forked from Minki/linux
f381c27222
Move the inode integrity data(iint) management up to the integrity directory in order to share the iint among the different integrity models. Changelog: - don't define MAX_DIGEST_SIZE - rename several globally visible 'ima_' prefixed functions, structs, locks, etc to 'integrity_' - replace '20' with SHA1_DIGEST_SIZE - reflect location change in appropriate Kconfig and Makefiles - remove unnecessary initialization of iint_initialized to 0 - rebased on current ima_iint.c - define integrity_iint_store/lock as static There should be no other functional changes. Signed-off-by: Mimi Zohar <zohar@us.ibm.com> Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
57 lines
1.7 KiB
Plaintext
57 lines
1.7 KiB
Plaintext
# IBM Integrity Measurement Architecture
|
|
#
|
|
config IMA
|
|
bool "Integrity Measurement Architecture(IMA)"
|
|
depends on SECURITY
|
|
select INTEGRITY
|
|
select SECURITYFS
|
|
select CRYPTO
|
|
select CRYPTO_HMAC
|
|
select CRYPTO_MD5
|
|
select CRYPTO_SHA1
|
|
select TCG_TPM if !S390
|
|
select TCG_TIS if TCG_TPM
|
|
help
|
|
The Trusted Computing Group(TCG) runtime Integrity
|
|
Measurement Architecture(IMA) maintains a list of hash
|
|
values of executables and other sensitive system files,
|
|
as they are read or executed. If an attacker manages
|
|
to change the contents of an important system file
|
|
being measured, we can tell.
|
|
|
|
If your system has a TPM chip, then IMA also maintains
|
|
an aggregate integrity value over this list inside the
|
|
TPM hardware, so that the TPM can prove to a third party
|
|
whether or not critical system files have been modified.
|
|
Read <http://www.usenix.org/events/sec04/tech/sailer.html>
|
|
to learn more about IMA.
|
|
If unsure, say N.
|
|
|
|
config IMA_MEASURE_PCR_IDX
|
|
int
|
|
depends on IMA
|
|
range 8 14
|
|
default 10
|
|
help
|
|
IMA_MEASURE_PCR_IDX determines the TPM PCR register index
|
|
that IMA uses to maintain the integrity aggregate of the
|
|
measurement list. If unsure, use the default 10.
|
|
|
|
config IMA_AUDIT
|
|
bool
|
|
depends on IMA
|
|
default y
|
|
help
|
|
This option adds a kernel parameter 'ima_audit', which
|
|
allows informational auditing messages to be enabled
|
|
at boot. If this option is selected, informational integrity
|
|
auditing messages can be enabled with 'ima_audit=1' on
|
|
the kernel command line.
|
|
|
|
config IMA_LSM_RULES
|
|
bool
|
|
depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)
|
|
default y
|
|
help
|
|
Disabling this option will disregard LSM based policy rules.
|