xref: /openbmc/linux/security/integrity/evm/Kconfig (revision ba61bb17) 
1config EVM
2	bool "EVM support"
3	select KEYS
4	select ENCRYPTED_KEYS
5	select CRYPTO_HMAC
6	select CRYPTO_SHA1
7	default n
8	help
9	  EVM protects a file's security extended attributes against
10	  integrity attacks.
11
12	  If you are unsure how to answer this question, answer N.
13
14config EVM_ATTR_FSUUID
15	bool "FSUUID (version 2)"
16	default y
17	depends on EVM
18	help
19	  Include filesystem UUID for HMAC calculation.
20
21	  Default value is 'selected', which is former version 2.
22	  if 'not selected', it is former version 1
23
24	  WARNING: changing the HMAC calculation method or adding
25	  additional info to the calculation, requires existing EVM
26	  labeled file systems to be relabeled.
27
28config EVM_EXTRA_SMACK_XATTRS
29	bool "Additional SMACK xattrs"
30	depends on EVM && SECURITY_SMACK
31	default n
32	help
33	  Include additional SMACK xattrs for HMAC calculation.
34
35	  In addition to the original security xattrs (eg. security.selinux,
36	  security.SMACK64, security.capability, and security.ima) included
37	  in the HMAC calculation, enabling this option includes newly defined
38	  Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
39	  security.SMACK64MMAP.
40
41	  WARNING: changing the HMAC calculation method or adding
42	  additional info to the calculation, requires existing EVM
43	  labeled file systems to be relabeled.
44
45config EVM_ADD_XATTRS
46	bool "Add additional EVM extended attributes at runtime"
47	depends on EVM
48	default n
49	help
50	  Allow userland to provide additional xattrs for HMAC calculation.
51
52	  When this option is enabled, root can add additional xattrs to the
53	  list used by EVM by writing them into
54	  /sys/kernel/security/integrity/evm/evm_xattrs.
55
56config EVM_LOAD_X509
57	bool "Load an X509 certificate onto the '.evm' trusted keyring"
58	depends on EVM && INTEGRITY_TRUSTED_KEYRING
59	default n
60	help
61	   Load an X509 certificate onto the '.evm' trusted keyring.
62
63	   This option enables X509 certificate loading from the kernel
64	   onto the '.evm' trusted keyring.  A public key can be used to
65	   verify EVM integrity starting from the 'init' process.
66
67config EVM_X509_PATH
68	string "EVM X509 certificate path"
69	depends on EVM_LOAD_X509
70	default "/etc/keys/x509_evm.der"
71	help
72	   This option defines X509 certificate path.
73