xref: /openbmc/linux/security/integrity/evm/Kconfig (revision 8a5aaf97)
1config EVM
2	bool "EVM support"
3	select KEYS
4	select ENCRYPTED_KEYS
5	select CRYPTO_HMAC
6	select CRYPTO_SHA1
7	select CRYPTO_HASH_INFO
8	default n
9	help
10	  EVM protects a file's security extended attributes against
11	  integrity attacks.
12
13	  If you are unsure how to answer this question, answer N.
14
15config EVM_ATTR_FSUUID
16	bool "FSUUID (version 2)"
17	default y
18	depends on EVM
19	help
20	  Include filesystem UUID for HMAC calculation.
21
22	  Default value is 'selected', which is former version 2.
23	  if 'not selected', it is former version 1
24
25	  WARNING: changing the HMAC calculation method or adding
26	  additional info to the calculation, requires existing EVM
27	  labeled file systems to be relabeled.
28
29config EVM_EXTRA_SMACK_XATTRS
30	bool "Additional SMACK xattrs"
31	depends on EVM && SECURITY_SMACK
32	default n
33	help
34	  Include additional SMACK xattrs for HMAC calculation.
35
36	  In addition to the original security xattrs (eg. security.selinux,
37	  security.SMACK64, security.capability, and security.ima) included
38	  in the HMAC calculation, enabling this option includes newly defined
39	  Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
40	  security.SMACK64MMAP.
41
42	  WARNING: changing the HMAC calculation method or adding
43	  additional info to the calculation, requires existing EVM
44	  labeled file systems to be relabeled.
45
46config EVM_ADD_XATTRS
47	bool "Add additional EVM extended attributes at runtime"
48	depends on EVM
49	default n
50	help
51	  Allow userland to provide additional xattrs for HMAC calculation.
52
53	  When this option is enabled, root can add additional xattrs to the
54	  list used by EVM by writing them into
55	  /sys/kernel/security/integrity/evm/evm_xattrs.
56
57config EVM_LOAD_X509
58	bool "Load an X509 certificate onto the '.evm' trusted keyring"
59	depends on EVM && INTEGRITY_TRUSTED_KEYRING
60	default n
61	help
62	   Load an X509 certificate onto the '.evm' trusted keyring.
63
64	   This option enables X509 certificate loading from the kernel
65	   onto the '.evm' trusted keyring.  A public key can be used to
66	   verify EVM integrity starting from the 'init' process.
67
68config EVM_X509_PATH
69	string "EVM X509 certificate path"
70	depends on EVM_LOAD_X509
71	default "/etc/keys/x509_evm.der"
72	help
73	   This option defines X509 certificate path.
74