| blob | 39196abaff0d69d7d600ecd53847ba62b8cebed1 |
1 # IBM Integrity Measurement Architecture
2 #
3 config IMA
4 bool "Integrity Measurement Architecture(IMA)"
5 depends on SECURITY
6 select INTEGRITY
7 select SECURITYFS
8 select CRYPTO
9 select CRYPTO_HMAC
10 select CRYPTO_MD5
11 select CRYPTO_SHA1
12 select TCG_TPM if HAS_IOMEM && !UML
13 select TCG_TIS if TCG_TPM && X86
14 select TCG_IBMVTPM if TCG_TPM && PPC64
15 help
16 The Trusted Computing Group(TCG) runtime Integrity
17 Measurement Architecture(IMA) maintains a list of hash
18 values of executables and other sensitive system files,
19 as they are read or executed. If an attacker manages
20 to change the contents of an important system file
21 being measured, we can tell.
23 If your system has a TPM chip, then IMA also maintains
24 an aggregate integrity value over this list inside the
25 TPM hardware, so that the TPM can prove to a third party
26 whether or not critical system files have been modified.
27 Read <http://www.usenix.org/events/sec04/tech/sailer.html>
28 to learn more about IMA.
29 If unsure, say N.
31 config IMA_MEASURE_PCR_IDX
32 int
33 depends on IMA
34 range 8 14
35 default 10
36 help
37 IMA_MEASURE_PCR_IDX determines the TPM PCR register index
38 that IMA uses to maintain the integrity aggregate of the
39 measurement list. If unsure, use the default 10.
41 config IMA_LSM_RULES
42 bool
43 depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)
44 default y
45 help
46 Disabling this option will disregard LSM based policy rules.
48 config IMA_APPRAISE
49 bool "Appraise integrity measurements"
50 depends on IMA
51 default n
52 help
53 This option enables local measurement integrity appraisal.
54 It requires the system to be labeled with a security extended
55 attribute containing the file hash measurement. To protect
56 the security extended attributes from offline attack, enable
57 and configure EVM.
59 For more information on integrity appraisal refer to:
60 <http://linux-ima.sourceforge.net>
61 If unsure, say N.