166dbc325SMimi Zoharconfig EVM
26341e62bSChristoph Jaeger	bool "EVM support"
3a3aef94bSDmitry Kasatkin	select KEYS
4a3aef94bSDmitry Kasatkin	select ENCRYPTED_KEYS
566dbc325SMimi Zohar	select CRYPTO_HMAC
666dbc325SMimi Zohar	select CRYPTO_SHA1
7*5feeb611SMatthew Garrett	select CRYPTO_HASH_INFO
866dbc325SMimi Zohar	default n
966dbc325SMimi Zohar	help
1066dbc325SMimi Zohar	  EVM protects a file's security extended attributes against
1166dbc325SMimi Zohar	  integrity attacks.
1266dbc325SMimi Zohar
1366dbc325SMimi Zohar	  If you are unsure how to answer this question, answer N.
1474de6684SDmitry Kasatkin
15d3b33679SDmitry Kasatkinconfig EVM_ATTR_FSUUID
16d3b33679SDmitry Kasatkin	bool "FSUUID (version 2)"
17d3b33679SDmitry Kasatkin	default y
1874de6684SDmitry Kasatkin	depends on EVM
1974de6684SDmitry Kasatkin	help
20d3b33679SDmitry Kasatkin	  Include filesystem UUID for HMAC calculation.
21d3b33679SDmitry Kasatkin
	  Default value is 'selected', which is the former version 2.
	  If 'not selected', it is the former version 1.
2474de6684SDmitry Kasatkin
	  WARNING: changing the HMAC calculation method, or adding
	  additional info to the calculation, requires existing EVM
	  labeled file systems to be relabeled.
28d3b33679SDmitry Kasatkin
293e38df56SDmitry Kasatkinconfig EVM_EXTRA_SMACK_XATTRS
303e38df56SDmitry Kasatkin	bool "Additional SMACK xattrs"
313e38df56SDmitry Kasatkin	depends on EVM && SECURITY_SMACK
323e38df56SDmitry Kasatkin	default n
333e38df56SDmitry Kasatkin	help
343e38df56SDmitry Kasatkin	  Include additional SMACK xattrs for HMAC calculation.
353e38df56SDmitry Kasatkin
	  In addition to the original security xattrs (e.g. security.selinux,
373e38df56SDmitry Kasatkin	  security.SMACK64, security.capability, and security.ima) included
383e38df56SDmitry Kasatkin	  in the HMAC calculation, enabling this option includes newly defined
393e38df56SDmitry Kasatkin	  Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
403e38df56SDmitry Kasatkin	  security.SMACK64MMAP.
413e38df56SDmitry Kasatkin
	  WARNING: changing the HMAC calculation method, or adding
	  additional info to the calculation, requires existing EVM
	  labeled file systems to be relabeled.
453e38df56SDmitry Kasatkin
46fa516b66SMatthew Garrettconfig EVM_ADD_XATTRS
47fa516b66SMatthew Garrett	bool "Add additional EVM extended attributes at runtime"
48fa516b66SMatthew Garrett	depends on EVM
49fa516b66SMatthew Garrett	default n
50fa516b66SMatthew Garrett	help
51fa516b66SMatthew Garrett	  Allow userland to provide additional xattrs for HMAC calculation.
52fa516b66SMatthew Garrett
	  When this option is enabled, root can add additional xattrs to the
	  list used by EVM by writing them into
	  /sys/kernel/security/integrity/evm/evm_xattrs.  The same caveat as
	  for the other HMAC options above applies: adding xattrs to the
	  calculation requires existing EVM labeled file systems to be
	  relabeled.
56fa516b66SMatthew Garrett
572ce523ebSDmitry Kasatkinconfig EVM_LOAD_X509
582ce523ebSDmitry Kasatkin	bool "Load an X509 certificate onto the '.evm' trusted keyring"
5905d3884bSArnd Bergmann	depends on EVM && INTEGRITY_TRUSTED_KEYRING
602ce523ebSDmitry Kasatkin	default n
612ce523ebSDmitry Kasatkin	help
	  Load an X509 certificate onto the '.evm' trusted keyring.

	  This option enables X509 certificate loading from the kernel
	  onto the '.evm' trusted keyring.  A public key can be used to
	  verify EVM integrity starting from the 'init' process.
672ce523ebSDmitry Kasatkin
682ce523ebSDmitry Kasatkinconfig EVM_X509_PATH
692ce523ebSDmitry Kasatkin	string "EVM X509 certificate path"
702ce523ebSDmitry Kasatkin	depends on EVM_LOAD_X509
712ce523ebSDmitry Kasatkin	default "/etc/keys/x509_evm.der"
722ce523ebSDmitry Kasatkin	help
	  This option defines the X509 certificate path.
74