162306a36Sopenharmony_ci# SPDX-License-Identifier: GPL-2.0-only
262306a36Sopenharmony_ci# IBM Integrity Measurement Architecture
362306a36Sopenharmony_ci#
462306a36Sopenharmony_ciconfig IMA
562306a36Sopenharmony_ci	bool "Integrity Measurement Architecture(IMA)"
662306a36Sopenharmony_ci	select SECURITYFS
762306a36Sopenharmony_ci	select CRYPTO
862306a36Sopenharmony_ci	select CRYPTO_HMAC
962306a36Sopenharmony_ci	select CRYPTO_SHA1
1062306a36Sopenharmony_ci	select CRYPTO_HASH_INFO
1162306a36Sopenharmony_ci	select TCG_TPM if HAS_IOMEM
1262306a36Sopenharmony_ci	select TCG_TIS if TCG_TPM && X86
1362306a36Sopenharmony_ci	select TCG_CRB if TCG_TPM && ACPI
1462306a36Sopenharmony_ci	select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
1562306a36Sopenharmony_ci	select INTEGRITY_AUDIT if AUDIT
1662306a36Sopenharmony_ci	help
1762306a36Sopenharmony_ci	  The Trusted Computing Group (TCG) runtime Integrity
1862306a36Sopenharmony_ci	  Measurement Architecture (IMA) maintains a list of hash
1962306a36Sopenharmony_ci	  values of executables and other sensitive system files,
2062306a36Sopenharmony_ci	  as they are read or executed. If an attacker manages
2162306a36Sopenharmony_ci	  to change the contents of an important system file
2262306a36Sopenharmony_ci	  being measured, we can tell.
2362306a36Sopenharmony_ci
2462306a36Sopenharmony_ci	  If your system has a TPM chip, then IMA also maintains
2562306a36Sopenharmony_ci	  an aggregate integrity value over this list inside the
2662306a36Sopenharmony_ci	  TPM hardware, so that the TPM can prove to a third party
2762306a36Sopenharmony_ci	  whether or not critical system files have been modified.
2862306a36Sopenharmony_ci	  Read <https://www.usenix.org/events/sec04/tech/sailer.html>
2962306a36Sopenharmony_ci	  to learn more about IMA.
3062306a36Sopenharmony_ci	  If unsure, say N.
3162306a36Sopenharmony_ci
3262306a36Sopenharmony_ciif IMA
3362306a36Sopenharmony_ci
3462306a36Sopenharmony_ciconfig IMA_KEXEC
3562306a36Sopenharmony_ci	bool "Enable carrying the IMA measurement list across a soft boot"
3662306a36Sopenharmony_ci	depends on TCG_TPM && HAVE_IMA_KEXEC
3762306a36Sopenharmony_ci	default n
3862306a36Sopenharmony_ci	help
3962306a36Sopenharmony_ci	   TPM PCRs are only reset on a hard reboot.  In order to validate
4062306a36Sopenharmony_ci	   a TPM's quote after a soft boot, the IMA measurement list of the
4162306a36Sopenharmony_ci	   running kernel must be saved and restored on boot.
4262306a36Sopenharmony_ci
4362306a36Sopenharmony_ci	   Depending on the IMA policy, the measurement list can grow to
4462306a36Sopenharmony_ci	   be very large.
4562306a36Sopenharmony_ci
4662306a36Sopenharmony_ciconfig IMA_MEASURE_PCR_IDX
4762306a36Sopenharmony_ci	int
4862306a36Sopenharmony_ci	range 8 14
4962306a36Sopenharmony_ci	default 10
5062306a36Sopenharmony_ci	help
5162306a36Sopenharmony_ci	  IMA_MEASURE_PCR_IDX determines the TPM PCR register index
5262306a36Sopenharmony_ci	  that IMA uses to maintain the integrity aggregate of the
5362306a36Sopenharmony_ci	  measurement list.  If unsure, use the default 10.
5462306a36Sopenharmony_ci
5562306a36Sopenharmony_ciconfig IMA_LSM_RULES
5662306a36Sopenharmony_ci	bool
5762306a36Sopenharmony_ci	depends on AUDIT && (SECURITY_SELINUX || SECURITY_SMACK || SECURITY_APPARMOR)
5862306a36Sopenharmony_ci	default y
5962306a36Sopenharmony_ci	help
6062306a36Sopenharmony_ci	  Disabling this option will disregard LSM-based policy rules.
6162306a36Sopenharmony_ci
6262306a36Sopenharmony_cichoice
6362306a36Sopenharmony_ci	prompt "Default template"
6462306a36Sopenharmony_ci	default IMA_NG_TEMPLATE
6562306a36Sopenharmony_ci	help
6662306a36Sopenharmony_ci	  Select the default IMA measurement template.
6762306a36Sopenharmony_ci
6862306a36Sopenharmony_ci	  The original 'ima' measurement list template contains a
6962306a36Sopenharmony_ci	  hash, defined as 20 bytes, and a null terminated pathname,
7062306a36Sopenharmony_ci	  limited to 255 characters.  The 'ima-ng' measurement list
7162306a36Sopenharmony_ci	  template permits both larger hash digests and longer
7262306a36Sopenharmony_ci	  pathnames. The configured default template can be replaced
7362306a36Sopenharmony_ci	  by specifying "ima_template=" on the boot command line.
7462306a36Sopenharmony_ci
7562306a36Sopenharmony_ci	config IMA_NG_TEMPLATE
7662306a36Sopenharmony_ci		bool "ima-ng (default)"
7762306a36Sopenharmony_ci	config IMA_SIG_TEMPLATE
7862306a36Sopenharmony_ci		bool "ima-sig"
7962306a36Sopenharmony_ciendchoice
8062306a36Sopenharmony_ci
8162306a36Sopenharmony_ciconfig IMA_DEFAULT_TEMPLATE
8262306a36Sopenharmony_ci	string
8362306a36Sopenharmony_ci	default "ima-ng" if IMA_NG_TEMPLATE
8462306a36Sopenharmony_ci	default "ima-sig" if IMA_SIG_TEMPLATE
8562306a36Sopenharmony_ci
8662306a36Sopenharmony_cichoice
8762306a36Sopenharmony_ci	prompt "Default integrity hash algorithm"
8862306a36Sopenharmony_ci	default IMA_DEFAULT_HASH_SHA1
8962306a36Sopenharmony_ci	help
9062306a36Sopenharmony_ci	   Select the default hash algorithm used for the measurement
9162306a36Sopenharmony_ci	   list, integrity appraisal and audit log.  The compiled default
9262306a36Sopenharmony_ci	   hash algorithm can be overridden using the kernel command
9362306a36Sopenharmony_ci	   line 'ima_hash=' option.
9462306a36Sopenharmony_ci
9562306a36Sopenharmony_ci	config IMA_DEFAULT_HASH_SHA1
9662306a36Sopenharmony_ci		bool "SHA1 (default)"
9762306a36Sopenharmony_ci		depends on CRYPTO_SHA1=y
9862306a36Sopenharmony_ci
9962306a36Sopenharmony_ci	config IMA_DEFAULT_HASH_SHA256
10062306a36Sopenharmony_ci		bool "SHA256"
10162306a36Sopenharmony_ci		depends on CRYPTO_SHA256=y
10262306a36Sopenharmony_ci
10362306a36Sopenharmony_ci	config IMA_DEFAULT_HASH_SHA512
10462306a36Sopenharmony_ci		bool "SHA512"
10562306a36Sopenharmony_ci		depends on CRYPTO_SHA512=y
10662306a36Sopenharmony_ci
10762306a36Sopenharmony_ci	config IMA_DEFAULT_HASH_WP512
10862306a36Sopenharmony_ci		bool "WP512"
10962306a36Sopenharmony_ci		depends on CRYPTO_WP512=y
11062306a36Sopenharmony_ci
11162306a36Sopenharmony_ci	config IMA_DEFAULT_HASH_SM3
11262306a36Sopenharmony_ci		bool "SM3"
11362306a36Sopenharmony_ci		depends on CRYPTO_SM3_GENERIC=y
11462306a36Sopenharmony_ciendchoice
11562306a36Sopenharmony_ci
11662306a36Sopenharmony_ciconfig IMA_DEFAULT_HASH
11762306a36Sopenharmony_ci	string
11862306a36Sopenharmony_ci	default "sha1" if IMA_DEFAULT_HASH_SHA1
11962306a36Sopenharmony_ci	default "sha256" if IMA_DEFAULT_HASH_SHA256
12062306a36Sopenharmony_ci	default "sha512" if IMA_DEFAULT_HASH_SHA512
12162306a36Sopenharmony_ci	default "wp512" if IMA_DEFAULT_HASH_WP512
12262306a36Sopenharmony_ci	default "sm3" if IMA_DEFAULT_HASH_SM3
12362306a36Sopenharmony_ci
12462306a36Sopenharmony_ciconfig IMA_WRITE_POLICY
12562306a36Sopenharmony_ci	bool "Enable multiple writes to the IMA policy"
12662306a36Sopenharmony_ci	default n
12762306a36Sopenharmony_ci	help
12862306a36Sopenharmony_ci	  IMA policy can now be updated multiple times.  The new rules get
12962306a36Sopenharmony_ci	  appended to the original policy.  Keep in mind that the rules are
13062306a36Sopenharmony_ci	  scanned in FIFO order, so be careful when you design and add new ones.
13162306a36Sopenharmony_ci
13262306a36Sopenharmony_ci	  If unsure, say N.
13362306a36Sopenharmony_ci
13462306a36Sopenharmony_ciconfig IMA_READ_POLICY
13562306a36Sopenharmony_ci	bool "Enable reading back the current IMA policy"
13662306a36Sopenharmony_ci	default y if IMA_WRITE_POLICY
13762306a36Sopenharmony_ci	default n if !IMA_WRITE_POLICY
13862306a36Sopenharmony_ci	help
13962306a36Sopenharmony_ci	   It is often useful to be able to read back the IMA policy.  It is
14062306a36Sopenharmony_ci	   even more important after introducing CONFIG_IMA_WRITE_POLICY.
14162306a36Sopenharmony_ci	   This option allows the root user to see the current policy rules.
14262306a36Sopenharmony_ci
14362306a36Sopenharmony_ciconfig IMA_APPRAISE
14462306a36Sopenharmony_ci	bool "Appraise integrity measurements"
14562306a36Sopenharmony_ci	default n
14662306a36Sopenharmony_ci	help
14762306a36Sopenharmony_ci	  This option enables local measurement integrity appraisal.
14862306a36Sopenharmony_ci	  It requires the system to be labeled with a security extended
14962306a36Sopenharmony_ci	  attribute containing the file hash measurement.  To protect
15062306a36Sopenharmony_ci	  the security extended attributes from offline attack, enable
15162306a36Sopenharmony_ci	  and configure EVM.
15262306a36Sopenharmony_ci
15362306a36Sopenharmony_ci	  For more information on integrity appraisal refer to:
15462306a36Sopenharmony_ci	  <http://linux-ima.sourceforge.net>
15562306a36Sopenharmony_ci	  If unsure, say N.
15662306a36Sopenharmony_ci
15762306a36Sopenharmony_ciconfig IMA_ARCH_POLICY
15862306a36Sopenharmony_ci        bool "Enable loading an IMA architecture specific policy"
15962306a36Sopenharmony_ci        depends on (KEXEC_SIG && IMA) || IMA_APPRAISE \
16062306a36Sopenharmony_ci		   && INTEGRITY_ASYMMETRIC_KEYS
16162306a36Sopenharmony_ci        default n
16262306a36Sopenharmony_ci        help
16362306a36Sopenharmony_ci          This option enables loading an IMA architecture specific policy
16462306a36Sopenharmony_ci          based on runtime secure boot flags.
16562306a36Sopenharmony_ci
16662306a36Sopenharmony_ciconfig IMA_APPRAISE_BUILD_POLICY
16762306a36Sopenharmony_ci	bool "IMA build time configured policy rules"
16862306a36Sopenharmony_ci	depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS
16962306a36Sopenharmony_ci	default n
17062306a36Sopenharmony_ci	help
17162306a36Sopenharmony_ci	  This option defines an IMA appraisal policy at build time, which
17262306a36Sopenharmony_ci	  is enforced at run time without having to specify a builtin
17362306a36Sopenharmony_ci	  policy name on the boot command line.  The build time appraisal
17462306a36Sopenharmony_ci	  policy rules persist after loading a custom policy.
17562306a36Sopenharmony_ci
17662306a36Sopenharmony_ci	  Depending on the rules configured, this policy may require kernel
17762306a36Sopenharmony_ci	  modules, firmware, the kexec kernel image, and/or the IMA policy
17862306a36Sopenharmony_ci	  to be signed.  Unsigned files might prevent the system from
17962306a36Sopenharmony_ci	  booting or applications from working properly.
18062306a36Sopenharmony_ci
18162306a36Sopenharmony_ciconfig IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS
18262306a36Sopenharmony_ci	bool "Appraise firmware signatures"
18362306a36Sopenharmony_ci	depends on IMA_APPRAISE_BUILD_POLICY
18462306a36Sopenharmony_ci	default n
18562306a36Sopenharmony_ci	help
18662306a36Sopenharmony_ci	  This option defines a policy requiring all firmware to be signed,
18762306a36Sopenharmony_ci	  including the regulatory.db.  If both this option and
18862306a36Sopenharmony_ci	  CFG80211_REQUIRE_SIGNED_REGDB are enabled, then both signature
18962306a36Sopenharmony_ci	  verification methods are necessary.
19062306a36Sopenharmony_ci
19162306a36Sopenharmony_ciconfig IMA_APPRAISE_REQUIRE_KEXEC_SIGS
19262306a36Sopenharmony_ci	bool "Appraise kexec kernel image signatures"
19362306a36Sopenharmony_ci	depends on IMA_APPRAISE_BUILD_POLICY
19462306a36Sopenharmony_ci	default n
19562306a36Sopenharmony_ci	help
19662306a36Sopenharmony_ci	  Enabling this rule will require all kexec'ed kernel images to
19762306a36Sopenharmony_ci	  be signed and verified by a public key on the trusted IMA
19862306a36Sopenharmony_ci	  keyring.
19962306a36Sopenharmony_ci
20062306a36Sopenharmony_ci	  Kernel image signatures cannot be verified by the original
20162306a36Sopenharmony_ci	  kexec_load syscall.  Enabling this rule will prevent its
20262306a36Sopenharmony_ci	  usage.
20362306a36Sopenharmony_ci
20462306a36Sopenharmony_ciconfig IMA_APPRAISE_REQUIRE_MODULE_SIGS
20562306a36Sopenharmony_ci	bool "Appraise kernel modules signatures"
20662306a36Sopenharmony_ci	depends on IMA_APPRAISE_BUILD_POLICY
20762306a36Sopenharmony_ci	default n
20862306a36Sopenharmony_ci	help
20962306a36Sopenharmony_ci	  Enabling this rule will require all kernel modules to be signed
21062306a36Sopenharmony_ci	  and verified by a public key on the trusted IMA keyring.
21162306a36Sopenharmony_ci
21262306a36Sopenharmony_ci	  Kernel module signatures can only be verified by IMA-appraisal,
21362306a36Sopenharmony_ci	  via the finit_module syscall. Enabling this rule will prevent
21462306a36Sopenharmony_ci	  the usage of the init_module syscall.
21562306a36Sopenharmony_ci
21662306a36Sopenharmony_ciconfig IMA_APPRAISE_REQUIRE_POLICY_SIGS
21762306a36Sopenharmony_ci	bool "Appraise IMA policy signature"
21862306a36Sopenharmony_ci	depends on IMA_APPRAISE_BUILD_POLICY
21962306a36Sopenharmony_ci	default n
22062306a36Sopenharmony_ci	help
22162306a36Sopenharmony_ci	  Enabling this rule will require the IMA policy to be signed and
22262306a36Sopenharmony_ci	  verified by a key on the trusted IMA keyring.
22362306a36Sopenharmony_ci
22462306a36Sopenharmony_ciconfig IMA_APPRAISE_BOOTPARAM
22562306a36Sopenharmony_ci	bool "ima_appraise boot parameter"
22662306a36Sopenharmony_ci	depends on IMA_APPRAISE
22762306a36Sopenharmony_ci	default y
22862306a36Sopenharmony_ci	help
22962306a36Sopenharmony_ci	  This option enables the different "ima_appraise=" modes
23062306a36Sopenharmony_ci	  (eg. fix, log) from the boot command line.
23162306a36Sopenharmony_ci
23262306a36Sopenharmony_ciconfig IMA_APPRAISE_MODSIG
23362306a36Sopenharmony_ci	bool "Support module-style signatures for appraisal"
23462306a36Sopenharmony_ci	depends on IMA_APPRAISE
23562306a36Sopenharmony_ci	depends on INTEGRITY_ASYMMETRIC_KEYS
23662306a36Sopenharmony_ci	select PKCS7_MESSAGE_PARSER
23762306a36Sopenharmony_ci	select MODULE_SIG_FORMAT
23862306a36Sopenharmony_ci	default n
23962306a36Sopenharmony_ci	help
24062306a36Sopenharmony_ci	   Adds support for signatures appended to files. The format of the
24162306a36Sopenharmony_ci	   appended signature is the same used for signed kernel modules.
24262306a36Sopenharmony_ci	   The modsig keyword can be used in the IMA policy to allow a hook
24362306a36Sopenharmony_ci	   to accept such signatures.
24462306a36Sopenharmony_ci
24562306a36Sopenharmony_ciconfig IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
24662306a36Sopenharmony_ci	bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
24762306a36Sopenharmony_ci	depends on SYSTEM_TRUSTED_KEYRING
24862306a36Sopenharmony_ci	depends on SECONDARY_TRUSTED_KEYRING
24962306a36Sopenharmony_ci	depends on INTEGRITY_ASYMMETRIC_KEYS
25062306a36Sopenharmony_ci	select INTEGRITY_TRUSTED_KEYRING
25162306a36Sopenharmony_ci	default n
25262306a36Sopenharmony_ci	help
25362306a36Sopenharmony_ci	  Keys may be added to the IMA or IMA blacklist keyrings, if the
25462306a36Sopenharmony_ci	  key is validly signed by a CA cert in the system built-in or
25562306a36Sopenharmony_ci	  secondary trusted keyrings. The key must also have the
25662306a36Sopenharmony_ci	  digitalSignature usage set.
25762306a36Sopenharmony_ci
25862306a36Sopenharmony_ci	  Intermediate keys between those the kernel has compiled in and the
25962306a36Sopenharmony_ci	  IMA keys to be added may be added to the system secondary keyring,
26062306a36Sopenharmony_ci	  provided they are validly signed by a key already resident in the
26162306a36Sopenharmony_ci	  built-in or secondary trusted keyrings.
26262306a36Sopenharmony_ci
26362306a36Sopenharmony_ciconfig IMA_BLACKLIST_KEYRING
26462306a36Sopenharmony_ci	bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
26562306a36Sopenharmony_ci	depends on SYSTEM_TRUSTED_KEYRING
26662306a36Sopenharmony_ci	depends on INTEGRITY_TRUSTED_KEYRING
26762306a36Sopenharmony_ci	default n
26862306a36Sopenharmony_ci	help
26962306a36Sopenharmony_ci	   This option creates an IMA blacklist keyring, which contains all
27062306a36Sopenharmony_ci	   revoked IMA keys.  It is consulted before any other keyring.  If
27162306a36Sopenharmony_ci	   the search is successful the requested operation is rejected and
27262306a36Sopenharmony_ci	   an error is returned to the caller.
27362306a36Sopenharmony_ci
27462306a36Sopenharmony_ciconfig IMA_LOAD_X509
27562306a36Sopenharmony_ci	bool "Load X509 certificate onto the '.ima' trusted keyring"
27662306a36Sopenharmony_ci	depends on INTEGRITY_TRUSTED_KEYRING
27762306a36Sopenharmony_ci	default n
27862306a36Sopenharmony_ci	help
27962306a36Sopenharmony_ci	   File signature verification is based on the public keys
28062306a36Sopenharmony_ci	   loaded on the .ima trusted keyring. These public keys are
28162306a36Sopenharmony_ci	   X509 certificates signed by a trusted key on the
28262306a36Sopenharmony_ci	   .system keyring.  This option enables X509 certificate
28362306a36Sopenharmony_ci	   loading from the kernel onto the '.ima' trusted keyring.
28462306a36Sopenharmony_ci
28562306a36Sopenharmony_ciconfig IMA_X509_PATH
28662306a36Sopenharmony_ci	string "IMA X509 certificate path"
28762306a36Sopenharmony_ci	depends on IMA_LOAD_X509
28862306a36Sopenharmony_ci	default "/etc/keys/x509_ima.der"
28962306a36Sopenharmony_ci	help
29062306a36Sopenharmony_ci	   This option defines the IMA X509 certificate path.
29162306a36Sopenharmony_ci
29262306a36Sopenharmony_ciconfig IMA_APPRAISE_SIGNED_INIT
29362306a36Sopenharmony_ci	bool "Require signed user-space initialization"
29462306a36Sopenharmony_ci	depends on IMA_LOAD_X509
29562306a36Sopenharmony_ci	default n
29662306a36Sopenharmony_ci	help
29762306a36Sopenharmony_ci	   This option requires user-space init to be signed.
29862306a36Sopenharmony_ci
29962306a36Sopenharmony_ciconfig IMA_MEASURE_ASYMMETRIC_KEYS
30062306a36Sopenharmony_ci	bool
30162306a36Sopenharmony_ci	depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
30262306a36Sopenharmony_ci	default y
30362306a36Sopenharmony_ci
30462306a36Sopenharmony_ciconfig IMA_QUEUE_EARLY_BOOT_KEYS
30562306a36Sopenharmony_ci	bool
30662306a36Sopenharmony_ci	depends on IMA_MEASURE_ASYMMETRIC_KEYS
30762306a36Sopenharmony_ci	depends on SYSTEM_TRUSTED_KEYRING
30862306a36Sopenharmony_ci	default y
30962306a36Sopenharmony_ci
31062306a36Sopenharmony_ciconfig IMA_SECURE_AND_OR_TRUSTED_BOOT
31162306a36Sopenharmony_ci       bool
31262306a36Sopenharmony_ci       depends on IMA_ARCH_POLICY
31362306a36Sopenharmony_ci       help
31462306a36Sopenharmony_ci          This option is selected by architectures to enable secure and/or
31562306a36Sopenharmony_ci          trusted boot based on IMA runtime policies.
31662306a36Sopenharmony_ci
31762306a36Sopenharmony_ciconfig IMA_DISABLE_HTABLE
31862306a36Sopenharmony_ci	bool "Disable htable to allow measurement of duplicate records"
31962306a36Sopenharmony_ci	default n
32062306a36Sopenharmony_ci	help
32162306a36Sopenharmony_ci	   This option disables the htable to allow measurement of duplicate records.
32262306a36Sopenharmony_ci
32362306a36Sopenharmony_ciendif