1# SPDX-License-Identifier: GPL-2.0-only 2config EVM 3 bool "EVM support" 4 select KEYS 5 select ENCRYPTED_KEYS 6 select CRYPTO_HMAC 7 select CRYPTO_SHA1 8 select CRYPTO_HASH_INFO 9 default n 10 help 11 EVM protects a file's security extended attributes against 12 integrity attacks. 13 14 If you are unsure how to answer this question, answer N. 15 16config EVM_ATTR_FSUUID 17 bool "FSUUID (version 2)" 18 default y 19 depends on EVM 20 help 21 Include filesystem UUID for HMAC calculation. 22 23 Default value is 'selected', which is former version 2. 24 if 'not selected', it is former version 1 25 26 WARNING: changing the HMAC calculation method or adding 27 additional info to the calculation, requires existing EVM 28 labeled file systems to be relabeled. 29 30config EVM_EXTRA_SMACK_XATTRS 31 bool "Additional SMACK xattrs" 32 depends on EVM && SECURITY_SMACK 33 default n 34 help 35 Include additional SMACK xattrs for HMAC calculation. 36 37 In addition to the original security xattrs (eg. security.selinux, 38 security.SMACK64, security.capability, and security.ima) included 39 in the HMAC calculation, enabling this option includes newly defined 40 Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and 41 security.SMACK64MMAP. 42 43 WARNING: changing the HMAC calculation method or adding 44 additional info to the calculation, requires existing EVM 45 labeled file systems to be relabeled. 46 47config EVM_ADD_XATTRS 48 bool "Add additional EVM extended attributes at runtime" 49 depends on EVM 50 default n 51 help 52 Allow userland to provide additional xattrs for HMAC calculation. 53 54 When this option is enabled, root can add additional xattrs to the 55 list used by EVM by writing them into 56 /sys/kernel/security/integrity/evm/evm_xattrs. 57 58config EVM_LOAD_X509 59 bool "Load an X509 certificate onto the '.evm' trusted keyring" 60 depends on EVM && INTEGRITY_TRUSTED_KEYRING 61 default n 62 help 63 Load an X509 certificate onto the '.evm' trusted keyring. 64 65 This option enables X509 certificate loading from the kernel 66 onto the '.evm' trusted keyring. A public key can be used to 67 verify EVM integrity starting from the 'init' process. The 68 key must have digitalSignature usage set. 69 70config EVM_X509_PATH 71 string "EVM X509 certificate path" 72 depends on EVM_LOAD_X509 73 default "/etc/keys/x509_evm.der" 74 help 75 This option defines X509 certificate path. 76