ec8f24b7 | 1 | # SPDX-License-Identifier: GPL-2.0-only |
2 | # IBM Integrity Measurement Architecture |
3 | # | |
4 | config IMA | |
5 | bool "Integrity Measurement Architecture(IMA)" | |
6 | select SECURITYFS |
7 | select CRYPTO | |
8 | select CRYPTO_HMAC | |
9 | select CRYPTO_MD5 | |
10 | select CRYPTO_SHA1 | |
c7c8bb23 | 11 | select CRYPTO_HASH_INFO |
f4a0391d | 12 | select TCG_TPM if HAS_IOMEM && !UML |
a69f1589 | 13 | select TCG_TIS if TCG_TPM && X86 |
fac37c62 | 14 | select TCG_CRB if TCG_TPM && ACPI |
63a0eb78 | 15 | select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES |
2afd020a | 16 | select INTEGRITY_AUDIT if AUDIT |
17 | help |
18 | The Trusted Computing Group(TCG) runtime Integrity | |
19 | Measurement Architecture(IMA) maintains a list of hash | |
20 | values of executables and other sensitive system files, | |
21 | as they are read or executed. If an attacker manages | |
22 | to change the contents of an important system file | |
23 | being measured, we can tell. | |
24 | ||
25 | If your system has a TPM chip, then IMA also maintains | |
26 | an aggregate integrity value over this list inside the | |
27 | TPM hardware, so that the TPM can prove to a third party | |
28 | whether or not critical system files have been modified. | |
29 | Read <http://www.usenix.org/events/sec04/tech/sailer.html> | |
30 | to learn more about IMA. | |
31 | If unsure, say N. | |
32 | ||
33 | config IMA_KEXEC |
34 | bool "Enable carrying the IMA measurement list across a soft boot" | |
35 | depends on IMA && TCG_TPM && HAVE_IMA_KEXEC | |
36 | default n | |
37 | help | |
38 | TPM PCRs are only reset on a hard reboot. In order to validate | |
39 | a TPM's quote after a soft boot, the IMA measurement list of the | |
40 | running kernel must be saved and restored on boot. | |
41 | ||
42 | Depending on the IMA policy, the measurement list can grow to | |
43 | be very large. | |
44 | ||
45 | config IMA_MEASURE_PCR_IDX |
46 | int | |
47 | depends on IMA | |
48 | range 8 14 | |
49 | default 10 | |
50 | help | |
51 | IMA_MEASURE_PCR_IDX determines the TPM PCR register index | |
52 | that IMA uses to maintain the integrity aggregate of the | |
53 | measurement list. If unsure, use the default 10. | |
54 | ||
55 | config IMA_LSM_RULES |
56 | bool | |
b53fab9d | 57 | depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK) |
58 | default y |
59 | help | |
b53fab9d | 60 | Disabling this option will ignore LSM-based policy rules (rules that match on SELinux or Smack labels). |
2fe5d6de | 61 | |
62 | choice |
63 | prompt "Default template" | |
64 | default IMA_NG_TEMPLATE | |
65 | depends on IMA | |
66 | help | |
67 | Select the default IMA measurement template. | |
68 | ||
69 | The original 'ima' measurement list template contains a | |
70 | hash, defined as 20 bytes, and a null terminated pathname, | |
71 | limited to 255 characters. The 'ima-ng' measurement list | |
72 | template permits both larger hash digests and longer | |
73 | pathnames. | |
74 | ||
75 | config IMA_TEMPLATE | |
76 | bool "ima" | |
77 | config IMA_NG_TEMPLATE | |
78 | bool "ima-ng (default)" | |
79 | config IMA_SIG_TEMPLATE |
80 | bool "ima-sig" | |
81 | endchoice |
82 | ||
83 | config IMA_DEFAULT_TEMPLATE | |
84 | string | |
85 | depends on IMA | |
86 | default "ima" if IMA_TEMPLATE | |
87 | default "ima-ng" if IMA_NG_TEMPLATE | |
bcbc9b0c | 88 | default "ima-sig" if IMA_SIG_TEMPLATE |
4286587d | 89 | |
90 | choice |
91 | prompt "Default integrity hash algorithm" | |
92 | default IMA_DEFAULT_HASH_SHA1 | |
93 | depends on IMA | |
94 | help | |
95 | Select the default hash algorithm used for the measurement | |
96 | list, integrity appraisal and audit log. The compiled default | |
97 | hash algorithm can be overridden using the kernel command line 'ima_hash=' option. | |
98 | Note that the original 'ima' template only holds a 20-byte digest, so SHA1 is the only algorithm it can record; SHA256, SHA512, WP512 and SM3 require the 'ima-ng' or 'ima-sig' template. | |
99 | ||
100 | config IMA_DEFAULT_HASH_SHA1 | |
101 | bool "SHA1 (default)" | |
38d19268 | 102 | depends on CRYPTO_SHA1=y |
103 | |
104 | config IMA_DEFAULT_HASH_SHA256 | |
105 | bool "SHA256" | |
38d19268 | 106 | depends on CRYPTO_SHA256=y && !IMA_TEMPLATE |
107 | |
108 | config IMA_DEFAULT_HASH_SHA512 | |
109 | bool "SHA512" | |
38d19268 | 110 | depends on CRYPTO_SHA512=y && !IMA_TEMPLATE |
111 | |
112 | config IMA_DEFAULT_HASH_WP512 | |
113 | bool "WP512" | |
38d19268 | 114 | depends on CRYPTO_WP512=y && !IMA_TEMPLATE |
115 | |
116 | config IMA_DEFAULT_HASH_SM3 | |
117 | bool "SM3" | |
118 | depends on CRYPTO_SM3=y && !IMA_TEMPLATE | |
119 | endchoice |
120 | ||
121 | config IMA_DEFAULT_HASH | |
122 | string | |
123 | depends on IMA | |
124 | default "sha1" if IMA_DEFAULT_HASH_SHA1 | |
125 | default "sha256" if IMA_DEFAULT_HASH_SHA256 | |
126 | default "sha512" if IMA_DEFAULT_HASH_SHA512 | |
127 | default "wp512" if IMA_DEFAULT_HASH_WP512 | |
5780b9ab | 128 | default "sm3" if IMA_DEFAULT_HASH_SM3 |
e7a2ad7e | 129 | |
130 | config IMA_WRITE_POLICY |
131 | bool "Enable multiple writes to the IMA policy" | |
132 | depends on IMA | |
133 | default n | |
134 | help | |
135 | IMA policy can be updated multiple times. The new rules get | |
136 | appended to the original policy. Bear in mind that the rules are | |
137 | scanned in FIFO order, so rules already loaded are matched before the appended ones; design and add new rules carefully. | |
138 | ||
139 | If unsure, say N. | |
140 | ||
141 | config IMA_READ_POLICY |
142 | bool "Enable reading back the current IMA policy" | |
143 | depends on IMA | |
144 | default y if IMA_WRITE_POLICY | |
145 | default n if !IMA_WRITE_POLICY | |
146 | help | |
147 | It is often useful to be able to read back the IMA policy. It is | |
148 | even more important when CONFIG_IMA_WRITE_POLICY is enabled, since the effective policy is then the accumulation of every rule set that has been written. | |
149 | This option allows the root user to see the current policy rules. | |
150 | ||
151 | config IMA_APPRAISE |
152 | bool "Appraise integrity measurements" | |
153 | depends on IMA | |
154 | default n | |
155 | help | |
156 | This option enables local measurement integrity appraisal. | |
157 | It requires the system to be labeled with a security extended | |
158 | attribute containing the file hash measurement. To protect | |
159 | the security extended attributes from offline attack, enable | |
160 | and configure EVM. | |
161 | ||
162 | For more information on integrity appraisal refer to: | |
163 | <http://linux-ima.sourceforge.net> | |
164 | If unsure, say N. | |
7d2ce232 | 165 | |
166 | config IMA_ARCH_POLICY |
167 | bool "Enable loading an IMA architecture specific policy" | |
aefcf2f4 | 168 | depends on (KEXEC_SIG && IMA) || IMA_APPRAISE \ |
9e1e5d43 | 169 | && INTEGRITY_ASYMMETRIC_KEYS |
170 | default n |
171 | help | |
172 | This option enables loading an IMA architecture specific policy | |
173 | based on run time secure boot flags. | |
174 | ||
175 | config IMA_APPRAISE_BUILD_POLICY |
176 | bool "IMA build time configured policy rules" | |
177 | depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS | |
178 | default n | |
179 | help | |
180 | This option defines an IMA appraisal policy at build time, which | |
181 | is enforced at run time without having to specify a builtin | |
182 | policy name on the boot command line. The build time appraisal | |
183 | policy rules persist after loading a custom policy. | |
184 | ||
185 | Depending on the rules configured, this policy may require kernel | |
186 | modules, firmware, the kexec kernel image, and/or the IMA policy | |
187 | to be signed. Unsigned files might prevent the system from | |
188 | booting or applications from working properly. | |
189 | ||
190 | config IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS | |
191 | bool "Appraise firmware signatures" | |
192 | depends on IMA_APPRAISE_BUILD_POLICY | |
193 | default n | |
194 | help | |
195 | This option defines a policy requiring all firmware to be signed, | |
196 | including the regulatory.db. If both this option and | |
197 | CFG80211_REQUIRE_SIGNED_REGDB are enabled, then both signature | |
198 | verification methods are necessary. | |
199 | ||
200 | config IMA_APPRAISE_REQUIRE_KEXEC_SIGS | |
201 | bool "Appraise kexec kernel image signatures" | |
202 | depends on IMA_APPRAISE_BUILD_POLICY | |
203 | default n | |
204 | help | |
205 | Enabling this rule will require all kexec'ed kernel images to | |
206 | be signed and verified by a public key on the trusted IMA | |
207 | keyring. | |
208 | ||
209 | Kernel image signatures cannot be verified by the original | |
210 | kexec_load syscall. Enabling this rule will prevent its | |
211 | usage. | |
212 | ||
213 | config IMA_APPRAISE_REQUIRE_MODULE_SIGS | |
214 | bool "Appraise kernel modules signatures" | |
215 | depends on IMA_APPRAISE_BUILD_POLICY | |
216 | default n | |
217 | help | |
218 | Enabling this rule will require all kernel modules to be signed | |
219 | and verified by a public key on the trusted IMA keyring. | |
220 | ||
221 | Kernel module signatures can only be verified by IMA-appraisal, | |
222 | via the finit_module syscall. Enabling this rule will prevent | |
223 | the usage of the init_module syscall. | |
224 | ||
225 | config IMA_APPRAISE_REQUIRE_POLICY_SIGS | |
226 | bool "Appraise IMA policy signature" | |
227 | depends on IMA_APPRAISE_BUILD_POLICY | |
228 | default n | |
229 | help | |
230 | Enabling this rule will require the IMA policy to be signed | |
231 | and verified by a key on the trusted IMA keyring. | |
232 | ||
233 | config IMA_APPRAISE_BOOTPARAM |
234 | bool "ima_appraise boot parameter" | |
d958083a | 235 | depends on IMA_APPRAISE && !IMA_ARCH_POLICY |
236 | default y |
237 | help | |
238 | This option enables the different "ima_appraise=" modes | |
239 | (eg. fix, log) from the boot command line. | |
240 | ||
241 | config IMA_APPRAISE_MODSIG |
242 | bool "Support module-style signatures for appraisal" | |
243 | depends on IMA_APPRAISE | |
244 | depends on INTEGRITY_ASYMMETRIC_KEYS |
245 | select PKCS7_MESSAGE_PARSER | |
246 | select MODULE_SIG_FORMAT | |
247 | default n |
248 | help | |
249 | Adds support for signatures appended to files. The format of the | |
250 | appended signature is the same used for signed kernel modules. | |
251 | The modsig keyword can be used in the IMA policy to allow a hook | |
252 | to accept such signatures. | |
253 | ||
7d2ce232 | 254 | config IMA_TRUSTED_KEYRING |
f4dc3778 | 255 | bool "Require all keys on the .ima keyring be signed (deprecated)" |
256 | depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING |
257 | depends on INTEGRITY_ASYMMETRIC_KEYS | |
f4dc3778 | 258 | select INTEGRITY_TRUSTED_KEYRING |
259 | default y |
260 | help | |
261 | This option requires that all keys added to the .ima | |
262 | keyring be signed by a key on the system trusted keyring. | |
fd5f4e90 | 263 | |
264 | This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING, which it selects.
265 | ||
266 | config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY |
267 | bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)" | |
268 | depends on SYSTEM_TRUSTED_KEYRING | |
269 | depends on SECONDARY_TRUSTED_KEYRING | |
270 | depends on INTEGRITY_ASYMMETRIC_KEYS | |
271 | select INTEGRITY_TRUSTED_KEYRING | |
272 | default n | |
273 | help | |
274 | Keys may be added to the IMA or IMA blacklist keyrings, if the | |
275 | key is validly signed by a CA cert in the system built-in or | |
276 | secondary trusted keyrings. | |
277 | ||
278 | Intermediate keys between those the kernel has compiled in and the | |
279 | IMA keys to be added may be added to the system secondary keyring, | |
280 | provided they are validly signed by a key already resident in the | |
281 | built-in or secondary trusted keyrings. | |
282 | ||
283 | config IMA_BLACKLIST_KEYRING | |
284 | bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)" | |
285 | depends on SYSTEM_TRUSTED_KEYRING |
286 | depends on IMA_TRUSTED_KEYRING | |
287 | default n | |
288 | help | |
289 | This option creates an IMA blacklist keyring, which contains all |
290 | revoked IMA keys. It is consulted before any other keyring. If | |
291 | the search is successful the requested operation is rejected and | |
292 | an error is returned to the caller. | |
41c89b64 | 293 | |
294 | config IMA_LOAD_X509 |
295 | bool "Load X509 certificate onto the '.ima' trusted keyring" | |
296 | depends on IMA_TRUSTED_KEYRING | |
297 | default n | |
298 | help | |
299 | File signature verification is based on the public keys | |
300 | loaded on the .ima trusted keyring. These public keys are | |
301 | X509 certificates signed by a trusted key on the | |
302 | .system keyring. This option enables X509 certificate | |
303 | loading from the kernel onto the '.ima' trusted keyring. | |
304 | ||
305 | config IMA_X509_PATH | |
306 | string "IMA X509 certificate path" | |
307 | depends on IMA_LOAD_X509 | |
308 | default "/etc/keys/x509_ima.der" | |
309 | help | |
310 | This option defines the path of the X509 certificate that the kernel loads onto the '.ima' trusted keyring. | |
311 | |
312 | config IMA_APPRAISE_SIGNED_INIT | |
313 | bool "Require signed user-space initialization" | |
314 | depends on IMA_LOAD_X509 | |
315 | default n | |
316 | help | |
317 | This option requires the user-space init program to be signed; it depends on IMA_LOAD_X509 so that a verification key is present on the '.ima' keyring before init runs.
318 | |
319 | config IMA_MEASURE_ASYMMETRIC_KEYS | |
320 | bool | |
321 | depends on IMA | |
322 | depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y | |
323 | default y | |
324 | |
325 | config IMA_QUEUE_EARLY_BOOT_KEYS | |
326 | bool | |
327 | depends on IMA_MEASURE_ASYMMETRIC_KEYS | |
328 | depends on SYSTEM_TRUSTED_KEYRING | |
329 | default y |