Kconfig 2.3 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576
  1. # SPDX-License-Identifier: GPL-2.0-only
  2. config EVM
  3. bool "EVM support"
  4. select KEYS
  5. select ENCRYPTED_KEYS
  6. select CRYPTO_HMAC
  7. select CRYPTO_SHA1
  8. select CRYPTO_HASH_INFO
  9. select SECURITY_PATH
  10. default n
  11. help
  12. EVM protects a file's security extended attributes against
  13. integrity attacks.
  14. If you are unsure how to answer this question, answer N.
  15. config EVM_ATTR_FSUUID
  16. bool "FSUUID (version 2)"
  17. default y
  18. depends on EVM
  19. help
  20. Include filesystem UUID for HMAC calculation.
  21. Default value is 'selected', which is former version 2.
  22. if 'not selected', it is former version 1
  23. WARNING: changing the HMAC calculation method or adding
  24. additional info to the calculation, requires existing EVM
  25. labeled file systems to be relabeled.
  26. config EVM_EXTRA_SMACK_XATTRS
  27. bool "Additional SMACK xattrs"
  28. depends on EVM && SECURITY_SMACK
  29. default n
  30. help
  31. Include additional SMACK xattrs for HMAC calculation.
  32. In addition to the original security xattrs (eg. security.selinux,
  33. security.SMACK64, security.capability, and security.ima) included
  34. in the HMAC calculation, enabling this option includes newly defined
  35. Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
  36. security.SMACK64MMAP.
  37. WARNING: changing the HMAC calculation method or adding
  38. additional info to the calculation, requires existing EVM
  39. labeled file systems to be relabeled.
  40. config EVM_ADD_XATTRS
  41. bool "Add additional EVM extended attributes at runtime"
  42. depends on EVM
  43. default n
  44. help
  45. Allow userland to provide additional xattrs for HMAC calculation.
  46. When this option is enabled, root can add additional xattrs to the
  47. list used by EVM by writing them into
  48. /sys/kernel/security/integrity/evm/evm_xattrs.
  49. config EVM_LOAD_X509
  50. bool "Load an X509 certificate onto the '.evm' trusted keyring"
  51. depends on EVM && INTEGRITY_TRUSTED_KEYRING
  52. default n
  53. help
  54. Load an X509 certificate onto the '.evm' trusted keyring.
  55. This option enables X509 certificate loading from the kernel
  56. onto the '.evm' trusted keyring. A public key can be used to
  57. verify EVM integrity starting from the 'init' process. The
  58. key must have digitalSignature usage set.
  59. config EVM_X509_PATH
  60. string "EVM X509 certificate path"
  61. depends on EVM_LOAD_X509
  62. default "/etc/keys/x509_evm.der"
  63. help
  64. This option defines X509 certificate path.