security/integrity/ima/Kconfig

Source file repositories/reference/linux-study-clean/security/integrity/ima/Kconfig

File Facts

System
Linux kernel
Corpus path
security/integrity/ima/Kconfig
Extension
[no extension]
Size
11499 bytes
Lines
351
Domain
Core OS
Bucket
Security And Isolation
Inferred role
Core OS: build/configuration rule
Status
atlas-only

Why This File Exists

Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.

Dependency Surface

Detected Declarations

Annotated Snippet

# SPDX-License-Identifier: GPL-2.0-only
# IBM Integrity Measurement Architecture
#
config IMA
	bool "Integrity Measurement Architecture(IMA)"
	select SECURITYFS
	select CRYPTO
	select CRYPTO_HMAC
	select CRYPTO_SHA1
	select CRYPTO_HASH_INFO
	select SECURITY_PATH
	select TCG_TPM if HAS_IOMEM
	select TCG_TIS if TCG_TPM && X86
	select TCG_CRB if TCG_TPM && ACPI
	select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
	select INTEGRITY_AUDIT if AUDIT
	help
	  The Trusted Computing Group(TCG) runtime Integrity
	  Measurement Architecture(IMA) maintains a list of hash
	  values of executables and other sensitive system files,
	  as they are read or executed. If an attacker manages
	  to change the contents of an important system file
	  being measured, we can tell.

	  If your system has a TPM chip, then IMA also maintains
	  an aggregate integrity value over this list inside the
	  TPM hardware, so that the TPM can prove to a third party
	  whether or not critical system files have been modified.
	  Read <https://www.usenix.org/events/sec04/tech/sailer.html>
	  to learn more about IMA.
	  If unsure, say N.

if IMA

config IMA_KEXEC
	bool "Enable carrying the IMA measurement list across a soft boot"
	depends on TCG_TPM && HAVE_IMA_KEXEC
	default n
	help
	   TPM PCRs are only reset on a hard reboot.  In order to validate
	   a TPM's quote after a soft boot, the IMA measurement list of the
	   running kernel must be saved and restored on boot.

	   Depending on the IMA policy, the measurement list can grow to
	   be very large.

config IMA_MEASURE_PCR_IDX
	int
	range 8 14
	default 10
	help
	  IMA_MEASURE_PCR_IDX determines the TPM PCR register index
	  that IMA uses to maintain the integrity aggregate of the
	  measurement list.  If unsure, use the default 10.

config IMA_LSM_RULES
	bool
	depends on AUDIT && (SECURITY_SELINUX || SECURITY_SMACK || SECURITY_APPARMOR)
	default y
	help
	  Disabling this option will disregard LSM based policy rules.

choice
	prompt "Default template"
	default IMA_NG_TEMPLATE
	help
	  Select the default IMA measurement template.

	  The original 'ima' measurement list template contains a
	  hash, defined as 20 bytes, and a null terminated pathname,

Annotation

Implementation Notes