%PDF- %PDF-
Direktori : /usr/src/linux-headers-5.15.0-125-generic/security/integrity/evm/ |
Current File : //usr/src/linux-headers-5.15.0-125-generic/security/integrity/evm/Kconfig |
# SPDX-License-Identifier: GPL-2.0-only config EVM bool "EVM support" select KEYS select ENCRYPTED_KEYS select CRYPTO_HMAC select CRYPTO_SHA1 select CRYPTO_HASH_INFO default n help EVM protects a file's security extended attributes against integrity attacks. If you are unsure how to answer this question, answer N. config EVM_ATTR_FSUUID bool "FSUUID (version 2)" default y depends on EVM help Include filesystem UUID for HMAC calculation. Default value is 'selected', which is former version 2. if 'not selected', it is former version 1 WARNING: changing the HMAC calculation method or adding additional info to the calculation, requires existing EVM labeled file systems to be relabeled. config EVM_EXTRA_SMACK_XATTRS bool "Additional SMACK xattrs" depends on EVM && SECURITY_SMACK default n help Include additional SMACK xattrs for HMAC calculation. In addition to the original security xattrs (eg. security.selinux, security.SMACK64, security.capability, and security.ima) included in the HMAC calculation, enabling this option includes newly defined Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and security.SMACK64MMAP. WARNING: changing the HMAC calculation method or adding additional info to the calculation, requires existing EVM labeled file systems to be relabeled. config EVM_ADD_XATTRS bool "Add additional EVM extended attributes at runtime" depends on EVM default n help Allow userland to provide additional xattrs for HMAC calculation. When this option is enabled, root can add additional xattrs to the list used by EVM by writing them into /sys/kernel/security/integrity/evm/evm_xattrs. config EVM_LOAD_X509 bool "Load an X509 certificate onto the '.evm' trusted keyring" depends on EVM && INTEGRITY_TRUSTED_KEYRING default n help Load an X509 certificate onto the '.evm' trusted keyring. This option enables X509 certificate loading from the kernel onto the '.evm' trusted keyring. A public key can be used to verify EVM integrity starting from the 'init' process. config EVM_X509_PATH string "EVM X509 certificate path" depends on EVM_LOAD_X509 default "/etc/keys/x509_evm.der" help This option defines X509 certificate path.