xref: /openbmc/linux/security/integrity/evm/Kconfig (revision d2999e1b)
1config EVM
2	boolean "EVM support"
3	depends on SECURITY
4	select KEYS
5	select ENCRYPTED_KEYS
6	select CRYPTO_HMAC
7	select CRYPTO_SHA1
8	default n
9	help
10	  EVM protects a file's security extended attributes against
11	  integrity attacks.
12
13	  If you are unsure how to answer this question, answer N.
14
15if EVM
16
17menu "EVM options"
18
19config EVM_ATTR_FSUUID
20	bool "FSUUID (version 2)"
21	default y
22	depends on EVM
23	help
24	  Include filesystem UUID for HMAC calculation.
25
26	  Default value is 'selected', which is former version 2.
27	  if 'not selected', it is former version 1
28
29	  WARNING: changing the HMAC calculation method or adding
30	  additional info to the calculation, requires existing EVM
31	  labeled file systems to be relabeled.
32
33config EVM_EXTRA_SMACK_XATTRS
34	bool "Additional SMACK xattrs"
35	depends on EVM && SECURITY_SMACK
36	default n
37	help
38	  Include additional SMACK xattrs for HMAC calculation.
39
40	  In addition to the original security xattrs (eg. security.selinux,
41	  security.SMACK64, security.capability, and security.ima) included
42	  in the HMAC calculation, enabling this option includes newly defined
43	  Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
44	  security.SMACK64MMAP.
45
46	  WARNING: changing the HMAC calculation method or adding
47	  additional info to the calculation, requires existing EVM
48	  labeled file systems to be relabeled.
49
50endmenu
51
52endif
53