write in 30M

hc

2024-02-20 ea08eeccae9297f7aabd2ef7f0c2517ac4549acc

 kernel/security/integrity/ima/Kconfig
..
..
@@ -8,7 +8,7 @@
8
8
 	select CRYPTO_HMAC
9
9
 	select CRYPTO_SHA1
10
10
 	select CRYPTO_HASH_INFO
11
-	select TCG_TPM if HAS_IOMEM && !UML
11
+	select TCG_TPM if HAS_IOMEM
12
12
 	select TCG_TIS if TCG_TPM && X86
13
13
 	select TCG_CRB if TCG_TPM && ACPI
14
14
 	select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES
..
..
@@ -29,9 +29,11 @@
29
29
 	  to learn more about IMA.
30
30
 	  If unsure, say N.
31
31
 
32
+if IMA
33
+
32
34
 config IMA_KEXEC
33
35
 	bool "Enable carrying the IMA measurement list across a soft boot"
34
-	depends on IMA && TCG_TPM && HAVE_IMA_KEXEC
36
+	depends on TCG_TPM && HAVE_IMA_KEXEC
35
37
 	default n
36
38
 	help
37
39
 	   TPM PCRs are only reset on a hard reboot.  In order to validate
..
..
@@ -43,7 +45,6 @@
43
45
 
44
46
 config IMA_MEASURE_PCR_IDX
45
47
 	int
46
-	depends on IMA
47
48
 	range 8 14
48
49
 	default 10
49
50
 	help
..
..
@@ -53,7 +54,7 @@
53
54
 
54
55
 config IMA_LSM_RULES
55
56
 	bool
56
-	depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK || SECURITY_APPARMOR)
57
+	depends on AUDIT && (SECURITY_SELINUX || SECURITY_SMACK || SECURITY_APPARMOR)
57
58
 	default y
58
59
 	help
59
60
 	  Disabling this option will disregard LSM based policy rules.
..
..
@@ -61,7 +62,6 @@
61
62
 choice
62
63
 	prompt "Default template"
63
64
 	default IMA_NG_TEMPLATE
64
-	depends on IMA
65
65
 	help
66
66
 	  Select the default IMA measurement template.
67
67
 
..
..
@@ -80,14 +80,12 @@
80
80
 
81
81
 config IMA_DEFAULT_TEMPLATE
82
82
 	string
83
-	depends on IMA
84
83
 	default "ima-ng" if IMA_NG_TEMPLATE
85
84
 	default "ima-sig" if IMA_SIG_TEMPLATE
86
85
 
87
86
 choice
88
87
 	prompt "Default integrity hash algorithm"
89
88
 	default IMA_DEFAULT_HASH_SHA1
90
-	depends on IMA
91
89
 	help
92
90
 	   Select the default hash algorithm used for the measurement
93
91
 	   list, integrity appraisal and audit log.  The compiled default
..
..
@@ -117,7 +115,6 @@
117
115
 
118
116
 config IMA_DEFAULT_HASH
119
117
 	string
120
-	depends on IMA
121
118
 	default "sha1" if IMA_DEFAULT_HASH_SHA1
122
119
 	default "sha256" if IMA_DEFAULT_HASH_SHA256
123
120
 	default "sha512" if IMA_DEFAULT_HASH_SHA512
..
..
@@ -126,7 +123,6 @@
126
123
 
127
124
 config IMA_WRITE_POLICY
128
125
 	bool "Enable multiple writes to the IMA policy"
129
-	depends on IMA
130
126
 	default n
131
127
 	help
132
128
 	  IMA policy can now be updated multiple times.  The new rules get
..
..
@@ -137,7 +133,6 @@
137
133
 
138
134
 config IMA_READ_POLICY
139
135
 	bool "Enable reading back the current IMA policy"
140
-	depends on IMA
141
136
 	default y if IMA_WRITE_POLICY
142
137
 	default n if !IMA_WRITE_POLICY
143
138
 	help
..
..
@@ -147,7 +142,6 @@
147
142
 
148
143
 config IMA_APPRAISE
149
144
 	bool "Appraise integrity measurements"
150
-	depends on IMA
151
145
 	default n
152
146
 	help
153
147
 	  This option enables local measurement integrity appraisal.
..
..
@@ -248,18 +242,6 @@
248
242
 	   The modsig keyword can be used in the IMA policy to allow a hook
249
243
 	   to accept such signatures.
250
244
 
251
-config IMA_TRUSTED_KEYRING
252
-	bool "Require all keys on the .ima keyring be signed (deprecated)"
253
-	depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
254
-	depends on INTEGRITY_ASYMMETRIC_KEYS
255
-	select INTEGRITY_TRUSTED_KEYRING
256
-	default y
257
-	help
258
-	   This option requires that all keys added to the .ima
259
-	   keyring be signed by a key on the system trusted keyring.
260
-
261
-	   This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING
262
-
263
245
 config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
264
246
 	bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
265
247
 	depends on SYSTEM_TRUSTED_KEYRING
..
..
@@ -280,7 +262,7 @@
280
262
 config IMA_BLACKLIST_KEYRING
281
263
 	bool "Create IMA machine owner blacklist keyrings (EXPERIMENTAL)"
282
264
 	depends on SYSTEM_TRUSTED_KEYRING
283
-	depends on IMA_TRUSTED_KEYRING
265
+	depends on INTEGRITY_TRUSTED_KEYRING
284
266
 	default n
285
267
 	help
286
268
 	   This option creates an IMA blacklist keyring, which contains all
..
..
@@ -290,7 +272,7 @@
290
272
 
291
273
 config IMA_LOAD_X509
292
274
 	bool "Load X509 certificate onto the '.ima' trusted keyring"
293
-	depends on IMA_TRUSTED_KEYRING
275
+	depends on INTEGRITY_TRUSTED_KEYRING
294
276
 	default n
295
277
 	help
296
278
 	   File signature verification is based on the public keys
..
..
@@ -315,7 +297,6 @@
315
297
 
316
298
 config IMA_MEASURE_ASYMMETRIC_KEYS
317
299
 	bool
318
-	depends on IMA
319
300
 	depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
320
301
 	default y
321
302
 
..
..
@@ -331,3 +312,5 @@
331
312
        help
332
313
           This option is selected by architectures to enable secure and/or
333
314
           trusted boot based on IMA runtime policies.
315
+
316
+endif