TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / hafnium / third_party / linux.git / b4b6d4a02fa8aa8187d426b508fb7f3b69df0dcc^! / . / security / integrity / evm / Kconfig
commitb4b6d4a02fa8aa8187d426b508fb7f3b69df0dcc[log] [tgz]
authorAndrew Scull <ascull@google.com>Wed Jan 02 15:54:55 2019 +0000
committerAndrew Scull <ascull@google.com>Wed Jan 02 15:54:55 2019 +0000
treefdf4498bc30cb80757eaf20b46ea866b23141a93
v4.19.13 snapshot.

diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig
new file mode 100644
index 0000000..6022185
--- /dev/null
+++ b/security/integrity/evm/Kconfig

@@ -0,0 +1,73 @@
+config EVM
+	bool "EVM support"
+	select KEYS
+	select ENCRYPTED_KEYS
+	select CRYPTO_HMAC
+	select CRYPTO_SHA1
+	select CRYPTO_HASH_INFO
+	default n
+	help
+	  EVM protects a file's security extended attributes against
+	  integrity attacks.
+
+	  If you are unsure how to answer this question, answer N.
+
+config EVM_ATTR_FSUUID
+	bool "FSUUID (version 2)"
+	default y
+	depends on EVM
+	help
+	  Include filesystem UUID for HMAC calculation.
+
+	  Default value is 'selected', which is former version 2.
+	  if 'not selected', it is former version 1
+
+	  WARNING: changing the HMAC calculation method or adding
+	  additional info to the calculation, requires existing EVM
+	  labeled file systems to be relabeled.
+
+config EVM_EXTRA_SMACK_XATTRS
+	bool "Additional SMACK xattrs"
+	depends on EVM && SECURITY_SMACK
+	default n
+	help
+	  Include additional SMACK xattrs for HMAC calculation.
+
+	  In addition to the original security xattrs (eg. security.selinux,
+	  security.SMACK64, security.capability, and security.ima) included
+	  in the HMAC calculation, enabling this option includes newly defined
+	  Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
+	  security.SMACK64MMAP.
+
+	  WARNING: changing the HMAC calculation method or adding
+	  additional info to the calculation, requires existing EVM
+	  labeled file systems to be relabeled.
+
+config EVM_ADD_XATTRS
+	bool "Add additional EVM extended attributes at runtime"
+	depends on EVM
+	default n
+	help
+	  Allow userland to provide additional xattrs for HMAC calculation.
+
+	  When this option is enabled, root can add additional xattrs to the
+	  list used by EVM by writing them into
+	  /sys/kernel/security/integrity/evm/evm_xattrs.
+
+config EVM_LOAD_X509
+	bool "Load an X509 certificate onto the '.evm' trusted keyring"
+	depends on EVM && INTEGRITY_TRUSTED_KEYRING
+	default n
+	help
+	   Load an X509 certificate onto the '.evm' trusted keyring.
+
+	   This option enables X509 certificate loading from the kernel
+	   onto the '.evm' trusted keyring.  A public key can be used to
+	   verify EVM integrity starting from the 'init' process.
+
+config EVM_X509_PATH
+	string "EVM X509 certificate path"
+	depends on EVM_LOAD_X509
+	default "/etc/keys/x509_evm.der"
+	help
+	   This option defines X509 certificate path.