c7c8bb237f
In preparation of supporting more hash algorithms with larger hash sizes needed for signature verification, this patch replaces the 20 byte sized digest, with a more flexible structure. The new structure includes the hash algorithm, digest size, and digest. Changelog: - recalculate filedata hash for the measurement list, if the signature hash digest size is greater than 20 bytes. - use generic HASH_ALGO_ - make ima_calc_file_hash static - scripts lindent and checkpatch fixes Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
63 lines
1.9 KiB
Plaintext
63 lines
1.9 KiB
Plaintext
# IBM Integrity Measurement Architecture
|
|
#
|
|
config IMA
|
|
bool "Integrity Measurement Architecture(IMA)"
|
|
depends on SECURITY
|
|
select INTEGRITY
|
|
select SECURITYFS
|
|
select CRYPTO
|
|
select CRYPTO_HMAC
|
|
select CRYPTO_MD5
|
|
select CRYPTO_SHA1
|
|
select CRYPTO_HASH_INFO
|
|
select TCG_TPM if HAS_IOMEM && !UML
|
|
select TCG_TIS if TCG_TPM && X86
|
|
select TCG_IBMVTPM if TCG_TPM && PPC64
|
|
help
|
|
The Trusted Computing Group(TCG) runtime Integrity
|
|
Measurement Architecture(IMA) maintains a list of hash
|
|
values of executables and other sensitive system files,
|
|
as they are read or executed. If an attacker manages
|
|
to change the contents of an important system file
|
|
being measured, we can tell.
|
|
|
|
If your system has a TPM chip, then IMA also maintains
|
|
an aggregate integrity value over this list inside the
|
|
TPM hardware, so that the TPM can prove to a third party
|
|
whether or not critical system files have been modified.
|
|
Read <http://www.usenix.org/events/sec04/tech/sailer.html>
|
|
to learn more about IMA.
|
|
If unsure, say N.
|
|
|
|
config IMA_MEASURE_PCR_IDX
|
|
int
|
|
depends on IMA
|
|
range 8 14
|
|
default 10
|
|
help
|
|
IMA_MEASURE_PCR_IDX determines the TPM PCR register index
|
|
that IMA uses to maintain the integrity aggregate of the
|
|
measurement list. If unsure, use the default 10.
|
|
|
|
config IMA_LSM_RULES
|
|
bool
|
|
depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)
|
|
default y
|
|
help
|
|
Disabling this option will disregard LSM based policy rules.
|
|
|
|
config IMA_APPRAISE
|
|
bool "Appraise integrity measurements"
|
|
depends on IMA
|
|
default n
|
|
help
|
|
This option enables local measurement integrity appraisal.
|
|
It requires the system to be labeled with a security extended
|
|
attribute containing the file hash measurement. To protect
|
|
the security extended attributes from offline attack, enable
|
|
and configure EVM.
|
|
|
|
For more information on integrity appraisal refer to:
|
|
<http://linux-ima.sourceforge.net>
|
|
If unsure, say N.
|