Thomas Gleixner | ec8f24b | 2019-05-19 13:07:45 +0100 | [diff] [blame] | 1 | # SPDX-License-Identifier: GPL-2.0-only |
Mimi Zohar | 3323eec | 2009-02-04 09:06:58 -0500 | [diff] [blame] | 2 | # IBM Integrity Measurement Architecture |
| 3 | # |
| 4 | config IMA |
| 5 | bool "Integrity Measurement Architecture(IMA)" |
Mimi Zohar | 3323eec | 2009-02-04 09:06:58 -0500 | [diff] [blame] | 6 | select SECURITYFS |
| 7 | select CRYPTO |
| 8 | select CRYPTO_HMAC |
Mimi Zohar | 3323eec | 2009-02-04 09:06:58 -0500 | [diff] [blame] | 9 | select CRYPTO_SHA1 |
Dmitry Kasatkin | c7c8bb2 | 2013-04-25 10:43:56 +0300 | [diff] [blame] | 10 | select CRYPTO_HASH_INFO |
Randy Dunlap | 644f174 | 2023-02-23 19:27:03 -0800 | [diff] [blame] | 11 | select TCG_TPM if HAS_IOMEM |
Randy Dunlap | a69f158 | 2012-02-24 11:28:05 -0800 | [diff] [blame] | 12 | select TCG_TIS if TCG_TPM && X86 |
Jiandi An | fac37c62 | 2018-03-06 23:26:26 -0600 | [diff] [blame] | 13 | select TCG_CRB if TCG_TPM && ACPI |
Michael Ellerman | 63a0eb7 | 2014-12-03 17:04:50 +1100 | [diff] [blame] | 14 | select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES |
Stefan Berger | 2afd020a | 2018-06-04 16:54:54 -0400 | [diff] [blame] | 15 | select INTEGRITY_AUDIT if AUDIT |
Mimi Zohar | 3323eec | 2009-02-04 09:06:58 -0500 | [diff] [blame] | 16 | help |
| 17 | The Trusted Computing Group (TCG) runtime Integrity |
| 18 | Measurement Architecture (IMA) maintains a list of hash |
| 19 | values of executables and other sensitive system files, |
| 20 | as they are read or executed. If an attacker manages |
| 21 | to change the contents of an important system file |
| 22 | being measured, we can tell. |
| 23 | |
| 24 | If your system has a TPM chip, then IMA also maintains |
| 25 | an aggregate integrity value over this list inside the |
| 26 | TPM hardware, so that the TPM can prove to a third party |
| 27 | whether or not critical system files have been modified. |
Alexander A. Klimov | c9fecf5 | 2020-07-05 23:45:12 +0200 | [diff] [blame] | 28 | Read <https://www.usenix.org/events/sec04/tech/sailer.html> |
Mimi Zohar | 3323eec | 2009-02-04 09:06:58 -0500 | [diff] [blame] | 29 | to learn more about IMA. |
| 30 | If unsure, say N. |
| 31 | |
Mimi Zohar | d158847 | 2016-12-19 16:22:42 -0800 | [diff] [blame] | 32 | config IMA_KEXEC |
| 33 | bool "Enable carrying the IMA measurement list across a soft boot" |
| 34 | depends on IMA && TCG_TPM && HAVE_IMA_KEXEC |
| 35 | default n |
| 36 | help |
| 37 | TPM PCRs are only reset on a hard reboot. In order to validate |
| 38 | a TPM's quote after a soft boot, the IMA measurement list of the |
| 39 | running kernel must be saved and restored on boot. |
| 40 | |
| 41 | Depending on the IMA policy, the measurement list can grow to |
| 42 | be very large. |
| 43 | |
Mimi Zohar | 3323eec | 2009-02-04 09:06:58 -0500 | [diff] [blame] | 44 | config IMA_MEASURE_PCR_IDX |
| 45 | int |
| 46 | depends on IMA |
| 47 | range 8 14 |
| 48 | default 10 |
| 49 | help |
| 50 | IMA_MEASURE_PCR_IDX determines the TPM PCR register index |
| 51 | that IMA uses to maintain the integrity aggregate of the |
| 52 | measurement list. If unsure, use the default 10. |
| 53 | |
Mimi Zohar | 4af4662 | 2009-02-04 09:07:00 -0500 | [diff] [blame] | 54 | config IMA_LSM_RULES |
| 55 | bool |
Tyler Hicks | 1768215 | 2020-06-23 18:38:23 -0500 | [diff] [blame] | 56 | depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK || SECURITY_APPARMOR) |
Mimi Zohar | 4af4662 | 2009-02-04 09:07:00 -0500 | [diff] [blame] | 57 | default y |
| 58 | help |
Randy Dunlap | b53fab9 | 2009-02-12 09:54:14 -0800 | [diff] [blame] | 59 | Disabling this option will disregard LSM based policy rules. |
Mimi Zohar | 2fe5d6d | 2012-02-13 10:15:05 -0500 | [diff] [blame] | 60 | |
Mimi Zohar | 4286587 | 2013-06-07 12:16:34 +0200 | [diff] [blame] | 61 | choice |
| 62 | prompt "Default template" |
| 63 | default IMA_NG_TEMPLATE |
| 64 | depends on IMA |
| 65 | help |
| 66 | Select the default IMA measurement template. |
| 67 | |
| 68 | The original 'ima' measurement list template contains a |
| 69 | hash, defined as 20 bytes, and a null terminated pathname, |
| 70 | limited to 255 characters. The 'ima-ng' measurement list |
| 71 | template permits both larger hash digests and longer |
GUO Zihua | 891163a | 2022-04-07 10:16:19 +0800 | [diff] [blame] | 72 | pathnames. The configured default template can be replaced |
| 73 | by specifying "ima_template=" on the boot command line. |
Mimi Zohar | 4286587 | 2013-06-07 12:16:34 +0200 | [diff] [blame] | 74 | |
Mimi Zohar | 4286587 | 2013-06-07 12:16:34 +0200 | [diff] [blame] | 75 | config IMA_NG_TEMPLATE |
| 76 | bool "ima-ng (default)" |
Mimi Zohar | bcbc9b0c | 2013-07-23 11:15:00 -0400 | [diff] [blame] | 77 | config IMA_SIG_TEMPLATE |
| 78 | bool "ima-sig" |
Mimi Zohar | 4286587 | 2013-06-07 12:16:34 +0200 | [diff] [blame] | 79 | endchoice |
| 80 | |
| 81 | config IMA_DEFAULT_TEMPLATE |
| 82 | string |
| 83 | depends on IMA |
Mimi Zohar | 4286587 | 2013-06-07 12:16:34 +0200 | [diff] [blame] | 84 | default "ima-ng" if IMA_NG_TEMPLATE |
Mimi Zohar | bcbc9b0c | 2013-07-23 11:15:00 -0400 | [diff] [blame] | 85 | default "ima-sig" if IMA_SIG_TEMPLATE |
Mimi Zohar | 4286587 | 2013-06-07 12:16:34 +0200 | [diff] [blame] | 86 | |
Mimi Zohar | e7a2ad7 | 2013-06-07 12:16:37 +0200 | [diff] [blame] | 87 | choice |
| 88 | prompt "Default integrity hash algorithm" |
| 89 | default IMA_DEFAULT_HASH_SHA1 |
| 90 | depends on IMA |
| 91 | help |
| 92 | Select the default hash algorithm used for the measurement |
| 93 | list, integrity appraisal and audit log. The compiled default |
| 94 | hash algorithm can be overwritten using the kernel command |
| 95 | line 'ima_hash=' option. |
| 96 | |
| 97 | config IMA_DEFAULT_HASH_SHA1 |
| 98 | bool "SHA1 (default)" |
Ben Hutchings | 38d1926 | 2017-05-02 19:27:00 +0100 | [diff] [blame] | 99 | depends on CRYPTO_SHA1=y |
Mimi Zohar | e7a2ad7 | 2013-06-07 12:16:37 +0200 | [diff] [blame] | 100 | |
| 101 | config IMA_DEFAULT_HASH_SHA256 |
| 102 | bool "SHA256" |
GUO Zihua | 891163a | 2022-04-07 10:16:19 +0800 | [diff] [blame] | 103 | depends on CRYPTO_SHA256=y |
Mimi Zohar | e7a2ad7 | 2013-06-07 12:16:37 +0200 | [diff] [blame] | 104 | |
| 105 | config IMA_DEFAULT_HASH_SHA512 |
| 106 | bool "SHA512" |
GUO Zihua | 891163a | 2022-04-07 10:16:19 +0800 | [diff] [blame] | 107 | depends on CRYPTO_SHA512=y |
Mimi Zohar | e7a2ad7 | 2013-06-07 12:16:37 +0200 | [diff] [blame] | 108 | |
| 109 | config IMA_DEFAULT_HASH_WP512 |
| 110 | bool "WP512" |
GUO Zihua | 891163a | 2022-04-07 10:16:19 +0800 | [diff] [blame] | 111 | depends on CRYPTO_WP512=y |
Tianjia Zhang | 5780b9a | 2020-02-10 20:44:40 +0800 | [diff] [blame] | 112 | |
| 113 | config IMA_DEFAULT_HASH_SM3 |
| 114 | bool "SM3" |
Tianjia Zhang | b6018af | 2022-11-25 20:18:40 +0800 | [diff] [blame] | 115 | depends on CRYPTO_SM3_GENERIC=y |
Mimi Zohar | e7a2ad7 | 2013-06-07 12:16:37 +0200 | [diff] [blame] | 116 | endchoice |
| 117 | |
| 118 | config IMA_DEFAULT_HASH |
| 119 | string |
| 120 | depends on IMA |
| 121 | default "sha1" if IMA_DEFAULT_HASH_SHA1 |
| 122 | default "sha256" if IMA_DEFAULT_HASH_SHA256 |
| 123 | default "sha512" if IMA_DEFAULT_HASH_SHA512 |
| 124 | default "wp512" if IMA_DEFAULT_HASH_WP512 |
Tianjia Zhang | 5780b9a | 2020-02-10 20:44:40 +0800 | [diff] [blame] | 125 | default "sm3" if IMA_DEFAULT_HASH_SM3 |
Mimi Zohar | e7a2ad7 | 2013-06-07 12:16:37 +0200 | [diff] [blame] | 126 | |
Petko Manolov | 38d859f | 2015-12-02 17:47:54 +0200 | [diff] [blame] | 127 | config IMA_WRITE_POLICY |
| 128 | bool "Enable multiple writes to the IMA policy" |
| 129 | depends on IMA |
| 130 | default n |
| 131 | help |
| 132 | IMA policy can now be updated multiple times. The new rules get |
| 133 | appended to the original policy. Keep in mind that the rules are |
| 134 | scanned in FIFO order, so be careful when you design and add new ones. |
| 135 | |
| 136 | If unsure, say N. |
| 137 | |
Petko Manolov | 80eae20 | 2015-12-02 17:47:56 +0200 | [diff] [blame] | 138 | config IMA_READ_POLICY |
| 139 | bool "Enable reading back the current IMA policy" |
| 140 | depends on IMA |
| 141 | default y if IMA_WRITE_POLICY |
| 142 | default n if !IMA_WRITE_POLICY |
| 143 | help |
| 144 | It is often useful to be able to read back the IMA policy. It is |
| 145 | even more important after introducing CONFIG_IMA_WRITE_POLICY. |
| 146 | This option allows the root user to see the current policy rules. |
| 147 | |
Mimi Zohar | 2fe5d6d | 2012-02-13 10:15:05 -0500 | [diff] [blame] | 148 | config IMA_APPRAISE |
| 149 | bool "Appraise integrity measurements" |
| 150 | depends on IMA |
| 151 | default n |
| 152 | help |
| 153 | This option enables local measurement integrity appraisal. |
| 154 | It requires the system to be labeled with a security extended |
| 155 | attribute containing the file hash measurement. To protect |
| 156 | the security extended attributes from offline attack, enable |
| 157 | and configure EVM. |
| 158 | |
| 159 | For more information on integrity appraisal refer to: |
| 160 | <http://linux-ima.sourceforge.net> |
| 161 | If unsure, say N. |
Mimi Zohar | 7d2ce23 | 2013-08-13 08:47:43 -0400 | [diff] [blame] | 162 | |
Eric Richter | d958083 | 2018-10-09 23:00:37 +0530 | [diff] [blame] | 163 | config IMA_ARCH_POLICY |
| 164 | bool "Enable loading an IMA architecture specific policy" |
Linus Torvalds | aefcf2f | 2019-09-28 08:14:15 -0700 | [diff] [blame] | 165 | depends on (KEXEC_SIG && IMA) || IMA_APPRAISE \ |
Nayna Jain | 9e1e5d4 | 2019-06-07 15:12:06 -0400 | [diff] [blame] | 166 | && INTEGRITY_ASYMMETRIC_KEYS |
Eric Richter | d958083 | 2018-10-09 23:00:37 +0530 | [diff] [blame] | 167 | default n |
| 168 | help |
| 169 | This option enables loading an IMA architecture specific policy |
| 170 | based on run time secure boot flags. |
| 171 | |
Mimi Zohar | ef96837 | 2018-07-13 14:06:01 -0400 | [diff] [blame] | 172 | config IMA_APPRAISE_BUILD_POLICY |
| 173 | bool "IMA build time configured policy rules" |
| 174 | depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS |
| 175 | default n |
| 176 | help |
| 177 | This option defines an IMA appraisal policy at build time, which |
| 178 | is enforced at run time without having to specify a builtin |
| 179 | policy name on the boot command line. The build time appraisal |
| 180 | policy rules persist after loading a custom policy. |
| 181 | |
| 182 | Depending on the rules configured, this policy may require kernel |
| 183 | modules, firmware, the kexec kernel image, and/or the IMA policy |
| 184 | to be signed. Unsigned files might prevent the system from |
| 185 | booting or applications from working properly. |
| 186 | |
| 187 | config IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS |
| 188 | bool "Appraise firmware signatures" |
| 189 | depends on IMA_APPRAISE_BUILD_POLICY |
| 190 | default n |
| 191 | help |
| 192 | This option defines a policy requiring all firmware to be signed, |
| 193 | including the regulatory.db. If both this option and |
| 194 | CFG80211_REQUIRE_SIGNED_REGDB are enabled, then both signature |
| 195 | verification methods are necessary. |
| 196 | |
| 197 | config IMA_APPRAISE_REQUIRE_KEXEC_SIGS |
| 198 | bool "Appraise kexec kernel image signatures" |
| 199 | depends on IMA_APPRAISE_BUILD_POLICY |
| 200 | default n |
| 201 | help |
| 202 | Enabling this rule will require all kexec'ed kernel images to |
| 203 | be signed and verified by a public key on the trusted IMA |
| 204 | keyring. |
| 205 | |
| 206 | Kernel image signatures can not be verified by the original |
| 207 | kexec_load syscall. Enabling this rule will prevent its |
| 208 | usage. |
| 209 | |
| 210 | config IMA_APPRAISE_REQUIRE_MODULE_SIGS |
| 211 | bool "Appraise kernel modules signatures" |
| 212 | depends on IMA_APPRAISE_BUILD_POLICY |
| 213 | default n |
| 214 | help |
| 215 | Enabling this rule will require all kernel modules to be signed |
| 216 | and verified by a public key on the trusted IMA keyring. |
| 217 | |
| 218 | Kernel module signatures can only be verified by IMA-appraisal, |
| 219 | via the finit_module syscall. Enabling this rule will prevent |
| 220 | the usage of the init_module syscall. |
| 221 | |
| 222 | config IMA_APPRAISE_REQUIRE_POLICY_SIGS |
| 223 | bool "Appraise IMA policy signature" |
| 224 | depends on IMA_APPRAISE_BUILD_POLICY |
| 225 | default n |
| 226 | help |
| 227 | Enabling this rule will require the IMA policy to be signed and |
| 228 | verified by a key on the trusted IMA keyring. |
| 229 | |
Mimi Zohar | e1f5e01 | 2017-04-24 22:06:49 -0400 | [diff] [blame] | 230 | config IMA_APPRAISE_BOOTPARAM |
| 231 | bool "ima_appraise boot parameter" |
Bruno Meneguele | 311aa6a | 2020-07-13 13:48:30 -0300 | [diff] [blame] | 232 | depends on IMA_APPRAISE |
Mimi Zohar | e1f5e01 | 2017-04-24 22:06:49 -0400 | [diff] [blame] | 233 | default y |
| 234 | help |
| 235 | This option enables the different "ima_appraise=" modes |
| 236 | (e.g. fix, log) from the boot command line. |
| 237 | |
Thiago Jung Bauermann | 9044d62 | 2019-06-27 23:19:28 -0300 | [diff] [blame] | 238 | config IMA_APPRAISE_MODSIG |
| 239 | bool "Support module-style signatures for appraisal" |
| 240 | depends on IMA_APPRAISE |
Thiago Jung Bauermann | 39b0709 | 2019-06-27 23:19:30 -0300 | [diff] [blame] | 241 | depends on INTEGRITY_ASYMMETRIC_KEYS |
| 242 | select PKCS7_MESSAGE_PARSER |
| 243 | select MODULE_SIG_FORMAT |
Thiago Jung Bauermann | 9044d62 | 2019-06-27 23:19:28 -0300 | [diff] [blame] | 244 | default n |
| 245 | help |
| 246 | Adds support for signatures appended to files. The format of the |
| 247 | appended signature is the same used for signed kernel modules. |
| 248 | The modsig keyword can be used in the IMA policy to allow a hook |
| 249 | to accept such signatures. |
| 250 | |
David Howells | 56104cf | 2016-04-07 09:45:23 +0100 | [diff] [blame] | 251 | config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY |
| 252 | bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)" |
| 253 | depends on SYSTEM_TRUSTED_KEYRING |
| 254 | depends on SECONDARY_TRUSTED_KEYRING |
| 255 | depends on INTEGRITY_ASYMMETRIC_KEYS |
| 256 | select INTEGRITY_TRUSTED_KEYRING |
| 257 | default n |
| 258 | help |
| 259 | Keys may be added to the IMA or IMA blacklist keyrings, if the |
| 260 | key is validly signed by a CA cert in the system built-in or |
Eric Snowberg | 90f6f69 | 2023-05-22 19:09:43 -0400 | [diff] [blame] | 261 | secondary trusted keyrings. The key must also have the |
| 262 | digitalSignature usage set. |
David Howells | 56104cf | 2016-04-07 09:45:23 +0100 | [diff] [blame] | 263 | |
| 264 | Intermediate keys between those the kernel has compiled in and the |
| 265 | IMA keys to be added may be added to the system secondary keyring, |
| 266 | provided they are validly signed by a key already resident in the |
| 267 | built-in or secondary trusted keyrings. |
| 268 | |
| 269 | config IMA_BLACKLIST_KEYRING |
| 270 | bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)" |
Petko Manolov | 41c89b6 | 2015-12-02 17:47:55 +0200 | [diff] [blame] | 271 | depends on SYSTEM_TRUSTED_KEYRING |
| 272 | depends on IMA_TRUSTED_KEYRING |
| 273 | default n |
| 274 | help |
David Howells | 56104cf | 2016-04-07 09:45:23 +0100 | [diff] [blame] | 275 | This option creates an IMA blacklist keyring, which contains all |
| 276 | revoked IMA keys. It is consulted before any other keyring. If |
| 277 | the search is successful the requested operation is rejected and |
| 278 | an error is returned to the caller. |
Petko Manolov | 41c89b6 | 2015-12-02 17:47:55 +0200 | [diff] [blame] | 279 | |
Dmitry Kasatkin | fd5f4e90 | 2014-11-05 17:01:14 +0200 | [diff] [blame] | 280 | config IMA_LOAD_X509 |
| 281 | bool "Load X509 certificate onto the '.ima' trusted keyring" |
| 282 | depends on IMA_TRUSTED_KEYRING |
| 283 | default n |
| 284 | help |
| 285 | File signature verification is based on the public keys |
| 286 | loaded on the .ima trusted keyring. These public keys are |
| 287 | X509 certificates signed by a trusted key on the |
| 288 | .system keyring. This option enables X509 certificate |
| 289 | loading from the kernel onto the '.ima' trusted keyring. |
| 290 | |
| 291 | config IMA_X509_PATH |
| 292 | string "IMA X509 certificate path" |
| 293 | depends on IMA_LOAD_X509 |
| 294 | default "/etc/keys/x509_ima.der" |
| 295 | help |
| 296 | This option defines the IMA X509 certificate path. |
Dmitry Kasatkin | c57782c | 2014-11-05 17:01:16 +0200 | [diff] [blame] | 297 | |
| 298 | config IMA_APPRAISE_SIGNED_INIT |
| 299 | bool "Require signed user-space initialization" |
| 300 | depends on IMA_LOAD_X509 |
| 301 | default n |
| 302 | help |
| 303 | This option requires user-space init to be signed. |
Lakshmi Ramasubramanian | ea78979 | 2020-01-08 08:05:08 -0800 | [diff] [blame] | 304 | |
| 305 | config IMA_MEASURE_ASYMMETRIC_KEYS |
| 306 | bool |
| 307 | depends on IMA |
| 308 | depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y |
| 309 | default y |
Lakshmi Ramasubramanian | 9f81a2e | 2020-01-22 17:32:04 -0800 | [diff] [blame] | 310 | |
| 311 | config IMA_QUEUE_EARLY_BOOT_KEYS |
| 312 | bool |
| 313 | depends on IMA_MEASURE_ASYMMETRIC_KEYS |
| 314 | depends on SYSTEM_TRUSTED_KEYRING |
| 315 | default y |
Nayna Jain | 9e2b4be | 2020-03-08 20:57:51 -0400 | [diff] [blame] | 316 | |
| 317 | config IMA_SECURE_AND_OR_TRUSTED_BOOT |
| 318 | bool |
| 319 | depends on IMA_ARCH_POLICY |
| 320 | help |
| 321 | This option is selected by architectures to enable secure and/or |
| 322 | trusted boot based on IMA runtime policies. |
Tushar Sugandhi | 52c2083 | 2021-05-10 12:09:39 -0700 | [diff] [blame] | 323 | |
| 324 | config IMA_DISABLE_HTABLE |
| 325 | bool "Disable htable to allow measurement of duplicate records" |
| 326 | depends on IMA |
| 327 | default n |
| 328 | help |
| 329 | This option disables htable to allow measurement of duplicate records. |