| blob | e825e0ae78e72fdd548a0f10de2f865d84e41543 |
1 config EVM
2 bool "EVM support"
3 select KEYS
4 select ENCRYPTED_KEYS
5 select CRYPTO_HMAC
6 select CRYPTO_SHA1
7 default n
8 help
9 EVM protects a file's security extended attributes against
10 integrity attacks.
12 If you are unsure how to answer this question, answer N.
14 config EVM_ATTR_FSUUID
15 bool "FSUUID (version 2)"
16 default y
17 depends on EVM
18 help
19 Include filesystem UUID for HMAC calculation.
21 Default value is 'selected', which is former version 2.
22 if 'not selected', it is former version 1
24 WARNING: changing the HMAC calculation method or adding
25 additional info to the calculation, requires existing EVM
26 labeled file systems to be relabeled.
28 config EVM_EXTRA_SMACK_XATTRS
29 bool "Additional SMACK xattrs"
30 depends on EVM && SECURITY_SMACK
31 default n
32 help
33 Include additional SMACK xattrs for HMAC calculation.
35 In addition to the original security xattrs (eg. security.selinux,
36 security.SMACK64, security.capability, and security.ima) included
37 in the HMAC calculation, enabling this option includes newly defined
38 Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
39 security.SMACK64MMAP.
41 WARNING: changing the HMAC calculation method or adding
42 additional info to the calculation, requires existing EVM
43 labeled file systems to be relabeled.
45 config EVM_LOAD_X509
46 bool "Load an X509 certificate onto the '.evm' trusted keyring"
47 depends on EVM && INTEGRITY_TRUSTED_KEYRING
48 default n
49 help
50 Load an X509 certificate onto the '.evm' trusted keyring.
52 This option enables X509 certificate loading from the kernel
53 onto the '.evm' trusted keyring. A public key can be used to
54 verify EVM integrity starting from the 'init' process.
56 config EVM_X509_PATH
57 string "EVM X509 certificate path"
58 depends on EVM_LOAD_X509
59 default "/etc/keys/x509_evm.der"
60 help
61 This option defines X509 certificate path.