Home Explore Help
Register Sign In
phyus
/
linux-vybrid_public
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: be055b2f89
Branches Tags
linux-vybrid_pu...
/
security
/
integrity
/
ima
/
Kconfig

Kconfig 2.2 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273 
  1. # IBM Integrity Measurement Architecture
    2. 

  2. #
    3. 

  3. config IMA
    4. 

  4. 	bool "Integrity Measurement Architecture(IMA)"
    5. 

  5. 	depends on SECURITY
    6. 

  6. 	select INTEGRITY
    7. 

  7. 	select SECURITYFS
    8. 

  8. 	select CRYPTO
    9. 

  9. 	select CRYPTO_HMAC
    10. 

  10. 	select CRYPTO_MD5
    11. 

  11. 	select CRYPTO_SHA1
    12. 

  12. 	select TCG_TPM if HAS_IOMEM && !UML
    13. 

  13. 	select TCG_TIS if TCG_TPM && X86
    14. 

  14. 	select TCG_IBMVTPM if TCG_TPM && PPC64
    15. 

  15. 	help
    16. 

  16. 	  The Trusted Computing Group(TCG) runtime Integrity
    17. 

  17. 	  Measurement Architecture(IMA) maintains a list of hash
    18. 

  18. 	  values of executables and other sensitive system files,
    19. 

  19. 	  as they are read or executed. If an attacker manages
    20. 

  20. 	  to change the contents of an important system file
    21. 

  21. 	  being measured, we can tell.
    22. 

  22. 

  23. 	  If your system has a TPM chip, then IMA also maintains
    24. 

  24. 	  an aggregate integrity value over this list inside the
    25. 

  25. 	  TPM hardware, so that the TPM can prove to a third party
    26. 

  26. 	  whether or not critical system files have been modified.
    27. 

  27. 	  Read <http://www.usenix.org/events/sec04/tech/sailer.html>
    28. 

  28. 	  to learn more about IMA.
    29. 

  29. 	  If unsure, say N.
    30. 

  30. 

  31. config IMA_MEASURE_PCR_IDX
    32. 

  32. 	int
    33. 

  33. 	depends on IMA
    34. 

  34. 	range 8 14
    35. 

  35. 	default 10
    36. 

  36. 	help
    37. 

  37. 	  IMA_MEASURE_PCR_IDX determines the TPM PCR register index
    38. 

  38. 	  that IMA uses to maintain the integrity aggregate of the
    39. 

  39. 	  measurement list.  If unsure, use the default 10.
    40. 

  40. 

  41. config IMA_AUDIT
    42. 

  42. 	bool "Enables auditing support"
    43. 

  43. 	depends on IMA
    44. 

  44. 	depends on AUDIT
    45. 

  45. 	default y
    46. 

  46. 	help
    47. 

  47. 	  This option adds a kernel parameter 'ima_audit', which
    48. 

  48. 	  allows informational auditing messages to be enabled
    49. 

  49. 	  at boot.  If this option is selected, informational integrity
    50. 

  50. 	  auditing messages can be enabled with 'ima_audit=1' on
    51. 

  51. 	  the kernel command line.
    52. 

  52. 

  53. config IMA_LSM_RULES
    54. 

  54. 	bool
    55. 

  55. 	depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)
    56. 

  56. 	default y
    57. 

  57. 	help
    58. 

  58. 	  Disabling this option will disregard LSM based policy rules.
    59. 

  59. 

  60. config IMA_APPRAISE
    61. 

  61. 	bool "Appraise integrity measurements"
    62. 

  62. 	depends on IMA
    63. 

  63. 	default n
    64. 

  64. 	help
    65. 

  65. 	  This option enables local measurement integrity appraisal.
    66. 

  66. 	  It requires the system to be labeled with a security extended
    67. 

  67. 	  attribute containing the file hash measurement.  To protect
    68. 

  68. 	  the security extended attributes from offline attack, enable
    69. 

  69. 	  and configure EVM.
    70. 

  70. 

  71. 	  For more information on integrity appraisal refer to:
    72. 

  72. 	  <http://linux-ima.sourceforge.net>
    73. 

  73. 	  If unsure, say N.
    74.