| # SPDX-License-Identifier: GPL-2.0-only |
| config EVM |
| bool "EVM support" |
| select KEYS |
| select ENCRYPTED_KEYS |
| select CRYPTO_HMAC |
| select CRYPTO_SHA1 |
| select CRYPTO_HASH_INFO |
| default n |
| help |
| EVM protects a file's security extended attributes against |
| integrity attacks. |
| |
| If you are unsure how to answer this question, answer N. |
| |
| config EVM_ATTR_FSUUID |
| bool "FSUUID (version 2)" |
| default y |
| depends on EVM |
| help |
| Include filesystem UUID for HMAC calculation. |
| |
| Default value is 'selected', which is former version 2. |
| if 'not selected', it is former version 1 |
| |
| WARNING: changing the HMAC calculation method or adding |
| additional info to the calculation, requires existing EVM |
| labeled file systems to be relabeled. |
| |
| config EVM_EXTRA_SMACK_XATTRS |
| bool "Additional SMACK xattrs" |
| depends on EVM && SECURITY_SMACK |
| default n |
| help |
| Include additional SMACK xattrs for HMAC calculation. |
| |
| In addition to the original security xattrs (eg. security.selinux, |
| security.SMACK64, security.capability, and security.ima) included |
| in the HMAC calculation, enabling this option includes newly defined |
| Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and |
| security.SMACK64MMAP. |
| |
| WARNING: changing the HMAC calculation method or adding |
| additional info to the calculation, requires existing EVM |
| labeled file systems to be relabeled. |
| |
| config EVM_ADD_XATTRS |
| bool "Add additional EVM extended attributes at runtime" |
| depends on EVM |
| default n |
| help |
| Allow userland to provide additional xattrs for HMAC calculation. |
| |
| When this option is enabled, root can add additional xattrs to the |
| list used by EVM by writing them into |
| /sys/kernel/security/integrity/evm/evm_xattrs. |
| |
| config EVM_LOAD_X509 |
| bool "Load an X509 certificate onto the '.evm' trusted keyring" |
| depends on EVM && INTEGRITY_TRUSTED_KEYRING |
| default n |
| help |
| Load an X509 certificate onto the '.evm' trusted keyring. |
| |
| This option enables X509 certificate loading from the kernel |
| onto the '.evm' trusted keyring. A public key can be used to |
| verify EVM integrity starting from the 'init' process. The |
| key must have digitalSignature usage set. |
| |
| config EVM_X509_PATH |
| string "EVM X509 certificate path" |
| depends on EVM_LOAD_X509 |
| default "/etc/keys/x509_evm.der" |
| help |
| This option defines X509 certificate path. |