On 2/14/18 11:18 AM, Matthias Gerstner wrote:
Hi,
I'm currently evaluating the IMA (Integrity Measurement Architecture) for the security team. This is basically enabled in our current Leap and SLE-12 kernels but not in Tumbleweed.
For harmonization and because I'd like to test IMA with a current kernel on Tumbleweed, could you please enable the following kernel configuration options:
CONFIG_IMA=y CONFIG_IMA_READ_POLICY=y CONFIG_IMA_APPRAISE=y CONFIG_IMA_APPRAISE_BOOTPARAM=y CONFIG_IMA_NG_TEMPLATE=y CONFIG_IMA_DEFAULT_TEMPLATE="ima-ng" CONFIG_IMA_DEFAULT_HASH="sha256" CONFIG_IMA_DEFAULT_HASH_SHA256=y CONFIG_EVM=y CONFIG_EVM_ATTR_FSUUID=y
But *without* CONFIG_IMA_TRUSTED_KEYRING and CONFIG_INTEGRITY_TRUSTED_KEYRING (those don't make sense as long as we have no possibility to sign third party keys). See bnc#1075517.
For more information about what IMA does I've written up documentation in https://en.opensuse.org/SDB:Ima_evm.
Hi Matthias - I'm looking at integrating this. It looks like this is an older list of config options. I'm getting questions on: IMA_WRITE_POLICY EVM_LOAD_X509 What should these be? -Jeff -- Jeff Mahoney SUSE Labs