# SPDX-License-Identifier: GPL-2.0-only
config EVM
	bool "EVM support"
	select KEYS
	select ENCRYPTED_KEYS
	select CRYPTO_HMAC
	select CRYPTO_SHA1
	select CRYPTO_HASH_INFO
	default n
	help
	  EVM protects a file's security extended attributes against
	  integrity attacks.

	  If you are unsure how to answer this question, answer N.

config EVM_ATTR_FSUUID
	bool "FSUUID (version 2)"
	default y
	depends on EVM
	help
	  Include filesystem UUID for HMAC calculation.

	  Default value is 'selected', which is the former version 2.
	  If 'not selected', it is the former version 1.

	  WARNING: changing the HMAC calculation method or adding
	  additional info to the calculation requires existing EVM
	  labeled file systems to be relabeled.

config EVM_EXTRA_SMACK_XATTRS
	bool "Additional SMACK xattrs"
	depends on EVM && SECURITY_SMACK
	default n
	help
	  Include additional SMACK xattrs for HMAC calculation.

	  In addition to the original security xattrs (e.g. security.selinux,
	  security.SMACK64, security.capability, and security.ima) included
	  in the HMAC calculation, enabling this option includes newly defined
	  Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
	  security.SMACK64MMAP.

	  WARNING: changing the HMAC calculation method or adding
	  additional info to the calculation requires existing EVM
	  labeled file systems to be relabeled.

config EVM_ADD_XATTRS
	bool "Add additional EVM extended attributes at runtime"
	depends on EVM
	default n
	help
	  Allow userland to provide additional xattrs for HMAC calculation.

	  When this option is enabled, root can add additional xattrs to the
	  list used by EVM by writing them into
	  /sys/kernel/security/integrity/evm/evm_xattrs.

config EVM_LOAD_X509
	bool "Load an X509 certificate onto the '.evm' trusted keyring"
	depends on EVM && INTEGRITY_TRUSTED_KEYRING
	default n
	help
	  Load an X509 certificate onto the '.evm' trusted keyring.

	  This option enables X509 certificate loading from the kernel
	  onto the '.evm' trusted keyring. A public key can be used to
	  verify EVM integrity starting from the 'init' process.

config EVM_X509_PATH
	string "EVM X509 certificate path"
	depends on EVM_LOAD_X509
	default "/etc/keys/x509_evm.der"
	help
	  This option defines the X509 certificate path.
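As an added illustration of the relabeling warning above (this is a simplified model written for this page, not the kernel's EVM code): it shows how the set of inputs chosen by EVM_ATTR_FSUUID, EVM_EXTRA_SMACK_XATTRS and EVM_ADD_XATTRS changes the HMAC of an otherwise unchanged file, so a stored security.evm value stops verifying until the file is relabeled, while a change to an unprotected xattr leaves it valid. The key, the inode metadata layout and all sample values are constructed.

```python
import hashlib
import hmac
import struct
import uuid

# Xattr values fed into the HMAC, in list order. The Kconfig options decide
# which lists apply: EVM_EXTRA_SMACK_XATTRS adds the second list, and
# EVM_ADD_XATTRS lets root append names at runtime (runtime_xattrs below).
BASE_XATTRS = ["security.selinux", "security.SMACK64",
               "security.capability", "security.ima"]
EXTRA_SMACK_XATTRS = ["security.SMACK64EXEC", "security.SMACK64TRANSMUTE",
                      "security.SMACK64MMAP"]


def evm_hmac(key, xattrs, inode, fsuuid, attr_fsuuid=True, extra_smack=False,
             runtime_xattrs=()):
    """Hex HMAC-SHA1 over the protected xattrs plus inode metadata (model).

    xattrs: dict name -> bytes as stored on the file; names outside the
            configured list are not protected by EVM and are skipped.
    inode:  dict with ino, generation, uid, gid, mode.
    fsuuid: uuid.UUID of the filesystem, mixed in only when attr_fsuuid is
            set (CONFIG_EVM_ATTR_FSUUID=y, the 'version 2' calculation).
    """
    names = (BASE_XATTRS + (EXTRA_SMACK_XATTRS if extra_smack else [])
             + list(runtime_xattrs))
    mac = hmac.new(key, digestmod=hashlib.sha1)
    for name in names:
        if name in xattrs:
            mac.update(xattrs[name])
    # Inode metadata block; the field layout is this model's assumption.
    mac.update(struct.pack("<QIIII", inode["ino"], inode["generation"],
                           inode["uid"], inode["gid"], inode["mode"]))
    if attr_fsuuid:
        mac.update(fsuuid.bytes)
    return mac.hexdigest()


def evm_verify(stored, key, xattrs, inode, fsuuid, **cfg):
    """True if the stored security.evm HMAC matches a fresh recomputation."""
    return hmac.compare_digest(stored,
                               evm_hmac(key, xattrs, inode, fsuuid, **cfg))


# Constructed sample key, filesystem, inode and xattrs (not real values).
KEY = b"constructed-evm-key-for-demo"
FSUUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
INODE = {"ino": 4242, "generation": 1, "uid": 0, "gid": 0, "mode": 0o100755}
XATTRS = {"security.selinux": b"system_u:object_r:bin_t:s0",
          "security.ima": bytes.fromhex("04" + "ab" * 20),
          "security.SMACK64EXEC": b"_",
          "user.comment": b"not protected by EVM"}
```

Recomputing with a different option set than the one the label was created under fails verification for every file, which is exactly why the help text demands a relabel rather than a reboot.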