bool "ima-sig"
endchoice
674286587dSMimi Zohar
# String form of the template choice above, for use by the code.
config IMA_DEFAULT_TEMPLATE
	string
	depends on IMA
	default "ima" if IMA_TEMPLATE
	default "ima-ng" if IMA_NG_TEMPLATE
	default "ima-sig" if IMA_SIG_TEMPLATE
744286587dSMimi Zohar
choice
	prompt "Default integrity hash algorithm"
	default IMA_DEFAULT_HASH_SHA1
	depends on IMA
	help
	   The hash algorithm IMA uses by default for the measurement
	   list, for integrity appraisal and for the audit log.  This
	   is only the compiled-in default; it can be overridden at
	   boot with the 'ima_hash=' kernel command line option.

	   NOTE: SHA1 is kept as the default for compatibility.  If
	   appraisal is the goal, SHA256 or SHA512 is the safer choice.

	config IMA_DEFAULT_HASH_SHA1
		bool "SHA1 (default)"
		depends on CRYPTO_SHA1

	# The wider digests are unavailable with the legacy 'ima'
	# template, whose hash field is fixed at 20 bytes.
	config IMA_DEFAULT_HASH_SHA256
		bool "SHA256"
		depends on CRYPTO_SHA256 && !IMA_TEMPLATE

	config IMA_DEFAULT_HASH_SHA512
		bool "SHA512"
		depends on CRYPTO_SHA512 && !IMA_TEMPLATE

	config IMA_DEFAULT_HASH_WP512
		bool "WP512"
		depends on CRYPTO_WP512 && !IMA_TEMPLATE
endchoice
101e7a2ad7eSMimi Zohar
# String form of the hash choice above; the same names are accepted by
# the 'ima_hash=' command line option.
config IMA_DEFAULT_HASH
	string
	depends on IMA
	default "sha1" if IMA_DEFAULT_HASH_SHA1
	default "sha256" if IMA_DEFAULT_HASH_SHA256
	default "sha512" if IMA_DEFAULT_HASH_SHA512
	default "wp512" if IMA_DEFAULT_HASH_WP512
109e7a2ad7eSMimi Zohar
config IMA_APPRAISE
	bool "Appraise integrity measurements"
	depends on IMA
	default n
	help
	  Enable local appraisal: instead of only recording a file's
	  measurement, IMA compares it with a reference stored in a
	  security extended attribute on the file, so every appraised
	  file must carry that label.

	  On their own, extended attributes can be rewritten by anyone
	  with offline access to the disk, which would let an attacker
	  relabel a modified file.  Enable and configure EVM to protect
	  them; without EVM, appraisal only defends against changes
	  made while the system is running.

	  For more information on integrity appraisal refer to:
	  <http://linux-ima.sourceforge.net>
	  If unsure, say N.
1247d2ce232SMimi Zohar
config IMA_TRUSTED_KEYRING
	bool "Require all keys on the .ima keyring be signed"
	depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
	depends on INTEGRITY_ASYMMETRIC_KEYS
	# NOTE(review): KEYS_DEBUG_PROC_KEYS publishes the kernel's key listing
	# via /proc/keys.  Nothing in this file shows signature verification
	# depending on it; confirm it is genuinely required rather than a
	# debugging convenience, since it surfaces key metadata to userspace.
	select KEYS_DEBUG_PROC_KEYS
	default y
	help
	   Only accept keys onto the .ima keyring when they are signed
	   by a key already on the system trusted keyring.  This ties
	   the set of keys that can vouch for file signatures to the
	   keys built into the kernel, so root cannot simply add an
	   arbitrary key and have its signatures accepted.
134*fd5f4e90SDmitry Kasatkin
config IMA_LOAD_X509
	bool "Load X509 certificate onto the '.ima' trusted keyring"
	depends on IMA_TRUSTED_KEYRING
	default n
	help
	   File signatures are verified against the public keys held
	   on the .ima trusted keyring.  With this option the kernel
	   itself loads an X509 certificate, taken from IMA_X509_PATH,
	   onto that keyring.  Because IMA_TRUSTED_KEYRING is required,
	   the certificate must be signed by a trusted key on the
	   .system keyring or it is rejected: the on-disk location does
	   not need to be trusted, only present when the kernel reads it
	   (TODO confirm the point in boot at which the load happens and
	   hence which filesystems must already be mounted).
145*fd5f4e90SDmitry Kasatkin
config IMA_X509_PATH
	string "IMA X509 certificate path"
	depends on IMA_LOAD_X509
	default "/etc/keys/x509_ima.der"
	help
	   Path of the X509 certificate (DER, going by the default file
	   name) that IMA_LOAD_X509 adds to the .ima keyring.  The
	   certificate is checked against the .system keyring before it
	   is accepted, so this setting decides which certificate is
	   offered, not whether it is trusted.
152