# SPDX-License-Identifier: GPL-2.0-only
config EVM
	bool "EVM support"
	select KEYS
	select ENCRYPTED_KEYS
	select CRYPTO_HMAC
	select CRYPTO_SHA1
	select CRYPTO_HASH_INFO
	default n
	help
	  EVM protects a file's security extended attributes against
	  integrity attacks.

	  If you are unsure how to answer this question, answer N.

config EVM_ATTR_FSUUID
	bool "FSUUID (version 2)"
	default y
	depends on EVM
	help
	  Include filesystem UUID for HMAC calculation.

	  Default value is 'selected', which is former version 2.
	  If 'not selected', it is former version 1.

	  WARNING: changing the HMAC calculation method or adding
	  additional info to the calculation requires existing EVM
	  labeled file systems to be relabeled.

config EVM_EXTRA_SMACK_XATTRS
	bool "Additional SMACK xattrs"
	depends on EVM && SECURITY_SMACK
	default n
	help
	  Include additional SMACK xattrs for HMAC calculation.

	  In addition to the original security xattrs (e.g. security.selinux,
	  security.SMACK64, security.capability, and security.ima) included
	  in the HMAC calculation, enabling this option includes newly defined
	  Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
	  security.SMACK64MMAP.

	  WARNING: changing the HMAC calculation method or adding
	  additional info to the calculation requires existing EVM
	  labeled file systems to be relabeled.

config EVM_ADD_XATTRS
	bool "Add additional EVM extended attributes at runtime"
	depends on EVM
	default n
	help
	  Allow userland to provide additional xattrs for HMAC calculation.

	  When this option is enabled, root can add additional xattrs to the
	  list used by EVM by writing them into
	  /sys/kernel/security/integrity/evm/evm_xattrs.

config EVM_LOAD_X509
	bool "Load an X509 certificate onto the '.evm' trusted keyring"
	depends on EVM && INTEGRITY_TRUSTED_KEYRING
	default n
	help
	  Load an X509 certificate onto the '.evm' trusted keyring.

	  This option enables X509 certificate loading from the kernel
	  onto the '.evm' trusted keyring. A public key can be used to
	  verify EVM integrity starting from the 'init' process.

config EVM_X509_PATH
	string "EVM X509 certificate path"
	depends on EVM_LOAD_X509
	default "/etc/keys/x509_evm.der"
	help
	  This option defines the X509 certificate path.
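The two WARNING blocks above say that changing what goes into the EVM HMAC (EVM_ATTR_FSUUID, EVM_EXTRA_SMACK_XATTRS) invalidates existing labels. The following script is an added example, not part of the kernel tree: it compares those options between an old and a new kernel .config and reports whether EVM-labeled file systems must be relabeled before the new kernel boots. The sample configs at the bottom are constructed inline; the function and option names are the script's own.

```shell
#!/bin/sh
# Added example (not part of the kernel tree): compare the EVM Kconfig options
# that feed the HMAC between two kernel .config files and report whether the
# EVM-labeled file systems must be relabeled, as the help texts above warn.

# Options whose value changes the HMAC input, taken from the help texts.
EVM_HMAC_OPTS="CONFIG_EVM_ATTR_FSUUID CONFIG_EVM_EXTRA_SMACK_XATTRS"

# Print one option's value from a .config: the value after '=', "n" for a
# "# ... is not set" line, or "unset" if the option does not appear at all.
kconfig_value() {
    # $1 = .config path, $2 = option name
    if grep -q "^$2=" "$1"; then
        sed -n "s/^$2=//p" "$1" | head -n 1
    elif grep -q "^# $2 is not set" "$1"; then
        echo n
    else
        echo unset
    fi
}

# Return 0 (true) when any HMAC-affecting option differs between the two
# configs, printing each difference; return 1 when the HMAC input is unchanged.
evm_relabel_needed() {
    # $1 = old .config, $2 = new .config
    needed=1
    for opt in $EVM_HMAC_OPTS; do
        old=$(kconfig_value "$1" "$opt")
        new=$(kconfig_value "$2" "$opt")
        if [ "$old" != "$new" ]; then
            echo "$opt: $old -> $new"
            needed=0
        fi
    done
    return $needed
}

# Constructed sample configs: the new kernel turns on EVM_ATTR_FSUUID.
OLD_CFG=$(mktemp); NEW_CFG=$(mktemp)
printf 'CONFIG_EVM=y\n# CONFIG_EVM_ATTR_FSUUID is not set\n' > "$OLD_CFG"
printf 'CONFIG_EVM=y\nCONFIG_EVM_ATTR_FSUUID=y\n' > "$NEW_CFG"
if evm_relabel_needed "$OLD_CFG" "$NEW_CFG"; then
    echo "relabel EVM-labeled file systems before booting the new kernel"
else
    echo "HMAC inputs unchanged; existing EVM labels remain valid"
fi
rm -f "$OLD_CFG" "$NEW_CFG"
```

Point the two arguments at /boot/config-<old> and /boot/config-<new> (or the build tree's .config) to run it against real kernels.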