| # SPDX-License-Identifier: GPL-2.0-only |
| # IBM Integrity Measurement Architecture |
| # |
| config IMA |
| bool "Integrity Measurement Architecture(IMA)" |
| select SECURITYFS |
| select CRYPTO |
| select CRYPTO_HMAC |
| select CRYPTO_SHA1 |
| select CRYPTO_HASH_INFO |
| select TCG_TPM if HAS_IOMEM && !UML |
| select TCG_TIS if TCG_TPM && X86 |
| select TCG_CRB if TCG_TPM && ACPI |
| select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES |
| select INTEGRITY_AUDIT if AUDIT |
| help |
| The Trusted Computing Group(TCG) runtime Integrity |
| Measurement Architecture(IMA) maintains a list of hash |
| values of executables and other sensitive system files, |
| as they are read or executed. If an attacker manages |
| to change the contents of an important system file |
| being measured, we can tell. |
| |
| If your system has a TPM chip, then IMA also maintains |
| an aggregate integrity value over this list inside the |
| TPM hardware, so that the TPM can prove to a third party |
| whether or not critical system files have been modified. |
| Read <https://www.usenix.org/events/sec04/tech/sailer.html> |
| to learn more about IMA. |
| If unsure, say N. |
| |
| config IMA_KEXEC |
| bool "Enable carrying the IMA measurement list across a soft boot" |
| depends on IMA && TCG_TPM && HAVE_IMA_KEXEC |
| default n |
| help |
| TPM PCRs are only reset on a hard reboot. In order to validate |
| a TPM's quote after a soft boot, the IMA measurement list of the |
| running kernel must be saved and restored on boot. |
| |
| Depending on the IMA policy, the measurement list can grow to |
| be very large. |
| |
| config IMA_MEASURE_PCR_IDX |
| int |
| depends on IMA |
| range 8 14 |
| default 10 |
| help |
| IMA_MEASURE_PCR_IDX determines the TPM PCR register index |
| that IMA uses to maintain the integrity aggregate of the |
| measurement list. If unsure, use the default 10. |
| |
| config IMA_LSM_RULES |
| bool |
| depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK || SECURITY_APPARMOR) |
| default y |
| help |
| Disabling this option will disregard LSM based policy rules. |
| |
| choice |
| prompt "Default template" |
| default IMA_NG_TEMPLATE |
| depends on IMA |
| help |
| Select the default IMA measurement template. |
| |
| The original 'ima' measurement list template contains a |
| hash, defined as 20 bytes, and a null terminated pathname, |
| limited to 255 characters. The 'ima-ng' measurement list |
| template permits both larger hash digests and longer |
| pathnames. |
| |
| config IMA_TEMPLATE |
| bool "ima" |
| config IMA_NG_TEMPLATE |
| bool "ima-ng (default)" |
| config IMA_SIG_TEMPLATE |
| bool "ima-sig" |
| endchoice |
| |
| config IMA_DEFAULT_TEMPLATE |
| string |
| depends on IMA |
| default "ima" if IMA_TEMPLATE |
| default "ima-ng" if IMA_NG_TEMPLATE |
| default "ima-sig" if IMA_SIG_TEMPLATE |
| |
| choice |
| prompt "Default integrity hash algorithm" |
| default IMA_DEFAULT_HASH_SHA1 |
| depends on IMA |
| help |
| Select the default hash algorithm used for the measurement |
| list, integrity appraisal and audit log. The compiled default |
| hash algorithm can be overwritten using the kernel command |
| line 'ima_hash=' option. |
| |
| config IMA_DEFAULT_HASH_SHA1 |
| bool "SHA1 (default)" |
| depends on CRYPTO_SHA1=y |
| |
| config IMA_DEFAULT_HASH_SHA256 |
| bool "SHA256" |
| depends on CRYPTO_SHA256=y && !IMA_TEMPLATE |
| |
| config IMA_DEFAULT_HASH_SHA512 |
| bool "SHA512" |
| depends on CRYPTO_SHA512=y && !IMA_TEMPLATE |
| |
| config IMA_DEFAULT_HASH_WP512 |
| bool "WP512" |
| depends on CRYPTO_WP512=y && !IMA_TEMPLATE |
| |
| config IMA_DEFAULT_HASH_SM3 |
| bool "SM3" |
| depends on CRYPTO_SM3=y && !IMA_TEMPLATE |
| endchoice |
| |
| config IMA_DEFAULT_HASH |
| string |
| depends on IMA |
| default "sha1" if IMA_DEFAULT_HASH_SHA1 |
| default "sha256" if IMA_DEFAULT_HASH_SHA256 |
| default "sha512" if IMA_DEFAULT_HASH_SHA512 |
| default "wp512" if IMA_DEFAULT_HASH_WP512 |
| default "sm3" if IMA_DEFAULT_HASH_SM3 |
| |
| config IMA_WRITE_POLICY |
| bool "Enable multiple writes to the IMA policy" |
| depends on IMA |
| default n |
| help |
| IMA policy can now be updated multiple times. The new rules get |
| appended to the original policy. Have in mind that the rules are |
| scanned in FIFO order so be careful when you design and add new ones. |
| |
| If unsure, say N. |
| |
| config IMA_READ_POLICY |
| bool "Enable reading back the current IMA policy" |
| depends on IMA |
| default y if IMA_WRITE_POLICY |
| default n if !IMA_WRITE_POLICY |
| help |
| It is often useful to be able to read back the IMA policy. It is |
| even more important after introducing CONFIG_IMA_WRITE_POLICY. |
| This option allows the root user to see the current policy rules. |
| |
| config IMA_APPRAISE |
| bool "Appraise integrity measurements" |
| depends on IMA |
| default n |
| help |
| This option enables local measurement integrity appraisal. |
| It requires the system to be labeled with a security extended |
| attribute containing the file hash measurement. To protect |
| the security extended attributes from offline attack, enable |
| and configure EVM. |
| |
| For more information on integrity appraisal refer to: |
| <http://linux-ima.sourceforge.net> |
| If unsure, say N. |
| |
| config IMA_ARCH_POLICY |
| bool "Enable loading an IMA architecture specific policy" |
| depends on (KEXEC_SIG && IMA) || IMA_APPRAISE \ |
| && INTEGRITY_ASYMMETRIC_KEYS |
| default n |
| help |
| This option enables loading an IMA architecture specific policy |
| based on run time secure boot flags. |
| |
| config IMA_APPRAISE_BUILD_POLICY |
| bool "IMA build time configured policy rules" |
| depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS |
| default n |
| help |
| This option defines an IMA appraisal policy at build time, which |
| is enforced at run time without having to specify a builtin |
| policy name on the boot command line. The build time appraisal |
| policy rules persist after loading a custom policy. |
| |
| Depending on the rules configured, this policy may require kernel |
| modules, firmware, the kexec kernel image, and/or the IMA policy |
| to be signed. Unsigned files might prevent the system from |
| booting or applications from working properly. |
| |
| config IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS |
| bool "Appraise firmware signatures" |
| depends on IMA_APPRAISE_BUILD_POLICY |
| default n |
| help |
| This option defines a policy requiring all firmware to be signed, |
| including the regulatory.db. If both this option and |
| CFG80211_REQUIRE_SIGNED_REGDB are enabled, then both signature |
| verification methods are necessary. |
| |
| config IMA_APPRAISE_REQUIRE_KEXEC_SIGS |
| bool "Appraise kexec kernel image signatures" |
| depends on IMA_APPRAISE_BUILD_POLICY |
| default n |
| help |
| Enabling this rule will require all kexec'ed kernel images to |
| be signed and verified by a public key on the trusted IMA |
| keyring. |
| |
| Kernel image signatures can not be verified by the original |
| kexec_load syscall. Enabling this rule will prevent its |
| usage. |
| |
| config IMA_APPRAISE_REQUIRE_MODULE_SIGS |
| bool "Appraise kernel modules signatures" |
| depends on IMA_APPRAISE_BUILD_POLICY |
| default n |
| help |
| Enabling this rule will require all kernel modules to be signed |
| and verified by a public key on the trusted IMA keyring. |
| |
| Kernel module signatures can only be verified by IMA-appraisal, |
| via the finit_module syscall. Enabling this rule will prevent |
| the usage of the init_module syscall. |
| |
| config IMA_APPRAISE_REQUIRE_POLICY_SIGS |
| bool "Appraise IMA policy signature" |
| depends on IMA_APPRAISE_BUILD_POLICY |
| default n |
| help |
| Enabling this rule will require the IMA policy to be signed and |
| and verified by a key on the trusted IMA keyring. |
| |
| config IMA_APPRAISE_BOOTPARAM |
| bool "ima_appraise boot parameter" |
| depends on IMA_APPRAISE |
| default y |
| help |
| This option enables the different "ima_appraise=" modes |
| (eg. fix, log) from the boot command line. |
| |
| config IMA_APPRAISE_MODSIG |
| bool "Support module-style signatures for appraisal" |
| depends on IMA_APPRAISE |
| depends on INTEGRITY_ASYMMETRIC_KEYS |
| select PKCS7_MESSAGE_PARSER |
| select MODULE_SIG_FORMAT |
| default n |
| help |
| Adds support for signatures appended to files. The format of the |
| appended signature is the same used for signed kernel modules. |
| The modsig keyword can be used in the IMA policy to allow a hook |
| to accept such signatures. |
| |
| config IMA_TRUSTED_KEYRING |
| bool "Require all keys on the .ima keyring be signed (deprecated)" |
| depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING |
| depends on INTEGRITY_ASYMMETRIC_KEYS |
| select INTEGRITY_TRUSTED_KEYRING |
| default y |
| help |
| This option requires that all keys added to the .ima |
| keyring be signed by a key on the system trusted keyring. |
| |
| This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING |
| |
| config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY |
| bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)" |
| depends on SYSTEM_TRUSTED_KEYRING |
| depends on SECONDARY_TRUSTED_KEYRING |
| depends on INTEGRITY_ASYMMETRIC_KEYS |
| select INTEGRITY_TRUSTED_KEYRING |
| default n |
| help |
| Keys may be added to the IMA or IMA blacklist keyrings, if the |
| key is validly signed by a CA cert in the system built-in or |
| secondary trusted keyrings. |
| |
| Intermediate keys between those the kernel has compiled in and the |
| IMA keys to be added may be added to the system secondary keyring, |
| provided they are validly signed by a key already resident in the |
| built-in or secondary trusted keyrings. |
| |
| config IMA_BLACKLIST_KEYRING |
| bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)" |
| depends on SYSTEM_TRUSTED_KEYRING |
| depends on IMA_TRUSTED_KEYRING |
| default n |
| help |
| This option creates an IMA blacklist keyring, which contains all |
| revoked IMA keys. It is consulted before any other keyring. If |
| the search is successful the requested operation is rejected and |
| an error is returned to the caller. |
| |
| config IMA_LOAD_X509 |
| bool "Load X509 certificate onto the '.ima' trusted keyring" |
| depends on IMA_TRUSTED_KEYRING |
| default n |
| help |
| File signature verification is based on the public keys |
| loaded on the .ima trusted keyring. These public keys are |
| X509 certificates signed by a trusted key on the |
| .system keyring. This option enables X509 certificate |
| loading from the kernel onto the '.ima' trusted keyring. |
| |
| config IMA_X509_PATH |
| string "IMA X509 certificate path" |
| depends on IMA_LOAD_X509 |
| default "/etc/keys/x509_ima.der" |
| help |
| This option defines IMA X509 certificate path. |
| |
| config IMA_APPRAISE_SIGNED_INIT |
| bool "Require signed user-space initialization" |
| depends on IMA_LOAD_X509 |
| default n |
| help |
| This option requires user-space init to be signed. |
| |
| config IMA_MEASURE_ASYMMETRIC_KEYS |
| bool |
| depends on IMA |
| depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y |
| default y |
| |
| config IMA_QUEUE_EARLY_BOOT_KEYS |
| bool |
| depends on IMA_MEASURE_ASYMMETRIC_KEYS |
| depends on SYSTEM_TRUSTED_KEYRING |
| default y |
| |
| config IMA_SECURE_AND_OR_TRUSTED_BOOT |
| bool |
| depends on IMA_ARCH_POLICY |
| help |
| This option is selected by architectures to enable secure and/or |
| trusted boot based on IMA runtime policies. |