Lines Matching +full:default +full:- +full:on
1 # SPDX-License-Identifier: GPL-2.0-only
34 depends on IMA && TCG_TPM && HAVE_IMA_KEXEC
35 default n
37 TPM PCRs are only reset on a hard reboot. In order to validate
39 running kernel must be saved and restored on boot.
41 Depending on the IMA policy, the measurement list can grow to
46 depends on IMA
48 default 10
52 measurement list. If unsure, use the default 10.
56 depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK || SECURITY_APPARMOR)
57 default y
62 prompt "Default template"
63 default IMA_NG_TEMPLATE
64 depends on IMA
66 Select the default IMA measurement template.
70 limited to 255 characters. The 'ima-ng' measurement list
77 bool "ima-ng (default)"
79 bool "ima-sig"
84 depends on IMA
85 default "ima" if IMA_TEMPLATE
86 default "ima-ng" if IMA_NG_TEMPLATE
87 default "ima-sig" if IMA_SIG_TEMPLATE
90 prompt "Default integrity hash algorithm"
91 default IMA_DEFAULT_HASH_SHA1
92 depends on IMA
94 Select the default hash algorithm used for the measurement
95 list, integrity appraisal and audit log. The compiled default
100 bool "SHA1 (default)"
101 depends on CRYPTO_SHA1=y
105 depends on CRYPTO_SHA256=y && !IMA_TEMPLATE
109 depends on CRYPTO_SHA512=y && !IMA_TEMPLATE
113 depends on CRYPTO_WP512=y && !IMA_TEMPLATE
117 depends on CRYPTO_SM3=y && !IMA_TEMPLATE
122 depends on IMA
123 default "sha1" if IMA_DEFAULT_HASH_SHA1
124 default "sha256" if IMA_DEFAULT_HASH_SHA256
125 default "sha512" if IMA_DEFAULT_HASH_SHA512
126 default "wp512" if IMA_DEFAULT_HASH_WP512
127 default "sm3" if IMA_DEFAULT_HASH_SM3
131 depends on IMA
132 default n
142 depends on IMA
143 default y if IMA_WRITE_POLICY
144 default n if !IMA_WRITE_POLICY
152 depends on IMA
153 default n
161 For more information on integrity appraisal refer to:
162 <http://linux-ima.sourceforge.net>
167 depends on (KEXEC_SIG && IMA) || IMA_APPRAISE \
169 default n
172 based on run time secure boot flags.
176 depends on IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS
177 default n
181 policy name on the boot command line. The build time appraisal
184 Depending on the rules configured, this policy may require kernel
191 depends on IMA_APPRAISE_BUILD_POLICY
192 default n
201 depends on IMA_APPRAISE_BUILD_POLICY
202 default n
205 be signed and verified by a public key on the trusted IMA
214 depends on IMA_APPRAISE_BUILD_POLICY
215 default n
218 and verified by a public key on the trusted IMA keyring.
220 Kernel module signatures can only be verified by IMA-appraisal,
226 depends on IMA_APPRAISE_BUILD_POLICY
227 default n
230 and verified by a key on the trusted IMA keyring.
234 depends on IMA_APPRAISE
235 default y
241 bool "Support module-style signatures for appraisal"
242 depends on IMA_APPRAISE
243 depends on INTEGRITY_ASYMMETRIC_KEYS
246 default n
254 bool "Require all keys on the .ima keyring be signed (deprecated)"
255 depends on IMA_APPRAISE && SYSTEM_TRUSTED_KEYRING
256 depends on INTEGRITY_ASYMMETRIC_KEYS
258 default y
261 keyring be signed by a key on the system trusted keyring.
266 bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
267 depends on SYSTEM_TRUSTED_KEYRING
268 depends on SECONDARY_TRUSTED_KEYRING
269 depends on INTEGRITY_ASYMMETRIC_KEYS
271 default n
274 key is validly signed by a CA cert in the system built-in or
280 built-in or secondary trusted keyrings.
284 depends on SYSTEM_TRUSTED_KEYRING
285 depends on IMA_TRUSTED_KEYRING
286 default n
295 depends on IMA_TRUSTED_KEYRING
296 default n
298 File signature verification is based on the public keys
299 loaded on the .ima trusted keyring. These public keys are
300 X509 certificates signed by a trusted key on the
306 depends on IMA_LOAD_X509
307 default "/etc/keys/x509_ima.der"
312 bool "Require signed user-space initialization"
313 depends on IMA_LOAD_X509
314 default n
316 This option requires user-space init to be signed.
320 depends on IMA
321 depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
322 default y
326 depends on IMA_MEASURE_ASYMMETRIC_KEYS
327 depends on SYSTEM_TRUSTED_KEYRING
328 default y
332 depends on IMA_ARCH_POLICY
335 trusted boot based on IMA runtime policies.
339 depends on IMA
340 default n