What:		/sys/kernel/security/evm
What:		/sys/kernel/security/*/evm
Date:		March 2011
Contact:	Mimi Zohar <zohar@us.ibm.com>
Description:
		EVM protects a file's security extended attributes (xattrs)
		against integrity attacks. The initial method maintains an
		HMAC-sha1 value across the extended attributes, storing the
		value as the extended attribute 'security.evm'.

		EVM supports two classes of security.evm. The first is
		an HMAC-sha1 generated locally with a
		trusted/encrypted key stored in the Kernel Key
		Retention System. The second is a digital signature
		generated either locally or remotely using an
		asymmetric key. These keys are loaded onto root's
		keyring using keyctl, and EVM is then enabled by
		echoing a value to <securityfs>/evm made up of the
		following bits:

		===	==================================================
		Bit	Effect
		===	==================================================
		0	Enable HMAC validation and creation
		1	Enable digital signature validation
		2	Permit modification of EVM-protected metadata at
			runtime. Not supported if HMAC validation and
			creation is enabled (deprecated).
		31	Disable further runtime modification of EVM policy
		===	==================================================

		For example::

		  echo 1 ><securityfs>/evm

		will enable HMAC validation and creation

		::

		  echo 0x80000003 ><securityfs>/evm

		will enable HMAC and digital signature validation and
		HMAC creation and disable all further modification of policy.

		::

		  echo 0x80000006 ><securityfs>/evm

		will enable digital signature validation, permit
		modification of EVM-protected metadata and
		disable all further modification of policy. This option is
		deprecated in favor of::

		  echo 0x80000002 ><securityfs>/evm

		as the outstanding issues that prevent the usage of EVM portable
		signatures have been solved.

		Echoing a value is additive, the new value is added to the
		existing initialization flags.

		For example, after::

		  echo 2 ><securityfs>/evm

		another echo can be performed::

		  echo 1 ><securityfs>/evm

		and the resulting value will be 3.

		Note that once an HMAC key has been loaded, it will no longer
		be possible to enable metadata modification. Signaling that an
		HMAC key has been loaded will clear the corresponding flag.
		For example, if the current value is 6 (2 and 4 set)::

		  echo 1 ><securityfs>/evm

		will set the new value to 3 (4 cleared).

		Loading an HMAC key is the only way to disable metadata
		modification.

		Until key loading has been signaled EVM can not create
		or validate the 'security.evm' xattr, but returns
		INTEGRITY_UNKNOWN.  Loading keys and signaling EVM
		should be done as early as possible.  Normally this is
		done in the initramfs, which has already been measured
		as part of the trusted boot.  For more information on
		creating and loading existing trusted/encrypted keys,
		refer to:
		Documentation/security/keys/trusted-encrypted.rst. Both
		dracut (via 97masterkey and 98integrity) and systemd (via
		core/ima-setup) have support for loading keys at boot
		time.

		Earlier (March 2011) revision of this entry, listed as
		"What: security/evm", whose description read:

		  EVM depends on the Kernel Key Retention System to provide it
		  with a trusted/encrypted key for the HMAC-sha1 operation.
		  The key is loaded onto the root's keyring using keyctl. Until
		  EVM receives notification that the key has been successfully
		  loaded onto the keyring (echo 1 > <securityfs>/evm), EVM
		  can not create or validate the 'security.evm' xattr, but
		  returns INTEGRITY_UNKNOWN. Loading the key and signaling EVM
		  should be done as early as possible. Normally this is done
		  in the initramfs, which has already been measured as part
		  of the trusted boot. For more information on creating and
		  loading existing trusted/encrypted keys, refer to:
		  Documentation/keys-trusted-encrypted.txt. (A sample dracut
		  patch, which loads the trusted/encrypted key and enables
		  EVM, is available from http://linux-ima.sourceforge.net/#EVM.)

What:		/sys/kernel/security/*/evm/evm_xattrs
Date:		April 2018
Contact:	Matthew Garrett <mjg59@google.com>
Description:
		Shows the set of extended attributes used to calculate or
		validate the EVM signature, and allows additional attributes
		to be added at runtime. Any signatures generated after
		additional attributes are added (and on files possessing those
		additional attributes) will only be valid if the same
		additional attributes are configured on system boot. Writing
		a single period (.) will lock the xattr list from any further
		modification.