1 files changed, 64 insertions, 0 deletions
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 39196abaff0d..81a27971d884 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -9,6 +9,7 @@ config IMA
        select CRYPTO_HMAC
        select CRYPTO_MD5
        select CRYPTO_SHA1
+        select CRYPTO_HASH_INFO
        select TCG_TPM if HAS_IOMEM && !UML
        select TCG_TIS if TCG_TPM && X86
        select TCG_IBMVTPM if TCG_TPM && PPC64
@@ -45,6 +46,69 @@ config IMA_LSM_RULES
        help
          Disabling this option will disregard LSM based policy rules.
+choice
+        prompt "Default template"
+        default IMA_NG_TEMPLATE
+        depends on IMA
+        help
+          Select the default IMA measurement template.
+          The original 'ima' measurement list template contains a
+          hash, defined as 20 bytes, and a null terminated pathname,
+          limited to 255 characters.  The 'ima-ng' measurement list
+          template permits both larger hash digests and longer
+          pathnames.
+        config IMA_TEMPLATE
+                bool "ima"
+        config IMA_NG_TEMPLATE
+                bool "ima-ng (default)"
+        config IMA_SIG_TEMPLATE
+                bool "ima-sig"
+endchoice
+config IMA_DEFAULT_TEMPLATE
+        string
+        depends on IMA
+        default "ima" if IMA_TEMPLATE
+        default "ima-ng" if IMA_NG_TEMPLATE
+        default "ima-sig" if IMA_SIG_TEMPLATE
+choice
+        prompt "Default integrity hash algorithm"
+        default IMA_DEFAULT_HASH_SHA1
+        depends on IMA
+        help
+           Select the default hash algorithm used for the measurement
+           list, integrity appraisal and audit log.  The compiled default
+           hash algorithm can be overwritten using the kernel command
+           line 'ima_hash=' option.
+        config IMA_DEFAULT_HASH_SHA1
+                bool "SHA1 (default)"
+                depends on CRYPTO_SHA1
+        config IMA_DEFAULT_HASH_SHA256
+                bool "SHA256"
+                depends on CRYPTO_SHA256 && !IMA_TEMPLATE
+        config IMA_DEFAULT_HASH_SHA512
+                bool "SHA512"
+                depends on CRYPTO_SHA512 && !IMA_TEMPLATE
+        config IMA_DEFAULT_HASH_WP512
+                bool "WP512"
+                depends on CRYPTO_WP512 && !IMA_TEMPLATE
+endchoice
+config IMA_DEFAULT_HASH
+        string
+        depends on IMA
+        default "sha1" if IMA_DEFAULT_HASH_SHA1
+        default "sha256" if IMA_DEFAULT_HASH_SHA256
+        default "sha512" if IMA_DEFAULT_HASH_SHA512
+        default "wp512" if IMA_DEFAULT_HASH_WP512
 config IMA_APPRAISE
        bool "Appraise integrity measurements"
        depends on IMA

diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 39196abaff0d..81a27971d884 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig
@@ -9,6 +9,7 @@ config IMA
9	select CRYPTO_HMAC	9	select CRYPTO_HMAC
10	select CRYPTO_MD5	10	select CRYPTO_MD5
11	select CRYPTO_SHA1	11	select CRYPTO_SHA1
		12	select CRYPTO_HASH_INFO
12	select TCG_TPM if HAS_IOMEM && !UML	13	select TCG_TPM if HAS_IOMEM && !UML
13	select TCG_TIS if TCG_TPM && X86	14	select TCG_TIS if TCG_TPM && X86
14	select TCG_IBMVTPM if TCG_TPM && PPC64	15	select TCG_IBMVTPM if TCG_TPM && PPC64
@@ -45,6 +46,69 @@ config IMA_LSM_RULES
45	help	46	help
46	Disabling this option will disregard LSM based policy rules.	47	Disabling this option will disregard LSM based policy rules.
47		48
		49	choice
		50	prompt "Default template"
		51	default IMA_NG_TEMPLATE
		52	depends on IMA
		53	help
		54	Select the default IMA measurement template.
		55
		56	The original 'ima' measurement list template contains a
		57	hash, defined as 20 bytes, and a null terminated pathname,
		58	limited to 255 characters. The 'ima-ng' measurement list
		59	template permits both larger hash digests and longer
		60	pathnames.
		61
		62	config IMA_TEMPLATE
		63	bool "ima"
		64	config IMA_NG_TEMPLATE
		65	bool "ima-ng (default)"
		66	config IMA_SIG_TEMPLATE
		67	bool "ima-sig"
		68	endchoice
		69
		70	config IMA_DEFAULT_TEMPLATE
		71	string
		72	depends on IMA
		73	default "ima" if IMA_TEMPLATE
		74	default "ima-ng" if IMA_NG_TEMPLATE
		75	default "ima-sig" if IMA_SIG_TEMPLATE
		76
		77	choice
		78	prompt "Default integrity hash algorithm"
		79	default IMA_DEFAULT_HASH_SHA1
		80	depends on IMA
		81	help
		82	Select the default hash algorithm used for the measurement
		83	list, integrity appraisal and audit log. The compiled default
		84	hash algorithm can be overwritten using the kernel command
		85	line 'ima_hash=' option.
		86
		87	config IMA_DEFAULT_HASH_SHA1
		88	bool "SHA1 (default)"
		89	depends on CRYPTO_SHA1
		90
		91	config IMA_DEFAULT_HASH_SHA256
		92	bool "SHA256"
		93	depends on CRYPTO_SHA256 && !IMA_TEMPLATE
		94
		95	config IMA_DEFAULT_HASH_SHA512
		96	bool "SHA512"
		97	depends on CRYPTO_SHA512 && !IMA_TEMPLATE
		98
		99	config IMA_DEFAULT_HASH_WP512
		100	bool "WP512"
		101	depends on CRYPTO_WP512 && !IMA_TEMPLATE
		102	endchoice
		103
		104	config IMA_DEFAULT_HASH
		105	string
		106	depends on IMA
		107	default "sha1" if IMA_DEFAULT_HASH_SHA1
		108	default "sha256" if IMA_DEFAULT_HASH_SHA256
		109	default "sha512" if IMA_DEFAULT_HASH_SHA512
		110	default "wp512" if IMA_DEFAULT_HASH_WP512
		111
48	config IMA_APPRAISE	112	config IMA_APPRAISE
49	bool "Appraise integrity measurements"	113	bool "Appraise integrity measurements"
50	depends on IMA	114	depends on IMA