~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/Documentation/ABI/testing/evm

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /Documentation/ABI/testing/evm (Version linux-6.12-rc7) and /Documentation/ABI/testing/evm (Version linux-3.10.108)


  1 What:           /sys/kernel/security/evm       !!   1 What:           security/evm
  2 What:           /sys/kernel/security/*/evm     << 
  3 Date:           March 2011                          2 Date:           March 2011
  4 Contact:        Mimi Zohar <zohar@us.ibm.com>        3 Contact:        Mimi Zohar <zohar@us.ibm.com>
  5 Description:                                        4 Description:
  6                 EVM protects a file's security      5                 EVM protects a file's security extended attributes(xattrs)
  7                 against integrity attacks. The      6                 against integrity attacks. The initial method maintains an
  8                 HMAC-sha1 value across the ext      7                 HMAC-sha1 value across the extended attributes, storing the
  9                 value as the extended attribut      8                 value as the extended attribute 'security.evm'.
 10                                                     9 
 11                 EVM supports two classes of se !!  10                 EVM depends on the Kernel Key Retention System to provide it
 12                 an HMAC-sha1 generated locally !!  11                 with a trusted/encrypted key for the HMAC-sha1 operation.
 13                 trusted/encrypted key stored i !!  12                 The key is loaded onto the root's keyring using keyctl.  Until
 14                 Retention System. The second i !!  13                 EVM receives notification that the key has been successfully
 15                 generated either locally or re !!  14                 loaded onto the keyring (echo 1 > <securityfs>/evm), EVM
 16                 asymmetric key. These keys are !!  15                 can not create or validate the 'security.evm' xattr, but
 17                 keyring using keyctl, and EVM  !!  16                 returns INTEGRITY_UNKNOWN.  Loading the key and signaling EVM
 18                 echoing a value to <securityfs !!  17                 should be done as early as possible.  Normally this is done
 19                 following bits:                !!  18                 in the initramfs, which has already been measured as part
 20                                                !!  19                 of the trusted boot.  For more information on creating and
 21                 ===       ==================== !!  20                 loading existing trusted/encrypted keys, refer to:
 22                 Bit       Effect               !!  21                 Documentation/keys-trusted-encrypted.txt.  (A sample dracut
 23                 ===       ==================== !!  22                 patch, which loads the trusted/encrypted key and enables
 24                 0         Enable HMAC validati !!  23                 EVM, is available from http://linux-ima.sourceforge.net/#EVM.)
 25                 1         Enable digital signa << 
 26                 2         Permit modification  << 
 27                           runtime. Not support << 
 28                           creation is enabled  << 
 29                 31        Disable further runt << 
 30                 ===       ==================== << 
 31                                                << 
 32                 For example::                  << 
 33                                                << 
 34                   echo 1 ><securityfs>/evm     << 
 35                                                << 
 36                 will enable HMAC validation an << 
 37                                                << 
 38                 ::                             << 
 39                                                << 
 40                   echo 0x80000003 ><securityfs << 
 41                                                << 
 42                 will enable HMAC and digital s << 
 43                 HMAC creation and disable all  << 
 44                                                << 
 45                 ::                             << 
 46                                                << 
 47                   echo 0x80000006 ><securityfs << 
 48                                                << 
 49                 will enable digital signature  << 
 50                 modification of EVM-protected  << 
 51                 disable all further modificati << 
 52                 deprecated in favor of::       << 
 53                                                << 
 54                   echo 0x80000002 ><securityfs << 
 55                                                << 
 56                 as the outstanding issues that << 
 57                 signatures have been solved.   << 
 58                                                << 
 59                 Echoing a value is additive, t << 
 60                 existing initialization flags. << 
 61                                                << 
 62                 For example, after::           << 
 63                                                << 
 64                   echo 2 ><securityfs>/evm     << 
 65                                                << 
 66                 another echo can be performed: << 
 67                                                << 
 68                   echo 1 ><securityfs>/evm     << 
 69                                                << 
 70                 and the resulting value will b << 
 71                                                << 
 72                 Note that once an HMAC key has << 
 73                 be possible to enable metadata << 
 74                 HMAC key has been loaded will  << 
 75                 For example, if the current va << 
 76                                                << 
 77                   echo 1 ><securityfs>/evm     << 
 78                                                << 
 79                 will set the new value to 3 (4 << 
 80                                                << 
 81                 Loading an HMAC key is the onl << 
 82                 modification.                  << 
 83                                                << 
 84                 Until key loading has been sig << 
 85                 or validate the 'security.evm' << 
 86                 INTEGRITY_UNKNOWN.  Loading ke << 
 87                 should be done as early as pos << 
 88                 done in the initramfs, which h << 
 89                 as part of the trusted boot.   << 
 90                 creating and loading existing  << 
 91                 refer to:                      << 
 92                 Documentation/security/keys/tr << 
 93                 dracut (via 97masterkey and 98 << 
 94                 core/ima-setup) have support f << 
 95                 time.                          << 
 96                                                << 
 97 What:           /sys/kernel/security/*/evm/evm << 
 98 Date:           April 2018                     << 
 99 Contact:        Matthew Garrett <mjg59@google.c << 
100 Description:                                   << 
101                 Shows the set of extended attr << 
102                 validate the EVM signature, an << 
103                 to be added at runtime. Any si << 
104                 additional attributes are adde << 
105                 additional attributes) will on << 
106                 additional attributes are conf << 
107                 a single period (.) will lock  << 
108                 modification.                  << 
                                                      

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php