summaryrefslogtreecommitdiff
path: root/Documentation
diff options
context:
space:
mode:
Diffstat (limited to 'Documentation')
-rw-r--r--Documentation/ABI/testing/ima_policy8
-rw-r--r--Documentation/admin-guide/kernel-parameters.txt21
2 files changed, 22 insertions, 7 deletions
diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index bb0f9a135e21..e76432b9954d 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -34,9 +34,10 @@ Description:
fsuuid:= file system UUID (e.g 8bcbe394-4f13-4144-be8e-5aa9ea2ce2f6)
uid:= decimal value
euid:= decimal value
- fowner:=decimal value
+ fowner:= decimal value
lsm: are LSM specific
option: appraise_type:= [imasig]
+ pcr:= decimal value
default policy:
# PROC_SUPER_MAGIC
@@ -96,3 +97,8 @@ Description:
Smack:
measure subj_user=_ func=FILE_CHECK mask=MAY_READ
+
+ Example of measure rules using alternate PCRs:
+
+ measure func=KEXEC_KERNEL_CHECK pcr=4
+ measure func=KEXEC_INITRAMFS_CHECK pcr=5
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 3b335c1f8441..f24ee1c99412 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -1501,12 +1501,21 @@
in crypto/hash_info.h.
ima_policy= [IMA]
- The builtin measurement policy to load during IMA
- setup. Specyfing "tcb" as the value, measures all
- programs exec'd, files mmap'd for exec, and all files
- opened with the read mode bit set by either the
- effective uid (euid=0) or uid=0.
- Format: "tcb"
+ The builtin policies to load during IMA setup.
+ Format: "tcb | appraise_tcb | secure_boot"
+
+ The "tcb" policy measures all programs exec'd, files
+ mmap'd for exec, and all files opened with the read
+ mode bit set by either the effective uid (euid=0) or
+ uid=0.
+
+ The "appraise_tcb" policy appraises the integrity of
+ all files owned by root. (This is the equivalent
+ of ima_appraise_tcb.)
+
+ The "secure_boot" policy appraises the integrity
+ of files (eg. kexec kernel image, kernel modules,
+ firmware, policy, etc) based on file signatures.
ima_tcb [IMA] Deprecated. Use ima_policy= instead.
Load a policy which meets the needs of the Trusted