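config EVM
	bool "EVM support"
	select KEYS
	select ENCRYPTED_KEYS
	select CRYPTO_HMAC
	select CRYPTO_SHA1
	default n
	help
	  EVM protects a file's security extended attributes (e.g.
	  security.ima, security.selinux, security.SMACK64 and
	  security.capability) against integrity attacks, i.e. against
	  being modified behind the kernel's back, by computing a keyed
	  HMAC over them.  The HMAC key is handled through the kernel
	  key retention service, which is why KEYS and ENCRYPTED_KEYS are
	  selected, and the HMAC primitives come from CRYPTO_HMAC and
	  CRYPTO_SHA1.

	  Note that EVM does not by itself make an untrusted system
	  trustworthy: the HMAC is only as protected as the key used to
	  compute it.

	  If you are unsure how to answer this question, answer N.
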
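config EVM_ATTR_FSUUID
	bool "FSUUID (version 2)"
	default y
	depends on EVM
	help
	  Include the filesystem UUID in the EVM HMAC calculation.  Since
	  the UUID then becomes part of the HMAC input, an HMAC computed
	  on one filesystem does not verify if the file and its extended
	  attributes are copied to a different filesystem.

	  The default value is 'selected', which corresponds to the former
	  HMAC version 2.  If 'not selected', the former version 1 layout
	  (without the UUID) is used.

	  WARNING: changing the HMAC calculation method or adding
	  additional info to the calculation requires existing EVM
	  labeled filesystems to be relabeled.
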
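config EVM_EXTRA_SMACK_XATTRS
	bool "Additional SMACK xattrs"
	depends on EVM && SECURITY_SMACK
	default n
	help
	  Include additional SMACK xattrs in the HMAC calculation.

	  In addition to the original security xattrs (e.g. security.selinux,
	  security.SMACK64, security.capability, and security.ima) included
	  in the HMAC calculation, enabling this option also includes the
	  newer Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE
	  and security.SMACK64MMAP.

	  Without this option those three xattrs are not covered by the
	  HMAC, so a modification of them is not detected by EVM.  Systems
	  that rely on them for access control should enable this option.

	  WARNING: changing the HMAC calculation method or adding
	  additional info to the calculation requires existing EVM
	  labeled filesystems to be relabeled.
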
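config EVM_LOAD_X509
	bool "Load an X509 certificate onto the '.evm' trusted keyring"
	depends on EVM && INTEGRITY_TRUSTED_KEYRING
	default n
	help
	  Load an X509 certificate onto the '.evm' trusted keyring.

	  This option makes the kernel itself load the X509 certificate
	  found at EVM_X509_PATH onto the '.evm' trusted keyring, so that
	  its public key can be used to verify EVM integrity starting
	  from the 'init' process, i.e. before any user space code has
	  had a chance to run.

	  Since '.evm' is a trusted keyring (INTEGRITY_TRUSTED_KEYRING),
	  the certificate is expected to validate against a key the
	  kernel already trusts before it is accepted; check how that
	  keyring is configured before relying on this option.
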
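config EVM_X509_PATH
	string "EVM X509 certificate path"
	depends on EVM_LOAD_X509
	default "/etc/keys/x509_evm.der"
	help
	  This option defines the path of the X509 certificate that
	  EVM_LOAD_X509 loads onto the '.evm' trusted keyring.  The default
	  file name suggests a DER-encoded certificate.  The file must be
	  reachable by the kernel at the point where the certificate is
	  loaded, or no key will be added to the keyring.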
62