1 # IBM Integrity Measurement Architecture
4 bool "Integrity Measurement Architecture(IMA)"
12 select CRYPTO_HASH_INFO
13 select TCG_TPM if HAS_IOMEM && !UML
14 select TCG_TIS if TCG_TPM && X86
15 select TCG_IBMVTPM if TCG_TPM && PPC64
17 The Trusted Computing Group(TCG) runtime Integrity
18 Measurement Architecture(IMA) maintains a list of hash
19 values of executables and other sensitive system files,
20 as they are read or executed. If an attacker manages
21 to change the contents of an important system file
22 being measured, we can tell.
24 If your system has a TPM chip, then IMA also maintains
25 an aggregate integrity value over this list inside the
26 TPM hardware, so that the TPM can prove to a third party
27 whether or not critical system files have been modified.
28 Read <http://www.usenix.org/events/sec04/tech/sailer.html>
29 to learn more about IMA.
32 config IMA_MEASURE_PCR_IDX
38 IMA_MEASURE_PCR_IDX determines the TPM PCR register index
39 that IMA uses to maintain the integrity aggregate of the
40 measurement list. If unsure, use the default 10.
44 depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)
47 Disabling this option will disregard LSM based policy rules.
50 prompt "Default template"
51 default IMA_NG_TEMPLATE
54 Select the default IMA measurement template.
56 The original 'ima' measurement list template contains a
57 hash, defined as 20 bytes, and a null terminated pathname,
58 limited to 255 characters. The 'ima-ng' measurement list
59 template permits both larger hash digests and longer
64 config IMA_NG_TEMPLATE
65 bool "ima-ng (default)"
68 config IMA_DEFAULT_TEMPLATE
71 default "ima" if IMA_TEMPLATE
72 default "ima-ng" if IMA_NG_TEMPLATE
75 prompt "Default integrity hash algorithm"
76 default IMA_DEFAULT_HASH_SHA1
79 Select the default hash algorithm used for the measurement
80 list, integrity appraisal and audit log. The compiled default
81 hash algorithm can be overwritten using the kernel command
82 line 'ima_hash=' option.
84 config IMA_DEFAULT_HASH_SHA1
86 depends on CRYPTO_SHA1
88 config IMA_DEFAULT_HASH_SHA256
90 depends on CRYPTO_SHA256 && !IMA_TEMPLATE
92 config IMA_DEFAULT_HASH_SHA512
94 depends on CRYPTO_SHA512 && !IMA_TEMPLATE
96 config IMA_DEFAULT_HASH_WP512
98 depends on CRYPTO_WP512 && !IMA_TEMPLATE
101 config IMA_DEFAULT_HASH
104 default "sha1" if IMA_DEFAULT_HASH_SHA1
105 default "sha256" if IMA_DEFAULT_HASH_SHA256
106 default "sha512" if IMA_DEFAULT_HASH_SHA512
107 default "wp512" if IMA_DEFAULT_HASH_WP512
110 bool "Appraise integrity measurements"
114 This option enables local measurement integrity appraisal.
115 It requires the system to be labeled with a security extended
116 attribute containing the file hash measurement. To protect
117 the security extended attributes from offline attack, enable
120 For more information on integrity appraisal refer to:
121 <http://linux-ima.sourceforge.net>