Merge tag 'integrity-v6.6-fix' of... (cb84fb87) · Commits · EulixOS / Software / Kernel

security/integrity/ima/Kconfig

+8 −14

Original line number	Diff line number	Diff line
		@@ -29,9 +29,11 @@ config IMA
		to learn more about IMA.
		If unsure, say N.

		if IMA

		config IMA_KEXEC
		bool "Enable carrying the IMA measurement list across a soft boot"
		depends on IMA && TCG_TPM && HAVE_IMA_KEXEC
		depends on TCG_TPM && HAVE_IMA_KEXEC
		default n
		help
		TPM PCRs are only reset on a hard reboot. In order to validate
		@@ -43,7 +45,6 @@ config IMA_KEXEC

		config IMA_MEASURE_PCR_IDX
		int
		depends on IMA
		range 8 14
		default 10
		help
		@@ -53,7 +54,7 @@ config IMA_MEASURE_PCR_IDX

		config IMA_LSM_RULES
		bool
		depends on IMA && AUDIT && (SECURITY_SELINUX \|\| SECURITY_SMACK \|\| SECURITY_APPARMOR)
		depends on AUDIT && (SECURITY_SELINUX \|\| SECURITY_SMACK \|\| SECURITY_APPARMOR)
		default y
		help
		Disabling this option will disregard LSM based policy rules.
		@@ -61,7 +62,6 @@ config IMA_LSM_RULES
		choice
		prompt "Default template"
		default IMA_NG_TEMPLATE
		depends on IMA
		help
		Select the default IMA measurement template.

		@@ -80,14 +80,12 @@ endchoice

		config IMA_DEFAULT_TEMPLATE
		string
		depends on IMA
		default "ima-ng" if IMA_NG_TEMPLATE
		default "ima-sig" if IMA_SIG_TEMPLATE

		choice
		prompt "Default integrity hash algorithm"
		default IMA_DEFAULT_HASH_SHA1
		depends on IMA
		help
		Select the default hash algorithm used for the measurement
		list, integrity appraisal and audit log. The compiled default
		@@ -117,7 +115,6 @@ endchoice

		config IMA_DEFAULT_HASH
		string
		depends on IMA
		default "sha1" if IMA_DEFAULT_HASH_SHA1
		default "sha256" if IMA_DEFAULT_HASH_SHA256
		default "sha512" if IMA_DEFAULT_HASH_SHA512
		@@ -126,7 +123,6 @@ config IMA_DEFAULT_HASH

		config IMA_WRITE_POLICY
		bool "Enable multiple writes to the IMA policy"
		depends on IMA
		default n
		help
		IMA policy can now be updated multiple times. The new rules get
		@@ -137,7 +133,6 @@ config IMA_WRITE_POLICY

		config IMA_READ_POLICY
		bool "Enable reading back the current IMA policy"
		depends on IMA
		default y if IMA_WRITE_POLICY
		default n if !IMA_WRITE_POLICY
		help
		@@ -147,7 +142,6 @@ config IMA_READ_POLICY

		config IMA_APPRAISE
		bool "Appraise integrity measurements"
		depends on IMA
		default n
		help
		This option enables local measurement integrity appraisal.
		@@ -269,7 +263,7 @@ config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
		config IMA_BLACKLIST_KEYRING
		bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
		depends on SYSTEM_TRUSTED_KEYRING
		depends on IMA_TRUSTED_KEYRING
		depends on INTEGRITY_TRUSTED_KEYRING
		default n
		help
		This option creates an IMA blacklist keyring, which contains all
		@@ -279,7 +273,7 @@ config IMA_BLACKLIST_KEYRING

		config IMA_LOAD_X509
		bool "Load X509 certificate onto the '.ima' trusted keyring"
		depends on IMA_TRUSTED_KEYRING
		depends on INTEGRITY_TRUSTED_KEYRING
		default n
		help
		File signature verification is based on the public keys
		@@ -304,7 +298,6 @@ config IMA_APPRAISE_SIGNED_INIT

		config IMA_MEASURE_ASYMMETRIC_KEYS
		bool
		depends on IMA
		depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
		default y

		@@ -323,7 +316,8 @@ config IMA_SECURE_AND_OR_TRUSTED_BOOT

		config IMA_DISABLE_HTABLE
		bool "Disable htable to allow measurement of duplicate records"
		depends on IMA
		default n
		help
		This option disables htable to allow measurement of duplicate records.

		endif