324 lines
10 KiB
Plaintext
324 lines
10 KiB
Plaintext
|
# SPDX-License-Identifier: GPL-2.0-only
|
||
|
# IBM Integrity Measurement Architecture
|
||
|
#
|
||
|
config IMA
|
||
|
bool "Integrity Measurement Architecture(IMA)"
|
||
|
select SECURITYFS
|
||
|
select CRYPTO
|
||
|
select CRYPTO_HMAC
|
||
|
select CRYPTO_SHA1
|
||
|
select CRYPTO_HASH_INFO
|
||
|
select TCG_TPM if HAS_IOMEM
|
||
|
select TCG_TIS if TCG_TPM && X86
|
||
|
select TCG_CRB if TCG_TPM && ACPI
|
||
|
select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
|
||
|
select INTEGRITY_AUDIT if AUDIT
|
||
|
help
|
||
|
The Trusted Computing Group(TCG) runtime Integrity
|
||
|
Measurement Architecture(IMA) maintains a list of hash
|
||
|
values of executables and other sensitive system files,
|
||
|
as they are read or executed. If an attacker manages
|
||
|
to change the contents of an important system file
|
||
|
being measured, we can tell.
|
||
|
|
||
|
If your system has a TPM chip, then IMA also maintains
|
||
|
an aggregate integrity value over this list inside the
|
||
|
TPM hardware, so that the TPM can prove to a third party
|
||
|
whether or not critical system files have been modified.
|
||
|
Read <https://www.usenix.org/events/sec04/tech/sailer.html>
|
||
|
to learn more about IMA.
|
||
|
If unsure, say N.
|
||
|
|
||
|
if IMA
|
||
|
|
||
|
config IMA_KEXEC
|
||
|
bool "Enable carrying the IMA measurement list across a soft boot"
|
||
|
depends on TCG_TPM && HAVE_IMA_KEXEC
|
||
|
default n
|
||
|
help
|
||
|
TPM PCRs are only reset on a hard reboot. In order to validate
|
||
|
a TPM's quote after a soft boot, the IMA measurement list of the
|
||
|
running kernel must be saved and restored on boot.
|
||
|
|
||
|
Depending on the IMA policy, the measurement list can grow to
|
||
|
be very large.
|
||
|
|
||
|
config IMA_MEASURE_PCR_IDX
|
||
|
int
|
||
|
range 8 14
|
||
|
default 10
|
||
|
help
|
||
|
IMA_MEASURE_PCR_IDX determines the TPM PCR register index
|
||
|
that IMA uses to maintain the integrity aggregate of the
|
||
|
measurement list. If unsure, use the default 10.
|
||
|
|
||
|
config IMA_LSM_RULES
|
||
|
bool
|
||
|
depends on AUDIT && (SECURITY_SELINUX || SECURITY_SMACK || SECURITY_APPARMOR)
|
||
|
default y
|
||
|
help
|
||
|
Disabling this option will disregard LSM based policy rules.
|
||
|
|
||
|
choice
|
||
|
prompt "Default template"
|
||
|
default IMA_NG_TEMPLATE
|
||
|
help
|
||
|
Select the default IMA measurement template.
|
||
|
|
||
|
The original 'ima' measurement list template contains a
|
||
|
hash, defined as 20 bytes, and a null terminated pathname,
|
||
|
limited to 255 characters. The 'ima-ng' measurement list
|
||
|
template permits both larger hash digests and longer
|
||
|
pathnames. The configured default template can be replaced
|
||
|
by specifying "ima_template=" on the boot command line.
|
||
|
|
||
|
config IMA_NG_TEMPLATE
|
||
|
bool "ima-ng (default)"
|
||
|
config IMA_SIG_TEMPLATE
|
||
|
bool "ima-sig"
|
||
|
endchoice
|
||
|
|
||
|
config IMA_DEFAULT_TEMPLATE
|
||
|
string
|
||
|
default "ima-ng" if IMA_NG_TEMPLATE
|
||
|
default "ima-sig" if IMA_SIG_TEMPLATE
|
||
|
|
||
|
choice
|
||
|
prompt "Default integrity hash algorithm"
|
||
|
default IMA_DEFAULT_HASH_SHA1
|
||
|
help
|
||
|
Select the default hash algorithm used for the measurement
|
||
|
list, integrity appraisal and audit log. The compiled default
|
||
|
hash algorithm can be overwritten using the kernel command
|
||
|
line 'ima_hash=' option.
|
||
|
|
||
|
config IMA_DEFAULT_HASH_SHA1
|
||
|
bool "SHA1 (default)"
|
||
|
depends on CRYPTO_SHA1=y
|
||
|
|
||
|
config IMA_DEFAULT_HASH_SHA256
|
||
|
bool "SHA256"
|
||
|
depends on CRYPTO_SHA256=y
|
||
|
|
||
|
config IMA_DEFAULT_HASH_SHA512
|
||
|
bool "SHA512"
|
||
|
depends on CRYPTO_SHA512=y
|
||
|
|
||
|
config IMA_DEFAULT_HASH_WP512
|
||
|
bool "WP512"
|
||
|
depends on CRYPTO_WP512=y
|
||
|
|
||
|
config IMA_DEFAULT_HASH_SM3
|
||
|
bool "SM3"
|
||
|
depends on CRYPTO_SM3_GENERIC=y
|
||
|
endchoice
|
||
|
|
||
|
config IMA_DEFAULT_HASH
|
||
|
string
|
||
|
default "sha1" if IMA_DEFAULT_HASH_SHA1
|
||
|
default "sha256" if IMA_DEFAULT_HASH_SHA256
|
||
|
default "sha512" if IMA_DEFAULT_HASH_SHA512
|
||
|
default "wp512" if IMA_DEFAULT_HASH_WP512
|
||
|
default "sm3" if IMA_DEFAULT_HASH_SM3
|
||
|
|
||
|
config IMA_WRITE_POLICY
|
||
|
bool "Enable multiple writes to the IMA policy"
|
||
|
default n
|
||
|
help
|
||
|
IMA policy can now be updated multiple times. The new rules get
|
||
|
appended to the original policy. Have in mind that the rules are
|
||
|
scanned in FIFO order so be careful when you design and add new ones.
|
||
|
|
||
|
If unsure, say N.
|
||
|
|
||
|
config IMA_READ_POLICY
|
||
|
bool "Enable reading back the current IMA policy"
|
||
|
default y if IMA_WRITE_POLICY
|
||
|
default n if !IMA_WRITE_POLICY
|
||
|
help
|
||
|
It is often useful to be able to read back the IMA policy. It is
|
||
|
even more important after introducing CONFIG_IMA_WRITE_POLICY.
|
||
|
This option allows the root user to see the current policy rules.
|
||
|
|
||
|
config IMA_APPRAISE
|
||
|
bool "Appraise integrity measurements"
|
||
|
default n
|
||
|
help
|
||
|
This option enables local measurement integrity appraisal.
|
||
|
It requires the system to be labeled with a security extended
|
||
|
attribute containing the file hash measurement. To protect
|
||
|
the security extended attributes from offline attack, enable
|
||
|
and configure EVM.
|
||
|
|
||
|
For more information on integrity appraisal refer to:
|
||
|
<http://linux-ima.sourceforge.net>
|
||
|
If unsure, say N.
|
||
|
|
||
|
config IMA_ARCH_POLICY
|
||
|
bool "Enable loading an IMA architecture specific policy"
|
||
|
depends on (KEXEC_SIG && IMA) || IMA_APPRAISE \
|
||
|
&& INTEGRITY_ASYMMETRIC_KEYS
|
||
|
default n
|
||
|
help
|
||
|
This option enables loading an IMA architecture specific policy
|
||
|
based on run time secure boot flags.
|
||
|
|
||
|
config IMA_APPRAISE_BUILD_POLICY
|
||
|
bool "IMA build time configured policy rules"
|
||
|
depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS
|
||
|
default n
|
||
|
help
|
||
|
This option defines an IMA appraisal policy at build time, which
|
||
|
is enforced at run time without having to specify a builtin
|
||
|
policy name on the boot command line. The build time appraisal
|
||
|
policy rules persist after loading a custom policy.
|
||
|
|
||
|
Depending on the rules configured, this policy may require kernel
|
||
|
modules, firmware, the kexec kernel image, and/or the IMA policy
|
||
|
to be signed. Unsigned files might prevent the system from
|
||
|
booting or applications from working properly.
|
||
|
|
||
|
config IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS
|
||
|
bool "Appraise firmware signatures"
|
||
|
depends on IMA_APPRAISE_BUILD_POLICY
|
||
|
default n
|
||
|
help
|
||
|
This option defines a policy requiring all firmware to be signed,
|
||
|
including the regulatory.db. If both this option and
|
||
|
CFG80211_REQUIRE_SIGNED_REGDB are enabled, then both signature
|
||
|
verification methods are necessary.
|
||
|
|
||
|
config IMA_APPRAISE_REQUIRE_KEXEC_SIGS
|
||
|
bool "Appraise kexec kernel image signatures"
|
||
|
depends on IMA_APPRAISE_BUILD_POLICY
|
||
|
default n
|
||
|
help
|
||
|
Enabling this rule will require all kexec'ed kernel images to
|
||
|
be signed and verified by a public key on the trusted IMA
|
||
|
keyring.
|
||
|
|
||
|
Kernel image signatures can not be verified by the original
|
||
|
kexec_load syscall. Enabling this rule will prevent its
|
||
|
usage.
|
||
|
|
||
|
config IMA_APPRAISE_REQUIRE_MODULE_SIGS
|
||
|
bool "Appraise kernel modules signatures"
|
||
|
depends on IMA_APPRAISE_BUILD_POLICY
|
||
|
default n
|
||
|
help
|
||
|
Enabling this rule will require all kernel modules to be signed
|
||
|
and verified by a public key on the trusted IMA keyring.
|
||
|
|
||
|
Kernel module signatures can only be verified by IMA-appraisal,
|
||
|
via the finit_module syscall. Enabling this rule will prevent
|
||
|
the usage of the init_module syscall.
|
||
|
|
||
|
config IMA_APPRAISE_REQUIRE_POLICY_SIGS
|
||
|
bool "Appraise IMA policy signature"
|
||
|
depends on IMA_APPRAISE_BUILD_POLICY
|
||
|
default n
|
||
|
help
|
||
|
Enabling this rule will require the IMA policy to be signed and
|
||
|
and verified by a key on the trusted IMA keyring.
|
||
|
|
||
|
config IMA_APPRAISE_BOOTPARAM
|
||
|
bool "ima_appraise boot parameter"
|
||
|
depends on IMA_APPRAISE
|
||
|
default y
|
||
|
help
|
||
|
This option enables the different "ima_appraise=" modes
|
||
|
(eg. fix, log) from the boot command line.
|
||
|
|
||
|
config IMA_APPRAISE_MODSIG
|
||
|
bool "Support module-style signatures for appraisal"
|
||
|
depends on IMA_APPRAISE
|
||
|
depends on INTEGRITY_ASYMMETRIC_KEYS
|
||
|
select PKCS7_MESSAGE_PARSER
|
||
|
select MODULE_SIG_FORMAT
|
||
|
default n
|
||
|
help
|
||
|
Adds support for signatures appended to files. The format of the
|
||
|
appended signature is the same used for signed kernel modules.
|
||
|
The modsig keyword can be used in the IMA policy to allow a hook
|
||
|
to accept such signatures.
|
||
|
|
||
|
config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
|
||
|
bool "Permit keys validly signed by a built-in, machine (if configured) or secondary"
|
||
|
depends on SYSTEM_TRUSTED_KEYRING
|
||
|
depends on SECONDARY_TRUSTED_KEYRING
|
||
|
depends on INTEGRITY_ASYMMETRIC_KEYS
|
||
|
select INTEGRITY_TRUSTED_KEYRING
|
||
|
default n
|
||
|
help
|
||
|
Keys may be added to the IMA or IMA blacklist keyrings, if the
|
||
|
key is validly signed by a CA cert in the system built-in,
|
||
|
machine (if configured), or secondary trusted keyrings. The
|
||
|
key must also have the digitalSignature usage set.
|
||
|
|
||
|
Intermediate keys between those the kernel has compiled in and the
|
||
|
IMA keys to be added may be added to the system secondary keyring,
|
||
|
provided they are validly signed by a key already resident in the
|
||
|
built-in, machine (if configured) or secondary trusted keyrings.
|
||
|
|
||
|
config IMA_BLACKLIST_KEYRING
|
||
|
bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
|
||
|
depends on SYSTEM_TRUSTED_KEYRING
|
||
|
depends on INTEGRITY_TRUSTED_KEYRING
|
||
|
default n
|
||
|
help
|
||
|
This option creates an IMA blacklist keyring, which contains all
|
||
|
revoked IMA keys. It is consulted before any other keyring. If
|
||
|
the search is successful the requested operation is rejected and
|
||
|
an error is returned to the caller.
|
||
|
|
||
|
config IMA_LOAD_X509
|
||
|
bool "Load X509 certificate onto the '.ima' trusted keyring"
|
||
|
depends on INTEGRITY_TRUSTED_KEYRING
|
||
|
default n
|
||
|
help
|
||
|
File signature verification is based on the public keys
|
||
|
loaded on the .ima trusted keyring. These public keys are
|
||
|
X509 certificates signed by a trusted key on the
|
||
|
.system keyring. This option enables X509 certificate
|
||
|
loading from the kernel onto the '.ima' trusted keyring.
|
||
|
|
||
|
config IMA_X509_PATH
|
||
|
string "IMA X509 certificate path"
|
||
|
depends on IMA_LOAD_X509
|
||
|
default "/etc/keys/x509_ima.der"
|
||
|
help
|
||
|
This option defines IMA X509 certificate path.
|
||
|
|
||
|
config IMA_APPRAISE_SIGNED_INIT
|
||
|
bool "Require signed user-space initialization"
|
||
|
depends on IMA_LOAD_X509
|
||
|
default n
|
||
|
help
|
||
|
This option requires user-space init to be signed.
|
||
|
|
||
|
config IMA_MEASURE_ASYMMETRIC_KEYS
|
||
|
bool
|
||
|
depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
|
||
|
default y
|
||
|
|
||
|
config IMA_QUEUE_EARLY_BOOT_KEYS
|
||
|
bool
|
||
|
depends on IMA_MEASURE_ASYMMETRIC_KEYS
|
||
|
depends on SYSTEM_TRUSTED_KEYRING
|
||
|
default y
|
||
|
|
||
|
config IMA_SECURE_AND_OR_TRUSTED_BOOT
|
||
|
bool
|
||
|
depends on IMA_ARCH_POLICY
|
||
|
help
|
||
|
This option is selected by architectures to enable secure and/or
|
||
|
trusted boot based on IMA runtime policies.
|
||
|
|
||
|
config IMA_DISABLE_HTABLE
|
||
|
bool "Disable htable to allow measurement of duplicate records"
|
||
|
default n
|
||
|
help
|
||
|
This option disables htable to allow measurement of duplicate records.
|
||
|
|
||
|
endif
|