@@ -34,12 +34,12 @@ config IMA_KEXEC
depends on IMA && TCG_TPM && HAVE_IMA_KEXEC
default n
help
- TPM PCRs are only reset on a hard reboot. In order to validate
- a TPM's quote after a soft boot, the IMA measurement list of the
- running kernel must be saved and restored on boot.
+ TPM PCRs are only reset on a hard reboot. In order to validate
+ a TPM's quote after a soft boot, the IMA measurement list of the
+ running kernel must be saved and restored on boot.
- Depending on the IMA policy, the measurement list can grow to
- be very large.
+ Depending on the IMA policy, the measurement list can grow to
+ be very large.
config IMA_MEASURE_PCR_IDX
int
@@ -91,10 +91,10 @@ choice
default IMA_DEFAULT_HASH_SHA1
depends on IMA
help
- Select the default hash algorithm used for the measurement
- list, integrity appraisal and audit log. The compiled default
- hash algorithm can be overwritten using the kernel command
- line 'ima_hash=' option.
+ Select the default hash algorithm used for the measurement
+ list, integrity appraisal and audit log. The compiled default
+ hash algorithm can be overwritten using the kernel command
+ line 'ima_hash=' option.
config IMA_DEFAULT_HASH_SHA1
bool "SHA1 (default)"
@@ -138,9 +138,9 @@ config IMA_READ_POLICY
default y if IMA_WRITE_POLICY
default n if !IMA_WRITE_POLICY
help
- It is often useful to be able to read back the IMA policy. It is
- even more important after introducing CONFIG_IMA_WRITE_POLICY.
- This option allows the root user to see the current policy rules.
+ It is often useful to be able to read back the IMA policy. It is
+ even more important after introducing CONFIG_IMA_WRITE_POLICY.
+ This option allows the root user to see the current policy rules.
config IMA_APPRAISE
bool "Appraise integrity measurements"
@@ -158,12 +158,12 @@ config IMA_APPRAISE
If unsure, say N.
config IMA_ARCH_POLICY
- bool "Enable loading an IMA architecture specific policy"
- depends on KEXEC_VERIFY_SIG || IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS
- default n
- help
- This option enables loading an IMA architecture specific policy
- based on run time secure boot flags.
+ bool "Enable loading an IMA architecture specific policy"
+ depends on KEXEC_VERIFY_SIG || IMA_APPRAISE && INTEGRITY_ASYMMETRIC_KEYS
+ default n
+ help
+ This option enables loading an IMA architecture specific policy
+ based on run time secure boot flags.
config IMA_APPRAISE_BUILD_POLICY
bool "IMA build time configured policy rules"
@@ -238,10 +238,10 @@ config IMA_TRUSTED_KEYRING
select INTEGRITY_TRUSTED_KEYRING
default y
help
- This option requires that all keys added to the .ima
- keyring be signed by a key on the system trusted keyring.
+ This option requires that all keys added to the .ima
+ keyring be signed by a key on the system trusted keyring.
- This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING
+ This option is deprecated in favor of INTEGRITY_TRUSTED_KEYRING
config IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY
bool "Permit keys validly signed by a built-in or secondary CA cert (EXPERIMENTAL)"
@@ -266,32 +266,32 @@ config IMA_BLACKLIST_KEYRING
depends on IMA_TRUSTED_KEYRING
default n
help
- This option creates an IMA blacklist keyring, which contains all
- revoked IMA keys. It is consulted before any other keyring. If
- the search is successful the requested operation is rejected and
- an error is returned to the caller.
+ This option creates an IMA blacklist keyring, which contains all
+ revoked IMA keys. It is consulted before any other keyring. If
+ the search is successful the requested operation is rejected and
+ an error is returned to the caller.
config IMA_LOAD_X509
bool "Load X509 certificate onto the '.ima' trusted keyring"
depends on IMA_TRUSTED_KEYRING
default n
help
- File signature verification is based on the public keys
- loaded on the .ima trusted keyring. These public keys are
- X509 certificates signed by a trusted key on the
- .system keyring. This option enables X509 certificate
- loading from the kernel onto the '.ima' trusted keyring.
+ File signature verification is based on the public keys
+ loaded on the .ima trusted keyring. These public keys are
+ X509 certificates signed by a trusted key on the
+ .system keyring. This option enables X509 certificate
+ loading from the kernel onto the '.ima' trusted keyring.
config IMA_X509_PATH
string "IMA X509 certificate path"
depends on IMA_LOAD_X509
default "/etc/keys/x509_ima.der"
help
- This option defines IMA X509 certificate path.
+ This option defines IMA X509 certificate path.
config IMA_APPRAISE_SIGNED_INIT
bool "Require signed user-space initialization"
depends on IMA_LOAD_X509
default n
help
- This option requires user-space init to be signed.
+ This option requires user-space init to be signed.
Formatting of Kconfig files doesn't look so pretty, so let the Great White Handkerchief come around and clean it up.
Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
---
security/integrity/ima/Kconfig | 64 +++++++++++++++++++++---------------------
1 file changed, 32 insertions(+), 32 deletions(-)