| Commit | Line | Data |
|---|---|---|
| ec8f24b7 | 1 | # SPDX-License-Identifier: GPL-2.0-only |
| 66dbc325 | 2 | config EVM |
| 6341e62b | 3 | bool "EVM support" |
| a3aef94b DK | 4 | select KEYS |
| | 5 | select ENCRYPTED_KEYS |
| 66dbc325 | 6 | select CRYPTO_HMAC |
| 66dbc325 | 7 | select CRYPTO_SHA1 |
| 5feeb611 | 8 | select CRYPTO_HASH_INFO |
| 75a323e6 | 9 | select SECURITY_PATH |
| 66dbc325 MZ | 10 | default n |
| | 11 | help |
| | 12 | EVM protects a file's security extended attributes against |
| | 13 | integrity attacks. |
| | 14 | |
| | 15 | If you are unsure how to answer this question, answer N. |
| 74de6684 | 16 | |
| d3b33679 DK | 17 | config EVM_ATTR_FSUUID |
| | 18 | bool "FSUUID (version 2)" |
| | 19 | default y |
| 74de6684 | 20 | depends on EVM |
| 74de6684 | 21 | help |
| d3b33679 DK | 22 | Include filesystem UUID for HMAC calculation. |
| | 23 | |
| | 24 | Default value is 'selected', which is former version 2. |
| | 25 | if 'not selected', it is former version 1 |
| 74de6684 | 26 | |
| d3b33679 | 27 | WARNING: changing the HMAC calculation method or adding |
| 74de6684 | 28 | additional info to the calculation, requires existing EVM |
| d3b33679 DK | 29 | labeled file systems to be relabeled. |
| | 30 | |
| 3e38df56 DK | 31 | config EVM_EXTRA_SMACK_XATTRS |
| | 32 | bool "Additional SMACK xattrs" |
| | 33 | depends on EVM && SECURITY_SMACK |
| | 34 | default n |
| | 35 | help |
| | 36 | Include additional SMACK xattrs for HMAC calculation. |
| | 37 | |
| | 38 | In addition to the original security xattrs (eg. security.selinux, |
| | 39 | security.SMACK64, security.capability, and security.ima) included |
| | 40 | in the HMAC calculation, enabling this option includes newly defined |
| | 41 | Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and |
| | 42 | security.SMACK64MMAP. |
| | 43 | |
| | 44 | WARNING: changing the HMAC calculation method or adding |
| | 45 | additional info to the calculation, requires existing EVM |
| | 46 | labeled file systems to be relabeled. |
| | 47 | |
| fa516b66 MG | 48 | config EVM_ADD_XATTRS |
| | 49 | bool "Add additional EVM extended attributes at runtime" |
| | 50 | depends on EVM |
| | 51 | default n |
| | 52 | help |
| | 53 | Allow userland to provide additional xattrs for HMAC calculation. |
| | 54 | |
| | 55 | When this option is enabled, root can add additional xattrs to the |
| | 56 | list used by EVM by writing them into |
| | 57 | /sys/kernel/security/integrity/evm/evm_xattrs. |
| | 58 | |
| 2ce523eb DK | 59 | config EVM_LOAD_X509 |
| | 60 | bool "Load an X509 certificate onto the '.evm' trusted keyring" |
| 05d3884b | 61 | depends on EVM && INTEGRITY_TRUSTED_KEYRING |
| 2ce523eb DK | 62 | default n |
| | 63 | help |
| | 64 | Load an X509 certificate onto the '.evm' trusted keyring. |
| | 65 | |
| | 66 | This option enables X509 certificate loading from the kernel |
| | 67 | onto the '.evm' trusted keyring. A public key can be used to |
| 90f6f691 ES | 68 | verify EVM integrity starting from the 'init' process. The |
| | 69 | key must have digitalSignature usage set. |
| 2ce523eb DK | 70 | |
| | 71 | config EVM_X509_PATH |
| | 72 | string "EVM X509 certificate path" |
| | 73 | depends on EVM_LOAD_X509 |
| | 74 | default "/etc/keys/x509_evm.der" |
| | 75 | help |
| | 76 | This option defines X509 certificate path. |
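The `depends on` lines and the two relabel WARNINGs above are the checks a kernel builder has to keep straight by hand. As an added example that is not part of this Kconfig or the kernel tree, the script below parses `.config` fragments, reports EVM options whose dependencies are unmet, lists the xattrs the HMAC then covers, and flags when a change between two configs alters the HMAC input (EVM_ATTR_FSUUID, EVM_EXTRA_SMACK_XATTRS) so that labeled filesystems must be relabeled; the sample configs are constructed.

```python
# Added example (not kernel code): audit a .config against this Kconfig.
BASE_XATTRS = ("security.selinux", "security.SMACK64",
               "security.capability", "security.ima")
EXTRA_SMACK_XATTRS = ("security.SMACK64EXEC", "security.SMACK64TRANSMUTE",
                      "security.SMACK64MMAP")
DEPENDS = {  # 'depends on' lines, as written in the Kconfig
    "EVM_ATTR_FSUUID": ("EVM",),
    "EVM_EXTRA_SMACK_XATTRS": ("EVM", "SECURITY_SMACK"),
    "EVM_ADD_XATTRS": ("EVM",),
    "EVM_LOAD_X509": ("EVM", "INTEGRITY_TRUSTED_KEYRING"),
    "EVM_X509_PATH": ("EVM_LOAD_X509",),
}
# Changing either option alters the HMAC input, so labeled filesystems
# must be relabeled (the WARNING in both help texts).
HMAC_INPUT_OPTIONS = ("EVM_ATTR_FSUUID", "EVM_EXTRA_SMACK_XATTRS")

def parse_config(text):
    """Map CONFIG_ symbols to values; '# ... is not set' lines stay absent."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("CONFIG_") and "=" in line:
            key, _, val = line.partition("=")
            cfg[key[len("CONFIG_"):]] = val.strip('"')
    return cfg

def audit_evm(cfg):
    """Return unmet 'depends on' findings and the xattrs the HMAC covers."""
    enabled = {k for k, v in cfg.items() if v == "y"}
    findings = []
    for sym, deps in DEPENDS.items():
        missing = [d for d in deps if d not in enabled]
        if sym in cfg and missing:
            findings.append(f"{sym} set but depends on {', '.join(missing)}")
    xattrs = list(BASE_XATTRS)
    if "EVM_EXTRA_SMACK_XATTRS" in enabled:
        xattrs += EXTRA_SMACK_XATTRS
    return {"findings": findings, "hmac_xattrs": xattrs}

def relabel_required(old_cfg, new_cfg):
    """HMAC-input options whose value differs between two configs."""
    return [o for o in HMAC_INPUT_OPTIONS if old_cfg.get(o) != new_cfg.get(o)]

# Constructed sample .config fragments (not taken from any real build).
SAMPLE_OLD = ('CONFIG_EVM=y\nCONFIG_EVM_ATTR_FSUUID=y\n'
              '# CONFIG_EVM_EXTRA_SMACK_XATTRS is not set\nCONFIG_EVM_LOAD_X509=y\n'
              'CONFIG_EVM_X509_PATH="/etc/keys/x509_evm.der"\n')
SAMPLE_NEW = (SAMPLE_OLD.replace("# CONFIG_EVM_EXTRA_SMACK_XATTRS is not set",
                                 "CONFIG_EVM_EXTRA_SMACK_XATTRS=y")
              + "CONFIG_SECURITY_SMACK=y\nCONFIG_INTEGRITY_TRUSTED_KEYRING=y\n")
```

Running `audit_evm` on the old fragment reports EVM_LOAD_X509 without INTEGRITY_TRUSTED_KEYRING, and `relabel_required(old, new)` returns the newly enabled EVM_EXTRA_SMACK_XATTRS.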