Mimi Zohar | 3323eec9 | 2009-02-04 09:06:58 -0500 | [diff] [blame] | 1 | # IBM Integrity Measurement Architecture |
| 2 | # |
| 3 | config IMA |
| 4 | bool "Integrity Measurement Architecture(IMA)" |
| 5 | depends on ACPI |
| 6 | select SECURITYFS |
| 7 | select CRYPTO |
| 8 | select CRYPTO_HMAC |
| 9 | select CRYPTO_MD5 |
| 10 | select CRYPTO_SHA1 |
| 11 | select TCG_TPM |
| 12 | select TCG_TIS |
| 13 | help |
| 14 | The Trusted Computing Group(TCG) runtime Integrity |
| 15 | Measurement Architecture(IMA) maintains a list of hash |
| 16 | values of executables and other sensitive system files, |
| 17 | as they are read or executed. If an attacker manages |
| 18 | to change the contents of an important system file |
| 19 | being measured, we can tell. |
| 20 | |
| 21 | If your system has a TPM chip, then IMA also maintains |
| 22 | an aggregate integrity value over this list inside the |
| 23 | TPM hardware, so that the TPM can prove to a third party |
| 24 | whether or not critical system files have been modified. |
| 25 | Read <http://www.usenix.org/events/sec04/tech/sailer.html> |
| 26 | to learn more about IMA. |
| 27 | If unsure, say N. |
| 28 | |
| 29 | config IMA_MEASURE_PCR_IDX |
| 30 | int |
| 31 | depends on IMA |
| 32 | range 8 14 |
| 33 | default 10 |
| 34 | help |
| 35 | IMA_MEASURE_PCR_IDX determines the TPM PCR register index |
| 36 | that IMA uses to maintain the integrity aggregate of the |
| 37 | measurement list. If unsure, use the default 10. |
| 38 | |
| 39 | config IMA_AUDIT |
| 40 | bool |
| 41 | depends on IMA |
| 42 | default y |
| 43 | help |
| 44 | This option adds a kernel parameter 'ima_audit', which |
| 45 | allows informational auditing messages to be enabled |
| 46 | at boot. If this option is selected, informational integrity |
| 47 | auditing messages can be enabled with 'ima_audit=1' on |
| 48 | the kernel command line. |
| 49 | |
Mimi Zohar | 4af4662 | 2009-02-04 09:07:00 -0500 | [diff] [blame^] | 50 | config IMA_LSM_RULES |
| 51 | bool |
| 52 | depends on IMA && (SECURITY_SELINUX || SECURITY_SMACK) |
| 53 | default y |
| 54 | help |
| 55 | Disabling this option will disregard LSM based policy rules |