# SPDX-License-Identifier: GPL-2.0-only
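# EVM covers a file's security extended attributes with a keyed HMAC
# (hence CRYPTO_HMAC and CRYPTO_SHA1); KEYS/ENCRYPTED_KEYS are selected so
# the HMAC key can be held as an encrypted kernel key rather than in a
# plain file. CRYPTO_HASH_INFO provides the hash-algorithm lookup tables.
# 'default n' is implied for a bool and is left out here.
config EVM
	bool "EVM support"
	select KEYS
	select ENCRYPTED_KEYS
	select CRYPTO_HMAC
	select CRYPTO_SHA1
	select CRYPTO_HASH_INFO
	help
	  EVM protects a file's security extended attributes against
	  integrity attacks by binding them to a keyed HMAC, so that
	  offline modification of those attributes can be detected.

	  If you are unsure how to answer this question, answer N.
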
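# Mixing the filesystem UUID into the HMAC ties each value to the
# filesystem it was computed on, so an HMAC produced on one filesystem
# does not verify on another. Default y matches the former "version 2"
# format; turning it off is only useful for compatibility with version 1
# labeled filesystems.
config EVM_ATTR_FSUUID
	bool "FSUUID (version 2)"
	default y
	depends on EVM
	help
	  Include the filesystem UUID in the HMAC calculation.

	  The default is 'selected', which corresponds to the former
	  version 2; 'not selected' corresponds to the former version 1.

	  WARNING: changing the HMAC calculation method or adding
	  additional info to the calculation requires existing EVM
	  labeled file systems to be relabeled.
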
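# Only meaningful together with Smack. When Smack is in use and this is
# left off, the exec/transmute/mmap labels named below sit outside EVM's
# HMAC coverage. 'default n' is implied for a bool and is left out here.
config EVM_EXTRA_SMACK_XATTRS
	bool "Additional SMACK xattrs"
	depends on EVM && SECURITY_SMACK
	help
	  Include additional SMACK xattrs in the HMAC calculation.

	  In addition to the original security xattrs (e.g. security.selinux,
	  security.SMACK64, security.capability, and security.ima) included
	  in the HMAC calculation, enabling this option includes the newer
	  Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
	  security.SMACK64MMAP.

	  WARNING: changing the HMAC calculation method or adding
	  additional info to the calculation requires existing EVM
	  labeled file systems to be relabeled.
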
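# Runtime extension of the protected xattr list through a root-writable
# securityfs entry. Anything added widens the HMAC input, so the same
# relabeling caveat as for the build-time options applies. 'default n'
# is implied for a bool and is left out here.
config EVM_ADD_XATTRS
	bool "Add additional EVM extended attributes at runtime"
	depends on EVM
	help
	  Allow userland to provide additional xattrs for HMAC calculation.

	  When this option is enabled, root can add additional xattrs to the
	  list used by EVM by writing them into
	  /sys/kernel/security/integrity/evm/evm_xattrs.

	  As with the build-time options above, extending the list changes
	  the HMAC input, so expect affected files to need relabeling.
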
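# The certificate goes onto the '.evm' trusted keyring; depending on
# INTEGRITY_TRUSTED_KEYRING means additions to that keyring are subject
# to the trusted-keyring restrictions rather than accepted unconditionally.
# Help text is indented with two spaces like the other entries in this
# file. 'default n' is implied for a bool and is left out here.
config EVM_LOAD_X509
	bool "Load an X509 certificate onto the '.evm' trusted keyring"
	depends on EVM && INTEGRITY_TRUSTED_KEYRING
	help
	  Load an X509 certificate onto the '.evm' trusted keyring.

	  This option enables X509 certificate loading from the kernel
	  onto the '.evm' trusted keyring.  A public key can be used to
	  verify EVM integrity starting from the 'init' process. The
	  key must have digitalSignature usage set.
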
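# Location of the certificate read by EVM_LOAD_X509. The file has to be
# present at this path on the root filesystem at the time the kernel
# loads it (typically meaning it ships in the initramfs or rootfs image).
config EVM_X509_PATH
	string "EVM X509 certificate path"
	depends on EVM_LOAD_X509
	default "/etc/keys/x509_evm.der"
	help
	  Path of the DER-encoded X509 certificate that EVM_LOAD_X509
	  loads onto the '.evm' trusted keyring. The file must exist at
	  this path on the root filesystem when the kernel loads it.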