Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial

[deliverable/linux.git] / security / integrity / ima / Kconfig

# IBM Integrity Measurement Architecture
#
config IMA
        bool "Integrity Measurement Architecture(IMA)"
        select SECURITYFS
        select CRYPTO
        select CRYPTO_HMAC
        select CRYPTO_MD5
        select CRYPTO_SHA1
        select CRYPTO_HASH_INFO
        select TCG_TPM if HAS_IOMEM && !UML
        select TCG_TIS if TCG_TPM && X86
        select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
        help
          The Trusted Computing Group(TCG) runtime Integrity
          Measurement Architecture(IMA) maintains a list of hash
          values of executables and other sensitive system files,
          as they are read or executed. If an attacker manages
          to change the contents of an important system file
          being measured, we can tell.

          If your system has a TPM chip, then IMA also maintains
          an aggregate integrity value over this list inside the
          TPM hardware, so that the TPM can prove to a third party
          whether or not critical system files have been modified.
          Read <http://www.usenix.org/events/sec04/tech/sailer.html>
          to learn more about IMA.
          If unsure, say N.

config IMA_MEASURE_PCR_IDX
        int
        depends on IMA
        range 8 14
        default 10
        help
          IMA_MEASURE_PCR_IDX determines the TPM PCR register index
          that IMA uses to maintain the integrity aggregate of the
          measurement list.  If unsure, use the default 10.

config IMA_LSM_RULES
        bool
        depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)
        default y
        help
          Disabling this option will disregard LSM based policy rules.

choice
        prompt "Default template"
        default IMA_NG_TEMPLATE
        depends on IMA
        help
          Select the default IMA measurement template.

          The original 'ima' measurement list template contains a
          hash, defined as 20 bytes, and a null terminated pathname,
          limited to 255 characters.  The 'ima-ng' measurement list
          template permits both larger hash digests and longer
          pathnames.

        config IMA_TEMPLATE
                bool "ima"
        config IMA_NG_TEMPLATE
                bool "ima-ng (default)"
        config IMA_SIG_TEMPLATE
                bool "ima-sig"
endchoice

config IMA_DEFAULT_TEMPLATE
        string
        depends on IMA
        default "ima" if IMA_TEMPLATE
        default "ima-ng" if IMA_NG_TEMPLATE
        default "ima-sig" if IMA_SIG_TEMPLATE

choice
        prompt "Default integrity hash algorithm"
        default IMA_DEFAULT_HASH_SHA1
        depends on IMA
        help
           Select the default hash algorithm used for the measurement
           list, integrity appraisal and audit log.  The compiled default
           hash algorithm can be overwritten using the kernel command
           line 'ima_hash=' option.

        config IMA_DEFAULT_HASH_SHA1
                bool "SHA1 (default)"
                depends on CRYPTO_SHA1

        config IMA_DEFAULT_HASH_SHA256
                bool "SHA256"
                depends on CRYPTO_SHA256 && !IMA_TEMPLATE

        config IMA_DEFAULT_HASH_SHA512
                bool "SHA512"
                depends on CRYPTO_SHA512 && !IMA_TEMPLATE

        config IMA_DEFAULT_HASH_WP512
                bool "WP512"
                depends on CRYPTO_WP512 && !IMA_TEMPLATE
endchoice

config IMA_DEFAULT_HASH
        string
        depends on IMA
        default "sha1" if IMA_DEFAULT_HASH_SHA1
        default "sha256" if IMA_DEFAULT_HASH_SHA256
        default "sha512" if IMA_DEFAULT_HASH_SHA512
        default "wp512" if IMA_DEFAULT_HASH_WP512

config IMA_WRITE_POLICY
        bool "Enable multiple writes to the IMA policy"
        depends on IMA
        default n
        help
          IMA policy can now be updated multiple times.  The new rules get
          appended to the original policy.  Have in mind that the rules are
          scanned in FIFO order so be careful when you design and add new ones.

          If unsure, say N.

config IMA_READ_POLICY
        bool "Enable reading back the current IMA policy"
        depends on IMA
        default y if IMA_WRITE_POLICY
        default n if !IMA_WRITE_POLICY
        help
           It is often useful to be able to read back the IMA policy.  It is
           even more important after introducing CONFIG_IMA_WRITE_POLICY.
           This option allows the root user to see the current policy rules.

config IMA_APPRAISE
        bool "Appraise integrity measurements"
        depends on IMA
        default n
        help
          This option enables local measurement integrity appraisal.
          It requires the system to be labeled with a security extended
          attribute containing the file hash measurement.  To protect
          the security extended attributes from offline attack, enable
          and configure EVM.

          For more information on integrity appraisal refer to:
          <http://linux-ima.sourceforge.net>
          If unsure, say N.

config IMA_TRUSTED_KEYRING
        bool "Require all keys on the .ima keyring be signed (deprecated)"
        depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
        depends on INTEGRITY_ASYMMETRIC_KEYS
        select INTEGRITY_TRUSTED_KEYRING
        default y
        help
           This option requires that all keys added to the .ima
           keyring be signed by a key on the system trusted keyring.

           This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING

config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
        bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
        depends on SYSTEM_TRUSTED_KEYRING
        depends on SECONDARY_TRUSTED_KEYRING
        depends on INTEGRITY_ASYMMETRIC_KEYS
        select INTEGRITY_TRUSTED_KEYRING
        default n
        help
          Keys may be added to the IMA or IMA blacklist keyrings, if the
          key is validly signed by a CA cert in the system built-in or
          secondary trusted keyrings.

          Intermediate keys between those the kernel has compiled in and the
          IMA keys to be added may be added to the system secondary keyring,
          provided they are validly signed by a key already resident in the
          built-in or secondary trusted keyrings.

config IMA_BLACKLIST_KEYRING
        bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
        depends on SYSTEM_TRUSTED_KEYRING
        depends on IMA_TRUSTED_KEYRING
        default n
        help
           This option creates an IMA blacklist keyring, which contains all
           revoked IMA keys.  It is consulted before any other keyring.  If
           the search is successful the requested operation is rejected and
           an error is returned to the caller.

config IMA_LOAD_X509
        bool "Load X509 certificate onto the '.ima' trusted keyring"
        depends on IMA_TRUSTED_KEYRING
        default n
        help
           File signature verification is based on the public keys
           loaded on the .ima trusted keyring. These public keys are
           X509 certificates signed by a trusted key on the
           .system keyring.  This option enables X509 certificate
           loading from the kernel onto the '.ima' trusted keyring.

config IMA_X509_PATH
        string "IMA X509 certificate path"
        depends on IMA_LOAD_X509
        default "/etc/keys/x509_ima.der"
        help
           This option defines IMA X509 certificate path.

config IMA_APPRAISE_SIGNED_INIT
        bool "Require signed user-space initialization"
        depends on IMA_LOAD_X509
        default n
        help
           This option requires user-space init to be signed.