<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="/source/rss.xsl.xml"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
    <title>Changes in evm</title>
    <description></description>
    <language>en</language>
    <copyright>Copyright 2015</copyright>
    <generator>Java</generator><item>
        <title>82bbd447199ff1441031d2eaf9afe041550cf525 - evm: Enforce signatures version 3 with new EVM policy &apos;bit 3&apos;</title>
        <link>http://kernelsources.org:8080/source/history/linux/Documentation/ABI/testing/evm#82bbd447199ff1441031d2eaf9afe041550cf525</link>
<description>evm: Enforce signatures version 3 with new EVM policy &apos;bit 3&apos;

Enable the configuration of EVM so that it requires that asymmetric
signatures it accepts are of version 3 (sigv3). To enable this, introduce
bit 3 (value 0x0008) that the user may write to EVM&apos;s securityfs policy
configuration file &apos;evm&apos; for sigv3 enforcement.

Mention bit 3 in the documentation.

Signed-off-by: Stefan Berger &lt;stefanb@linux.ibm.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;

            List of files:
            /linux/Documentation/ABI/testing/evm</description>
        <pubDate>Wed, 25 Mar 2026 22:33:49 +0100</pubDate>
        <dc:creator>Stefan Berger &lt;stefanb@linux.ibm.com&gt;</dc:creator>
    </item>
<item>
        <title>483f7d699fd96d494dbd299f73d758073c73c147 - ABI: evm: place a second what at the next line</title>
        <link>http://kernelsources.org:8080/source/history/linux/Documentation/ABI/testing/evm#483f7d699fd96d494dbd299f73d758073c73c147</link>
<description>ABI: evm: place a second what at the next line

Originally, get_abi.pl was using spaces to separate What: parameters,
but there are several references that declare things like:

	/sys/class/powercap/.../&lt;power zone&gt;/enabled

So, the logic was changed in order to properly address it.

That broke the second What added by
Changeset 18e49b304633 (&quot;ABI: security: fix location for evm and ima_policy&quot;).

As the only file that defines multiple What: at the same line is
this file, let&apos;s move the second What: to a separate line.

Fixes: 18e49b304633 (&quot;ABI: security: fix location for evm and ima_policy&quot;)
Fixes: ab9c14805b37 (&quot;scripts: get_abi.pl: Better handle multiple What parameters&quot;)
Signed-off-by: Mauro Carvalho Chehab &lt;mchehab+huawei@kernel.org&gt;
Link: https://lore.kernel.org/r/1f1e29ccdc0dd0ec089a67b8a4e9650517c6137a.1632823172.git.mchehab+huawei@kernel.org
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

            List of files:
            /linux/Documentation/ABI/testing/evm</description>
        <pubDate>Tue, 28 Sep 2021 12:14:04 +0200</pubDate>
        <dc:creator>Mauro Carvalho Chehab &lt;mchehab+huawei@kernel.org&gt;</dc:creator>
    </item>
<item>
        <title>18e49b304633fab4253718173ea36e6605fd1036 - ABI: security: fix location for evm and ima_policy</title>
        <link>http://kernelsources.org:8080/source/history/linux/Documentation/ABI/testing/evm#18e49b304633fab4253718173ea36e6605fd1036</link>
<description>ABI: security: fix location for evm and ima_policy

The What: definitions there are wrong, pointing to different
locations than what&apos;s expected.

Reviewed-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;
Signed-off-by: Mauro Carvalho Chehab &lt;mchehab+huawei@kernel.org&gt;
Link: https://lore.kernel.org/r/b2563ac34c2e234cdd728f0c701b57ac9023c45a.1631782432.git.mchehab+huawei@kernel.org
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

            List of files:
            /linux/Documentation/ABI/testing/evm</description>
        <pubDate>Thu, 16 Sep 2021 10:59:31 +0200</pubDate>
        <dc:creator>Mauro Carvalho Chehab &lt;mchehab+huawei@kernel.org&gt;</dc:creator>
    </item>
<item>
        <title>1434c6a1d32a3a1a77f58a03197b802b1724c740 - evm: Deprecate EVM_ALLOW_METADATA_WRITES</title>
        <link>http://kernelsources.org:8080/source/history/linux/Documentation/ABI/testing/evm#1434c6a1d32a3a1a77f58a03197b802b1724c740</link>
<description>evm: Deprecate EVM_ALLOW_METADATA_WRITES

This patch deprecates the usage of EVM_ALLOW_METADATA_WRITES, as it is no
longer necessary. All the issues that prevent the usage of EVM portable
signatures just with a public key loaded have been solved.

This flag will remain available for a short time to ensure that users are
able to use EVM without it.

Signed-off-by: Roberto Sassu &lt;roberto.sassu@huawei.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;

            List of files:
            /linux/Documentation/ABI/testing/evm</description>
        <pubDate>Fri, 14 May 2021 17:27:50 +0200</pubDate>
        <dc:creator>Roberto Sassu &lt;roberto.sassu@huawei.com&gt;</dc:creator>
    </item>
<item>
        <title>9acc89d31f0c94c8e573ed61f3e4340bbd526d0c - evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded</title>
        <link>http://kernelsources.org:8080/source/history/linux/Documentation/ABI/testing/evm#9acc89d31f0c94c8e573ed61f3e4340bbd526d0c</link>
<description>evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded

EVM_ALLOW_METADATA_WRITES is an EVM initialization flag that can be set to
temporarily disable metadata verification until all xattrs/attrs necessary
to verify an EVM portable signature are copied to the file. This flag is
cleared when EVM is initialized with an HMAC key, to avoid that the HMAC is
calculated on unverified xattrs/attrs.

Currently EVM unnecessarily denies setting this flag if EVM is initialized
with a public key, which is not a concern as it cannot be used to trust
xattrs/attrs updates. This patch removes this limitation.

Fixes: ae1ba1676b88e (&quot;EVM: Allow userland to permit modification of EVM-protected metadata&quot;)
Signed-off-by: Roberto Sassu &lt;roberto.sassu@huawei.com&gt;
Cc: stable@vger.kernel.org # 4.16.x
Signed-off-by: Mimi Zohar &lt;zohar@linux.ibm.com&gt;

            List of files:
            /linux/Documentation/ABI/testing/evm</description>
        <pubDate>Fri, 14 May 2021 17:27:44 +0200</pubDate>
        <dc:creator>Roberto Sassu &lt;roberto.sassu@huawei.com&gt;</dc:creator>
    </item>
<item>
        <title>34433332841de2787f903fcf7de8dc3e06780f4a - docs: ABI: testing: make the files compatible with ReST output</title>
        <link>http://kernelsources.org:8080/source/history/linux/Documentation/ABI/testing/evm#34433332841de2787f903fcf7de8dc3e06780f4a</link>
<description>docs: ABI: testing: make the files compatible with ReST output

Some files over there won&apos;t parse well by Sphinx.

Fix them.

Acked-by: Jonathan Cameron &lt;Jonathan.Cameron@huawei.com&gt; # for IIO
Acked-by: Fabrice Gasnier &lt;fabrice.gasnier@st.com&gt;
Acked-by: Jonathan Corbet &lt;corbet@lwn.net&gt;
Signed-off-by: Mauro Carvalho Chehab &lt;mchehab+huawei@kernel.org&gt;
Link: https://lore.kernel.org/r/58cf3c2d611e0197fb215652719ebd82ca2658db.1604042072.git.mchehab+huawei@kernel.org
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

            List of files:
            /linux/Documentation/ABI/testing/evm</description>
        <pubDate>Fri, 30 Oct 2020 08:40:39 +0100</pubDate>
        <dc:creator>Mauro Carvalho Chehab &lt;mchehab+huawei@kernel.org&gt;</dc:creator>
    </item>
<item>
        <title>fa516b66a1bfce1d72f1620c54bdfebc493000d1 - EVM: Allow runtime modification of the set of verified xattrs</title>
        <link>http://kernelsources.org:8080/source/history/linux/Documentation/ABI/testing/evm#fa516b66a1bfce1d72f1620c54bdfebc493000d1</link>
<description>EVM: Allow runtime modification of the set of verified xattrs

Sites may wish to provide additional metadata alongside files in order
to make more fine-grained security decisions[1]. The security of this is
enhanced if this metadata is protected, something that EVM makes
possible. However, the kernel cannot know about the set of extended
attributes that local admins may wish to protect, and hardcoding this
policy in the kernel makes it difficult to change over time and less
convenient for distributions to enable.

This patch adds a new /sys/kernel/security/integrity/evm/evm_xattrs node,
which can be read to obtain the current set of EVM-protected extended
attributes or written to in order to add new entries. Extending this list
will not change the validity of any existing signatures provided that the
file in question does not have any of the additional extended attributes -
missing xattrs are skipped when calculating the EVM hash.

[1] For instance, a package manager could install information about the
package uploader in an additional extended attribute. Local LSM policy
could then be associated with that extended attribute in order to
restrict the privileges available to packages from less trusted
uploaders.

Signed-off-by: Matthew Garrett &lt;mjg59@google.com&gt;
Reviewed-by: James Morris &lt;james.morris@microsoft.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;

            List of files:
            /linux/Documentation/ABI/testing/evm</description>
        <pubDate>Tue, 15 May 2018 19:38:26 +0200</pubDate>
        <dc:creator>Matthew Garrett &lt;mjg59@google.com&gt;</dc:creator>
    </item>
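<![CDATA[
The evm_xattrs node described in the commit above, modelled in user space as an added example; this is neither kernel code nor part of the original page. Assumptions: the constructed node contents (security.selinux, security.ima, security.capability; the real default list depends on the LSMs the kernel was built with), the constructed sample files, and the name security.uploader, which stands in for the package-uploader attribute the commit gives as motivation. The digest is a plain SHA-256 over the present values in list order, which is enough to show the skipping rule the commit relies on; it is not the kernel's keyed HMAC, which also binds inode metadata. The prefix and duplicate checks follow the kernel's evm_write_xattrs(); the kernel additionally treats a write of "." as locking the list, which this model leaves out.

```python
"""Added example (not kernel code): user-space model of the evm_xattrs node."""
import hashlib

EVM_XATTRS_NODE = "/sys/kernel/security/integrity/evm/evm_xattrs"
SECURITY_PREFIX = "security."

# Constructed sample of the node's contents; the real default list depends on
# the LSMs the kernel was built with.
SAMPLE_NODE_TEXT = "security.selinux\nsecurity.ima\nsecurity.capability\n"


def parse_evm_xattrs(node_text):
    """The protected names, one per line, in the order EVM walks them."""
    return [line.strip() for line in node_text.splitlines() if line.strip()]


def add_protected_xattr(protected, name):
    """Model of one write to the node: returns the extended list.

    Mirrors two checks the kernel's evm_write_xattrs() applies: the name must
    live in the security.* namespace and must not already be listed.
    """
    name = name.strip()
    if not name.startswith(SECURITY_PREFIX):
        raise ValueError("EINVAL: only security.* xattrs can be EVM-protected: %r" % name)
    if name in protected:
        raise ValueError("EEXIST: %r is already protected" % name)
    return protected + [name]


def write_accepted(protected, name):
    """True when the modelled write would succeed."""
    try:
        add_protected_xattr(protected, name)
        return True
    except ValueError:
        return False


def evm_digest_model(protected, file_xattrs):
    """Simplified stand-in for the EVM digest over a file's protected xattrs.

    Walks the protected list in order and feeds in the value of each xattr the
    file actually carries; a name the file lacks contributes nothing. Plain
    SHA-256 here; the kernel uses a keyed HMAC (or a signature over a hash)
    that also covers inode metadata, but the skipping rule is the same.
    """
    h = hashlib.sha256()
    for name in protected:
        value = file_xattrs.get(name)
        if value is None:
            continue  # missing xattrs are skipped, so extending the list is backward compatible
        h.update(value)
    return h.hexdigest()


def extension_preserves_digest(protected, new_name, file_xattrs):
    """Does adding new_name to the protected set leave this file's digest intact?"""
    before = evm_digest_model(protected, file_xattrs)
    after = evm_digest_model(add_protected_xattr(protected, new_name), file_xattrs)
    return before == after


def read_live_xattrs(path=EVM_XATTRS_NODE):
    """The live list, or None where securityfs/EVM is unavailable (containers, non-root)."""
    try:
        with open(path) as node:
            return parse_evm_xattrs(node.read())
    except OSError:
        return None


if __name__ == "__main__":
    protected = parse_evm_xattrs(SAMPLE_NODE_TEXT)
    # Constructed file metadata: one file without the new attribute, one with it.
    plain = {"security.selinux": b"system_u:object_r:bin_t:s0",
             "security.ima": b"\x04\x01" + b"\x11" * 32}
    tagged = {**plain, "security.uploader": b"alice"}
    print("untagged file keeps its digest:",
          extension_preserves_digest(protected, "security.uploader", plain))
    print("tagged file needs a new signature:",
          not extension_preserves_digest(protected, "security.uploader", tagged))
    print("this host protects:", read_live_xattrs() or "EVM node not readable")
```

The practical consequence for the packaging use case in the commit: a fleet can add security.uploader to the protected set before any file carries it, and every existing security.evm stays valid; only files that are subsequently tagged need fresh signatures.
]]>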
<item>
        <title>ae1ba1676b88e6c62368a433c7e2d0417e9879fd - EVM: Allow userland to permit modification of EVM-protected metadata</title>
        <link>http://kernelsources.org:8080/source/history/linux/Documentation/ABI/testing/evm#ae1ba1676b88e6c62368a433c7e2d0417e9879fd</link>
<description>EVM: Allow userland to permit modification of EVM-protected metadata

When EVM is enabled it forbids modification of metadata protected by
EVM unless there is already a valid EVM signature. If any modification
is made, the kernel will then generate a new EVM HMAC. However, this
does not map well on use cases which use only asymmetric EVM signatures,
as in this scenario the kernel is unable to generate new signatures.

This patch extends the /sys/kernel/security/evm interface to allow
userland to request that modification of these xattrs be permitted. This
is only permitted if no keys have already been loaded. In this
configuration, modifying the metadata will invalidate the EVM appraisal
on the file in question. This allows packaging systems to write out new
files, set the relevant extended attributes and then move them into
place.

There&apos;s also some refactoring of the use of evm_initialized in order to
avoid heading down codepaths that assume there&apos;s a key available.

Signed-off-by: Matthew Garrett &lt;mjg59@google.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;

            List of files:
            /linux/Documentation/ABI/testing/evm</description>
        <pubDate>Tue, 07 Nov 2017 16:18:35 +0100</pubDate>
        <dc:creator>Matthew Garrett &lt;mjg59@google.com&gt;</dc:creator>
    </item>
<item>
        <title>b33e3cc5c90b8293599318b68e61b93a89c127bb - Merge branch &apos;next-integrity&apos; of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security</title>
        <link>http://kernelsources.org:8080/source/history/linux/Documentation/ABI/testing/evm#b33e3cc5c90b8293599318b68e61b93a89c127bb</link>
<description>Merge branch &apos;next-integrity&apos; of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull security subsystem integrity updates from James Morris:
 &quot;There is a mixture of bug fixes, code cleanup, preparatory code for
  new functionality and new functionality.

  Commit 26ddabfe96bb (&quot;evm: enable EVM when X509 certificate is
  loaded&quot;) enabled EVM without loading a symmetric key, but was limited
  to defining the x509 certificate pathname at build. Included in this
  set of patches is the ability of enabling EVM, without loading the EVM
  symmetric key, from userspace. New is the ability to prevent the
  loading of an EVM symmetric key.&quot;

* &apos;next-integrity&apos; of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  ima: Remove redundant conditional operator
  ima: Fix bool initialization/comparison
  ima: check signature enforcement against cmdline param instead of CONFIG
  module: export module signature enforcement status
  ima: fix hash algorithm initialization
  EVM: Only complain about a missing HMAC key once
  EVM: Allow userspace to signal an RSA key has been loaded
  EVM: Include security.apparmor in EVM measurements
  ima: call ima_file_free() prior to calling fasync
  integrity: use kernel_read_file_from_path() to read x509 certs
  ima: always measure and audit files in policy
  ima: don&apos;t remove the securityfs policy file
  vfs: fix mounting a filesystem with i_version

            List of files:
            /linux/Documentation/ABI/testing/evm</description>
        <pubDate>Mon, 13 Nov 2017 19:41:25 +0100</pubDate>
        <dc:creator>Linus Torvalds &lt;torvalds@linux-foundation.org&gt;</dc:creator>
    </item>
<item>
        <title>f00d79750712511d0a83c108eea0d44b680a915f - EVM: Allow userspace to signal an RSA key has been loaded</title>
        <link>http://kernelsources.org:8080/source/history/linux/Documentation/ABI/testing/evm#f00d79750712511d0a83c108eea0d44b680a915f</link>
<description>EVM: Allow userspace to signal an RSA key has been loaded

EVM will only perform validation once a key has been loaded. This key
may either be a symmetric trusted key (for HMAC validation and creation)
or the public half of an asymmetric key (for digital signature
validation). The /sys/kernel/security/evm interface allows userland to
signal that a symmetric key has been loaded, but does not allow userland
to signal that an asymmetric public key has been loaded.

This patch extends the interface to permit userspace to pass a bitmask
of loaded key types. It also allows userspace to block loading of a
symmetric key in order to avoid a compromised system from being able to
load an additional key type later.

Signed-off-by: Matthew Garrett &lt;mjg59@google.com&gt;
Signed-off-by: Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;

            List of files:
            /linux/Documentation/ABI/testing/evm</description>
        <pubDate>Wed, 11 Oct 2017 21:10:14 +0200</pubDate>
        <dc:creator>Matthew Garrett &lt;mjg59@google.com&gt;</dc:creator>
    </item>
<item>
        <title>c7f66400f504fd54bda6ec644853c07333e8cb87 - Documentation: fix security related doc refs</title>
        <link>http://kernelsources.org:8080/source/history/linux/Documentation/ABI/testing/evm#c7f66400f504fd54bda6ec644853c07333e8cb87</link>
<description>Documentation: fix security related doc refs

Make security document refs valid.

Signed-off-by: Tom Saeger &lt;tom.saeger@oracle.com&gt;
Signed-off-by: Jonathan Corbet &lt;corbet@lwn.net&gt;

            List of files:
            /linux/Documentation/ABI/testing/evm</description>
        <pubDate>Tue, 10 Oct 2017 19:36:30 +0200</pubDate>
        <dc:creator>Tom Saeger &lt;tom.saeger@oracle.com&gt;</dc:creator>
    </item>
<item>
        <title>66dbc325afcef909043c30e90930a36823fc734c - evm: re-release</title>
        <link>http://kernelsources.org:8080/source/history/linux/Documentation/ABI/testing/evm#66dbc325afcef909043c30e90930a36823fc734c</link>
<description>evm: re-release

EVM protects a file&apos;s security extended attributes(xattrs) against integrity
attacks.  This patchset provides the framework and an initial method.  The
initial method maintains an HMAC-sha1 value across the security extended
attributes, storing the HMAC value as the extended attribute &apos;security.evm&apos;.
Other methods of validating the integrity of a file&apos;s metadata will be posted
separately (eg. EVM-digital-signatures).

While this patchset does authenticate the security xattrs, and
cryptographically binds them to the inode, coming extensions will bind other
directory and inode metadata for more complete protection.  To help simplify
the review and upstreaming process, each extension will be posted separately
(eg. IMA-appraisal, IMA-appraisal-directory).  For a general overview of the
proposed Linux integrity subsystem, refer to Dave Safford&apos;s whitepaper:
http://downloads.sf.net/project/linux-ima/linux-ima/Integrity_overview.pdf.

EVM depends on the Kernel Key Retention System to provide it with a
trusted/encrypted key for the HMAC-sha1 operation. The key is loaded onto the
root&apos;s keyring using keyctl.  Until EVM receives notification that the key has
been successfully loaded onto the keyring (echo 1 &gt; &lt;securityfs&gt;/evm), EVM cannot
create or validate the &apos;security.evm&apos; xattr, but returns INTEGRITY_UNKNOWN.
Loading the key and signaling EVM should be done as early as possible. Normally
this is done in the initramfs, which has already been measured as part of the
trusted boot.  For more information on creating and loading existing
trusted/encrypted keys, refer to Documentation/keys-trusted-encrypted.txt.  A
sample dracut patch, which loads the trusted/encrypted key and enables EVM, is
available from http://linux-ima.sourceforge.net/#EVM.

Based on the LSMs enabled, the set of EVM protected security xattrs is defined
at compile.  EVM adds the following three calls to the existing security hooks:
evm_inode_setxattr(), evm_inode_post_setxattr(), and evm_inode_removexattr.  To
initialize and update the &apos;security.evm&apos; extended attribute, EVM defines three
calls: evm_inode_post_init(), evm_inode_post_setattr() and
evm_inode_post_removexattr() hooks.  To verify the integrity of a security
xattr, EVM exports evm_verifyxattr().

Changelog v7:
- Fixed URL in EVM ABI documentation

Changelog v6: (based on Serge Hallyn&apos;s review)
- fix URL in patch description
- remove evm_hmac_size definition
- use SHA1_DIGEST_SIZE (removed both MAX_DIGEST_SIZE and evm_hmac_size)
- moved linux include before other includes
- test for crypto_hash_setkey failure
- fail earlier for invalid key
- clear entire encrypted key, even on failure
- check xattr name length before comparing xattr names

Changelog:
- locking based on i_mutex, remove evm_mutex
- using trusted/encrypted keys for storing the EVM key used in the HMAC-sha1
  operation.
- replaced crypto hash with shash (Dmitry Kasatkin)
- support for additional methods of verifying the security xattrs
  (Dmitry Kasatkin)
- iint not allocated for all regular files, but only for those appraised
- Use cap_sys_admin in lieu of cap_mac_admin
- Use __vfs_setxattr_noperm(), without permission checks, from EVM

Signed-off-by: Mimi Zohar &lt;zohar@us.ibm.com&gt;
Acked-by: Serge Hallyn &lt;serge.hallyn@canonical.com&gt;

            List of files:
            /linux/Documentation/ABI/testing/evm</description>
        <pubDate>Tue, 15 Mar 2011 21:12:09 +0100</pubDate>
        <dc:creator>Mimi Zohar &lt;zohar@linux.vnet.ibm.com&gt;</dc:creator>
    </item>
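<![CDATA[
The securityfs policy word that the commits above build up bit by bit (the original "echo 1 > <securityfs>/evm" HMAC signal, the bitmask of loaded key types and the lock against a later symmetric key, EVM_ALLOW_METADATA_WRITES and its refusal once an HMAC key is loaded, and bit 3 for sigv3 enforcement), modelled in user space as an added example. This is not kernel code and not part of the original page. The bit values 0x1, 0x2, 0x4 and 0x80000000 are the kernel's EVM_INIT_HMAC, EVM_INIT_X509, EVM_ALLOW_METADATA_WRITES and EVM_SETUP_COMPLETE from security/integrity/evm/evm.h; 0x8 is the value the sigv3 commit gives for bit 3, while the name EVM_SIGV3_ENFORCE used for it below is this example's own. The acceptance rules (EINVAL for unknown bits, EPERM once bit 31 is set, EPERM for metadata writes once an HMAC key is loaded, the flag being cleared when the HMAC key arrives, and loading the HMAC key freezing the policy) follow the kernel's evm_write_key(); the live-read helper only shows where to look and returns None where securityfs is not available.

```python
"""Added example (not kernel code): user-space model of the EVM policy word
written to /sys/kernel/security/evm, i.e. the 'echo VALUE > <securityfs>/evm'
interface the commits above extend bit by bit.
"""

# 0x1, 0x2, 0x4 and 0x80000000 are the kernel's EVM_INIT_HMAC, EVM_INIT_X509,
# EVM_ALLOW_METADATA_WRITES and EVM_SETUP_COMPLETE (security/integrity/evm/evm.h).
# 0x8 is "bit 3" from the sigv3 commit; the name EVM_SIGV3_ENFORCE is this
# example's own, not the kernel's.
EVM_INIT_HMAC = 0x00000001              # bit 0: HMAC key loaded; validate and create HMACs
EVM_INIT_X509 = 0x00000002              # bit 1: public key loaded; validate signatures
EVM_ALLOW_METADATA_WRITES = 0x00000004  # bit 2: let protected metadata be modified (deprecated)
EVM_SIGV3_ENFORCE = 0x00000008          # bit 3: accept only version 3 signatures (assumed name)
EVM_SETUP_COMPLETE = 0x80000000         # bit 31: refuse any further policy writes
EVM_INIT_MASK = (EVM_INIT_HMAC | EVM_INIT_X509 | EVM_ALLOW_METADATA_WRITES
                 | EVM_SIGV3_ENFORCE | EVM_SETUP_COMPLETE)
FLAG_NAMES = {
    EVM_INIT_HMAC: "EVM_INIT_HMAC",
    EVM_INIT_X509: "EVM_INIT_X509",
    EVM_ALLOW_METADATA_WRITES: "EVM_ALLOW_METADATA_WRITES",
    EVM_SIGV3_ENFORCE: "EVM_SIGV3_ENFORCE",
    EVM_SETUP_COMPLETE: "EVM_SETUP_COMPLETE",
}
EVM_NODE = "/sys/kernel/security/evm"


class EvmPolicyError(PermissionError):
    """A write the kernel answers with -EPERM."""


def policy_value(*flags):
    """The text to echo into the node for a set of flags, e.g. '0x80000002'."""
    word = 0
    for flag in flags:
        word |= flag
    return "0x%08x" % word


def describe(word):
    """Names of the bits set in a policy word, lowest bit first."""
    return [FLAG_NAMES[bit] for bit in sorted(FLAG_NAMES) if word & bit]


class EvmPolicy:
    """Successive writes to the node, with the acceptance rules the commits describe."""

    def __init__(self, initialized=0):
        self.initialized = initialized  # the kernel's evm_initialized

    def write(self, text):
        """Apply one write such as '1' or '0x80000002' and return the new word."""
        if self.initialized & EVM_SETUP_COMPLETE:
            raise EvmPolicyError("EPERM: bit 31 already set, policy is frozen")
        word = int(text.strip(), 0)  # base 0: decimal or 0x-prefixed hex, like kstrtouint
        if word == 0 or word & ~EVM_INIT_MASK:
            raise ValueError("EINVAL: empty or unknown policy bits %#x" % word)
        # Metadata writes are refused only once an HMAC key is loaded; with
        # just a public key loaded they are allowed (portable signatures).
        if (word & EVM_ALLOW_METADATA_WRITES) and (self.initialized & EVM_INIT_HMAC):
            raise EvmPolicyError("EPERM: metadata writes refused, HMAC key already loaded")
        if word & EVM_INIT_HMAC:
            # Loading the symmetric key freezes the policy, so a later compromise
            # cannot add a key type or re-enable metadata writes.
            word |= EVM_SETUP_COMPLETE
        self.initialized |= word
        if self.initialized & EVM_INIT_HMAC:
            # An HMAC must never be computed over unverified metadata.
            self.initialized &= ~EVM_ALLOW_METADATA_WRITES
        return self.initialized


def write_outcome(policy, text):
    """'ok', 'EINVAL' or 'EPERM' for one write, for scripted checks."""
    try:
        policy.write(text)
        return "ok"
    except ValueError:
        return "EINVAL"
    except EvmPolicyError:
        return "EPERM"


def read_live_policy(path=EVM_NODE):
    """The running kernel's policy word, or None where securityfs is unavailable."""
    try:
        with open(path) as node:
            return int(node.read().strip() or "0", 0)
    except OSError:
        return None


if __name__ == "__main__":
    # Public-key-only deployment: signal the X.509 key, enforce sigv3, then freeze.
    p = EvmPolicy()
    p.write(policy_value(EVM_INIT_X509))
    p.write(policy_value(EVM_SIGV3_ENFORCE, EVM_SETUP_COMPLETE))
    print("model:", describe(p.initialized), "later write ->", write_outcome(p, "4"))
    live = read_live_policy()
    print("this host:", describe(live) if live is not None else "EVM node not readable")
```

Two points the model makes visible that a single echo does not: order matters (bit 2 must be requested before the HMAC key is signalled, and anything requested after bit 31 is refused), and the HMAC path clears bit 2 and freezes the policy on its own, so the "compromised system loads another key type later" scenario from the RSA-key commit is closed whether or not the administrator sets bit 31 explicitly.
]]>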
</channel>
</rss>
