# Annotations from the original git-blame view of this Kconfig: Mimi Zohar,
# 66dbc325, 2011-03-15; Dmitry Kasatkin, 74de668, 2012-09-10; a3aef94,
# 2014-02-28; d3b3367 and 3e38df5, 2014-03-28; 2ce523e, 2015-10-22;
# Christoph Jaeger, 6341e62, 2014-12-20; Arnd Bergmann, 05d3884b, 2015-11-27;
# Matthew Garrett, fa516b6, 2018-05-15.

config EVM
	bool "EVM support"
	select KEYS
	select ENCRYPTED_KEYS
	select CRYPTO_HMAC
	select CRYPTO_SHA1
	default n
	help
	  EVM protects a file's security extended attributes (for example
	  security.ima, security.selinux and security.capability) against
	  offline tampering by binding them, together with selected inode
	  metadata, to a keyed HMAC or a digital signature.

	  If you are unsure how to answer this question, answer N.

config EVM_ATTR_FSUUID
	bool "FSUUID (version 2)"
	default y
	depends on EVM
	help
	  Include the filesystem UUID in the HMAC calculation.

	  Enabled (the default) corresponds to the former "version 2" HMAC;
	  disabled corresponds to the former "version 1". Because the UUID
	  is bound in, changing a labeled filesystem's UUID invalidates its
	  EVM HMACs until it is relabeled.

	  WARNING: changing the HMAC calculation method or adding additional
	  info to the calculation requires existing EVM labeled file systems
	  to be relabeled.

config EVM_EXTRA_SMACK_XATTRS
	bool "Additional SMACK xattrs"
	depends on EVM && SECURITY_SMACK
	default n
	help
	  Include additional SMACK xattrs in the HMAC calculation.

	  In addition to the original security xattrs (e.g. security.selinux,
	  security.SMACK64, security.capability and security.ima) included in
	  the HMAC calculation, enabling this option includes the newer Smack
	  xattrs security.SMACK64EXEC, security.SMACK64TRANSMUTE and
	  security.SMACK64MMAP. Files carrying any of them will no longer
	  verify until relabeled.

	  WARNING: changing the HMAC calculation method or adding additional
	  info to the calculation requires existing EVM labeled file systems
	  to be relabeled.

config EVM_ADD_XATTRS
	bool "Add additional EVM extended attributes at runtime"
	depends on EVM
	default n
	help
	  Allow userland to provide additional xattrs for the HMAC calculation.

	  When this option is enabled, root can add xattr names to the list
	  used by EVM by writing them, one per write, into
	  /sys/kernel/security/integrity/evm/evm_xattrs (securityfs). The same
	  relabeling caveat applies: the list must be identical whenever the
	  files are labeled and verified.
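The three options above all change what goes into the EVM HMAC, and the relabeling WARNING follows directly from that. The model below is added here as an illustration and is not kernel code: it shows that the same file gets a different HMAC once the filesystem UUID is mixed in (version 1 versus version 2), that extending the xattr list changes the HMAC only for files that actually carry an added xattr, and it models a runtime addition through evm_xattrs as a list append guarded by the security.* prefix and duplicate checks I believe evm_secfs.c applies. The key, UUID, inode numbers and xattr values are constructed sample data; the struct layout and the list order are my reading of evm_crypto.c, not anything this Kconfig states, and security.apparmor is just an example name to add.

```python
"""Model of the EVM HMAC that EVM_ATTR_FSUUID, EVM_EXTRA_SMACK_XATTRS and
EVM_ADD_XATTRS tune. Added example, not kernel code. Layout assumptions
(mine, from reading evm_crypto.c, not stated in the Kconfig): xattr values
are fed to HMAC-SHA1 in list order, absent xattrs are skipped, then a zeroed
struct h_misc {unsigned long ino; u32 generation; uid_t uid; gid_t gid;
umode_t mode;} and, for version 2, the 16-byte filesystem UUID.
"""
import hashlib
import hmac
import struct
import uuid

# Xattrs named in the EVM_EXTRA_SMACK_XATTRS help text. The in-kernel list
# order is an assumption here; any order works as long as labeler and
# verifier agree, which is exactly why changing it forces a relabel.
DEFAULT_XATTRS = ["security.selinux", "security.SMACK64",
                  "security.capability", "security.ima"]
EXTRA_SMACK_XATTRS = ["security.SMACK64EXEC", "security.SMACK64TRANSMUTE",
                      "security.SMACK64MMAP"]

# Assumed x86_64 layout of struct h_misc: 8+4+4+4+2 = 22 bytes, "0Q" pads to
# 24 like sizeof() does for the kernel; the kernel memsets it to 0 first, so
# the padding bytes are zero.
H_MISC = struct.Struct("@QIIIH0Q")


def evm_hmac(key, file_xattrs, ino, generation, uid, gid, mode,
             fs_uuid=None, xattr_names=None):
    """HMAC-SHA1 over the protected xattrs and the inode metadata.

    fs_uuid=None models EVM_ATTR_FSUUID=n (former version 1); a 16-byte
    UUID models EVM_ATTR_FSUUID=y (former version 2).
    """
    names = DEFAULT_XATTRS if xattr_names is None else xattr_names
    mac = hmac.new(key, digestmod=hashlib.sha1)
    for name in names:
        value = file_xattrs.get(name)
        if value is not None:          # a missing xattr contributes nothing
            mac.update(value)
    mac.update(H_MISC.pack(ino, generation, uid, gid, mode))
    if fs_uuid is not None:
        mac.update(fs_uuid)            # version 2: bind to this filesystem
    return mac.digest()


def xattr_name_error(names, new_name):
    """Model of the checks applied when root writes a name to
    /sys/kernel/security/integrity/evm/evm_xattrs (EVM_ADD_XATTRS).
    Both rules are my reading of evm_secfs.c, not stated in the Kconfig.
    Returns None when the name would be accepted."""
    if not new_name.startswith("security."):
        return "only security.* xattrs can be EVM-protected"
    if new_name in names:
        return "already in the list"
    return None


def add_runtime_xattr(names, new_name):
    """Append a name the way a write to evm_xattrs would, or raise."""
    err = xattr_name_error(names, new_name)
    if err:
        raise ValueError(f"{new_name}: {err}")
    return names + [new_name]


# Constructed sample data: a fake HMAC key (the real one is an encrypted key
# unsealed inside the kernel), a fake fs UUID and two files' xattr sets.
EVM_KEY = b"constructed-key-not-a-real-evm-key"
FS_UUID = uuid.UUID("0f4c2a3e-8d1b-4c6a-9e2f-1a2b3c4d5e6f").bytes
INODE = dict(ino=131073, generation=2, uid=0, gid=0, mode=0o100755)
PLAIN_FILE = {"security.selinux": b"system_u:object_r:bin_t:s0\x00",
              "security.ima": b"\x04" + bytes(32)}
SMACK_FILE = dict(PLAIN_FILE, **{"security.SMACK64": b"System",
                                "security.SMACK64EXEC": b"_"})


def hmac_v1(file_xattrs, names=None):
    """Former version 1: no filesystem UUID."""
    return evm_hmac(EVM_KEY, file_xattrs, fs_uuid=None, xattr_names=names, **INODE)


def hmac_v2(file_xattrs, names=None):
    """Former version 2 (EVM_ATTR_FSUUID=y): UUID appended."""
    return evm_hmac(EVM_KEY, file_xattrs, fs_uuid=FS_UUID, xattr_names=names, **INODE)


if __name__ == "__main__":
    extra = DEFAULT_XATTRS + EXTRA_SMACK_XATTRS
    print("v1 and v2 differ for the same file:",
          hmac_v1(PLAIN_FILE) != hmac_v2(PLAIN_FILE))
    print("extra Smack xattrs, file without them:",
          "unchanged" if hmac_v2(PLAIN_FILE) == hmac_v2(PLAIN_FILE, extra) else "changed")
    print("extra Smack xattrs, file with SMACK64EXEC:",
          "unchanged" if hmac_v2(SMACK_FILE) == hmac_v2(SMACK_FILE, extra) else "changed")
    print("runtime list:", add_runtime_xattr(DEFAULT_XATTRS, "security.apparmor"))
```

Run it with python3; it needs only the standard library. On a real system the HMAC is produced inside the kernel (or by evmctl from ima-evm-utils with the same key) and stored in security.evm, which is why any change to the inputs modelled here, whether a Kconfig option or a name written to evm_xattrs, has to be followed by a relabel.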
config EVM_LOAD_X509
	bool "Load an X509 certificate onto the '.evm' trusted keyring"
	depends on EVM && INTEGRITY_TRUSTED_KEYRING
	default n
	help
	  Load an X509 certificate onto the '.evm' trusted keyring.

	  This option has the kernel itself load the X509 certificate found
	  at EVM_X509_PATH onto the '.evm' trusted keyring, so its public key
	  is available to verify EVM signatures starting from the 'init'
	  process, before userspace has had a chance to load any keys.

config EVM_X509_PATH
	string "EVM X509 certificate path"
	depends on EVM_LOAD_X509
	default "/etc/keys/x509_evm.der"
	help
	  Path of the DER-encoded X509 certificate that EVM_LOAD_X509 loads
	  onto the '.evm' trusted keyring.