xref: /openbmc/linux/security/integrity/evm/Kconfig (revision 3e38df56e6ef736f3ab516664697b55caa8f3238)
config EVM
	boolean "EVM support"
	depends on SECURITY
	select KEYS
	select ENCRYPTED_KEYS
	select CRYPTO_HMAC
	select CRYPTO_SHA1
	default n
	help
	  EVM protects a file's security extended attributes against
	  integrity attacks.

	  If you are unsure how to answer this question, answer N.

if EVM

menu "EVM options"

config EVM_ATTR_FSUUID
	bool "FSUUID (version 2)"
	default y
	depends on EVM
	help
	  Include filesystem UUID for HMAC calculation.

	  Default value is 'selected', which is former version 2.
	  If 'not selected', it is former version 1.

	  WARNING: changing the HMAC calculation method or adding
	  additional info to the calculation requires existing EVM
	  labeled file systems to be relabeled.

config EVM_EXTRA_SMACK_XATTRS
	bool "Additional SMACK xattrs"
	depends on EVM && SECURITY_SMACK
	default n
	help
	  Include additional SMACK xattrs for HMAC calculation.

	  In addition to the original security xattrs (e.g. security.selinux,
	  security.SMACK64, security.capability, and security.ima) included
	  in the HMAC calculation, enabling this option includes newly defined
	  Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
	  security.SMACK64MMAP.

	  WARNING: changing the HMAC calculation method or adding
	  additional info to the calculation requires existing EVM
	  labeled file systems to be relabeled.

endmenu

endif