
# SPDX-License-Identifier: GPL-2.0-only
config CONFIG_EVM
	bool "EVM support"
	select CONFIG_KEYS
	select CONFIG_ENCRYPTED_KEYS
	select CONFIG_CRYPTO_HMAC
	select CONFIG_CRYPTO_SHA1
	select CONFIG_CRYPTO_HASH_INFO
	default n
	help
	  CONFIG_EVM protects a file's security extended attributes against
	  integrity attacks.

	  If you are unsure how to answer this question, answer N.

config CONFIG_EVM_ATTR_FSUUID
	bool "FSUUID (version 2)"
	default y
	depends on CONFIG_EVM
	help
	  Include filesystem UUID for HMAC calculation.

	  The default is 'selected', which corresponds to the former version 2.
	  If 'not selected', the calculation corresponds to the former version 1.

	  WARNING: changing the HMAC calculation method, or adding
	  additional info to the calculation, requires existing CONFIG_EVM
	  labeled file systems to be relabeled, because HMAC values stored
	  under the previous method will no longer verify.

config CONFIG_EVM_EXTRA_SMACK_XATTRS
	bool "Additional SMACK xattrs"
	depends on CONFIG_EVM && CONFIG_SECURITY_SMACK
	default n
	help
	  Include additional SMACK xattrs for HMAC calculation.

	  In addition to the original security xattrs (e.g. security.selinux,
	  security.SMACK64, security.capability, and security.ima) included
	  in the HMAC calculation, enabling this option includes newly defined
	  Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
	  security.SMACK64MMAP.

	  WARNING: changing the HMAC calculation method, or adding
	  additional info to the calculation, requires existing CONFIG_EVM
	  labeled file systems to be relabeled, because HMAC values stored
	  under the previous method will no longer verify.

config CONFIG_EVM_ADD_XATTRS
	bool "Add additional EVM extended attributes at runtime"
	depends on CONFIG_EVM
	default n
	help
	  Allow userland to provide additional xattrs for HMAC calculation.

	  When this option is enabled, root can add additional xattrs to the
	  list used by CONFIG_EVM by writing them into
	  /sys/kernel/security/integrity/evm/evm_xattrs.

config CONFIG_EVM_LOAD_X509
	bool "Load an X509 certificate onto the '.evm' trusted keyring"
	depends on CONFIG_EVM && CONFIG_INTEGRITY_TRUSTED_KEYRING
	default n
	help
	   Load an X509 certificate onto the '.evm' trusted keyring.

	   This option enables X509 certificate loading from the kernel
	   onto the '.evm' trusted keyring.  A public key can be used to
	   verify CONFIG_EVM integrity starting from the 'init' process.

config CONFIG_EVM_X509_PATH
	string "EVM X509 certificate path"
	depends on CONFIG_EVM_LOAD_X509
	default "/etc/keys/x509_evm.der"
	help
	   This option defines the path to the X509 certificate.