blob: d593346d0bba48d22454b5ee4e8724204ce1c394 [file] [log] [blame]
Mimi Zohar66dbc3252011-03-15 16:12:09 -04001config EVM
Christoph Jaeger6341e622014-12-20 15:41:11 -05002 bool "EVM support"
Dmitry Kasatkina3aef942014-02-28 14:18:09 +02003 select KEYS
4 select ENCRYPTED_KEYS
Mimi Zohar66dbc3252011-03-15 16:12:09 -04005 select CRYPTO_HMAC
Mimi Zohar66dbc3252011-03-15 16:12:09 -04006 select CRYPTO_SHA1
Mimi Zohar66dbc3252011-03-15 16:12:09 -04007 default n
8 help
9 EVM protects a file's security extended attributes against
10 integrity attacks.
11
12 If you are unsure how to answer this question, answer N.
Dmitry Kasatkin74de6682012-09-10 10:37:20 +030013
Dmitry Kasatkind3b33672014-03-28 14:31:04 +020014config EVM_ATTR_FSUUID
15 bool "FSUUID (version 2)"
16 default y
17 depends on EVM
18 help
19 Include filesystem UUID for HMAC calculation.
20
21 Default value is 'selected', which is former version 2.
22 if 'not selected', it is former version 1
23
24 WARNING: changing the HMAC calculation method or adding
Dmitry Kasatkin74de6682012-09-10 10:37:20 +030025 additional info to the calculation, requires existing EVM
Dmitry Kasatkind3b33672014-03-28 14:31:04 +020026 labeled file systems to be relabeled.
27
Dmitry Kasatkin3e38df52014-03-28 14:31:14 +020028config EVM_EXTRA_SMACK_XATTRS
29 bool "Additional SMACK xattrs"
30 depends on EVM && SECURITY_SMACK
31 default n
32 help
33 Include additional SMACK xattrs for HMAC calculation.
34
35 In addition to the original security xattrs (eg. security.selinux,
36 security.SMACK64, security.capability, and security.ima) included
37 in the HMAC calculation, enabling this option includes newly defined
38 Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
39 security.SMACK64MMAP.
40
41 WARNING: changing the HMAC calculation method or adding
42 additional info to the calculation, requires existing EVM
43 labeled file systems to be relabeled.
44
Matthew Garrettfa516b62018-05-15 10:38:26 -070045config EVM_ADD_XATTRS
46 bool "Add additional EVM extended attributes at runtime"
47 depends on EVM
48 default n
49 help
50 Allow userland to provide additional xattrs for HMAC calculation.
51
52 When this option is enabled, root can add additional xattrs to the
53 list used by EVM by writing them into
54 /sys/kernel/security/integrity/evm/evm_xattrs.
55
Dmitry Kasatkin2ce523e2015-10-22 21:26:21 +030056config EVM_LOAD_X509
57 bool "Load an X509 certificate onto the '.evm' trusted keyring"
Arnd Bergmann05d3884b2015-11-27 14:52:33 +010058 depends on EVM && INTEGRITY_TRUSTED_KEYRING
Dmitry Kasatkin2ce523e2015-10-22 21:26:21 +030059 default n
60 help
61 Load an X509 certificate onto the '.evm' trusted keyring.
62
63 This option enables X509 certificate loading from the kernel
64 onto the '.evm' trusted keyring. A public key can be used to
65 verify EVM integrity starting from the 'init' process.
66
67config EVM_X509_PATH
68 string "EVM X509 certificate path"
69 depends on EVM_LOAD_X509
70 default "/etc/keys/x509_evm.der"
71 help
72 This option defines X509 certificate path.