diff options
| author | David S. Miller <davem@davemloft.net> | 2009-03-26 15:23:24 -0700 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2009-03-26 15:23:24 -0700 |
| commit | 08abe18af1f78ee80c3c3a5ac47c3e0ae0beadf6 (patch) | |
| tree | 2be39bf8942edca1bcec735145e144a682ca9cd3 /security/integrity/ima/Kconfig | |
| parent | f0de70f8bb56952f6e016a65a8a8d006918f5bf6 (diff) | |
| parent | 0384e2959127a56d0640505d004d8dd92f9c29f5 (diff) | |
Merge branch 'master' of /home/davem/src/GIT/linux-2.6/
Conflicts:
drivers/net/wimax/i2400m/usb-notif.c
Diffstat (limited to 'security/integrity/ima/Kconfig')
| -rw-r--r-- | security/integrity/ima/Kconfig | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig new file mode 100644 index 00000000000..53d9764e8f0 --- /dev/null +++ b/security/integrity/ima/Kconfig @@ -0,0 +1,55 @@ +# IBM Integrity Measurement Architecture +# +config IMA + bool "Integrity Measurement Architecture(IMA)" + depends on ACPI + select SECURITYFS + select CRYPTO + select CRYPTO_HMAC + select CRYPTO_MD5 + select CRYPTO_SHA1 + select TCG_TPM + select TCG_TIS + help + The Trusted Computing Group(TCG) runtime Integrity + Measurement Architecture(IMA) maintains a list of hash + values of executables and other sensitive system files, + as they are read or executed. If an attacker manages + to change the contents of an important system file + being measured, we can tell. + + If your system has a TPM chip, then IMA also maintains + an aggregate integrity value over this list inside the + TPM hardware, so that the TPM can prove to a third party + whether or not critical system files have been modified. + Read <http://www.usenix.org/events/sec04/tech/sailer.html> + to learn more about IMA. + If unsure, say N. + +config IMA_MEASURE_PCR_IDX + int + depends on IMA + range 8 14 + default 10 + help + IMA_MEASURE_PCR_IDX determines the TPM PCR register index + that IMA uses to maintain the integrity aggregate of the + measurement list. If unsure, use the default 10. + +config IMA_AUDIT + bool + depends on IMA + default y + help + This option adds a kernel parameter 'ima_audit', which + allows informational auditing messages to be enabled + at boot. If this option is selected, informational integrity + auditing messages can be enabled with 'ima_audit=1' on + the kernel command line. + +config IMA_LSM_RULES + bool + depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK) + default y + help + Disabling this option will disregard LSM based policy rules. |