109 lines
2.7 KiB
Plaintext
109 lines
2.7 KiB
Plaintext
# Task Integrity Verifier
|
|
|
|
config FIVE
|
|
bool "File Based Task Integrity Verifier (FIVE)(based on IMA)"
|
|
depends on INTEGRITY && DM_VERITY && BLK_DEV_LOOP
|
|
select CRYPTO
|
|
select CRYPTO_SHA1
|
|
select CRYPTO_SHA1_ARM64_CE if ARM64_CRYPTO && KERNEL_MODE_NEON
|
|
select CRYPTO_HASH_INFO
|
|
select INTEGRITY_SIGNATURE
|
|
select INTEGRITY_ASYMMETRIC_KEYS
|
|
default n
|
|
help
|
|
File Based Task Integrity Verifier (FIVE) maintains
|
|
signatures of executables and other sensitive system files,
|
|
as they are read or executed. If an attacker manages
|
|
to change the contents of an important system file
|
|
being measured, we can tell.
|
|
|
|
config FIVE_GKI_10
|
|
bool "GKI 1.0 compatible version of FIVE"
|
|
depends on FIVE
|
|
default n
|
|
help
|
|
Build GKI 1.0 compatible version of FIVE
|
|
|
|
config FIVE_GKI_20
|
|
bool "GKI 2.0 compatible version of FIVE"
|
|
depends on FIVE
|
|
default n
|
|
help
|
|
Build GKI 2.0 compatible version of FIVE
|
|
|
|
config FIVE_DEBUG
|
|
bool "FIVE Debug mode"
|
|
depends on FIVE
|
|
default n
|
|
help
|
|
Enable the debug mode in the FIVE
|
|
|
|
config FIVE_CERT_ENG
|
|
string "FIVE certificate to verify signatures for eng binary"
|
|
depends on FIVE_DEBUG
|
|
default "x509_five_eng.der"
|
|
help
|
|
Path to CERT which will be built-in to eng binary
|
|
|
|
config FIVE_CERT_USER
|
|
string "FIVE certificate to verify signatures for user binary"
|
|
depends on FIVE
|
|
default "x509_five_user.der"
|
|
help
|
|
Path to CERT which will be built-in to user binary
|
|
|
|
choice
|
|
prompt "Default integrity hash algorithm"
|
|
depends on FIVE
|
|
default FIVE_DEFAULT_HASH_SHA1
|
|
help
|
|
Select the default hash algorithm used for the measurement
|
|
list, integrity appraisal and audit log.
|
|
|
|
config FIVE_DEFAULT_HASH_SHA1
|
|
bool "SHA1 (default)"
|
|
depends on CRYPTO_SHA1
|
|
|
|
config FIVE_DEFAULT_HASH_SHA256
|
|
bool "SHA256"
|
|
depends on CRYPTO_SHA256
|
|
|
|
config FIVE_DEFAULT_HASH_SHA512
|
|
bool "SHA512"
|
|
depends on CRYPTO_SHA512
|
|
|
|
config FIVE_DEFAULT_HASH_WP512
|
|
bool "WP512"
|
|
depends on CRYPTO_WP512
|
|
endchoice
|
|
|
|
config FIVE_DEFAULT_HASH
|
|
string
|
|
depends on FIVE
|
|
default "sha1" if FIVE_DEFAULT_HASH_SHA1
|
|
default "sha256" if FIVE_DEFAULT_HASH_SHA256
|
|
default "sha512" if FIVE_DEFAULT_HASH_SHA512
|
|
default "wp512" if FIVE_DEFAULT_HASH_WP512
|
|
|
|
config FIVE_TRUSTED_KEYRING
|
|
bool "Require all keys on the .five keyring be signed"
|
|
depends on FIVE && SYSTEM_TRUSTED_KEYRING
|
|
default y
|
|
help
|
|
This option requires that all keys added to the .five
|
|
keyring be signed by a key on the system trusted keyring.
|
|
|
|
config FIVE_PA_FEATURE
|
|
bool "Process authenticator"
|
|
depends on FIVE && !PROCA
|
|
default y
|
|
help
|
|
Enable Process Authenticator related code
|
|
|
|
config FIVE_AUDIT_VERBOSE
|
|
bool "FIVE verbose audit logs"
|
|
depends on FIVE_DEBUG
|
|
default n
|
|
help
|
|
Enable verbose audit logs.
|