1 # SPDX-License-Identifier: GPL-2.0-only 2 config EVM 3 bool "EVM support" 4 select KEYS 5 select ENCRYPTED_KEYS 6 select CRYPTO_HMAC 7 select CRYPTO_SHA1 8 select CRYPTO_HASH_INFO 9 select SECURITY_PATH 10 default n 11 help 12 EVM protects a file's security extended attributes against 13 integrity attacks. 14 15 If you are unsure how to answer this question, answer N. 16 17 config EVM_ATTR_FSUUID 18 bool "FSUUID (version 2)" 19 default y 20 depends on EVM 21 help 22 Include filesystem UUID for HMAC calculation. 23 24 Default value is 'selected', which is former version 2. 25 if 'not selected', it is former version 1 26 27 WARNING: changing the HMAC calculation method or adding 28 additional info to the calculation, requires existing EVM 29 labeled file systems to be relabeled. 30 31 config EVM_EXTRA_SMACK_XATTRS 32 bool "Additional SMACK xattrs" 33 depends on EVM && SECURITY_SMACK 34 default n 35 help 36 Include additional SMACK xattrs for HMAC calculation. 37 38 In addition to the original security xattrs (eg. security.selinux, 39 security.SMACK64, security.capability, and security.ima) included 40 in the HMAC calculation, enabling this option includes newly defined 41 Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and 42 security.SMACK64MMAP. 43 44 WARNING: changing the HMAC calculation method or adding 45 additional info to the calculation, requires existing EVM 46 labeled file systems to be relabeled. 47 48 config EVM_ADD_XATTRS 49 bool "Add additional EVM extended attributes at runtime" 50 depends on EVM 51 default n 52 help 53 Allow userland to provide additional xattrs for HMAC calculation. 54 55 When this option is enabled, root can add additional xattrs to the 56 list used by EVM by writing them into 57 /sys/kernel/security/integrity/evm/evm_xattrs. 58 59 config EVM_LOAD_X509 60 bool "Load an X509 certificate onto the '.evm' trusted keyring" 61 depends on EVM && INTEGRITY_TRUSTED_KEYRING 62 default n 63 help 64 Load an X509 certificate onto the '.evm' trusted keyring. 65 66 This option enables X509 certificate loading from the kernel 67 onto the '.evm' trusted keyring. A public key can be used to 68 verify EVM integrity starting from the 'init' process. The 69 key must have digitalSignature usage set. 70 71 config EVM_X509_PATH 72 string "EVM X509 certificate path" 73 depends on EVM_LOAD_X509 74 default "/etc/keys/x509_evm.der" 75 help 76 This option defines X509 certificate path.
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.