summaryrefslogtreecommitdiffstats
path: root/security/integrity/evm/Kconfig
blob: d606f3d12d6bfb8f27d849a3b4fa9fc9ee411875 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
config EVM
	boolean "EVM support"
	depends on SECURITY
	select KEYS
	select ENCRYPTED_KEYS
	select CRYPTO_HMAC
	select CRYPTO_SHA1
	default n
	help
	  EVM protects a file's security extended attributes against
	  integrity attacks.

	  If you are unsure how to answer this question, answer N.

if EVM

menu "EVM options"

config EVM_ATTR_FSUUID
	bool "FSUUID (version 2)"
	default y
	depends on EVM
	help
	  Include filesystem UUID for HMAC calculation.

	  Default value is 'selected', which is former version 2.
	  if 'not selected', it is former version 1

	  WARNING: changing the HMAC calculation method or adding
	  additional info to the calculation, requires existing EVM
	  labeled file systems to be relabeled.

config EVM_EXTRA_SMACK_XATTRS
	bool "Additional SMACK xattrs"
	depends on EVM && SECURITY_SMACK
	default n
	help
	  Include additional SMACK xattrs for HMAC calculation.

	  In addition to the original security xattrs (eg. security.selinux,
	  security.SMACK64, security.capability, and security.ima) included
	  in the HMAC calculation, enabling this option includes newly defined
	  Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
	  security.SMACK64MMAP.

	  WARNING: changing the HMAC calculation method or adding
	  additional info to the calculation, requires existing EVM
	  labeled file systems to be relabeled.

endmenu

endif