Linux Audio

Check our new training course

Open Menu / security / integrity / evm / Kconfig
Loading...
v5.4
 1# SPDX-License-Identifier: GPL-2.0-only
 2config EVM
 3	bool "EVM support"
 4	select KEYS
 5	select ENCRYPTED_KEYS
 6	select CRYPTO_HMAC
 7	select CRYPTO_SHA1
 8	select CRYPTO_HASH_INFO
 
 9	default n
10	help
11	  EVM protects a file's security extended attributes against
12	  integrity attacks.
13
14	  If you are unsure how to answer this question, answer N.
15
16config EVM_ATTR_FSUUID
17	bool "FSUUID (version 2)"
18	default y
19	depends on EVM
20	help
21	  Include filesystem UUID for HMAC calculation.
22
23	  Default value is 'selected', which is former version 2.
24	  if 'not selected', it is former version 1
25
26	  WARNING: changing the HMAC calculation method or adding
27	  additional info to the calculation, requires existing EVM
28	  labeled file systems to be relabeled.
29
30config EVM_EXTRA_SMACK_XATTRS
31	bool "Additional SMACK xattrs"
32	depends on EVM && SECURITY_SMACK
33	default n
34	help
35	  Include additional SMACK xattrs for HMAC calculation.
36
37	  In addition to the original security xattrs (eg. security.selinux,
38	  security.SMACK64, security.capability, and security.ima) included
39	  in the HMAC calculation, enabling this option includes newly defined
40	  Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
41	  security.SMACK64MMAP.
42
43	  WARNING: changing the HMAC calculation method or adding
44	  additional info to the calculation, requires existing EVM
45	  labeled file systems to be relabeled.
46
47config EVM_ADD_XATTRS
48	bool "Add additional EVM extended attributes at runtime"
49	depends on EVM
50	default n
51	help
52	  Allow userland to provide additional xattrs for HMAC calculation.
53
54	  When this option is enabled, root can add additional xattrs to the
55	  list used by EVM by writing them into
56	  /sys/kernel/security/integrity/evm/evm_xattrs.
57
58config EVM_LOAD_X509
59	bool "Load an X509 certificate onto the '.evm' trusted keyring"
60	depends on EVM && INTEGRITY_TRUSTED_KEYRING
61	default n
62	help
63	   Load an X509 certificate onto the '.evm' trusted keyring.
64
65	   This option enables X509 certificate loading from the kernel
66	   onto the '.evm' trusted keyring.  A public key can be used to
67	   verify EVM integrity starting from the 'init' process.
 
68
69config EVM_X509_PATH
70	string "EVM X509 certificate path"
71	depends on EVM_LOAD_X509
72	default "/etc/keys/x509_evm.der"
73	help
74	   This option defines X509 certificate path.
v6.9.4
 1# SPDX-License-Identifier: GPL-2.0-only
 2config EVM
 3	bool "EVM support"
 4	select KEYS
 5	select ENCRYPTED_KEYS
 6	select CRYPTO_HMAC
 7	select CRYPTO_SHA1
 8	select CRYPTO_HASH_INFO
 9	select SECURITY_PATH
10	default n
11	help
12	  EVM protects a file's security extended attributes against
13	  integrity attacks.
14
15	  If you are unsure how to answer this question, answer N.
16
17config EVM_ATTR_FSUUID
18	bool "FSUUID (version 2)"
19	default y
20	depends on EVM
21	help
22	  Include filesystem UUID for HMAC calculation.
23
24	  Default value is 'selected', which is former version 2.
25	  if 'not selected', it is former version 1
26
27	  WARNING: changing the HMAC calculation method or adding
28	  additional info to the calculation, requires existing EVM
29	  labeled file systems to be relabeled.
30
31config EVM_EXTRA_SMACK_XATTRS
32	bool "Additional SMACK xattrs"
33	depends on EVM && SECURITY_SMACK
34	default n
35	help
36	  Include additional SMACK xattrs for HMAC calculation.
37
38	  In addition to the original security xattrs (eg. security.selinux,
39	  security.SMACK64, security.capability, and security.ima) included
40	  in the HMAC calculation, enabling this option includes newly defined
41	  Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
42	  security.SMACK64MMAP.
43
44	  WARNING: changing the HMAC calculation method or adding
45	  additional info to the calculation, requires existing EVM
46	  labeled file systems to be relabeled.
47
48config EVM_ADD_XATTRS
49	bool "Add additional EVM extended attributes at runtime"
50	depends on EVM
51	default n
52	help
53	  Allow userland to provide additional xattrs for HMAC calculation.
54
55	  When this option is enabled, root can add additional xattrs to the
56	  list used by EVM by writing them into
57	  /sys/kernel/security/integrity/evm/evm_xattrs.
58
59config EVM_LOAD_X509
60	bool "Load an X509 certificate onto the '.evm' trusted keyring"
61	depends on EVM && INTEGRITY_TRUSTED_KEYRING
62	default n
63	help
64	   Load an X509 certificate onto the '.evm' trusted keyring.
65
66	   This option enables X509 certificate loading from the kernel
67	   onto the '.evm' trusted keyring.  A public key can be used to
68	   verify EVM integrity starting from the 'init' process. The
69	   key must have digitalSignature usage set.
70
71config EVM_X509_PATH
72	string "EVM X509 certificate path"
73	depends on EVM_LOAD_X509
74	default "/etc/keys/x509_evm.der"
75	help
76	   This option defines X509 certificate path.