| Commit | Line | Data |
|---|---|---|
| 3323eec9 MZ | 1 | # IBM Integrity Measurement Architecture |
| | 2 | # |
| | 3 | config IMA |
| | 4 | bool "Integrity Measurement Architecture(IMA)" |
| | 5 | depends on ACPI |
| | 6 | select SECURITYFS |
| | 7 | select CRYPTO |
| | 8 | select CRYPTO_HMAC |
| | 9 | select CRYPTO_MD5 |
| | 10 | select CRYPTO_SHA1 |
| | 11 | select TCG_TPM |
| | 12 | select TCG_TIS |
| | 13 | help |
| | 14 | The Trusted Computing Group(TCG) runtime Integrity |
| | 15 | Measurement Architecture(IMA) maintains a list of hash |
| | 16 | values of executables and other sensitive system files, |
| | 17 | as they are read or executed. If an attacker manages |
| | 18 | to change the contents of an important system file |
| | 19 | being measured, we can tell. |
| | 20 | |
| | 21 | If your system has a TPM chip, then IMA also maintains |
| | 22 | an aggregate integrity value over this list inside the |
| | 23 | TPM hardware, so that the TPM can prove to a third party |
| | 24 | whether or not critical system files have been modified. |
| | 25 | Read <http://www.usenix.org/events/sec04/tech/sailer.html> |
| | 26 | to learn more about IMA. |
| | 27 | If unsure, say N. |
| | 28 | |
| | 29 | config IMA_MEASURE_PCR_IDX |
| | 30 | int |
| | 31 | depends on IMA |
| | 32 | range 8 14 |
| | 33 | default 10 |
| | 34 | help |
| | 35 | IMA_MEASURE_PCR_IDX determines the TPM PCR register index |
| | 36 | that IMA uses to maintain the integrity aggregate of the |
| | 37 | measurement list. If unsure, use the default 10. |
| | 38 | |
| | 39 | config IMA_AUDIT |
| | 40 | bool |
| | 41 | depends on IMA |
| | 42 | default y |
| | 43 | help |
| | 44 | This option adds a kernel parameter 'ima_audit', which |
| | 45 | allows informational auditing messages to be enabled |
| | 46 | at boot. If this option is selected, informational integrity |
| | 47 | auditing messages can be enabled with 'ima_audit=1' on |
| | 48 | the kernel command line. |
| | 49 | |
| 4af4662f MZ | 50 | config IMA_LSM_RULES |
| | 51 | bool |
| b53fab9d | 52 | depends on IMA && AUDIT && (SECURITY_SELINUX \|\| SECURITY_SMACK) |
| 4af4662f MZ | 53 | default y |
| | 54 | help |
| b53fab9d | 55 | Disabling this option will disregard LSM based policy rules. |
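The help text for IMA and IMA_MEASURE_PCR_IDX above describes the aggregate that IMA keeps in a TPM PCR over its measurement list. The following is an added example, not kernel code, that replays such a list (in the ascii_runtime_measurements format) into a simulated SHA-1 PCR so a verifier can check a reported PCR value against the list; the log entries are constructed and the function names are this example's own.

```python
import hashlib
import re

PCR_LEN = 20                # SHA-1 PCR bank, matching the CRYPTO_SHA1 select above
PCR_RANGE = range(8, 15)    # the values IMA_MEASURE_PCR_IDX accepts ("range 8 14")
# "<pcr> <template-hash> <template-name> <template-data>" (ascii_runtime_measurements)
LINE_RE = re.compile(r"^(\d+)\s+([0-9a-fA-F]{40})\s+(\S+)\s+(.+)$")

def parse_log(lines, pcr_idx=10):
    """Return the template hashes recorded in pcr_idx, in list order."""
    if pcr_idx not in PCR_RANGE:
        raise ValueError(f"PCR index {pcr_idx} is outside the Kconfig range 8..14")
    digests = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"malformed measurement entry: {line!r}")
        if int(m.group(1)) == pcr_idx:      # other PCRs are not part of this aggregate
            digests.append(bytes.fromhex(m.group(2)))
    return digests

def extend(pcr, template_hash):
    """TPM PCR extend: new = SHA1(old || digest)."""
    if template_hash == bytes(PCR_LEN):
        # IMA logs a violation with an all-zero template hash and extends 0xff bytes instead
        template_hash = b"\xff" * PCR_LEN
    return hashlib.sha1(pcr + template_hash).digest()

def aggregate(digests):
    """Replay the list from the power-on value (all zeros for PCRs 8-14)."""
    pcr = bytes(PCR_LEN)
    for d in digests:
        pcr = extend(pcr, d)
    return pcr

def verify(lines, reported_pcr_hex, pcr_idx=10):
    """True iff the measurement list replays to the PCR value the TPM reported."""
    return aggregate(parse_log(lines, pcr_idx)) == bytes.fromhex(reported_pcr_hex)

def constructed_log():
    """Constructed sample list (not from a real system); hashes derive from labels."""
    h1 = lambda s: hashlib.sha1(s.encode()).hexdigest()
    h2 = lambda s: hashlib.sha256(s.encode()).hexdigest()
    return [
        f"10 {h1('boot_aggregate')} ima-ng sha1:{h1('pcr0-7')} boot_aggregate",
        f"10 {h1('init')} ima-ng sha256:{h2('init')} /sbin/init",
        f"10 {h1('libc')} ima-ng sha256:{h2('libc')} /lib/libc.so.6",
    ]
```

Any entry dropped, reordered or altered changes the replayed value, which is why a list that does not match the TPM-reported PCR cannot be trusted.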