Lines Matching +full:default +full:- +full:on
1 # SPDX-License-Identifier: GPL-2.0-only
35 depends on IMA && TCG_TPM && HAVE_IMA_KEXEC
36 default n
38 TPM PCRs are only reset on a hard reboot. In order to validate
40 running kernel must be saved and restored on boot.
42 Depending on the IMA policy, the measurement list can grow to
47 depends on IMA
49 default 10
53 measurement list. If unsure, use the default 10.
57 depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK || SECURITY_APPARMOR)
58 default y
63 prompt "Default template"
64 default IMA_NG_TEMPLATE
65 depends on IMA
67 Select the default IMA measurement template.
71 limited to 255 characters. The 'ima-ng' measurement list
78 bool "ima-ng (default)"
80 bool "ima-sig"
85 depends on IMA
86 default "ima" if IMA_TEMPLATE
87 default "ima-ng" if IMA_NG_TEMPLATE
88 default "ima-sig" if IMA_SIG_TEMPLATE
91 prompt "Default integrity hash algorithm"
92 default IMA_DEFAULT_HASH_SHA1
93 depends on IMA
95 Select the default hash algorithm used for the measurement
96 list, integrity appraisal and audit log. The compiled default
101 bool "SHA1 (default)"
102 depends on CRYPTO_SHA1=y
106 depends on CRYPTO_SHA256=y && !IMA_TEMPLATE
110 depends on CRYPTO_SHA512=y && !IMA_TEMPLATE
114 depends on CRYPTO_WP512=y && !IMA_TEMPLATE
118 depends on CRYPTO_SM3=y && !IMA_TEMPLATE
123 depends on IMA
124 default "sha1" if IMA_DEFAULT_HASH_SHA1
125 default "sha256" if IMA_DEFAULT_HASH_SHA256
126 default "sha512" if IMA_DEFAULT_HASH_SHA512
127 default "wp512" if IMA_DEFAULT_HASH_WP512
128 default "sm3" if IMA_DEFAULT_HASH_SM3
132 depends on IMA
133 default n
143 depends on IMA
144 default y if IMA_WRITE_POLICY
145 default n if !IMA_WRITE_POLICY
153 depends on IMA
154 default n
162 For more information on integrity appraisal refer to:
163 <http://linux-ima.sourceforge.net>
168 depends on (KEXEC_SIG && IMA) || IMA_APPRAISE \
170 default n
173 based on run time secure boot flags.
177 depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS
178 default n
182 policy name on the boot command line. The build time appraisal
185 Depending on the rules configured, this policy may require kernel
192 depends on IMA_APPRAISE_BUILD_POLICY
193 default n
202 depends on IMA_APPRAISE_BUILD_POLICY
203 default n
206 be signed and verified by a public key on the trusted IMA
215 depends on IMA_APPRAISE_BUILD_POLICY
216 default n
219 and verified by a public key on the trusted IMA keyring.
221 Kernel module signatures can only be verified by IMA-appraisal,
227 depends on IMA_APPRAISE_BUILD_POLICY
228 default n
231 and verified by a key on the trusted IMA keyring.
235 depends on IMA_APPRAISE
236 default y
242 bool "Support module-style signatures for appraisal"
243 depends on IMA_APPRAISE
244 depends on INTEGRITY_ASYMMETRIC_KEYS
247 default n
255 bool "Require all keys on the .ima keyring be signed (deprecated)"
256 depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
257 depends on INTEGRITY_ASYMMETRIC_KEYS
259 default y
262 keyring be signed by a key on the system trusted keyring.
267 bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
268 depends on SYSTEM_TRUSTED_KEYRING
269 depends on SECONDARY_TRUSTED_KEYRING
270 depends on INTEGRITY_ASYMMETRIC_KEYS
272 default n
275 key is validly signed by a CA cert in the system built-in or
281 built-in or secondary trusted keyrings.
285 depends on SYSTEM_TRUSTED_KEYRING
286 depends on IMA_TRUSTED_KEYRING
287 default n
296 depends on IMA_TRUSTED_KEYRING
297 default n
299 File signature verification is based on the public keys
300 loaded on the .ima trusted keyring. These public keys are
301 X509 certificates signed by a trusted key on the
307 depends on IMA_LOAD_X509
308 default "/etc/keys/x509_ima.der"
313 bool "Require signed user-space initialization"
314 depends on IMA_LOAD_X509
315 default n
317 This option requires user-space init to be signed.
321 depends on IMA
322 depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
323 default y
327 depends on IMA_MEASURE_ASYMMETRIC_KEYS
328 depends on SYSTEM_TRUSTED_KEYRING
329 default y
333 depends on IMA_ARCH_POLICY
336 trusted boot based on IMA runtime policies.