ima-configuration.rst

File metadata and controls

1202 lines (807 loc) · 32.6 KB

IMA Configuration

Kernel Support

IMA is now compiled in by most distros. See the build flag CONFIG_IMA. Known distros are:

  • Fedora
  • CentOS
  • RHEL
  • Ubuntu
  • Debian
  • Alpine
  • OpenSuse
  • AltLinux
  • Gentoo

Configuration takes three forms:

  • kernel-configuration-options
  • boot-command-line-arguments
  • custom-policy

Kernel Configuration Options

Linux kernel configuration options, passed to the compiler, determine how the kernel image is built.

The location of the kernel configuration file is either /boot or /lib/modules/kernel-version/.

The state of a build flag can be viewed with, e.g.,

cat /boot/config-`uname -r` | grep IMA_WRITE_POLICY

The boolean values are

  • "=y" if compiled statically into the kernel
  • "=m" if compiled in as a kernel module
  • "is not set" if that setting was commented out
  • not listed is the same as commented out

Relevant build flags are in https://github.com/torvalds/linux/blob/master/security/integrity/ima/Kconfig

general-build-flags:

  • config-integrity
  • config-ima
  • config-ima-write-policy
  • config-ima-read-policy
  • config-ima-default-hash
  • config-fs-verity

compiled-in-policies:

  • config-ima-arch-policy
  • config-ima-appraise-build-policy
  • config-ima-appraise-require-firmware-sigs
  • config-ima-appraise-require-kexec-sigs
  • config-ima-appraise-require-module-sigs
  • config-ima-appraise-require-policy-sigs

measure:

  • config-ima-default-template
  • config-ima-measure-pcr-idx
  • config-ima-kexec
  • config-ima-disable-htable
  • config-ima-measure-asymmetric-keys
  • config-ima-lsm-rules
  • config-ima-queue-early-boot-keys

appraise:

  • config-ima-appraise
  • config-ima-appraise-bootparam
  • config-ima-appraise-modsig
  • config-ima-trusted-keyring
  • config-integrity-signature
  • config-integrity-asymmetric-keys
  • config-ima-appraise-signed-init
  • config-system-blacklist-keyring
  • config-load-uefi-keys
  • config-load-ipl-keys
  • config-load-ppc-keys

evm-build-flags:

  • config-evm
  • config-encrypted-keys
  • config-user-decrypted-data
  • config-trusted-keys
  • config-evm-add-xattrs
  • config-evm-extra-smack-xattrs

keyring-configuration:

  • config-secondary-trusted-keyring
  • config-integrity-platform-keyring
  • config-integrity-machine-keyring
  • config-integrity-ca-machine-keyring

General

CONFIG_INTEGRITY

This boolean enables the integrity subsystem, which includes the Integrity Measurement Architecture (IMA), Extended Verification Module (EVM), the IMA-appraisal extension, the digital signature verification extension and audit measurement log support.

Each of these components can be enabled/disabled separately. Refer to the individual components for additional details.

  • IMA - see config-ima.
  • EVM - see config-evm.
  • IMA Appraisal Hash verification - see config-ima-appraise
  • IMA Appraisal Digital Signature Verification - see config-integrity-signature.
  • audit measurement log support.

CONFIG_IMA

This boolean enables IMA.

CONFIG_IMA_WRITE_POLICY

This boolean enables multiple appends to the custom IMA policy. See runtime-custom-policy.

CONFIG_IMA_READ_POLICY

This boolean enables reading the current IMA policy. See reading-policies. This option allows the root user to see the current policy rules.

If the boolean is false, either the policy file will not exist or the policy file will exist but the mode bits will not permit a read.

CONFIG_IMA_DEFAULT_HASH

This string specifies the file data hash algorithm for measurement, appraisal, and audit. It is overridden by the boot-command-line-arguments ima-hash specifier. Both can be overridden by the hash used for the file signature algorithm.

Supported values are:

  • sha1
  • sha256
  • sha512
  • wp512
  • sm3

CONFIG_FS_VERITY

This boolean enables fs-verity read-only file-based authenticity protection.

Compiled-In Policies

Build flags can specify appraisal policy rules that are present at run time if the boot-command-line-arguments are not used.

These are:

  • config-ima-arch-policy
  • config-ima-appraise-build-policy
  • config-ima-appraise-require-firmware-sigs
  • config-ima-appraise-require-kexec-sigs
  • config-ima-appraise-require-module-sigs
  • config-ima-appraise-require-policy-sigs

The rules determined by config-ima-arch-policy persist; they are not replaced. The rules determined by the other flags can be replaced.

CONFIG_IMA_ARCH_POLICY

This boolean enables compiled-in architecture specific policy rules. If enabled, it loads its IMA appraise rules before other compiled-in or built-in command line appraise rules, so they cannot be overridden. They persist. I.e., they cannot be replaced by a boot-time-custom-policy or runtime-custom-policy, which might otherwise remove these rules.

Secure boot must appraise the entire boot software stack through the kernel. This includes the kernel kexec image and kernel modules. The kernel configuration includes a method using CONFIG_KEXEC_SIG and CONFIG_MODULE_SIG. If either is not enabled, IMA verifies (appraises) the signatures.

That is, if CONFIG_KEXEC_SIG is true, the kernel will require and verify the signature over the kernel image. If false, CONFIG_IMA_ARCH_POLICY will add an IMA appraise func-kexec-kernel-check rule.

If CONFIG_MODULE_SIG is true, the kernel will verify a kernel module appended signature. If false, CONFIG_IMA_ARCH_POLICY will add an IMA appraise func-module-check rule.

In addition to the appraise rules, CONFIG_IMA_ARCH_POLICY always adds trusted boot measure rules for arm-and-x86 UEFI based platforms.

These policy rules are based on the firmware boot status (e.g. arm-and-x86 UEFI secure boot, powerpc secure boot and trusted boot). See secure-boot-state for a method of determining whether secure and/or trusted boot is enabled.

ARM and x86

Warning

FIXME test this

If UEFI secure boot is enabled:

If CONFIG_KEXEC_SIG is false, CONFIG_IMA_ARCH_POLICY adds this rule to appraise the kernel:

appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig

If CONFIG_MODULE_SIG is false, CONFIG_IMA_ARCH_POLICY adds this rule to appraise kernel modules:

appraise func=MODULE_CHECK appraise_type=imasig

Regardless of those configuration flags, CONFIG_IMA_ARCH_POLICY adds these rules to measure the kernel and kernel modules. It does not differentiate between secure and trusted boot.

measure func=KEXEC_KERNEL_CHECK
measure func=MODULE_CHECK

PowerPC

If firmware secure boot is enabled, CONFIG_IMA_ARCH_POLICY adds this rule:

appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig

and if CONFIG_MODULE_SIG is false, CONFIG_IMA_ARCH_POLICY adds this rule

appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig

If only trusted boot is enabled, CONFIG_IMA_ARCH_POLICY adds these rules:

measure func=KEXEC_KERNEL_CHECK
measure func=MODULE_CHECK

If both firmware secure boot and trusted boot are enabled, CONFIG_IMA_ARCH_POLICY adds these rules:

measure func=KEXEC_KERNEL_CHECK template=ima-modsig
measure func=MODULE_CHECK template=ima-modsig
appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig

and if CONFIG_MODULE_SIG is false, CONFIG_IMA_ARCH_POLICY adds this rule

appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig

CONFIG_MODULE_SIG

This boolean enables an alternative method (not IMA) for validating appended signatures.

See config-ima-arch-policy.

CONFIG_IMA_APPRAISE_BUILD_POLICY

This boolean enables compiled-in IMA policy rules. They are effective at runtime without needing an ima-policy on the boot command line. It loads its IMA appraise rules before other compiled-in or built-in command line appraise rules. Unlike config-ima-arch-policy, these rules can be replaced by a boot-time-custom-policy or runtime-custom-policy.

If enabled config-ima-appraise-require-firmware-sigs, config-ima-appraise-require-kexec-sigs, config-ima-appraise-require-module-sigs, and config-ima-appraise-require-policy-sigs determine the policy rules.

An alternative to the compiled-in policy rules is ima-policy-secure-boot on the boot command line.

CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS

This boolean enables a policy rule to appraise firmware. config-ima-appraise-build-policy enables this flag.

It requires all firmware to be signed. See func and appraise-type.

appraise func=FIRMWARE_CHECK appraise_type=imasig

CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS

This boolean enables a policy rule to appraise kexec'ed kernel images. config-ima-appraise-build-policy enables this flag.

It requires all kexec'ed kernel images to be signed and verified by a public key on the trusted IMA keyring. See func and appraise-type.

appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig

CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS

This boolean enables a policy rule to appraise kernel module signatures. config-ima-appraise-build-policy enables this flag.

It requires all kernel modules to be signed and verified by a public key on the trusted IMA keyring. See func and appraise-type.

appraise func=MODULE_CHECK appraise_type=imasig

CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS

This boolean enables a policy rule to appraise IMA policy signatures. config-ima-appraise-build-policy enables this flag.

It requires the IMA policy to be signed and verified by a key on the trusted IMA keyring. See func, appraise-type, and custom-policy.

appraise func=POLICY_CHECK appraise_type=imasig
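The rule derivation described in this Compiled-In Policies section, as an added illustration (not kernel code and not part of the original page): it classifies flags in a constructed /boot/config fragment into the four states listed under Kernel Configuration Options, then returns the rules the page lists for CONFIG_IMA_ARCH_POLICY (ARM/x86 UEFI and PowerPC) and CONFIG_IMA_APPRAISE_BUILD_POLICY. The function names are the example's own; the ARM/x86 rules are emitted when UEFI secure boot is enabled, following the ARM and x86 subsection above.

```python
"""Derive the compiled-in IMA policy rules described on this page from a
kernel .config and the firmware boot state.  Added illustration, not kernel
code: rule strings are the ones the page lists; the .config is a sample."""
import re

# Constructed /boot/config-<version> fragment (sample data, not a real system).
SAMPLE_CONFIG = """\
CONFIG_IMA=y
CONFIG_IMA_ARCH_POLICY=y
# CONFIG_KEXEC_SIG is not set
CONFIG_MODULE_SIG=y
CONFIG_IMA_APPRAISE_BUILD_POLICY=y
CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS=y
CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y
"""

def config_state(config_text, flag):
    """'y', 'm', 'not set' (commented out) or 'not listed'; string/number options return their value."""
    for line in config_text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line)
        if m and m.group(1) == flag:
            return m.group(2).strip('"')
        if line.strip() == f"# {flag} is not set":
            return "not set"
    return "not listed"

def enabled(config_text, flag):
    """A boolean option counts as on only when built in statically (=y)."""
    return config_state(config_text, flag) == "y"

def arch_policy_rules(config_text, arch, secure_boot, trusted_boot=False):
    """Persistent rules added by CONFIG_IMA_ARCH_POLICY; arch is 'x86' (also ARM UEFI) or 'powerpc'."""
    rules = []
    if not enabled(config_text, "CONFIG_IMA_ARCH_POLICY"):
        return rules
    kexec_sig = enabled(config_text, "CONFIG_KEXEC_SIG")
    module_sig = enabled(config_text, "CONFIG_MODULE_SIG")
    if arch == "x86" and secure_boot:
        # Appraise only where the non-IMA signature check is not compiled in;
        # measure regardless of CONFIG_KEXEC_SIG / CONFIG_MODULE_SIG.
        if not kexec_sig:
            rules.append("appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig")
        if not module_sig:
            rules.append("appraise func=MODULE_CHECK appraise_type=imasig")
        rules += ["measure func=KEXEC_KERNEL_CHECK", "measure func=MODULE_CHECK"]
    elif arch == "powerpc":
        if secure_boot and trusted_boot:
            rules += ["measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
                      "measure func=MODULE_CHECK template=ima-modsig"]
        elif trusted_boot:
            rules += ["measure func=KEXEC_KERNEL_CHECK", "measure func=MODULE_CHECK"]
        if secure_boot:
            rules.append("appraise func=KEXEC_KERNEL_CHECK "
                         "appraise_flag=check_blacklist appraise_type=imasig|modsig")
            if not module_sig:
                rules.append("appraise func=MODULE_CHECK "
                             "appraise_flag=check_blacklist appraise_type=imasig|modsig")
    return rules

# CONFIG_IMA_APPRAISE_BUILD_POLICY sub-options and the rule each one adds.
BUILD_POLICY_RULES = [
    ("CONFIG_IMA_APPRAISE_REQUIRE_FIRMWARE_SIGS", "appraise func=FIRMWARE_CHECK appraise_type=imasig"),
    ("CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS", "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig"),
    ("CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS", "appraise func=MODULE_CHECK appraise_type=imasig"),
    ("CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS", "appraise func=POLICY_CHECK appraise_type=imasig"),
]

def build_policy_rules(config_text):
    """Replaceable rules added by CONFIG_IMA_APPRAISE_BUILD_POLICY, in the page's flag order."""
    if not enabled(config_text, "CONFIG_IMA_APPRAISE_BUILD_POLICY"):
        return []
    return [rule for flag, rule in BUILD_POLICY_RULES if enabled(config_text, flag)]

def compiled_in_rules(config_text, arch, secure_boot, trusted_boot=False):
    """Arch rules first (they load before other appraise rules), then build rules."""
    return (arch_policy_rules(config_text, arch, secure_boot, trusted_boot)
            + build_policy_rules(config_text))
```

With the sample config, the x86 arch policy appraises only the kexec image (CONFIG_MODULE_SIG=y handles modules), while the build policy still adds the MODULE_CHECK and POLICY_CHECK appraise rules.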

Measure

The configuration flags affecting measurement are below. See policy-rule-order.

  • config-ima-default-template
  • config-ima-measure-pcr-idx
  • config-ima-kexec
  • config-ima-disable-htable
  • config-ima-measure-asymmetric-keys
  • config-ima-lsm-rules
  • config-ima-queue-early-boot-keys

CONFIG_IMA_DEFAULT_TEMPLATE

This string sets the default value for the ima-event-log built-in-templates, which specifies the IMA event log format.

The default value can be globally overridden by the boot-command-line-arguments template-specifiers. They can be overridden for a measurement by a policy-syntax template.

The value depends upon the kernel release. A typical value is ima-ng or ima-sig.

CONFIG_IMA_MEASURE_PCR_IDX

This decimal number sets the PCR index used by IMA. The default is 10.

See also the policy rule pcr-value.

CONFIG_IMA_KEXEC

This boolean enables carrying the IMA measurement list across a kexec soft boot.

TPM PCRs are only reset on a hard reboot. In order to validate a TPM's quote after a soft boot, the IMA measurement list of the running kernel must be saved and restored after the soft boot.

Depending on the IMA policy, the measurement list can grow to be very large.

CONFIG_IMA_DISABLE_HTABLE

This boolean affects measurement behavior. In detail, there are three factors:

  1. IMA status booleans, which indicate that the file has been opened for change since the last IMA measurement
  2. The IMA hash table, which tracks files already measured
  3. This kernel configuration flag CONFIG_IMA_DISABLE_HTABLE

The status boolean is based on iversion for filesystems mounted with iversion. Without iversion, the file is assumed to have changed.

NOTE: So that IMA will process the same hash again when seen in different contexts, there are several boolean status bits:

  • ima_file
  • ima_mmap
  • ima_bprm
  • ima_read
  • ima_cred
  • evm

Warning

Add a definition of each status bit. Add cross references. How can the status bits be read?

In kernels that do not implement CONFIG_IMA_DISABLE_HTABLE, or if CONFIG_IMA_DISABLE_HTABLE is false, if the status is true and the file hash is not in the hash table, the file is measured. If the status is false (not changed) or the hash is in the hash table (already measured), the file is not measured.

The action is different if CONFIG_IMA_DISABLE_HTABLE is true. In this case, if the status is true, the file is measured, even if the hash is already in the hash table.

The intent of setting CONFIG_IMA_DISABLE_HTABLE to true is to record the case where a file changed, but changed back before it triggered a measure policy. For example, if a file changed from hash1 to hash2 to hash1, three events would be measured. If CONFIG_IMA_DISABLE_HTABLE were false, the third event would not be measured, since hash1 was already in the hash table. An attester, in the latter case, would think the file was still in the hash2 state.
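The hash1 to hash2 to hash1 case above, simulated as an added example (not kernel code and not part of the original page): measure_events models the per-file changed status, the IMA hash table and the CONFIG_IMA_DISABLE_HTABLE setting; the event sequence is constructed and attester_view is the example's own helper.

```python
"""Simulate the measure decision this section describes for a file whose
content goes hash1 -> hash2 -> hash1, with CONFIG_IMA_DISABLE_HTABLE false
and true.  Added illustration of the page's description, not kernel code."""

# Constructed event sequence: (written since the last measurement, digest seen
# when the measure rule fires).  The first access counts as changed because
# the file has never been measured; the last entry is a plain re-read.
EXAMPLE = [(True, "hash1"), (True, "hash2"), (True, "hash1"), (False, "hash1")]

def measure_events(events, disable_htable, iversion=True):
    """Return the digests IMA would add to the measurement list, in order.

    disable_htable: value of CONFIG_IMA_DISABLE_HTABLE.
    iversion: filesystem mounted with iversion.  Without it the status bit
    cannot be trusted, so every access is treated as a change (see above).
    """
    measured = []
    htable = set()                 # digests already in the IMA hash table
    for written, digest in events:
        status = written if iversion else True   # the 'changed' status bit
        if not status:
            continue               # unchanged: not measured in either mode
        if not disable_htable and digest in htable:
            continue               # already measured once: skipped
        measured.append(digest)
        htable.add(digest)
    return measured

def attester_view(measured):
    """The file state a remote verifier infers from the last measured entry."""
    return measured[-1] if measured else None

if __name__ == "__main__":
    for disable in (False, True):
        seen = measure_events(EXAMPLE, disable_htable=disable)
        print(f"CONFIG_IMA_DISABLE_HTABLE={'y' if disable else 'n'}: "
              f"{seen}, attester sees {attester_view(seen)}")
```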

CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS

This boolean enables measuring asymmetric keys when the key is loaded onto a keyring. IMA policy rules can either measure keys loaded onto any keyring or only measure keys loaded onto keyrings specified through the keyrings-condition condition.

Examples:

  • measure keys loaded onto any keyring

    measure func=KEY_CHECK
  • measure keys loaded onto the dot-ima keyring only for the root user

    measure func=KEY_CHECK uid=0 keyrings=.ima
  • measure keys on the dot-builtin-trusted-keys and dot-ima keyrings into a different PCR

    measure func=KEY_CHECK keyrings=".builtin_trusted_keys|.ima" pcr=11

CONFIG_IMA_LSM_RULES

This boolean enables policy rules containing LSM labels.

See obj-user-equals, obj-role-equals, obj-type-equals, subj-user-equals, subj-role-equals, and subj-type-equals for the policy rule syntax.

If this boolean is disabled, a policy containing these policy rules will be rejected. See runtime-custom-policy.

CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS

built-in-policy-rules do not have rules to measure keys added to keyrings. I.e., they do not have a func-key-check rule.

When this boolean is set, keys added to keyrings at boot are queued. When a custom-policy with a func-key-check rule is specified, the queue is replayed so that each key can be measured.

Appraise

The configuration flags affecting appraisal are below. See policy-rule-order.

  • config-ima-appraise
  • config-ima-appraise-bootparam
  • config-ima-appraise-modsig
  • config-ima-trusted-keyring
  • config-integrity-signature
  • config-integrity-asymmetric-keys
  • config-ima-appraise-signed-init
  • config-system-blacklist-keyring
  • config-load-uefi-keys
  • config-load-ipl-keys
  • config-load-ppc-keys

CONFIG_IMA_APPRAISE

This boolean enables verifying local file integrity.

The default is enforce mode. See config-ima-appraise-bootparam and ima-appraise for options.

See also config-evm.

CONFIG_IMA_APPRAISE_BOOTPARAM

This boolean allows the different ima-appraise modes to be specified on the boot command line.

False prevents disabling enforce mode on the boot command line for a production system.

True allows enforce mode to be disabled on the boot command line for debug or fixing hashes.

CONFIG_IMA_APPRAISE_MODSIG

This boolean adds support for signatures appended to files. The format of the appended signature is the same as that used for signed kernel modules. The modsig keyword can be used in the IMA policy to allow a hook to accept such signatures.

See the policy rule appraise-type modsig.

CONFIG_IMA_TRUSTED_KEYRING

This boolean enables use of the trusted dot-ima and dot-evm keyrings, as opposed to the _ima and _evm keyrings.

CONFIG_INTEGRITY_SIGNATURE

This boolean enables signature verification. See config-integrity-asymmetric-keys.

CONFIG_INTEGRITY_ASYMMETRIC_KEYS

This boolean enables asymmetric key verification using asymmetric keys on the keyrings.

See also config-integrity-signature.

CONFIG_IMA_APPRAISE_SIGNED_INIT

This boolean causes the built-in ima-policy-appraise-tcb to load a policy rule requiring all root-owned files to be signed, as opposed to being hashed.

CONFIG_SYSTEM_BLACKLIST_KEYRING

When this boolean is set, the dot-blacklist keyring is checked before keys can be loaded onto keyrings.

CONFIG_LOAD_UEFI_KEYS

When this boolean is set, the dot-platform keyring is provisioned with keys from the UEFI DB and the dot-blacklist keyring is provisioned with keys from the UEFI DBX.

CONFIG_LOAD_IPL_KEYS

When this boolean is set, the dot-platform keyring and the dot-blacklist keyring are provisioned for S390.

CONFIG_LOAD_PPC_KEYS

When this boolean is set, the dot-platform keyring and the dot-blacklist keyring are provisioned for POWER.

EVM Build Flags

The configuration flags affecting EVM are below:

  • config-evm
  • config-encrypted-keys
  • config-user-decrypted-data
  • config-trusted-keys
  • config-evm-add-xattrs
  • config-evm-extra-smack-xattrs

CONFIG_EVM

This boolean enables EVM appraisal of extended attributes and file meta-data.

See extended-verification-module.

CONFIG_ENCRYPTED_KEYS

This tristate enables evm-hmac.

It can be set either to y (built into the kernel) or to m (compiled as a kernel module). y is desired.

CONFIG_USER_DECRYPTED_DATA

This boolean permits the user to instantiate the evm-hmac encrypted key with user-provided decrypted data using keyctl.

If not set, the kernel uses a random number.

It requires config-encrypted-keys.

See https://www.kernel.org/doc/html/latest/security/keys/trusted-encrypted.html

Warning

Add an example of keyctl.

CONFIG_TRUSTED_KEYS

This tristate enables the generation and load of a evm-hmac master key. This is a trusted key type.

It can be set either to y (built into the kernel) or to m (compiled as a kernel module). y is desired.

It requires config-encrypted-keys.

See https://www.kernel.org/doc/html/latest/security/keys/trusted-encrypted.html

CONFIG_EVM_ADD_XATTRS

This boolean permits the user to add additional EVM extended attributes (xattrs) at runtime.

When this option is enabled, root can add additional xattrs to the list used by EVM by writing them into /sys/kernel/security/integrity/evm/evm_xattrs.

See extended-verification-module for the default list.

CONFIG_EVM_EXTRA_SMACK_XATTRS

This boolean adds additional SMACK EVM extended attributes (xattrs) for the HMAC calculation. It adds:

  • security.SMACK64EXEC
  • security.SMACK64TRANSMUTE
  • security.SMACK64MMAP

Keyring Configuration

The configuration flags affecting trusted keyrings are:

  • config-secondary-trusted-keyring
  • config-integrity-platform-keyring
  • config-integrity-machine-keyring
  • config-integrity-ca-machine-keyring
  • config-integrity-ca-machine-keyring-max

CONFIG_SECONDARY_TRUSTED_KEYRING

This boolean enables the dot-secondary-trusted-keys keyring to which extra keys may be added, provided those keys are not on a deny list and are vouched for by a key built into the kernel, a key on the dot-machine keyring, or a key already in the dot-secondary-trusted-keys keyring.

CONFIG_INTEGRITY_PLATFORM_KEYRING

This boolean enables the dot-platform keyring.

CONFIG_INTEGRITY_MACHINE_KEYRING

When this boolean is set, registered machine owner key certificates are loaded by default on the dot-machine keyring.

When it is clear, registered machine owner key certificates are loaded on the dot-platform keyring.

Note that this boolean is only supported for MOK keys on UEFI.

config-integrity-ca-machine-keyring and config-integrity-ca-machine-keyring-max can override the default.

CONFIG_INTEGRITY_CA_MACHINE_KEYRING

When this boolean is set, registered MOK key signing certificates (X.509 CA bit and keyCertSign true) are loaded on the dot-machine keyring. Others go on the dot-platform keyring.

See also config-integrity-ca-machine-keyring-max.

Distribution   State
Ubuntu 23      not set
Fedora 39      set

CONFIG_INTEGRITY_CA_MACHINE_KEYRING_MAX

When this boolean is set, registered MOK key signing CA certificates (X.509 CA bit and keyCertSign true, and digitalSignature false) are loaded on the dot-machine keyring. Others go on the dot-platform keyring.

This boolean overrides config-integrity-ca-machine-keyring.

Distribution   State
Ubuntu 23      not set
Fedora 39      set

Boot Command Line Arguments

These boot command line arguments can be added on the boot command line.

  • ima-hash
  • ima-policy
  • ima-appraise
  • ima-template
  • ima-canonical-fmt
  • ima-template-fmt

Hash Specifiers

ima_hash

The ima_hash= argument specifies the file data hash algorithm used. It overrides the config-ima-default-hash algorithm.

  • measurement - the ima-event-log - template-data-fields
    • d-ng and d-ngv2 hash algorithm
  • appraisal - the hash algorithm used to calculate and verify hashes
  • audit - the hash algorithm used for audit log entries

Supported values are:

  • md5 - supported only with ima_template=ima
  • sha1 - the default with ima_template=ima
  • sha224
  • sha256 - default
  • sha384
  • sha512
  • rmd128
  • rmd160
  • rmd256
  • rmd320
  • wp256
  • wp384
  • wp512
  • tgr128
  • tgr160
  • tgr192
  • sm3
  • streebog256
  • streebog512

If ima-template is ima, only md5 and sha1 are supported.

The values are taken from https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/crypto/hash_info.c.

Policy Specifiers

ima_policy

The ima_policy= argument specifies boot time IMA policy rules. There are several built-in-policy-rules. Selecting an IMA built-in policy uses those formats. See built-in-policy-rules for their effect.

The command line arguments ima_tcb and ima_appraise_tcb are deprecated in favor of ima-policy-tcb and ima-policy-appraise-tcb.

Multiple ima_policy specifiers can be used. Their policies are concatenated. The order is hard coded as shown in the below list.

The supported measure values for ima_policy= are:

  1. ima-policy-tcb - measure rules
  2. ima-policy-critical-data - measure rules

The supported appraise values for ima_policy= are:

  1. ima-policy-secure-boot
  2. ima-policy-appraise-tcb
  3. ima-policy-fail-securely

The two ways of using multiple specifiers are:

  • Recommended - multiple ima_policy= statements. For example:

    ima_policy=tcb ima_policy=critical_data
  • Alternate - multiple specifiers using the divider line format. For example:

    ima_policy="tcb|critical_data"

The divider line format requires the terms to be enclosed in double quotes ("). One can either edit the boot command line interactively or edit the grub boot file, e.g., under /boot/loader/entries on Fedora. The grubby --args= method must escape the " characters in a shell dependent way.
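A checker for the ima_hash= and ima_policy= arguments described in the Hash Specifiers and Policy Specifiers sections above, added here as an example (not kernel code and not part of the original page): it accepts both multiple-specifier forms, orders the selected built-in policies as the page lists them, flags the deprecated ima_tcb and ima_appraise_tcb arguments, and rejects an ima_hash value the legacy ima template cannot use. The function names and the assumed default template ima-ng (standing in for CONFIG_IMA_DEFAULT_TEMPLATE) are the example's own.

```python
"""Check the ima_hash= and ima_policy= boot arguments described above.  Added
example, not kernel code; the command lines in the tests are constructed."""
import shlex

# Hard-coded load order from the page: measure policies, then appraise ones.
MEASURE_ORDER = ["tcb", "critical_data"]
APPRAISE_ORDER = ["secure_boot", "appraise_tcb", "fail_securely"]
DEPRECATED = {"ima_tcb": "ima_policy=tcb", "ima_appraise_tcb": "ima_policy=appraise_tcb"}

# ima_hash= values the page lists; the legacy 'ima' template takes only md5/sha1.
IMA_HASHES = {"md5", "sha1", "sha224", "sha256", "sha384", "sha512",
              "rmd128", "rmd160", "rmd256", "rmd320", "wp256", "wp384", "wp512",
              "tgr128", "tgr160", "tgr192", "sm3", "streebog256", "streebog512"}

def cmdline_args(cmdline):
    """Split a kernel command line into (key, value) pairs; bare words get None.
    shlex removes the quotes around the ima_policy="a|b" divider form."""
    pairs = []
    for arg in shlex.split(cmdline):
        key, sep, val = arg.partition("=")
        pairs.append((key, val if sep else None))
    return pairs

def ima_policy_specifiers(cmdline):
    """All ima_policy= values in command line order; both the repeated-argument
    and the quoted divider form are accepted, deprecated spellings rejected."""
    values = []
    for key, val in cmdline_args(cmdline):
        if key in DEPRECATED:
            raise ValueError(f"{key} is deprecated; use {DEPRECATED[key]}")
        if key == "ima_policy" and val:
            values.extend(v for v in val.split("|") if v)
    return values

def builtin_policies(cmdline):
    """(measure, appraise) built-in policies in load order; duplicates are
    collapsed, since the policies are concatenated in a fixed order anyway."""
    wanted = set(ima_policy_specifiers(cmdline))
    unknown = wanted - set(MEASURE_ORDER) - set(APPRAISE_ORDER)
    if unknown:
        raise ValueError(f"unknown ima_policy value(s): {sorted(unknown)}")
    return ([p for p in MEASURE_ORDER if p in wanted],
            [p for p in APPRAISE_ORDER if p in wanted])

def effective_hash(cmdline, default_template="ima-ng"):
    """ima_hash in effect, or ValueError if it cannot be used with the template.
    default_template stands in for CONFIG_IMA_DEFAULT_TEMPLATE (assumed ima-ng)."""
    args = dict(cmdline_args(cmdline))
    legacy = args.get("ima_template", default_template) == "ima"
    algo = args.get("ima_hash") or ("sha1" if legacy else "sha256")
    if algo not in IMA_HASHES:
        raise ValueError(f"unsupported ima_hash={algo}")
    if legacy and algo not in ("md5", "sha1"):
        raise ValueError(f"ima_template=ima supports only md5 and sha1, not {algo}")
    return algo
```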

Appraise Specifiers

ima_appraise

The ima_appraise= argument can change the default enforce appraise mode.

Note: The mode can only be changed if secure boot in the UEFI firmware is disabled. If UEFI secure boot is enabled, the default enforce cannot be changed. See built-in-policy-rules. This is not the same as the ima-policy-secure-boot command line argument.

This command line argument is only available if config-ima-appraise-bootparam is set.

This specifies the effect of the policy rule appraise action. The four values are:

  • enforce causes IMA to appraise files. Access is denied to the appraised file if the stored hash is missing or does not match the collected value.
  • log is similar to enforce except access is not denied but only logged to /var/log/audit/audit.log.
  • off disables all appraisal. The stored hashes aren't checked or logged. New stored hashes are not generated or updated.
  • fix enables the IMA repair mode. The stored hash reference value of a protected file can be created or updated. The file hash is (re)calculated and stored.

    fix is often used on first boot. This will allow the system to boot up even when no (or wrong) hashes are registered.

    fix only creates and updates hashes on files that would otherwise be appraised. If using a custom IMA policy, that policy must be loaded first. If neither ima-policy-appraise-tcb nor a custom policy is loaded, the default policy is to not appraise anything, and fix will have no effect. Additionally, this process may need to be repeated if there's a change in the IMA policy.

    fix only updates hashes on files that have no signatures. It cannot create a file signature.

A typical procedure for adding file data hashes and meta-data HMAC is:

  • boot first in fix mode
  • open for read all files that will be appraised

    Example

    find / -fstype ext4 -type f -uid 0 -exec dd if='{}' of=/dev/null count=0 status=none \;
  • When done, the stored hash value should show as an extended attribute:

    Example

    getfattr -m - -d /sbin/init
    # file: sbin/init
    security.ima=0sAXr7Qmun5mkGDS286oZxCpdGEuKT
    security.selinux="system_u:object_r:init_exec_t"
  • reboot in appraise mode

    The system should now run with appraisal enabled, causing the system to validate the hash against the stored value before using it. If it doesn't match, then the file is not loaded and any access will be denied.

Note: Appraisal can be verified by booting with ima_appraise=off, changing the contents of a root-owned file (or the value of the extended attribute), and rebooting with ima_appraise=enforce.

evm

The evm argument can take one value, evm=fix. It requires ima_appraise=fix.

It has the same effect as ima_appraise=fix, but updates the evm-hmac.

Template Specifiers

ima_template

The ima_template= argument specifies boot time ima-event-log built-in-templates. There are several built-in-templates. See built-in-templates for their effect.

Custom templates described in template-data-fields are not supported. Some may work, but their use is deprecated. Use ima-template-fmt to specify custom templates.

The default value is compiled in as CONFIG_IMA_DEFAULT_TEMPLATE. The supported values for ima_template= are:

  • ima
  • ima-ng
  • ima-sig
  • ima-buf
  • ima-modsig
  • ima-ngv2
  • ima-sigv2
  • (evm-sig) - While this is currently allowed, it is not recommended because it would apply to items that are not files with EVM signature attributes.

ima_canonical_fmt

The ima_canonical_fmt option sets the canonical format for the binary runtime measurements, instead of host native format.

It forces the event log to store all integral values as little endian on big endian machines.

Recommendation:

This option is suggested on all big endian machines, since a verifier may not be written to handle big endian event logs.

It is strongly suggested on a big endian machine that may receive a kexec(), since the event log may otherwise be a mix of big and little endian measurements.

Warning

FIXME Test this

ima_template_fmt

As an alternative to the built-in templates, a custom template can be specified using the fields from template-data-fields, concatenated using the | character.

Use ima-template to specify the built-in-templates.