0001 # SPDX-License-Identifier: GPL-2.0-only
0002 # IBM Integrity Measurement Architecture
0003 #
0004 config IMA
0005 bool "Integrity Measurement Architecture(IMA)"
0006 select SECURITYFS
0007 select CRYPTO
0008 select CRYPTO_HMAC
0009 select CRYPTO_SHA1
0010 select CRYPTO_HASH_INFO
0011 select TCG_TPM if HAS_IOMEM && !UML
0012 select TCG_TIS if TCG_TPM && X86
0013 select TCG_CRB if TCG_TPM && ACPI
0014 select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
0015 select INTEGRITY_AUDIT if AUDIT
0016 help
0017 The Trusted Computing Group (TCG) runtime Integrity
0018 Measurement Architecture (IMA) maintains a list of hash
0019 values of executables and other sensitive system files,
0020 as they are read or executed. If an attacker manages
0021 to change the contents of an important system file
0022 being measured, the changed hash shows up in the list. Note that measurement only records; it does not block access to a modified file. To enforce integrity locally, also enable IMA_APPRAISE (below).
0023
0024 If your system has a TPM chip, then IMA also maintains
0025 an aggregate integrity value over this list inside the
0026 TPM hardware, so that the TPM can prove to a third party
0027 whether or not critical system files have been modified. Without a TPM the list exists only in kernel memory and cannot be proved to a third party.
0028 Read <https://www.usenix.org/events/sec04/tech/sailer.html>
0029 to learn more about IMA.
0030 If unsure, say N.
0031
0032 config IMA_KEXEC
0033 bool "Enable carrying the IMA measurement list across a soft boot"
0034 depends on IMA && TCG_TPM && HAVE_IMA_KEXEC
0035 default n
0036 help
0037 TPM PCRs are only reset on a hard reboot. In order to validate
0038 a TPM's quote after a soft boot, the IMA measurement list of the
0039 running kernel must be saved and restored on boot.
0040
0041 Depending on the IMA policy, the measurement list can grow to
0042 be very large.
0043
0044 config IMA_MEASURE_PCR_IDX
0045 int
0046 depends on IMA
0047 range 8 14
0048 default 10
0049 help
0050 IMA_MEASURE_PCR_IDX determines the TPM PCR register index
0051 that IMA uses to maintain the integrity aggregate of the
0052 measurement list. Whoever verifies a TPM quote must know which PCR to check, so keep this value consistent with your attestation tooling. If unsure, use the default 10.
0053
0054 config IMA_LSM_RULES
0055 bool
0056 depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK || SECURITY_APPARMOR)
0057 default y
0058 help
0059 Disabling this option will disregard LSM based policy rules, i.e. rules that match on LSM subject or object labels will not be applied, so the policy cannot be scoped by security context.
0060
0061 choice
0062 prompt "Default template"
0063 default IMA_NG_TEMPLATE
0064 depends on IMA
0065 help
0066 Select the default IMA measurement template.
0067
0068 The original 'ima' measurement list template contains a
0069 hash, defined as 20 bytes, and a null terminated pathname,
0070 limited to 255 characters. The 'ima-ng' measurement list
0071 template permits both larger hash digests and longer
0072 pathnames; 'ima-sig' additionally records the file signature alongside the digest. The configured default template can be replaced
0073 by specifying "ima_template=" on the boot command line.
0074
0075 config IMA_NG_TEMPLATE
0076 bool "ima-ng (default)"
0077 config IMA_SIG_TEMPLATE
0078 bool "ima-sig"
0079 endchoice
0080
0081 config IMA_DEFAULT_TEMPLATE
0082 string
0083 depends on IMA
0084 default "ima-ng" if IMA_NG_TEMPLATE
0085 default "ima-sig" if IMA_SIG_TEMPLATE
0086
0087 choice
0088 prompt "Default integrity hash algorithm"
0089 default IMA_DEFAULT_HASH_SHA1
0090 depends on IMA
0091 help
0092 Select the default hash algorithm used for the measurement
0093 list, integrity appraisal and audit log. The compiled default
0094 hash algorithm can be overridden using the kernel command
0095 line 'ima_hash=' option. SHA1 remains the default only for compatibility with existing measurement lists and the 20-byte 'ima' template; for new deployments prefer SHA256 or stronger, and make sure the algorithm you choose is supported by your TPM and by your attestation verifier.
0096
0097 config IMA_DEFAULT_HASH_SHA1
0098 bool "SHA1 (default)"
0099 depends on CRYPTO_SHA1=y
0100
0101 config IMA_DEFAULT_HASH_SHA256
0102 bool "SHA256"
0103 depends on CRYPTO_SHA256=y
0104
0105 config IMA_DEFAULT_HASH_SHA512
0106 bool "SHA512"
0107 depends on CRYPTO_SHA512=y
0108
0109 config IMA_DEFAULT_HASH_WP512
0110 bool "WP512"
0111 depends on CRYPTO_WP512=y
0112
0113 config IMA_DEFAULT_HASH_SM3
0114 bool "SM3"
0115 depends on CRYPTO_SM3=y
0116 endchoice
0117
0118 config IMA_DEFAULT_HASH
0119 string
0120 depends on IMA
0121 default "sha1" if IMA_DEFAULT_HASH_SHA1
0122 default "sha256" if IMA_DEFAULT_HASH_SHA256
0123 default "sha512" if IMA_DEFAULT_HASH_SHA512
0124 default "wp512" if IMA_DEFAULT_HASH_WP512
0125 default "sm3" if IMA_DEFAULT_HASH_SM3
0126
0127 config IMA_WRITE_POLICY
0128 bool "Enable multiple writes to the IMA policy"
0129 depends on IMA
0130 default n
0131 help
0132 IMA policy can now be updated multiple times. The new rules get
0133 appended to the original policy. Have in mind that the rules are
0134 scanned in FIFO order, so an earlier rule that already matches a file takes precedence over anything appended later; be careful when you design and add new ones.
0135
0136 If unsure, say N.
0137
0138 config IMA_READ_POLICY
0139 bool "Enable reading back the current IMA policy"
0140 depends on IMA
0141 default y if IMA_WRITE_POLICY
0142 default n if !IMA_WRITE_POLICY
0143 help
0144 It is often useful to be able to read back the IMA policy. It is
0145 even more important after introducing CONFIG_IMA_WRITE_POLICY,
0146 since there is otherwise no way to confirm which rules were actually appended. This option allows the root user to see the current policy rules.
0147
0148 config IMA_APPRAISE
0149 bool "Appraise integrity measurements"
0150 depends on IMA
0151 default n
0152 help
0153 This option enables local measurement integrity appraisal.
0154 It requires the system to be labeled with a security extended
0155 attribute containing the file hash measurement. To protect
0156 the security extended attributes from offline attack (an attacker with raw access to the disk can replace a file and its stored hash together), enable
0157 and configure EVM.
0158
0159 For more information on integrity appraisal refer to:
0160 <http://linux-ima.sourceforge.net>
0161 If unsure, say N.
0162
0163 config IMA_ARCH_POLICY
0164 bool "Enable loading an IMA architecture specific policy"
0165 depends on (KEXEC_SIG && IMA) || IMA_APPRAISE \
0166 && INTEGRITY_ASYMMETRIC_KEYS
0167 default n
0168 help
0169 This option enables loading an IMA architecture specific policy
0170 based on run time secure boot flags.
0171
0172 config IMA_APPRAISE_BUILD_POLICY
0173 bool "IMA build time configured policy rules"
0174 depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS
0175 default n
0176 help
0177 This option defines an IMA appraisal policy at build time, which
0178 is enforced at run time without having to specify a builtin
0179 policy name on the boot command line. The build time appraisal
0180 policy rules persist after loading a custom policy, so a custom policy loaded at run time does not remove them.
0181
0182 Depending on the rules configured, this policy may require kernel
0183 modules, firmware, the kexec kernel image, and/or the IMA policy
0184 to be signed. Unsigned files might prevent the system from
0185 booting or applications from working properly.
0186
0187 config IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS
0188 bool "Appraise firmware signatures"
0189 depends on IMA_APPRAISE_BUILD_POLICY
0190 default n
0191 help
0192 This option defines a policy requiring all firmware to be signed,
0193 including the regulatory.db. If both this option and
0194 CFG80211_REQUIRE_SIGNED_REGDB are enabled, then both signature
0195 verification methods are necessary.
0196
0197 config IMA_APPRAISE_REQUIRE_KEXEC_SIGS
0198 bool "Appraise kexec kernel image signatures"
0199 depends on IMA_APPRAISE_BUILD_POLICY
0200 default n
0201 help
0202 Enabling this rule will require all kexec'ed kernel images to
0203 be signed and verified by a public key on the trusted IMA
0204 keyring.
0205
0206 Kernel image signatures cannot be verified by the original
0207 kexec_load syscall, which takes the image from user memory rather than from a file. Enabling this rule will prevent its
0208 usage.
0209
0210 config IMA_APPRAISE_REQUIRE_MODULE_SIGS
0211 bool "Appraise kernel modules signatures"
0212 depends on IMA_APPRAISE_BUILD_POLICY
0213 default n
0214 help
0215 Enabling this rule will require all kernel modules to be signed
0216 and verified by a public key on the trusted IMA keyring.
0217
0218 Kernel module signatures can only be verified by IMA-appraisal
0219 via the finit_module syscall, which passes a file descriptor. Enabling this rule will prevent
0220 the usage of the init_module syscall, which supplies the module image from memory with no file to appraise.
0221
0222 config IMA_APPRAISE_REQUIRE_POLICY_SIGS
0223 bool "Appraise IMA policy signature"
0224 depends on IMA_APPRAISE_BUILD_POLICY
0225 default n
0226 help
0227 Enabling this rule will require the IMA policy to be signed and
0228 verified by a key on the trusted IMA keyring.
0229
0230 config IMA_APPRAISE_BOOTPARAM
0231 bool "ima_appraise boot parameter"
0232 depends on IMA_APPRAISE
0233 default y
0234 help
0235 This option enables the different "ima_appraise=" modes
0236 (e.g. fix, log) from the boot command line. Because these modes relax or disable enforcement, anyone who can edit the kernel command line can bypass appraisal; on systems where the command line is not protected by the boot chain, consider saying N.
0237
0238 config IMA_APPRAISE_MODSIG
0239 bool "Support module-style signatures for appraisal"
0240 depends on IMA_APPRAISE
0241 depends on INTEGRITY_ASYMMETRIC_KEYS
0242 select PKCS7_MESSAGE_PARSER
0243 select MODULE_SIG_FORMAT
0244 default n
0245 help
0246 Adds support for signatures appended to files. The format of the
0247 appended signature is the same used for signed kernel modules.
0248 The modsig keyword can be used in the IMA policy to allow a hook
0249 to accept such signatures.
0250
0251 config IMA_TRUSTED_KEYRING
0252 bool "Require all keys on the .ima keyring be signed (deprecated)"
0253 depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
0254 depends on INTEGRITY_ASYMMETRIC_KEYS
0255 select INTEGRITY_TRUSTED_KEYRING
0256 default y
0257 help
0258 This option requires that all keys added to the .ima
0259 keyring be signed by a key on the system trusted keyring.
0260
0261 This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING.
0262
0263 config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
0264 bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
0265 depends on SYSTEM_TRUSTED_KEYRING
0266 depends on SECONDARY_TRUSTED_KEYRING
0267 depends on INTEGRITY_ASYMMETRIC_KEYS
0268 select INTEGRITY_TRUSTED_KEYRING
0269 default n
0270 help
0271 Keys may be added to the IMA or IMA blacklist keyrings, if the
0272 key is validly signed by a CA cert in the system built-in or
0273 secondary trusted keyrings.
0274
0275 Intermediate keys between those the kernel has compiled in and the
0276 IMA keys to be added may be added to the system secondary keyring,
0277 provided they are validly signed by a key already resident in the
0278 built-in or secondary trusted keyrings.
0279
0280 config IMA_BLACKLIST_KEYRING
0281 bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
0282 depends on SYSTEM_TRUSTED_KEYRING
0283 depends on IMA_TRUSTED_KEYRING
0284 default n
0285 help
0286 This option creates an IMA blacklist keyring, which contains all
0287 revoked IMA keys. It is consulted before any other keyring. If
0288 the search is successful the requested operation is rejected and
0289 an error is returned to the caller.
0290
0291 config IMA_LOAD_X509
0292 bool "Load X509 certificate onto the '.ima' trusted keyring"
0293 depends on IMA_TRUSTED_KEYRING
0294 default n
0295 help
0296 File signature verification is based on the public keys
0297 loaded on the .ima trusted keyring. These public keys are
0298 X509 certificates signed by a trusted key on the
0299 .system keyring. This option enables X509 certificate
0300 loading from the kernel onto the '.ima' trusted keyring.
0301
0302 config IMA_X509_PATH
0303 string "IMA X509 certificate path"
0304 depends on IMA_LOAD_X509
0305 default "/etc/keys/x509_ima.der"
0306 help
0307 This option defines the path of the IMA X509 certificate that is loaded onto the '.ima' keyring at boot. The file itself does not need to be trusted: it is only accepted if it is signed by a key on the .system keyring.
0308
0309 config IMA_APPRAISE_SIGNED_INIT
0310 bool "Require signed user-space initialization"
0311 depends on IMA_LOAD_X509
0312 default n
0313 help
0314 This option requires user-space init to be signed.
0315
0316 config IMA_MEASURE_ASYMMETRIC_KEYS
0317 bool
0318 depends on IMA
0319 depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
0320 default y
0321
0322 config IMA_QUEUE_EARLY_BOOT_KEYS
0323 bool
0324 depends on IMA_MEASURE_ASYMMETRIC_KEYS
0325 depends on SYSTEM_TRUSTED_KEYRING
0326 default y
0327
0328 config IMA_SECURE_AND_OR_TRUSTED_BOOT
0329 bool
0330 depends on IMA_ARCH_POLICY
0331 help
0332 This option is selected by architectures to enable secure and/or
0333 trusted boot based on IMA runtime policies.
0334
0335 config IMA_DISABLE_HTABLE
0336 bool "Disable htable to allow measurement of duplicate records"
0337 depends on IMA
0338 default n
0339 help
0340 This option disables htable to allow measurement of duplicate records. By default IMA keeps a hash table of entries already in the measurement list and does not re-record an identical measurement that is already present; with this option every measurement event is appended, so the list grows faster.