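# SPDX-License-Identifier: GPL-2.0-only
#
# EVM (Extended Verification Module) configuration.
#
# Every option below that adds data to the HMAC calculation changes the
# value EVM expects in the security.evm xattr, so existing EVM-labeled
# file systems have to be relabeled after such a change (this is the
# WARNING repeated on the affected options).

config EVM
	bool "EVM support"
	select KEYS
	select ENCRYPTED_KEYS
	select CRYPTO_HMAC
	# NOTE(review): SHA1 is pulled in here for the HMAC.  The hash actually
	# used for the EVM HMAC is chosen in the EVM sources, not by this
	# select - confirm there before assuming SHA1 is the only algorithm
	# involved.
	select CRYPTO_SHA1
	select CRYPTO_HASH_INFO
	default n
	help
	  EVM protects a file's security extended attributes against
	  integrity attacks.

	  If you are unsure how to answer this question, answer N.

config EVM_ATTR_FSUUID
	bool "FSUUID (version 2)"
	default y
	depends on EVM
	help
	  Include the filesystem UUID in the HMAC calculation.

	  The default is 'selected', which corresponds to the former
	  version 2 HMAC format.  If 'not selected', the former version 1
	  format is used.

	  WARNING: changing the HMAC calculation method or adding
	  additional info to the calculation requires existing EVM
	  labeled file systems to be relabeled.

config EVM_EXTRA_SMACK_XATTRS
	bool "Additional SMACK xattrs"
	depends on EVM && SECURITY_SMACK
	default n
	help
	  Include additional SMACK xattrs in the HMAC calculation.

	  In addition to the original security xattrs (eg. security.selinux,
	  security.SMACK64, security.capability, and security.ima) included
	  in the HMAC calculation, enabling this option includes the newly
	  defined Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE
	  and security.SMACK64MMAP.

	  WARNING: changing the HMAC calculation method or adding
	  additional info to the calculation requires existing EVM
	  labeled file systems to be relabeled.

# NOTE(review): the xattr list written through securityfs extends the set
# of attributes covered by the HMAC at runtime, so whoever can write to it
# (root per the help text) is inside the EVM trust boundary.  Whether and
# how the list can be locked against later additions is decided in the EVM
# securityfs code, not here - confirm there before relying on it.
config EVM_ADD_XATTRS
	bool "Add additional EVM extended attributes at runtime"
	depends on EVM
	default n
	help
	  Allow userland to provide additional xattrs for the HMAC calculation.

	  When this option is enabled, root can add additional xattrs to the
	  list used by EVM by writing them into
	  /sys/kernel/security/integrity/evm/evm_xattrs.

	  WARNING: adding additional info to the HMAC calculation requires
	  existing EVM labeled file systems to be relabeled.

config EVM_LOAD_X509
	bool "Load an X509 certificate onto the '.evm' trusted keyring"
	depends on EVM && INTEGRITY_TRUSTED_KEYRING
	default n
	help
	  Load an X509 certificate onto the '.evm' trusted keyring.

	  This option enables X509 certificate loading from the kernel
	  onto the '.evm' trusted keyring. The public key can then be used
	  to verify EVM integrity starting from the 'init' process onward.

# NOTE(review): the certificate is read from this path on the root
# filesystem at boot.  Its acceptance onto the '.evm' keyring is presumably
# gated by a keyring restriction (signature by a key the kernel already
# trusts) rather than by the path alone - confirm in the integrity keyring
# loading code before treating the path as a trust anchor.
config EVM_X509_PATH
	string "EVM X509 certificate path"
	depends on EVM_LOAD_X509
	default "/etc/keys/x509_evm.der"
	help
	  This option defines the path of the X509 certificate that is loaded
	  onto the '.evm' trusted keyring.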