Kconfig 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335
  1. # SPDX-License-Identifier: GPL-2.0-only
  2. # IBM Integrity Measurement Architecture
  3. #
  4. config IMA
  5. bool "Integrity Measurement Architecture(IMA)"
  6. select SECURITYFS
  7. select CRYPTO
  8. select CRYPTO_HMAC
  9. select CRYPTO_SHA1
  10. select CRYPTO_HASH_INFO
  11. select SECURITY_PATH
  12. select TCG_TPM if HAS_IOMEM
  13. select TCG_TIS if TCG_TPM && X86
  14. select TCG_CRB if TCG_TPM && ACPI
  15. select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
  16. select INTEGRITY_AUDIT if AUDIT
  17. help
  18. The Trusted Computing Group(TCG) runtime Integrity
  19. Measurement Architecture(IMA) maintains a list of hash
  20. values of executables and other sensitive system files,
  21. as they are read or executed. If an attacker manages
  22. to change the contents of an important system file
  23. being measured, we can tell.
  24. If your system has a TPM chip, then IMA also maintains
  25. an aggregate integrity value over this list inside the
  26. TPM hardware, so that the TPM can prove to a third party
  27. whether or not critical system files have been modified.
  28. Read <https://www.usenix.org/events/sec04/tech/sailer.html>
  29. to learn more about IMA.
  30. If unsure, say N.
  31. if IMA
  32. config IMA_KEXEC
  33. bool "Enable carrying the IMA measurement list across a soft boot"
  34. depends on TCG_TPM && HAVE_IMA_KEXEC
  35. default n
  36. help
  37. TPM PCRs are only reset on a hard reboot. In order to validate
  38. a TPM's quote after a soft boot, the IMA measurement list of the
  39. running kernel must be saved and restored on boot.
  40. Depending on the IMA policy, the measurement list can grow to
  41. be very large.
  42. config IMA_MEASURE_PCR_IDX
  43. int
  44. range 8 14
  45. default 10
  46. help
  47. IMA_MEASURE_PCR_IDX determines the TPM PCR register index
  48. that IMA uses to maintain the integrity aggregate of the
  49. measurement list. If unsure, use the default 10.
  50. config IMA_LSM_RULES
  51. bool
  52. depends on AUDIT && (SECURITY_SELINUX || SECURITY_SMACK || SECURITY_APPARMOR)
  53. default y
  54. help
  55. Disabling this option will disregard LSM based policy rules.
  56. choice
  57. prompt "Default template"
  58. default IMA_NG_TEMPLATE
  59. help
  60. Select the default IMA measurement template.
  61. The original 'ima' measurement list template contains a
  62. hash, defined as 20 bytes, and a null terminated pathname,
  63. limited to 255 characters. The 'ima-ng' measurement list
  64. template permits both larger hash digests and longer
  65. pathnames. The configured default template can be replaced
  66. by specifying "ima_template=" on the boot command line.
  67. config IMA_NG_TEMPLATE
  68. bool "ima-ng (default)"
  69. config IMA_SIG_TEMPLATE
  70. bool "ima-sig"
  71. endchoice
  72. config IMA_DEFAULT_TEMPLATE
  73. string
  74. default "ima-ng" if IMA_NG_TEMPLATE
  75. default "ima-sig" if IMA_SIG_TEMPLATE
  76. choice
  77. prompt "Default integrity hash algorithm"
  78. default IMA_DEFAULT_HASH_SHA1
  79. help
  80. Select the default hash algorithm used for the measurement
  81. list, integrity appraisal and audit log. The compiled default
  82. hash algorithm can be overwritten using the kernel command
  83. line 'ima_hash=' option.
  84. config IMA_DEFAULT_HASH_SHA1
  85. bool "SHA1 (default)"
  86. depends on CRYPTO_SHA1=y
  87. config IMA_DEFAULT_HASH_SHA256
  88. bool "SHA256"
  89. depends on CRYPTO_SHA256=y
  90. config IMA_DEFAULT_HASH_SHA512
  91. bool "SHA512"
  92. depends on CRYPTO_SHA512=y
  93. config IMA_DEFAULT_HASH_WP512
  94. bool "WP512"
  95. depends on CRYPTO_WP512=y
  96. config IMA_DEFAULT_HASH_SM3
  97. bool "SM3"
  98. depends on CRYPTO_SM3_GENERIC=y
  99. endchoice
  100. config IMA_DEFAULT_HASH
  101. string
  102. default "sha1" if IMA_DEFAULT_HASH_SHA1
  103. default "sha256" if IMA_DEFAULT_HASH_SHA256
  104. default "sha512" if IMA_DEFAULT_HASH_SHA512
  105. default "wp512" if IMA_DEFAULT_HASH_WP512
  106. default "sm3" if IMA_DEFAULT_HASH_SM3
  107. config IMA_WRITE_POLICY
  108. bool "Enable multiple writes to the IMA policy"
  109. default n
  110. help
  111. IMA policy can now be updated multiple times. The new rules get
  112. appended to the original policy. Have in mind that the rules are
  113. scanned in FIFO order so be careful when you design and add new ones.
  114. If unsure, say N.
  115. config IMA_READ_POLICY
  116. bool "Enable reading back the current IMA policy"
  117. default y if IMA_WRITE_POLICY
  118. default n if !IMA_WRITE_POLICY
  119. help
  120. It is often useful to be able to read back the IMA policy. It is
  121. even more important after introducing CONFIG_IMA_WRITE_POLICY.
  122. This option allows the root user to see the current policy rules.
  123. config IMA_APPRAISE
  124. bool "Appraise integrity measurements"
  125. default n
  126. help
  127. This option enables local measurement integrity appraisal.
  128. It requires the system to be labeled with a security extended
  129. attribute containing the file hash measurement. To protect
  130. the security extended attributes from offline attack, enable
  131. and configure EVM.
  132. For more information on integrity appraisal refer to:
  133. <http://linux-ima.sourceforge.net>
  134. If unsure, say N.
  135. config IMA_ARCH_POLICY
  136. bool "Enable loading an IMA architecture specific policy"
  137. depends on (KEXEC_SIG && IMA) || IMA_APPRAISE \
  138. && INTEGRITY_ASYMMETRIC_KEYS
  139. default n
  140. help
  141. This option enables loading an IMA architecture specific policy
  142. based on run time secure boot flags.
  143. config IMA_APPRAISE_BUILD_POLICY
  144. bool "IMA build time configured policy rules"
  145. depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS
  146. default n
  147. help
  148. This option defines an IMA appraisal policy at build time, which
  149. is enforced at run time without having to specify a builtin
  150. policy name on the boot command line. The build time appraisal
  151. policy rules persist after loading a custom policy.
  152. Depending on the rules configured, this policy may require kernel
  153. modules, firmware, the kexec kernel image, and/or the IMA policy
  154. to be signed. Unsigned files might prevent the system from
  155. booting or applications from working properly.
  156. config IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS
  157. bool "Appraise firmware signatures"
  158. depends on IMA_APPRAISE_BUILD_POLICY
  159. default n
  160. help
  161. This option defines a policy requiring all firmware to be signed,
  162. including the regulatory.db. If both this option and
  163. CFG80211_REQUIRE_SIGNED_REGDB are enabled, then both signature
  164. verification methods are necessary.
  165. config IMA_APPRAISE_REQUIRE_KEXEC_SIGS
  166. bool "Appraise kexec kernel image signatures"
  167. depends on IMA_APPRAISE_BUILD_POLICY
  168. default n
  169. help
  170. Enabling this rule will require all kexec'ed kernel images to
  171. be signed and verified by a public key on the trusted IMA
  172. keyring.
  173. Kernel image signatures can not be verified by the original
  174. kexec_load syscall. Enabling this rule will prevent its
  175. usage.
  176. config IMA_APPRAISE_REQUIRE_MODULE_SIGS
  177. bool "Appraise kernel modules signatures"
  178. depends on IMA_APPRAISE_BUILD_POLICY
  179. default n
  180. help
  181. Enabling this rule will require all kernel modules to be signed
  182. and verified by a public key on the trusted IMA keyring.
  183. Kernel module signatures can only be verified by IMA-appraisal,
  184. via the finit_module syscall. Enabling this rule will prevent
  185. the usage of the init_module syscall.
  186. config IMA_APPRAISE_REQUIRE_POLICY_SIGS
  187. bool "Appraise IMA policy signature"
  188. depends on IMA_APPRAISE_BUILD_POLICY
  189. default n
  190. help
  191. Enabling this rule will require the IMA policy to be signed and
  192. and verified by a key on the trusted IMA keyring.
  193. config IMA_APPRAISE_BOOTPARAM
  194. bool "ima_appraise boot parameter"
  195. depends on IMA_APPRAISE
  196. default y
  197. help
  198. This option enables the different "ima_appraise=" modes
  199. (eg. fix, log) from the boot command line.
  200. config IMA_APPRAISE_MODSIG
  201. bool "Support module-style signatures for appraisal"
  202. depends on IMA_APPRAISE
  203. depends on INTEGRITY_ASYMMETRIC_KEYS
  204. select PKCS7_MESSAGE_PARSER
  205. select MODULE_SIG_FORMAT
  206. default n
  207. help
  208. Adds support for signatures appended to files. The format of the
  209. appended signature is the same used for signed kernel modules.
  210. The modsig keyword can be used in the IMA policy to allow a hook
  211. to accept such signatures.
  212. config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
  213. bool "Permit keys validly signed by a built-in, machine (if configured) or secondary"
  214. depends on SYSTEM_TRUSTED_KEYRING
  215. depends on SECONDARY_TRUSTED_KEYRING
  216. depends on INTEGRITY_ASYMMETRIC_KEYS
  217. select INTEGRITY_TRUSTED_KEYRING
  218. default n
  219. help
  220. Keys may be added to the IMA or IMA blacklist keyrings, if the
  221. key is validly signed by a CA cert in the system built-in,
  222. machine (if configured), or secondary trusted keyrings. The
  223. key must also have the digitalSignature usage set.
  224. Intermediate keys between those the kernel has compiled in and the
  225. IMA keys to be added may be added to the system secondary keyring,
  226. provided they are validly signed by a key already resident in the
  227. built-in, machine (if configured) or secondary trusted keyrings.
  228. config IMA_BLACKLIST_KEYRING
  229. bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
  230. depends on SYSTEM_TRUSTED_KEYRING
  231. depends on INTEGRITY_TRUSTED_KEYRING
  232. default n
  233. help
  234. This option creates an IMA blacklist keyring, which contains all
  235. revoked IMA keys. It is consulted before any other keyring. If
  236. the search is successful the requested operation is rejected and
  237. an error is returned to the caller.
  238. config IMA_LOAD_X509
  239. bool "Load X509 certificate onto the '.ima' trusted keyring"
  240. depends on INTEGRITY_TRUSTED_KEYRING
  241. default n
  242. help
  243. File signature verification is based on the public keys
  244. loaded on the .ima trusted keyring. These public keys are
  245. X509 certificates signed by a trusted key on the
  246. .system keyring. This option enables X509 certificate
  247. loading from the kernel onto the '.ima' trusted keyring.
  248. config IMA_X509_PATH
  249. string "IMA X509 certificate path"
  250. depends on IMA_LOAD_X509
  251. default "/etc/keys/x509_ima.der"
  252. help
  253. This option defines IMA X509 certificate path.
  254. config IMA_APPRAISE_SIGNED_INIT
  255. bool "Require signed user-space initialization"
  256. depends on IMA_LOAD_X509
  257. default n
  258. help
  259. This option requires user-space init to be signed.
  260. config IMA_MEASURE_ASYMMETRIC_KEYS
  261. bool
  262. depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
  263. default y
  264. config IMA_QUEUE_EARLY_BOOT_KEYS
  265. bool
  266. depends on IMA_MEASURE_ASYMMETRIC_KEYS
  267. depends on SYSTEM_TRUSTED_KEYRING
  268. default y
  269. config IMA_SECURE_AND_OR_TRUSTED_BOOT
  270. bool
  271. depends on IMA_ARCH_POLICY
  272. help
  273. This option is selected by architectures to enable secure and/or
  274. trusted boot based on IMA runtime policies.
  275. config IMA_DISABLE_HTABLE
  276. bool "Disable htable to allow measurement of duplicate records"
  277. default n
  278. help
  279. This option disables htable to allow measurement of duplicate records.
  280. config IMA_KEXEC_EXTRA_MEMORY_KB
  281. int "Extra memory for IMA measurements added during kexec soft reboot"
  282. range 0 40
  283. depends on IMA_KEXEC
  284. default 0
  285. help
  286. IMA_KEXEC_EXTRA_MEMORY_KB determines the extra memory to be
  287. allocated (in kb) for IMA measurements added during kexec soft reboot.
  288. If set to the default value of 0, an extra half page of memory for those
  289. additional measurements will be allocated.
  290. endif