What:		security/evm
Date:		March 2011
Contact:	Mimi Zohar <zohar@us.ibm.com>
Description:
		EVM protects a file's security extended attributes (xattrs)
		against integrity attacks. The initial method maintains an
		HMAC-sha1 value across the extended attributes, storing the
		value as the extended attribute 'security.evm'.

		EVM supports two classes of security.evm. The first is
		an HMAC-sha1 generated locally with a
		trusted/encrypted key stored in the Kernel Key
		Retention System. The second is a digital signature
		generated either locally or remotely using an
		asymmetric key. These keys are loaded onto root's
		keyring using keyctl, and EVM is then enabled by
		echoing a value to <securityfs>/evm:

		1: enable HMAC validation and creation
		2: enable digital signature validation
		3: enable HMAC and digital signature validation and HMAC
		   creation

		Further writes will be blocked if HMAC support is enabled or
		if the high bit, 0x80000000 (bit 31 counting from 0), is set:

		echo 0x80000002 > <securityfs>/evm

		will enable digital signature validation and block
		further writes to <securityfs>/evm. Set this bit when
		enabling signature validation alone; otherwise
		<securityfs>/evm stays writable and the mode can be
		changed later in the boot.

		Until this is done, EVM cannot create or validate the
		'security.evm' xattr, but returns INTEGRITY_UNKNOWN.
		Loading keys and signaling EVM should be done as early
		as possible. Normally this is done in the initramfs,
		which has already been measured as part of the trusted
		boot. For more information on creating and loading
		existing trusted/encrypted keys, refer to:

		Documentation/security/keys/trusted-encrypted.rst. Both dracut
		(via 97masterkey and 98integrity) and systemd (via
		core/ima-setup) have support for loading keys at boot
		time.
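Added example (not part of this ABI document, nor of the dracut/systemd helpers it mentions): a POSIX shell script that builds the <securityfs>/evm value from the flag bits listed above, decodes one back into flag names, loads the two keys with keyctl, and performs the one-shot enable write. It assumes securityfs is mounted at /sys/kernel/security, that the key blobs live at hypothetical paths under /etc/keys, and uses the conventional 'kmk' master key name from trusted-encrypted.rst; 'evm-key' is the encrypted key name the kernel requests.

```shell
#!/bin/sh
# Added example, not from the kernel documentation: compute, apply and decode
# the value written to <securityfs>/evm, loading the EVM keys first.
# Assumptions: securityfs at /sys/kernel/security, key blobs under /etc/keys
# (hypothetical paths), keyctl installed, script run as root for a real apply.

EVM_SECURITYFS="${EVM_SECURITYFS:-/sys/kernel/security/evm}"
KMK_BLOB="${KMK_BLOB:-/etc/keys/kmk-trusted.blob}"   # assumed path
EVM_BLOB="${EVM_BLOB:-/etc/keys/evm-trusted.blob}"   # assumed path

# Bit values documented for <securityfs>/evm:
#   hmac -> 1 (HMAC validation and creation), sig -> 2 (signature validation),
#   lock -> 0x80000000 (high bit; blocks further writes to the file).
# Prints the combined value in hex, e.g. "sig lock" -> 0x80000002.
evm_flags() {
    v=0
    for f in "$@"; do
        case "$f" in
            hmac) v=$((v | 1)) ;;
            sig)  v=$((v | 2)) ;;
            lock) v=$((v | 0x80000000)) ;;
            *) echo "evm_flags: unknown flag '$f'" >&2; return 1 ;;
        esac
    done
    printf '0x%08x\n' "$v"
}

# Decode a value (decimal or 0x-hex) into flag names, to check what you are
# about to write. What the kernel reports when <securityfs>/evm is read back
# is version dependent, so decode that output with care.
evm_describe() {
    v=$(($1))
    out=""
    [ $((v & 1)) -eq 0 ] || out="${out}hmac,"
    [ $((v & 2)) -eq 0 ] || out="${out}sig,"
    [ $((v & 0x80000000)) -eq 0 ] || out="${out}locked,"
    [ -n "$out" ] || out="disabled"
    printf '%s\n' "${out%,}"
}

# Load the TPM-sealed master key and the encrypted EVM key wrapped by it onto
# the caller's (root's) user keyring, as produced by the trusted-encrypted.rst
# procedure. 'evm-key' is the name the kernel requests; 'kmk' is the
# conventional master key name and an assumption here.
evm_load_keys() {
    command -v keyctl >/dev/null 2>&1 || { echo "keyctl not found" >&2; return 1; }
    keyctl add trusted kmk "load $(cat "$KMK_BLOB")" @u >/dev/null || return 1
    keyctl add encrypted evm-key "load $(cat "$EVM_BLOB")" @u >/dev/null || return 1
}

# Write the enable value. The kernel refuses further writes once HMAC is
# enabled or the lock bit is set, so this is a one-shot operation: do it as
# early as possible (initramfs), after the keys are on the keyring.
evm_enable() {
    val=$(evm_flags "$@") || return 1
    printf '%s\n' "$val" > "$EVM_SECURITYFS" || {
        echo "evm_enable: write of $val to $EVM_SECURITYFS failed (already locked, or no evm-key loaded?)" >&2
        return 1
    }
    echo "EVM mode set to $val ($(evm_describe "$val"))"
}

# Touch the real system only when explicitly asked (needs root):
#   EVM_EXAMPLE_RUN=1 sh evm-setup.sh
if [ "${EVM_EXAMPLE_RUN:-0}" = 1 ]; then
    evm_load_keys && evm_enable sig lock
fi
```

Pointing EVM_SECURITYFS at a scratch file lets the flag arithmetic and the write path be exercised without root; the default 'sig lock' choice mirrors the 0x80000002 case above, where signature validation is enabled and the file is locked so the mode cannot be reopened later in the boot.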