config CONFIG_EVM
	bool "EVM support"
	select CONFIG_KEYS
	select CONFIG_ENCRYPTED_KEYS
	select CONFIG_CRYPTO_HMAC
	select CONFIG_CRYPTO_SHA1
	default n
	help
	  CONFIG_EVM protects a file's security extended attributes against
	  integrity attacks.

	  If you are unsure how to answer this question, answer N.

config CONFIG_EVM_ATTR_FSUUID
	bool "FSUUID (version 2)"
	default y
	depends on CONFIG_EVM
	help
	  Include filesystem UUID for HMAC calculation.

	  Default value is 'selected', which is former version 2.
	  if 'not selected', it is former version 1

	  WARNING: changing the HMAC calculation method or adding
	  additional info to the calculation, requires existing CONFIG_EVM
	  labeled file systems to be relabeled.

config CONFIG_EVM_EXTRA_SMACK_XATTRS
	bool "Additional SMACK xattrs"
	depends on CONFIG_EVM && CONFIG_SECURITY_SMACK
	default n
	help
	  Include additional SMACK xattrs for HMAC calculation.

	  In addition to the original security xattrs (eg. security.selinux,
	  security.SMACK64, security.capability, and security.ima) included
	  in the HMAC calculation, enabling this option includes newly defined
	  Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
	  security.SMACK64MMAP.

	  WARNING: changing the HMAC calculation method or adding
	  additional info to the calculation, requires existing CONFIG_EVM
	  labeled file systems to be relabeled.

config CONFIG_EVM_LOAD_X509
	bool "Load an X509 certificate onto the '.evm' trusted keyring"
	depends on CONFIG_EVM && CONFIG_INTEGRITY_TRUSTED_KEYRING
	default n
	help
	   Load an X509 certificate onto the '.evm' trusted keyring.

	   This option enables X509 certificate loading from the kernel
	   onto the '.evm' trusted keyring.  CONFIG_A public key can be used to
	   verify CONFIG_EVM integrity starting from the 'init' process.

config CONFIG_EVM_X509_PATH
	string "EVM X509 certificate path"
	depends on CONFIG_EVM_LOAD_X509
	default "/etc/keys/x509_evm.der"
	help
	   This option defines X509 certificate path.