projects / linux-2.6-block.git / blame
| Commit | Line | Data |
|---|---|---|
| ec8f24b7 | 1 | # SPDX-License-Identifier: GPL-2.0-only |
| 66dbc325 | 2 | config EVM |
| 6341e62b | 3 | bool "EVM support" |
| a3aef94b DK |
4 | select KEYS |
| 5 | select ENCRYPTED_KEYS | |
| 66dbc325 | 6 | select CRYPTO_HMAC |
| 66dbc325 | 7 | select CRYPTO_SHA1 |
| 5feeb611 | 8 | select CRYPTO_HASH_INFO |
| 75a323e6 | 9 | select SECURITY_PATH |
| 66dbc325 MZ |
10 | default n |
| 11 | help | |
| 12 | EVM protects a file's security extended attributes against | |
| 13 | integrity attacks. | |
| 14 | ||
| 15 | If you are unsure how to answer this question, answer N. | |
| 74de6684 | 16 | |
| d3b33679 DK |
17 | config EVM_ATTR_FSUUID |
| 18 | bool "FSUUID (version 2)" | |
| 19 | default y | |
| 74de6684 | 20 | depends on EVM |
| 74de6684 | 21 | help |
| d3b33679 DK |
22 | Include filesystem UUID for HMAC calculation. |
| 23 | ||
| 24 | Default value is 'selected', which is former version 2. | |
| 25 | if 'not selected', it is former version 1 | |
| 74de6684 | 26 | |
| d3b33679 | 27 | WARNING: changing the HMAC calculation method or adding |
| 74de6684 | 28 | additional info to the calculation, requires existing EVM |
| d3b33679 DK |
29 | labeled file systems to be relabeled. |
| 30 | ||
| 3e38df56 DK |
31 | config EVM_EXTRA_SMACK_XATTRS |
| 32 | bool "Additional SMACK xattrs" | |
| 33 | depends on EVM && SECURITY_SMACK | |
| 34 | default n | |
| 35 | help | |
| 36 | Include additional SMACK xattrs for HMAC calculation. | |
| 37 | ||
| 38 | In addition to the original security xattrs (eg. security.selinux, | |
| 39 | security.SMACK64, security.capability, and security.ima) included | |
| 40 | in the HMAC calculation, enabling this option includes newly defined | |
| 41 | Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and | |
| 42 | security.SMACK64MMAP. | |
| 43 | ||
| 44 | WARNING: changing the HMAC calculation method or adding | |
| 45 | additional info to the calculation, requires existing EVM | |
| 46 | labeled file systems to be relabeled. | |
| 47 | ||
| fa516b66 MG |
48 | config EVM_ADD_XATTRS |
| 49 | bool "Add additional EVM extended attributes at runtime" | |
| 50 | depends on EVM | |
| 51 | default n | |
| 52 | help | |
| 53 | Allow userland to provide additional xattrs for HMAC calculation. | |
| 54 | ||
| 55 | When this option is enabled, root can add additional xattrs to the | |
| 56 | list used by EVM by writing them into | |
| 57 | /sys/kernel/security/integrity/evm/evm_xattrs. | |
| 58 | ||
| 2ce523eb DK |
59 | config EVM_LOAD_X509 |
| 60 | bool "Load an X509 certificate onto the '.evm' trusted keyring" | |
| 05d3884b | 61 | depends on EVM && INTEGRITY_TRUSTED_KEYRING |
| 2ce523eb DK |
62 | default n |
| 63 | help | |
| 64 | Load an X509 certificate onto the '.evm' trusted keyring. | |
| 65 | ||
| 66 | This option enables X509 certificate loading from the kernel | |
| 67 | onto the '.evm' trusted keyring. A public key can be used to | |
| 90f6f691 ES |
68 | verify EVM integrity starting from the 'init' process. The |
| 69 | key must have digitalSignature usage set. | |
| 2ce523eb DK |
70 | |
| 71 | config EVM_X509_PATH | |
| 72 | string "EVM X509 certificate path" | |
| 73 | depends on EVM_LOAD_X509 | |
| 74 | default "/etc/keys/x509_evm.der" | |
| 75 | help | |
| 76 | This option defines X509 certificate path. |