# SPDX-License-Identifier: GPL-2.0-only
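config EVM
	bool "EVM support"
	select KEYS
	select ENCRYPTED_KEYS
	select CRYPTO_HMAC
	select CRYPTO_SHA1
	select CRYPTO_HASH_INFO
	default n
	help
	  EVM protects a file's security extended attributes (e.g.
	  security.ima, security.selinux, security.SMACK64 and
	  security.capability) against integrity attacks by computing a
	  keyed HMAC over them and checking it.

	  The HMAC key is kept in the kernel keyring (KEYS/ENCRYPTED_KEYS
	  are selected for this purpose), so the protection EVM offers is
	  only as strong as the secrecy of that key: an attacker who can
	  obtain the key can recompute a valid HMAC for modified xattrs.

	  If you are unsure how to answer this question, answer N.
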
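config EVM_ATTR_FSUUID
	bool "FSUUID (version 2)"
	default y
	depends on EVM
	help
	  Include the filesystem UUID in the HMAC calculation.

	  The default ('selected') corresponds to the former HMAC
	  version 2; 'not selected' corresponds to the former version 1.

	  Because the UUID is part of the HMAC input, an HMAC computed on
	  one filesystem will not verify on a filesystem with a different
	  UUID, and changing a filesystem's UUID invalidates its existing
	  EVM labels.

	  WARNING: changing the HMAC calculation method or adding
	  additional info to the calculation requires existing EVM
	  labeled file systems to be relabeled.
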
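config EVM_EXTRA_SMACK_XATTRS
	bool "Additional SMACK xattrs"
	depends on EVM && SECURITY_SMACK
	default n
	help
	  Include additional SMACK xattrs in the HMAC calculation.

	  In addition to the original security xattrs (e.g. security.selinux,
	  security.SMACK64, security.capability and security.ima) included
	  in the HMAC calculation, enabling this option also covers the
	  newer Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE
	  and security.SMACK64MMAP. Without this option those xattrs are not
	  protected by EVM and can be altered without the HMAC failing.

	  WARNING: changing the HMAC calculation method or adding
	  additional info to the calculation requires existing EVM
	  labeled file systems to be relabeled.
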
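config EVM_ADD_XATTRS
	bool "Add additional EVM extended attributes at runtime"
	depends on EVM
	default n
	help
	  Allow userland to provide additional xattrs for HMAC calculation.

	  When this option is enabled, root can add additional xattrs to the
	  list used by EVM by writing them into
	  /sys/kernel/security/integrity/evm/evm_xattrs.

	  Adding an xattr changes the HMAC input in the same way as the
	  compile-time options above do: files whose HMAC was computed
	  before the xattr was added will no longer verify until they are
	  relabeled, so the list should be extended before labeling, not
	  on a system that is already labeled.

	  WARNING: changing the HMAC calculation method or adding
	  additional info to the calculation requires existing EVM
	  labeled file systems to be relabeled.
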
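config EVM_LOAD_X509
	bool "Load an X509 certificate onto the '.evm' trusted keyring"
	depends on EVM && INTEGRITY_TRUSTED_KEYRING
	default n
	help
	  Load an X509 certificate onto the '.evm' trusted keyring.

	  This option enables X509 certificate loading from the kernel
	  onto the '.evm' trusted keyring, reading the certificate from
	  the path configured by EVM_X509_PATH. A public key can be used
	  to verify EVM integrity starting from the 'init' process. The
	  key must have digitalSignature usage set.

	  As '.evm' is a trusted keyring (hence the dependency on
	  INTEGRITY_TRUSTED_KEYRING), the loaded certificate is expected
	  to be verifiable against a key that is already trusted; the
	  certificate file itself is not what establishes trust.
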
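config EVM_X509_PATH
	string "EVM X509 certificate path"
	depends on EVM_LOAD_X509
	default "/etc/keys/x509_evm.der"
	help
	  Path of the X509 certificate that EVM_LOAD_X509 loads onto the
	  '.evm' trusted keyring (the default points at a .der file).

	  The certificate must exist at this path on the filesystem that
	  is mounted when EVM loads it. The file contents are only trusted
	  insofar as the certificate can be verified against the trusted
	  keyring; the path itself confers no trust.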
76