# SPDX-License-Identifier: GPL-2.0-only
config EVM
	bool "EVM support"
	select KEYS
	select ENCRYPTED_KEYS
	select CRYPTO_HMAC
	select CRYPTO_SHA1
	select CRYPTO_HASH_INFO
	select SECURITY_PATH
	default n
	help
	  EVM protects a file's security extended attributes against
	  integrity attacks.

	  If you are unsure how to answer this question, answer N.

config EVM_ATTR_FSUUID
	bool "FSUUID (version 2)"
	default y
	depends on EVM
	help
	  Include the filesystem UUID in the HMAC calculation.

	  The default value is 'selected', which is the former version 2;
	  if 'not selected', it is the former version 1.

	  WARNING: changing the HMAC calculation method or adding
	  additional info to the calculation requires existing EVM
	  labeled file systems to be relabeled.

config EVM_EXTRA_SMACK_XATTRS
	bool "Additional SMACK xattrs"
	depends on EVM && SECURITY_SMACK
	default n
	help
	  Include additional SMACK xattrs in the HMAC calculation.

	  In addition to the original security xattrs (e.g. security.selinux,
	  security.SMACK64, security.capability, and security.ima) included
	  in the HMAC calculation, enabling this option includes the newly
	  defined Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE
	  and security.SMACK64MMAP.

	  WARNING: changing the HMAC calculation method or adding
	  additional info to the calculation requires existing EVM
	  labeled file systems to be relabeled.

config EVM_ADD_XATTRS
	bool "Add additional EVM extended attributes at runtime"
	depends on EVM
	default n
	help
	  Allow userland to provide additional xattrs for the HMAC calculation.

	  When this option is enabled, root can add additional xattrs to the
	  list used by EVM by writing them into
	  /sys/kernel/security/integrity/evm/evm_xattrs.

config EVM_LOAD_X509
	bool "Load an X509 certificate onto the '.evm' trusted keyring"
	depends on EVM && INTEGRITY_TRUSTED_KEYRING
	default n
	help
	  Load an X509 certificate onto the '.evm' trusted keyring.

	  This option enables X509 certificate loading from the kernel
	  onto the '.evm' trusted keyring. A public key can be used to
	  verify EVM integrity starting from the 'init' process. The
	  key must have digitalSignature usage set.

config EVM_X509_PATH
	string "EVM X509 certificate path"
	depends on EVM_LOAD_X509
	default "/etc/keys/x509_evm.der"
	help
	  This option defines the X509 certificate path.
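The options above all change which inputs feed the EVM HMAC, which is why each one warns that existing labels must be recomputed. The following Python model, added here as an illustration and not kernel or ima-evm-utils code, shows that effect: it labels a file under the former version 1, then checks the same label with EVM_ATTR_FSUUID enabled, with the extra Smack xattrs enabled, and after an xattr was tampered with. The xattr list order, the inode-metadata byte layout and the key are constructed assumptions, not the kernel's exact struct packing or its 'evm-key' derivation.

```python
import hashlib
import hmac
import uuid

# Protected xattr names from the Kconfig help text; the list order is a
# constructed assumption (the kernel's real order is not stated on this page).
BASE_XATTRS = ["security.selinux", "security.SMACK64",
               "security.capability", "security.ima"]
EXTRA_SMACK_XATTRS = ["security.SMACK64EXEC", "security.SMACK64TRANSMUTE",
                      "security.SMACK64MMAP"]

def protected_xattrs(extra_smack=False, runtime_added=()):
    """Ordered list EVM covers; runtime_added models names root wrote to evm_xattrs."""
    return BASE_XATTRS + (EXTRA_SMACK_XATTRS if extra_smack else []) + list(runtime_added)

def evm_hmac(key, xattrs, inode_meta, fsuuid=None, extra_smack=False, runtime_added=()):
    """Simplified model of the EVM label: HMAC-SHA1 over each *present* protected
    xattr value in list order, then inode metadata, then (EVM_ATTR_FSUUID, the
    former version 2) the filesystem UUID. Byte layout is constructed."""
    h = hmac.new(key, digestmod=hashlib.sha1)  # EVM selects CRYPTO_HMAC + CRYPTO_SHA1
    for name in protected_xattrs(extra_smack, runtime_added):
        if name in xattrs:  # an absent xattr contributes nothing to the HMAC
            h.update(xattrs[name])
    ino, generation, uid, gid, mode = inode_meta
    h.update(ino.to_bytes(8, "little") + generation.to_bytes(4, "little")
             + uid.to_bytes(4, "little") + gid.to_bytes(4, "little")
             + mode.to_bytes(2, "little"))
    if fsuuid is not None:
        h.update(fsuuid.bytes)
    return h.digest()

def evm_verify(key, stored, xattrs, inode_meta, **cfg):
    return hmac.compare_digest(stored, evm_hmac(key, xattrs, inode_meta, **cfg))

def relabel_demo():
    """Label a file under version 1, then re-check it under other configurations."""
    key = b"constructed-evm-key"  # stands in for the 'evm-key' encrypted key
    fsuuid = uuid.UUID("12345678-1234-5678-1234-567812345678")  # constructed
    meta = (4242, 1, 0, 0, 0o100755)  # ino, generation, uid, gid, mode (constructed)
    xattrs = {"security.selinux": b"system_u:object_r:bin_t:s0",
              "security.ima": b"\x04" + hashlib.sha256(b"file body").digest()}
    label_v1 = evm_hmac(key, xattrs, meta)
    tampered = {**xattrs, "security.selinux": b"system_u:object_r:shell_exec_t:s0"}
    return {
        "v1_ok": evm_verify(key, label_v1, xattrs, meta),
        "v2_needs_relabel": not evm_verify(key, label_v1, xattrs, meta, fsuuid=fsuuid),
        "smack_opt_same_if_xattr_absent": evm_verify(key, label_v1, xattrs, meta, extra_smack=True),
        "tampered_rejected": not evm_verify(key, label_v1, tampered, meta),
    }
```

Note that enabling the extra Smack xattrs only changes the label of files that actually carry one of them, whereas the FSUUID option changes every label on the filesystem.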