325 lines
		
	
	
		
			10 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
			
		
		
	
	
			325 lines
		
	
	
		
			10 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
| # SPDX-License-Identifier: GPL-2.0-only
 | |
| # IBM Integrity Measurement Architecture
 | |
| #
 | |
| config IMA
 | |
| 	bool "Integrity Measurement Architecture(IMA)"
 | |
| 	select SECURITYFS
 | |
| 	select CRYPTO
 | |
| 	select CRYPTO_HMAC
 | |
| 	select CRYPTO_SHA1
 | |
| 	select CRYPTO_HASH_INFO
 | |
| 	select SECURITY_PATH
 | |
| 	select TCG_TPM if HAS_IOMEM
 | |
| 	select TCG_TIS if TCG_TPM && X86
 | |
| 	select TCG_CRB if TCG_TPM && ACPI
 | |
| 	select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
 | |
| 	select INTEGRITY_AUDIT if AUDIT
 | |
| 	help
 | |
| 	  The Trusted Computing Group(TCG) runtime Integrity
 | |
| 	  Measurement Architecture(IMA) maintains a list of hash
 | |
| 	  values of executables and other sensitive system files,
 | |
| 	  as they are read or executed. If an attacker manages
 | |
| 	  to change the contents of an important system file
 | |
| 	  being measured, we can tell.
 | |
| 
 | |
| 	  If your system has a TPM chip, then IMA also maintains
 | |
| 	  an aggregate integrity value over this list inside the
 | |
| 	  TPM hardware, so that the TPM can prove to a third party
 | |
| 	  whether or not critical system files have been modified.
 | |
| 	  Read <https://www.usenix.org/events/sec04/tech/sailer.html>
 | |
| 	  to learn more about IMA.
 | |
| 	  If unsure, say N.
 | |
| 
 | |
| if IMA
 | |
| 
 | |
| config IMA_KEXEC
 | |
| 	bool "Enable carrying the IMA measurement list across a soft boot"
 | |
| 	depends on TCG_TPM && HAVE_IMA_KEXEC
 | |
| 	default n
 | |
| 	help
 | |
| 	   TPM PCRs are only reset on a hard reboot.  In order to validate
 | |
| 	   a TPM's quote after a soft boot, the IMA measurement list of the
 | |
| 	   running kernel must be saved and restored on boot.
 | |
| 
 | |
| 	   Depending on the IMA policy, the measurement list can grow to
 | |
| 	   be very large.
 | |
| 
 | |
| config IMA_MEASURE_PCR_IDX
 | |
| 	int
 | |
| 	range 8 14
 | |
| 	default 10
 | |
| 	help
 | |
| 	  IMA_MEASURE_PCR_IDX determines the TPM PCR register index
 | |
| 	  that IMA uses to maintain the integrity aggregate of the
 | |
| 	  measurement list.  If unsure, use the default 10.
 | |
| 
 | |
| config IMA_LSM_RULES
 | |
| 	bool
 | |
| 	depends on AUDIT && (SECURITY_SELINUX || SECURITY_SMACK || SECURITY_APPARMOR)
 | |
| 	default y
 | |
| 	help
 | |
| 	  Disabling this option will disregard LSM based policy rules.
 | |
| 
 | |
| choice
 | |
| 	prompt "Default template"
 | |
| 	default IMA_NG_TEMPLATE
 | |
| 	help
 | |
| 	  Select the default IMA measurement template.
 | |
| 
 | |
| 	  The original 'ima' measurement list template contains a
 | |
| 	  hash, defined as 20 bytes, and a null terminated pathname,
 | |
| 	  limited to 255 characters.  The 'ima-ng' measurement list
 | |
| 	  template permits both larger hash digests and longer
 | |
| 	  pathnames. The configured default template can be replaced
 | |
| 	  by specifying "ima_template=" on the boot command line.
 | |
| 
 | |
| 	config IMA_NG_TEMPLATE
 | |
| 		bool "ima-ng (default)"
 | |
| 	config IMA_SIG_TEMPLATE
 | |
| 		bool "ima-sig"
 | |
| endchoice
 | |
| 
 | |
| config IMA_DEFAULT_TEMPLATE
 | |
| 	string
 | |
| 	default "ima-ng" if IMA_NG_TEMPLATE
 | |
| 	default "ima-sig" if IMA_SIG_TEMPLATE
 | |
| 
 | |
| choice
 | |
| 	prompt "Default integrity hash algorithm"
 | |
| 	default IMA_DEFAULT_HASH_SHA1
 | |
| 	help
 | |
| 	   Select the default hash algorithm used for the measurement
 | |
| 	   list, integrity appraisal and audit log.  The compiled default
 | |
| 	   hash algorithm can be overwritten using the kernel command
 | |
| 	   line 'ima_hash=' option.
 | |
| 
 | |
| 	config IMA_DEFAULT_HASH_SHA1
 | |
| 		bool "SHA1 (default)"
 | |
| 		depends on CRYPTO_SHA1=y
 | |
| 
 | |
| 	config IMA_DEFAULT_HASH_SHA256
 | |
| 		bool "SHA256"
 | |
| 		depends on CRYPTO_SHA256=y
 | |
| 
 | |
| 	config IMA_DEFAULT_HASH_SHA512
 | |
| 		bool "SHA512"
 | |
| 		depends on CRYPTO_SHA512=y
 | |
| 
 | |
| 	config IMA_DEFAULT_HASH_WP512
 | |
| 		bool "WP512"
 | |
| 		depends on CRYPTO_WP512=y
 | |
| 
 | |
| 	config IMA_DEFAULT_HASH_SM3
 | |
| 		bool "SM3"
 | |
| 		depends on CRYPTO_SM3_GENERIC=y
 | |
| endchoice
 | |
| 
 | |
| config IMA_DEFAULT_HASH
 | |
| 	string
 | |
| 	default "sha1" if IMA_DEFAULT_HASH_SHA1
 | |
| 	default "sha256" if IMA_DEFAULT_HASH_SHA256
 | |
| 	default "sha512" if IMA_DEFAULT_HASH_SHA512
 | |
| 	default "wp512" if IMA_DEFAULT_HASH_WP512
 | |
| 	default "sm3" if IMA_DEFAULT_HASH_SM3
 | |
| 
 | |
| config IMA_WRITE_POLICY
 | |
| 	bool "Enable multiple writes to the IMA policy"
 | |
| 	default n
 | |
| 	help
 | |
| 	  IMA policy can now be updated multiple times.  The new rules get
 | |
| 	  appended to the original policy.  Have in mind that the rules are
 | |
| 	  scanned in FIFO order so be careful when you design and add new ones.
 | |
| 
 | |
| 	  If unsure, say N.
 | |
| 
 | |
| config IMA_READ_POLICY
 | |
| 	bool "Enable reading back the current IMA policy"
 | |
| 	default y if IMA_WRITE_POLICY
 | |
| 	default n if !IMA_WRITE_POLICY
 | |
| 	help
 | |
| 	   It is often useful to be able to read back the IMA policy.  It is
 | |
| 	   even more important after introducing CONFIG_IMA_WRITE_POLICY.
 | |
| 	   This option allows the root user to see the current policy rules.
 | |
| 
 | |
| config IMA_APPRAISE
 | |
| 	bool "Appraise integrity measurements"
 | |
| 	default n
 | |
| 	help
 | |
| 	  This option enables local measurement integrity appraisal.
 | |
| 	  It requires the system to be labeled with a security extended
 | |
| 	  attribute containing the file hash measurement.  To protect
 | |
| 	  the security extended attributes from offline attack, enable
 | |
| 	  and configure EVM.
 | |
| 
 | |
| 	  For more information on integrity appraisal refer to:
 | |
| 	  <http://linux-ima.sourceforge.net>
 | |
| 	  If unsure, say N.
 | |
| 
 | |
| config IMA_ARCH_POLICY
 | |
|         bool "Enable loading an IMA architecture specific policy"
 | |
|         depends on (KEXEC_SIG && IMA) || IMA_APPRAISE \
 | |
| 		   && INTEGRITY_ASYMMETRIC_KEYS
 | |
|         default n
 | |
|         help
 | |
|           This option enables loading an IMA architecture specific policy
 | |
|           based on run time secure boot flags.
 | |
| 
 | |
| config IMA_APPRAISE_BUILD_POLICY
 | |
| 	bool "IMA build time configured policy rules"
 | |
| 	depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS
 | |
| 	default n
 | |
| 	help
 | |
| 	  This option defines an IMA appraisal policy at build time, which
 | |
| 	  is enforced at run time without having to specify a builtin
 | |
| 	  policy name on the boot command line.  The build time appraisal
 | |
| 	  policy rules persist after loading a custom policy.
 | |
| 
 | |
| 	  Depending on the rules configured, this policy may require kernel
 | |
| 	  modules, firmware, the kexec kernel image, and/or the IMA policy
 | |
| 	  to be signed.  Unsigned files might prevent the system from
 | |
| 	  booting or applications from working properly.
 | |
| 
 | |
| config IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS
 | |
| 	bool "Appraise firmware signatures"
 | |
| 	depends on IMA_APPRAISE_BUILD_POLICY
 | |
| 	default n
 | |
| 	help
 | |
| 	  This option defines a policy requiring all firmware to be signed,
 | |
| 	  including the regulatory.db.  If both this option and
 | |
| 	  CFG80211_REQUIRE_SIGNED_REGDB are enabled, then both signature
 | |
| 	  verification methods are necessary.
 | |
| 
 | |
| config IMA_APPRAISE_REQUIRE_KEXEC_SIGS
 | |
| 	bool "Appraise kexec kernel image signatures"
 | |
| 	depends on IMA_APPRAISE_BUILD_POLICY
 | |
| 	default n
 | |
| 	help
 | |
| 	  Enabling this rule will require all kexec'ed kernel images to
 | |
| 	  be signed and verified by a public key on the trusted IMA
 | |
| 	  keyring.
 | |
| 
 | |
| 	  Kernel image signatures can not be verified by the original
 | |
| 	  kexec_load syscall.  Enabling this rule will prevent its
 | |
| 	  usage.
 | |
| 
 | |
| config IMA_APPRAISE_REQUIRE_MODULE_SIGS
 | |
| 	bool "Appraise kernel modules signatures"
 | |
| 	depends on IMA_APPRAISE_BUILD_POLICY
 | |
| 	default n
 | |
| 	help
 | |
| 	  Enabling this rule will require all kernel modules to be signed
 | |
| 	  and verified by a public key on the trusted IMA keyring.
 | |
| 
 | |
| 	  Kernel module signatures can only be verified by IMA-appraisal,
 | |
| 	  via the finit_module syscall. Enabling this rule will prevent
 | |
| 	  the usage of the init_module syscall.
 | |
| 
 | |
| config IMA_APPRAISE_REQUIRE_POLICY_SIGS
 | |
| 	bool "Appraise IMA policy signature"
 | |
| 	depends on IMA_APPRAISE_BUILD_POLICY
 | |
| 	default n
 | |
| 	help
 | |
| 	  Enabling this rule will require the IMA policy to be signed and
 | |
| 	  and verified by a key on the trusted IMA keyring.
 | |
| 
 | |
| config IMA_APPRAISE_BOOTPARAM
 | |
| 	bool "ima_appraise boot parameter"
 | |
| 	depends on IMA_APPRAISE
 | |
| 	default y
 | |
| 	help
 | |
| 	  This option enables the different "ima_appraise=" modes
 | |
| 	  (eg. fix, log) from the boot command line.
 | |
| 
 | |
| config IMA_APPRAISE_MODSIG
 | |
| 	bool "Support module-style signatures for appraisal"
 | |
| 	depends on IMA_APPRAISE
 | |
| 	depends on INTEGRITY_ASYMMETRIC_KEYS
 | |
| 	select PKCS7_MESSAGE_PARSER
 | |
| 	select MODULE_SIG_FORMAT
 | |
| 	default n
 | |
| 	help
 | |
| 	   Adds support for signatures appended to files. The format of the
 | |
| 	   appended signature is the same used for signed kernel modules.
 | |
| 	   The modsig keyword can be used in the IMA policy to allow a hook
 | |
| 	   to accept such signatures.
 | |
| 
 | |
| config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
 | |
| 	bool "Permit keys validly signed by a built-in, machine (if configured) or secondary"
 | |
| 	depends on SYSTEM_TRUSTED_KEYRING
 | |
| 	depends on SECONDARY_TRUSTED_KEYRING
 | |
| 	depends on INTEGRITY_ASYMMETRIC_KEYS
 | |
| 	select INTEGRITY_TRUSTED_KEYRING
 | |
| 	default n
 | |
| 	help
 | |
| 	  Keys may be added to the IMA or IMA blacklist keyrings, if the
 | |
| 	  key is validly signed by a CA cert in the system built-in,
 | |
| 	  machine (if configured), or secondary trusted keyrings. The
 | |
| 	  key must also have the digitalSignature usage set.
 | |
| 
 | |
| 	  Intermediate keys between those the kernel has compiled in and the
 | |
| 	  IMA keys to be added may be added to the system secondary keyring,
 | |
| 	  provided they are validly signed by a key already resident in the
 | |
| 	  built-in, machine (if configured) or secondary trusted keyrings.
 | |
| 
 | |
| config IMA_BLACKLIST_KEYRING
 | |
| 	bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
 | |
| 	depends on SYSTEM_TRUSTED_KEYRING
 | |
| 	depends on INTEGRITY_TRUSTED_KEYRING
 | |
| 	default n
 | |
| 	help
 | |
| 	   This option creates an IMA blacklist keyring, which contains all
 | |
| 	   revoked IMA keys.  It is consulted before any other keyring.  If
 | |
| 	   the search is successful the requested operation is rejected and
 | |
| 	   an error is returned to the caller.
 | |
| 
 | |
| config IMA_LOAD_X509
 | |
| 	bool "Load X509 certificate onto the '.ima' trusted keyring"
 | |
| 	depends on INTEGRITY_TRUSTED_KEYRING
 | |
| 	default n
 | |
| 	help
 | |
| 	   File signature verification is based on the public keys
 | |
| 	   loaded on the .ima trusted keyring. These public keys are
 | |
| 	   X509 certificates signed by a trusted key on the
 | |
| 	   .system keyring.  This option enables X509 certificate
 | |
| 	   loading from the kernel onto the '.ima' trusted keyring.
 | |
| 
 | |
| config IMA_X509_PATH
 | |
| 	string "IMA X509 certificate path"
 | |
| 	depends on IMA_LOAD_X509
 | |
| 	default "/etc/keys/x509_ima.der"
 | |
| 	help
 | |
| 	   This option defines IMA X509 certificate path.
 | |
| 
 | |
| config IMA_APPRAISE_SIGNED_INIT
 | |
| 	bool "Require signed user-space initialization"
 | |
| 	depends on IMA_LOAD_X509
 | |
| 	default n
 | |
| 	help
 | |
| 	   This option requires user-space init to be signed.
 | |
| 
 | |
| config IMA_MEASURE_ASYMMETRIC_KEYS
 | |
| 	bool
 | |
| 	depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
 | |
| 	default y
 | |
| 
 | |
| config IMA_QUEUE_EARLY_BOOT_KEYS
 | |
| 	bool
 | |
| 	depends on IMA_MEASURE_ASYMMETRIC_KEYS
 | |
| 	depends on SYSTEM_TRUSTED_KEYRING
 | |
| 	default y
 | |
| 
 | |
| config IMA_SECURE_AND_OR_TRUSTED_BOOT
 | |
|        bool
 | |
|        depends on IMA_ARCH_POLICY
 | |
|        help
 | |
|           This option is selected by architectures to enable secure and/or
 | |
|           trusted boot based on IMA runtime policies.
 | |
| 
 | |
| config IMA_DISABLE_HTABLE
 | |
| 	bool "Disable htable to allow measurement of duplicate records"
 | |
| 	default n
 | |
| 	help
 | |
| 	   This option disables htable to allow measurement of duplicate records.
 | |
| 
 | |
| endif
 |