[linux-2.6-block.git] / security / integrity / evm / Kconfig

# SPDX-License-Identifier: GPL-2.0-only
config EVM
	bool "EVM support"
	select KEYS
	select ENCRYPTED_KEYS
	select CRYPTO_HMAC
	select CRYPTO_SHA1
	select CRYPTO_HASH_INFO
	select SECURITY_PATH
	default n
	help
	  EVM protects a file's security extended attributes against
	  integrity attacks.

	  If you are unsure how to answer this question, answer N.

config EVM_ATTR_FSUUID
	bool "FSUUID (version 2)"
	default y
	depends on EVM
	help
	  Include filesystem UUID for HMAC calculation.

	  Default value is 'selected', which is former version 2.
	  if 'not selected', it is former version 1

	  WARNING: changing the HMAC calculation method or adding
	  additional info to the calculation, requires existing EVM
	  labeled file systems to be relabeled.

config EVM_EXTRA_SMACK_XATTRS
	bool "Additional SMACK xattrs"
	depends on EVM && SECURITY_SMACK
	default n
	help
	  Include additional SMACK xattrs for HMAC calculation.

	  In addition to the original security xattrs (eg. security.selinux,
	  security.SMACK64, security.capability, and security.ima) included
	  in the HMAC calculation, enabling this option includes newly defined
	  Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
	  security.SMACK64MMAP.

	  WARNING: changing the HMAC calculation method or adding
	  additional info to the calculation, requires existing EVM
	  labeled file systems to be relabeled.

config EVM_ADD_XATTRS
	bool "Add additional EVM extended attributes at runtime"
	depends on EVM
	default n
	help
	  Allow userland to provide additional xattrs for HMAC calculation.

	  When this option is enabled, root can add additional xattrs to the
	  list used by EVM by writing them into
	  /sys/kernel/security/integrity/evm/evm_xattrs.

config EVM_LOAD_X509
	bool "Load an X509 certificate onto the '.evm' trusted keyring"
	depends on EVM && INTEGRITY_TRUSTED_KEYRING
	default n
	help
	   Load an X509 certificate onto the '.evm' trusted keyring.

	   This option enables X509 certificate loading from the kernel
	   onto the '.evm' trusted keyring.  A public key can be used to
	   verify EVM integrity starting from the 'init' process. The
	   key must have digitalSignature usage set.

config EVM_X509_PATH
	string "EVM X509 certificate path"
	depends on EVM_LOAD_X509
	default "/etc/keys/x509_evm.der"
	help
	   This option defines X509 certificate path.
Commit	Line	Data
	1	# SPDX-License-Identifier: GPL-2.0-only
	2	config EVM
	3	bool "EVM support"
	4	select KEYS
	5	select ENCRYPTED_KEYS
	6	select CRYPTO_HMAC
	7	select CRYPTO_SHA1
	8	select CRYPTO_HASH_INFO
	9	select SECURITY_PATH
	10	default n
	11	help
	12	EVM protects a file's security extended attributes against
	13	integrity attacks.
	14
	15	If you are unsure how to answer this question, answer N.
	16
	17	config EVM_ATTR_FSUUID
	18	bool "FSUUID (version 2)"
	19	default y
	20	depends on EVM
	21	help
	22	Include filesystem UUID for HMAC calculation.
	23
	24	Default value is 'selected', which is former version 2.
	25	if 'not selected', it is former version 1
	26
	27	WARNING: changing the HMAC calculation method or adding
	28	additional info to the calculation, requires existing EVM
	29	labeled file systems to be relabeled.
	30
	31	config EVM_EXTRA_SMACK_XATTRS
	32	bool "Additional SMACK xattrs"
	33	depends on EVM && SECURITY_SMACK
	34	default n
	35	help
	36	Include additional SMACK xattrs for HMAC calculation.
	37
	38	In addition to the original security xattrs (eg. security.selinux,
	39	security.SMACK64, security.capability, and security.ima) included
	40	in the HMAC calculation, enabling this option includes newly defined
	41	Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
	42	security.SMACK64MMAP.
	43
	44	WARNING: changing the HMAC calculation method or adding
	45	additional info to the calculation, requires existing EVM
	46	labeled file systems to be relabeled.
	47
	48	config EVM_ADD_XATTRS
	49	bool "Add additional EVM extended attributes at runtime"
	50	depends on EVM
	51	default n
	52	help
	53	Allow userland to provide additional xattrs for HMAC calculation.
	54
	55	When this option is enabled, root can add additional xattrs to the
	56	list used by EVM by writing them into
	57	/sys/kernel/security/integrity/evm/evm_xattrs.
	58
	59	config EVM_LOAD_X509
	60	bool "Load an X509 certificate onto the '.evm' trusted keyring"
	61	depends on EVM && INTEGRITY_TRUSTED_KEYRING
	62	default n
	63	help
	64	Load an X509 certificate onto the '.evm' trusted keyring.
	65
	66	This option enables X509 certificate loading from the kernel
	67	onto the '.evm' trusted keyring. A public key can be used to
	68	verify EVM integrity starting from the 'init' process. The
	69	key must have digitalSignature usage set.
	70
	71	config EVM_X509_PATH
	72	string "EVM X509 certificate path"
	73	depends on EVM_LOAD_X509
	74	default "/etc/keys/x509_evm.der"
	75	help
	76	This option defines X509 certificate path.