TOMOYO Linux Cross Reference
Linux/Documentation/ABI/testing/evm

Diff markup

Differences between /Documentation/ABI/testing/evm (Version linux-6.12-rc7) and /Documentation/ABI/testing/evm (Version unix-v6-master)


What:           /sys/kernel/security/evm
What:           /sys/kernel/security/*/evm
Date:           March 2011
Contact:        Mimi Zohar <zohar@us.ibm.com>
Description:
                EVM protects a file's security
                against integrity attacks. The
                HMAC-sha1 value across the ext
                value as the extended attribut

                EVM supports two classes of se
                an HMAC-sha1 generated locally
                trusted/encrypted key stored i
                Retention System. The second i
                generated either locally or re
                asymmetric key. These keys are
                keyring using keyctl, and EVM
                echoing a value to <securityfs
                following bits:

                ===       ====================
                Bit       Effect
                ===       ====================
                0         Enable HMAC validati
                1         Enable digital signa
                2         Permit modification
                          runtime. Not support
                          creation is enabled
                31        Disable further runt
                ===       ====================

                For example::

                  echo 1 ><securityfs>/evm

                will enable HMAC validation an

                ::

                  echo 0x80000003 ><securityfs

                will enable HMAC and digital s
                HMAC creation and disable all

                ::

                  echo 0x80000006 ><securityfs

                will enable digital signature
                modification of EVM-protected
                disable all further modificati
                deprecated in favor of::

                  echo 0x80000002 ><securityfs

                as the outstanding issues that
                signatures have been solved.

                Echoing a value is additive, t
                existing initialization flags.

                For example, after::

                  echo 2 ><securityfs>/evm

                another echo can be performed:

                  echo 1 ><securityfs>/evm

                and the resulting value will b

                Note that once an HMAC key has
                be possible to enable metadata
                HMAC key has been loaded will
                For example, if the current va

                  echo 1 ><securityfs>/evm

                will set the new value to 3 (4

                Loading an HMAC key is the onl
                modification.

                Until key loading has been sig
                or validate the 'security.evm'
                INTEGRITY_UNKNOWN.  Loading ke
                should be done as early as pos
                done in the initramfs, which h
                as part of the trusted boot.
                creating and loading existing
                refer to:
                Documentation/security/keys/tr
                dracut (via 97masterkey and 98
                core/ima-setup) have support f
                time.

What:           /sys/kernel/security/*/evm/evm
Date:           April 2018
Contact:        Matthew Garrett <mjg59@google.c
Description:
                Shows the set of extended attr
                validate the EVM signature, an
                to be added at runtime. Any si
                additional attributes are adde
                additional attributes) will on
                additional attributes are conf
                a single period (.) will lock
                modification.
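The write semantics described above (additive bits, the HMAC-key interaction with bit 2, bit 31 locking the interface) are easy to get wrong when scripting early-boot setup, so here is an added model of them; it is example code, not the kernel's implementation and not part of the original document. The constant names are this example's own, and the exact rejection behaviour (a write refused once bit 31 is set, or bit 2 requested after an HMAC key is loaded) is an assumption, since the page text is truncated at those points.

```python
# Added example: a small model of the documented write semantics of
# <securityfs>/evm, for reasoning about the order of EVM setup writes.
# Constant names are illustrative (assumption), not taken from the page.
EVM_INIT_HMAC = 1 << 0              # bit 0: enable HMAC validation/creation
EVM_INIT_X509 = 1 << 1              # bit 1: enable digital signature validation
EVM_ALLOW_METADATA_WRITES = 1 << 2  # bit 2: permit metadata modification at runtime
EVM_SETUP_COMPLETE = 1 << 31        # bit 31: disable further runtime modification


class EvmState:
    """Tracks the value that a sequence of writes leaves in <securityfs>/evm."""

    def __init__(self) -> None:
        self.value = 0

    def write(self, bits: int) -> int:
        """Model one `echo <bits> ><securityfs>/evm` and return the new value.

        Assumptions (page text is truncated here): once bit 31 is set every
        later write is rejected; requesting bit 2 after an HMAC key has been
        loaded is rejected; loading the HMAC key clears bit 2.
        """
        if self.value & EVM_SETUP_COMPLETE:
            raise PermissionError("EVM setup complete; no further modification")
        if bits & EVM_ALLOW_METADATA_WRITES and self.value & EVM_INIT_HMAC:
            raise PermissionError("HMAC key loaded; metadata writes cannot be enabled")
        self.value |= bits  # writes are additive: new bits OR onto existing flags
        if bits & EVM_INIT_HMAC:
            # Loading the HMAC key clears the metadata-modification bit.
            self.value &= ~EVM_ALLOW_METADATA_WRITES
        return self.value


def replay(writes: list[int]) -> int:
    """Apply a list of written values in order and return the final flags."""
    state = EvmState()
    for bits in writes:
        state.write(bits)
    return state.value
```

`replay([2, 4, 1])` reproduces the documented case of a current value of 6 becoming 3 once the HMAC key is loaded.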