xref: /linux/security/integrity/ima/Kconfig (revision 2361f738b67ab7f1152187fa3d321a09b7c95c09)
1# IBM Integrity Measurement Architecture
2#
3config IMA
4	bool "Integrity Measurement Architecture(IMA)"
5	depends on SECURITY
6	select INTEGRITY
7	select SECURITYFS
8	select CRYPTO
9	select CRYPTO_HMAC
10	select CRYPTO_MD5
11	select CRYPTO_SHA1
12	select TCG_TPM if HAS_IOMEM && !UML
13	select TCG_TIS if TCG_TPM && X86
14	help
15	  The Trusted Computing Group(TCG) runtime Integrity
16	  Measurement Architecture(IMA) maintains a list of hash
17	  values of executables and other sensitive system files,
18	  as they are read or executed. If an attacker manages
19	  to change the contents of an important system file
20	  being measured, we can tell.
21
22	  If your system has a TPM chip, then IMA also maintains
23	  an aggregate integrity value over this list inside the
24	  TPM hardware, so that the TPM can prove to a third party
25	  whether or not critical system files have been modified.
26	  Read <http://www.usenix.org/events/sec04/tech/sailer.html>
27	  to learn more about IMA.
28	  If unsure, say N.
29
30config IMA_MEASURE_PCR_IDX
31	int
32	depends on IMA
33	range 8 14
34	default 10
35	help
36	  IMA_MEASURE_PCR_IDX determines the TPM PCR register index
37	  that IMA uses to maintain the integrity aggregate of the
38	  measurement list.  If unsure, use the default 10.
39
40config IMA_AUDIT
41	bool "Enables auditing support"
42	depends on IMA
43	depends on AUDIT
44	default y
45	help
46	  This option adds a kernel parameter 'ima_audit', which
47	  allows informational auditing messages to be enabled
48	  at boot.  If this option is selected, informational integrity
49	  auditing messages can be enabled with 'ima_audit=1' on
50	  the kernel command line.
51
52config IMA_LSM_RULES
53	bool
54	depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)
55	default y
56	help
57	  Disabling this option will disregard LSM based policy rules.
58