| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162 |
- config EVM
- bool "EVM support"
- select KEYS
- select ENCRYPTED_KEYS
- select CRYPTO_HMAC
- select CRYPTO_SHA1
- default n
- help
- EVM protects a file's security extended attributes against
- integrity attacks.
- If you are unsure how to answer this question, answer N.
- config EVM_ATTR_FSUUID
- bool "FSUUID (version 2)"
- default y
- depends on EVM
- help
- Include filesystem UUID for HMAC calculation.
- Default value is 'selected', which is former version 2.
- if 'not selected', it is former version 1
- WARNING: changing the HMAC calculation method or adding
- additional info to the calculation, requires existing EVM
- labeled file systems to be relabeled.
- config EVM_EXTRA_SMACK_XATTRS
- bool "Additional SMACK xattrs"
- depends on EVM && SECURITY_SMACK
- default n
- help
- Include additional SMACK xattrs for HMAC calculation.
- In addition to the original security xattrs (eg. security.selinux,
- security.SMACK64, security.capability, and security.ima) included
- in the HMAC calculation, enabling this option includes newly defined
- Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
- security.SMACK64MMAP.
- WARNING: changing the HMAC calculation method or adding
- additional info to the calculation, requires existing EVM
- labeled file systems to be relabeled.
- config EVM_LOAD_X509
- bool "Load an X509 certificate onto the '.evm' trusted keyring"
- depends on EVM && INTEGRITY_TRUSTED_KEYRING
- default n
- help
- Load an X509 certificate onto the '.evm' trusted keyring.
- This option enables X509 certificate loading from the kernel
- onto the '.evm' trusted keyring. A public key can be used to
- verify EVM integrity starting from the 'init' process.
- config EVM_X509_PATH
- string "EVM X509 certificate path"
- depends on EVM_LOAD_X509
- default "/etc/keys/x509_evm.der"
- help
- This option defines X509 certificate path.
|
