^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) # SPDX-License-Identifier: GPL-2.0-only
# IBM Integrity Measurement Architecture
#
config IMA
	bool "Integrity Measurement Architecture (IMA)"
	select SECURITYFS
	select CRYPTO
	select CRYPTO_HMAC
	select CRYPTO_SHA1
	select CRYPTO_HASH_INFO
	select TCG_TPM if HAS_IOMEM && !UML
	select TCG_TIS if TCG_TPM && X86
	select TCG_CRB if TCG_TPM && ACPI
	select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
	select INTEGRITY_AUDIT if AUDIT
	help
	  The Trusted Computing Group (TCG) runtime Integrity
	  Measurement Architecture (IMA) maintains a list of hash
	  values of executables and other sensitive system files,
	  as they are read or executed. If an attacker manages
	  to change the contents of an important system file
	  being measured, we can tell.

	  If your system has a TPM chip, then IMA also maintains
	  an aggregate integrity value over this list inside the
	  TPM hardware, so that the TPM can prove to a third party
	  whether or not critical system files have been modified.
	  Read <https://www.usenix.org/events/sec04/tech/sailer.html>
	  to learn more about IMA.
	  If unsure, say N.

config IMA_KEXEC
	bool "Enable carrying the IMA measurement list across a soft boot"
	depends on IMA && TCG_TPM && HAVE_IMA_KEXEC
	default n
	help
	  TPM PCRs are only reset on a hard reboot. In order to validate
	  a TPM's quote after a soft boot, the IMA measurement list of the
	  running kernel must be saved and restored on boot.

	  Depending on the IMA policy, the measurement list can grow to
	  be very large.

config IMA_MEASURE_PCR_IDX
	int
	depends on IMA
	range 8 14
	default 10
	help
	  IMA_MEASURE_PCR_IDX determines the TPM PCR register index
	  that IMA uses to maintain the integrity aggregate of the
	  measurement list. If unsure, use the default 10.

config IMA_LSM_RULES
	bool
	depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK || SECURITY_APPARMOR)
	default y
	help
	  Disabling this option will disregard LSM based policy rules.

choice
	prompt "Default template"
	default IMA_NG_TEMPLATE
	depends on IMA
	help
	  Select the default IMA measurement template.

	  The original 'ima' measurement list template contains a
	  hash, defined as 20 bytes, and a null terminated pathname,
	  limited to 255 characters. The 'ima-ng' measurement list
	  template permits both larger hash digests and longer
	  pathnames.

	config IMA_TEMPLATE
		bool "ima"
	config IMA_NG_TEMPLATE
		bool "ima-ng (default)"
	config IMA_SIG_TEMPLATE
		bool "ima-sig"
endchoice
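The IMA help text above describes the aggregate the TPM keeps over the measurement list, and the template choice describes the two list entry layouts; both come down to the same computation, so one added example covers both. This is not kernel code: it is a Python model of how a remote verifier rebuilds the PCR value from the entries in ascii_runtime_measurements, using constructed sample files. It assumes the SHA-1 PCR bank (the template-hash column of the ascii list), the 'ima-ng' field hashing where each field is prefixed by its little-endian 32-bit length, the legacy 'ima' layout of a 20-byte digest plus a pathname zero-padded to 256 bytes, and it leaves out the boot_aggregate entry that a real list begins with.

```python
"""Added example (not kernel code): build IMA measurement-list entries for the
'ima' and 'ima-ng' templates and replay them into a software PCR, the way a
remote verifier recomputes the TPM aggregate from ascii_runtime_measurements.

Assumptions (labelled): the list below is constructed, not captured from a
real system; a real list starts with a 'boot_aggregate' entry, omitted here;
the SHA-1 PCR bank is modelled; the template-hash layouts are as described in
the lead-in.
"""
import hashlib
import struct

PCR_IDX = 10            # CONFIG_IMA_MEASURE_PCR_IDX default
SHA1_ZERO = bytes(20)   # PCR value after a hard reset (SHA-1 bank)


def template_hash_ima(file_digest: bytes, path: str) -> bytes:
    """Legacy 'ima' template: sha1(20-byte digest || pathname zero-padded to 256)."""
    if len(file_digest) != 20:
        raise ValueError("'ima' template carries a fixed 20-byte (SHA-1) digest")
    name = path.encode()
    if len(name) > 255:
        raise ValueError("'ima' template limits pathnames to 255 characters")
    return hashlib.sha1(file_digest + name.ljust(256, b"\0")).digest()


def template_hash_ng(algo: str, file_digest: bytes, path: str) -> bytes:
    """'ima-ng' template: sha1(le32(len(d-ng)) || d-ng || le32(len(n-ng)) || n-ng)
    with d-ng = b"<algo>:\\0" + digest and n-ng = path + NUL."""
    d_ng = algo.encode() + b":\0" + file_digest
    n_ng = path.encode() + b"\0"
    h = hashlib.sha1()
    for field in (d_ng, n_ng):
        h.update(struct.pack("<I", len(field)))
        h.update(field)
    return h.digest()


def pcr_extend(pcr: bytes, template_hash: bytes) -> bytes:
    """TPM extend for the SHA-1 bank: new = sha1(old || template_hash)."""
    return hashlib.sha1(pcr + template_hash).digest()


def format_ng_line(file_digest: bytes, path: str, algo: str = "sha256") -> str:
    """One ascii list line: '<pcr> <template-hash> ima-ng <algo>:<hash> <path>'."""
    th = template_hash_ng(algo, file_digest, path)
    return f"{PCR_IDX} {th.hex()} ima-ng {algo}:{file_digest.hex()} {path}"


def parse_ng_line(line: str):
    """Split an ima-ng list line into (pcr, template_hash, algo, file_digest, path)."""
    pcr, th, tmpl, dig, path = line.split(" ", 4)
    if tmpl != "ima-ng":
        raise ValueError(f"unsupported template {tmpl!r}")
    algo, hexdigest = dig.split(":", 1)
    return int(pcr), bytes.fromhex(th), algo, bytes.fromhex(hexdigest), path


def replay_ng_list(lines) -> bytes:
    """Verifier side: check each template hash against its own fields, then
    replay the extends from the reset value. Returns the expected PCR value."""
    pcr = SHA1_ZERO
    for line in lines:
        _, th, algo, dig, path = parse_ng_line(line)
        if template_hash_ng(algo, dig, path) != th:
            raise ValueError(f"template hash mismatch for {path}")
        pcr = pcr_extend(pcr, th)
    return pcr


# Constructed sample: file contents a verifier might see measured at boot.
SAMPLE_FILES = {
    "/usr/bin/bash": b"#!/bin/bash\necho constructed sample\n",
    "/usr/lib/libc.so.6": b"\x7fELF constructed sample bytes",
}


def build_sample_list() -> list:
    return [format_ng_line(hashlib.sha256(data).digest(), path)
            for path, data in SAMPLE_FILES.items()]


def tpm_quote_matches(lines, quoted_pcr: bytes) -> bool:
    """What the attester checks: the replayed list must equal the quoted PCR."""
    try:
        return replay_ng_list(lines) == quoted_pcr
    except ValueError:
        return False


if __name__ == "__main__":
    entries = build_sample_list()
    pcr = SHA1_ZERO
    for e in entries:
        pcr = pcr_extend(pcr, parse_ng_line(e)[1])
    print("\n".join(entries))
    print("PCR-%d = %s" % (PCR_IDX, pcr.hex()))
    print("verified:", tpm_quote_matches(entries, pcr))
```

Two properties of the replay are worth noticing: the extend is order-sensitive, so the list must be replayed in the order it was recorded, and an entry whose path or digest was edited after the fact fails the template-hash check before the PCR comparison is even reached. The same replay continues across a kexec when IMA_KEXEC carries the list over, because the PCR is not reset by a soft boot.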

config IMA_DEFAULT_TEMPLATE
	string
	depends on IMA
	default "ima" if IMA_TEMPLATE
	default "ima-ng" if IMA_NG_TEMPLATE
	default "ima-sig" if IMA_SIG_TEMPLATE

choice
	prompt "Default integrity hash algorithm"
	default IMA_DEFAULT_HASH_SHA1
	depends on IMA
	help
	  Select the default hash algorithm used for the measurement
	  list, integrity appraisal and audit log. The compiled default
	  hash algorithm can be overridden using the kernel command
	  line 'ima_hash=' option.

	config IMA_DEFAULT_HASH_SHA1
		bool "SHA1 (default)"
		depends on CRYPTO_SHA1=y

	config IMA_DEFAULT_HASH_SHA256
		bool "SHA256"
		depends on CRYPTO_SHA256=y && !IMA_TEMPLATE

	config IMA_DEFAULT_HASH_SHA512
		bool "SHA512"
		depends on CRYPTO_SHA512=y && !IMA_TEMPLATE

	config IMA_DEFAULT_HASH_WP512
		bool "WP512"
		depends on CRYPTO_WP512=y && !IMA_TEMPLATE

	config IMA_DEFAULT_HASH_SM3
		bool "SM3"
		depends on CRYPTO_SM3=y && !IMA_TEMPLATE
endchoice

config IMA_DEFAULT_HASH
	string
	depends on IMA
	default "sha1" if IMA_DEFAULT_HASH_SHA1
	default "sha256" if IMA_DEFAULT_HASH_SHA256
	default "sha512" if IMA_DEFAULT_HASH_SHA512
	default "wp512" if IMA_DEFAULT_HASH_WP512
	default "sm3" if IMA_DEFAULT_HASH_SM3

config IMA_WRITE_POLICY
	bool "Enable multiple writes to the IMA policy"
	depends on IMA
	default n
	help
	  IMA policy can now be updated multiple times. The new rules get
	  appended to the original policy. Keep in mind that the rules are
	  scanned in FIFO order, so be careful when you design and add new ones.

	  If unsure, say N.
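The FIFO warning above is easy to underestimate, so here is an added example (not kernel code) that models the walk: rules are kept in the order they were written, and for each action class (measure, appraise, audit) the first rule that matches a file access decides, so a 'dont_' exemption only works if it precedes the positive rule. The rule syntax and matching are a constructed simplification that supports only the func=, mask=, fsmagic=, uid= and fowner= conditions; appraise_type= is carried as a qualifier of the appraise action and is not matched on. The two policies and the two file events are constructed for the demonstration.

```python
"""Added example, not kernel code: a small model of how IMA walks its policy
in FIFO order, with per-action-class first-match-wins semantics. Supports a
constructed subset of the rule syntax (see the lead-in)."""
from dataclasses import dataclass, field
from typing import Dict, List

TMPFS_MAGIC = 0x01021994     # fsmagic value as written in IMA policy rules
EXT4_SUPER_MAGIC = 0xEF53

MATCH_KEYS = ("func", "mask", "fsmagic", "uid", "fowner")


@dataclass
class FileEvent:
    path: str
    func: str      # IMA hook name, e.g. BPRM_CHECK, FILE_CHECK, MODULE_CHECK
    mask: str      # MAY_EXEC, MAY_READ or MAY_WRITE
    fsmagic: int
    uid: int       # uid of the process opening the file
    fowner: int    # uid owning the file


@dataclass
class Rule:
    action: str                    # measure, dont_measure, appraise, dont_appraise, audit
    conds: Dict[str, object] = field(default_factory=dict)
    qualifiers: Dict[str, str] = field(default_factory=dict)

    @property
    def action_class(self) -> str:
        return self.action[5:] if self.action.startswith("dont_") else self.action

    @property
    def positive(self) -> bool:
        return not self.action.startswith("dont_")


def parse_rule(text: str) -> Rule:
    """Parse a line such as 'measure func=BPRM_CHECK mask=MAY_EXEC'."""
    action, *conds = text.split()
    rule = Rule(action)
    for cond in conds:
        key, value = cond.split("=", 1)
        if key in ("fsmagic", "uid", "fowner"):
            rule.conds[key] = int(value, 0)       # accepts 0x... as in the policy syntax
        elif key in MATCH_KEYS:
            rule.conds[key] = value
        elif key == "appraise_type":
            rule.qualifiers[key] = value
        else:
            raise ValueError(f"unsupported condition {key!r} in this model")
    return rule


def load_policy(lines: List[str]) -> List[Rule]:
    return [parse_rule(line) for line in lines if line.strip() and not line.startswith("#")]


def rule_matches(rule: Rule, ev: FileEvent) -> bool:
    return all(getattr(ev, key) == want for key, want in rule.conds.items())


def evaluate(policy: List[Rule], ev: FileEvent) -> Dict[str, bool]:
    """Walk the rules in FIFO order. For each action class the first matching
    rule fixes the outcome; later rules of that class are never consulted."""
    decided: Dict[str, bool] = {}
    for rule in policy:
        cls = rule.action_class
        if cls in decided or not rule_matches(rule, ev):
            continue
        decided[cls] = rule.positive
    return decided


# Constructed policies: the same rules, exemption first versus exemption appended.
EXEMPT_FIRST = load_policy([
    "dont_measure fsmagic=0x01021994",            # tmpfs, exempted before the measure rule
    "measure func=BPRM_CHECK mask=MAY_EXEC",
    "appraise func=BPRM_CHECK fowner=0 appraise_type=imasig",
])
EXEMPT_APPENDED = load_policy([
    "measure func=BPRM_CHECK mask=MAY_EXEC",
    "dont_measure fsmagic=0x01021994",            # appended later: too late for executables
    "appraise func=BPRM_CHECK fowner=0 appraise_type=imasig",
])

# Constructed file accesses.
TMPFS_EXEC = FileEvent("/tmp/build/a.out", "BPRM_CHECK", "MAY_EXEC", TMPFS_MAGIC, uid=1000, fowner=1000)
ROOT_BINARY = FileEvent("/usr/bin/ls", "BPRM_CHECK", "MAY_EXEC", EXT4_SUPER_MAGIC, uid=1000, fowner=0)

if __name__ == "__main__":
    for name, policy in (("exempt first", EXEMPT_FIRST), ("exempt appended", EXEMPT_APPENDED)):
        print(name, "->", evaluate(policy, TMPFS_EXEC), evaluate(policy, ROOT_BINARY))
```

With IMA_WRITE_POLICY every later write is appended, so an exemption written after the fact cannot override a positive rule that is already in place; the exemptions have to be in the first write, ahead of the rules they qualify.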

config IMA_READ_POLICY
	bool "Enable reading back the current IMA policy"
	depends on IMA
	default y if IMA_WRITE_POLICY
	default n if !IMA_WRITE_POLICY
	help
	  It is often useful to be able to read back the IMA policy. It is
	  even more important after introducing CONFIG_IMA_WRITE_POLICY.
	  This option allows the root user to see the current policy rules.

config IMA_APPRAISE
	bool "Appraise integrity measurements"
	depends on IMA
	default n
	help
	  This option enables local measurement integrity appraisal.
	  It requires the system to be labeled with a security extended
	  attribute containing the file hash measurement. To protect
	  the security extended attributes from offline attack, enable
	  and configure EVM.

	  For more information on integrity appraisal refer to:
	  <http://linux-ima.sourceforge.net>
	  If unsure, say N.
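An added example (not kernel code) of the local hash appraisal this option enables: a labelled file carries a security.ima xattr holding its hash, and appraisal recomputes the hash of the content being read and compares it with the label. The xattr layout follows the kernel's IMA_XATTR_DIGEST_NG encoding (type byte 0x04, one hash-algorithm byte with HASH_ALGO_SHA256 = 4, then the raw digest). The files and their xattrs live in a constructed in-memory stand-in so the example runs without xattr support or privileges; on a real system the same value is what os.getxattr(path, "security.ima") returns. The fix() method is a model of what the ima_appraise=fix boot mode does, not a reimplementation of it.

```python
"""Added example, not kernel code: a model of IMA hash appraisal against a
security.ima xattr in the IMA_XATTR_DIGEST_NG layout. Filesystem and xattrs
are a constructed in-memory stand-in."""
import hashlib
from typing import Dict, Optional

IMA_XATTR_DIGEST_NG = 0x04
HASH_ALGO_ID = {"sha1": 2, "sha256": 4, "sha512": 6}   # kernel hash_algo enum values
ALGO_BY_ID = {v: k for k, v in HASH_ALGO_ID.items()}


def label(content: bytes, algo: str = "sha256") -> bytes:
    """Build the security.ima value a labelling tool writes for this content."""
    return bytes([IMA_XATTR_DIGEST_NG, HASH_ALGO_ID[algo]]) + hashlib.new(algo, content).digest()


def appraise(content: bytes, xattr: Optional[bytes]) -> str:
    """Return 'pass' or a 'fail: ...' reason for the cases appraisal distinguishes."""
    if xattr is None:
        return "fail: no security.ima xattr (file never labelled)"
    if len(xattr) < 2 or xattr[0] != IMA_XATTR_DIGEST_NG:
        return "fail: unsupported xattr type"
    algo = ALGO_BY_ID.get(xattr[1])
    if algo is None:
        return "fail: unknown hash algorithm id"
    expected = xattr[2:]
    if len(expected) != hashlib.new(algo).digest_size:
        return "fail: digest length does not match algorithm"
    if hashlib.new(algo, content).digest() != expected:
        return "fail: content hash mismatch"
    return "pass"


class LabelledFs:
    """Constructed stand-in for a filesystem carrying security.ima xattrs."""

    def __init__(self):
        self.content: Dict[str, bytes] = {}
        self.xattr: Dict[str, bytes] = {}

    def write(self, path: str, data: bytes) -> None:
        self.content[path] = data          # a plain write does not update the label

    def fix(self, path: str) -> None:
        """Model of what 'ima_appraise=fix' does on access: (re)label the file."""
        self.xattr[path] = label(self.content[path])

    def open_for_exec(self, path: str) -> str:
        return appraise(self.content[path], self.xattr.get(path))


def demo() -> Dict[str, str]:
    """Three constructed cases: labelled, never labelled, modified after labelling."""
    fs = LabelledFs()
    fs.write("/usr/bin/tool", b"#!/bin/sh\necho constructed\n")
    fs.fix("/usr/bin/tool")                 # labelled once, e.g. during provisioning
    fs.write("/usr/local/bin/new", b"never labelled")
    results = {"labelled": fs.open_for_exec("/usr/bin/tool"),
               "unlabelled": fs.open_for_exec("/usr/local/bin/new")}
    fs.write("/usr/bin/tool", b"#!/bin/sh\necho modified\n")   # content changed after labelling
    results["modified"] = fs.open_for_exec("/usr/bin/tool")
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The model also shows why the help text points at EVM: the label is just another attribute on disk, so a modification made offline that rewrites both the content and security.ima would pass this check. EVM's HMAC or signature over the security xattrs is what lets the kernel notice that the label itself was replaced.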

config IMA_ARCH_POLICY
	bool "Enable loading an IMA architecture specific policy"
	depends on (KEXEC_SIG && IMA) || IMA_APPRAISE \
		   && INTEGRITY_ASYMMETRIC_KEYS
	default n
	help
	  This option enables loading an IMA architecture specific policy
	  based on run time secure boot flags.

config IMA_APPRAISE_BUILD_POLICY
	bool "IMA build time configured policy rules"
	depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS
	default n
	help
	  This option defines an IMA appraisal policy at build time, which
	  is enforced at run time without having to specify a builtin
	  policy name on the boot command line. The build time appraisal
	  policy rules persist after loading a custom policy.

	  Depending on the rules configured, this policy may require kernel
	  modules, firmware, the kexec kernel image, and/or the IMA policy
	  to be signed. Unsigned files might prevent the system from
	  booting or applications from working properly.

config IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS
	bool "Appraise firmware signatures"
	depends on IMA_APPRAISE_BUILD_POLICY
	default n
	help
	  This option defines a policy requiring all firmware to be signed,
	  including the regulatory.db. If both this option and
	  CFG80211_REQUIRE_SIGNED_REGDB are enabled, then both signature
	  verification methods are necessary.

config IMA_APPRAISE_REQUIRE_KEXEC_SIGS
	bool "Appraise kexec kernel image signatures"
	depends on IMA_APPRAISE_BUILD_POLICY
	default n
	help
	  Enabling this rule will require all kexec'ed kernel images to
	  be signed and verified by a public key on the trusted IMA
	  keyring.

	  Kernel image signatures cannot be verified by the original
	  kexec_load syscall. Enabling this rule will prevent its
	  usage.

config IMA_APPRAISE_REQUIRE_MODULE_SIGS
	bool "Appraise kernel modules signatures"
	depends on IMA_APPRAISE_BUILD_POLICY
	default n
	help
	  Enabling this rule will require all kernel modules to be signed
	  and verified by a public key on the trusted IMA keyring.

	  Kernel module signatures can only be verified by IMA-appraisal
	  via the finit_module syscall. Enabling this rule will prevent
	  the usage of the init_module syscall.

config IMA_APPRAISE_REQUIRE_POLICY_SIGS
	bool "Appraise IMA policy signature"
	depends on IMA_APPRAISE_BUILD_POLICY
	default n
	help
	  Enabling this rule will require the IMA policy to be signed
	  and verified by a key on the trusted IMA keyring.

config IMA_APPRAISE_BOOTPARAM
	bool "ima_appraise boot parameter"
	depends on IMA_APPRAISE
	default y
	help
	  This option enables the different "ima_appraise=" modes
	  (e.g. fix, log) from the boot command line.

config IMA_APPRAISE_MODSIG
	bool "Support module-style signatures for appraisal"
	depends on IMA_APPRAISE
	depends on INTEGRITY_ASYMMETRIC_KEYS
	select PKCS7_MESSAGE_PARSER
	select MODULE_SIG_FORMAT
	default n
	help
	  Adds support for signatures appended to files. The format of the
	  appended signature is the same as that used for signed kernel
	  modules. The modsig keyword can be used in the IMA policy to allow
	  a hook to accept such signatures.

config IMA_TRUSTED_KEYRING
	bool "Require all keys on the .ima keyring to be signed (deprecated)"
	depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
	depends on INTEGRITY_ASYMMETRIC_KEYS
	select INTEGRITY_TRUSTED_KEYRING
	default y
	help
	  This option requires that all keys added to the .ima
	  keyring be signed by a key on the system trusted keyring.

	  This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING.

config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
	bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
	depends on SYSTEM_TRUSTED_KEYRING
	depends on SECONDARY_TRUSTED_KEYRING
	depends on INTEGRITY_ASYMMETRIC_KEYS
	select INTEGRITY_TRUSTED_KEYRING
	default n
	help
	  Keys may be added to the IMA or IMA blacklist keyrings if the
	  key is validly signed by a CA cert in the system built-in or
	  secondary trusted keyrings.

	  Intermediate keys between those the kernel has compiled in and the
	  IMA keys to be added may be added to the system secondary keyring,
	  provided they are validly signed by a key already resident in the
	  built-in or secondary trusted keyrings.

config IMA_BLACKLIST_KEYRING
	bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
	depends on SYSTEM_TRUSTED_KEYRING
	depends on IMA_TRUSTED_KEYRING
	default n
	help
	  This option creates an IMA blacklist keyring, which contains all
	  revoked IMA keys. It is consulted before any other keyring. If
	  the search is successful, the requested operation is rejected and
	  an error is returned to the caller.

config IMA_LOAD_X509
	bool "Load X509 certificate onto the '.ima' trusted keyring"
	depends on IMA_TRUSTED_KEYRING
	default n
	help
	  File signature verification is based on the public keys
	  loaded on the .ima trusted keyring. These public keys are
	  X509 certificates signed by a trusted key on the
	  .system keyring. This option enables X509 certificate
	  loading from the kernel onto the '.ima' trusted keyring.

config IMA_X509_PATH
	string "IMA X509 certificate path"
	depends on IMA_LOAD_X509
	default "/etc/keys/x509_ima.der"
	help
	  This option defines the IMA X509 certificate path.

config IMA_APPRAISE_SIGNED_INIT
	bool "Require signed user-space initialization"
	depends on IMA_LOAD_X509
	default n
	help
	  This option requires user-space init to be signed.

config IMA_MEASURE_ASYMMETRIC_KEYS
	bool
	depends on IMA
	depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
	default y

config IMA_QUEUE_EARLY_BOOT_KEYS
	bool
	depends on IMA_MEASURE_ASYMMETRIC_KEYS
	depends on SYSTEM_TRUSTED_KEYRING
	default y

config IMA_SECURE_AND_OR_TRUSTED_BOOT
	bool
	depends on IMA_ARCH_POLICY
	help
	  This option is selected by architectures to enable secure and/or
	  trusted boot based on IMA runtime policies.