mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-12-19 09:04:51 +08:00
05d3884b1e
The newly added EVM_LOAD_X509 code can be configured even if
CONFIG_EVM is disabled, but that causes a link error:
security/built-in.o: In function `integrity_load_keys':
digsig_asymmetric.c:(.init.text+0x400): undefined reference to `evm_load_x509'
This adds a Kconfig dependency to ensure it is only enabled when
CONFIG_EVM is set as well.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes: 2ce523eb89
("evm: load x509 certificate from the kernel")
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
62 lines
1.8 KiB
Plaintext
62 lines
1.8 KiB
Plaintext
config EVM
|
|
bool "EVM support"
|
|
select KEYS
|
|
select ENCRYPTED_KEYS
|
|
select CRYPTO_HMAC
|
|
select CRYPTO_SHA1
|
|
default n
|
|
help
|
|
EVM protects a file's security extended attributes against
|
|
integrity attacks.
|
|
|
|
If you are unsure how to answer this question, answer N.
|
|
|
|
config EVM_ATTR_FSUUID
|
|
bool "FSUUID (version 2)"
|
|
default y
|
|
depends on EVM
|
|
help
|
|
Include filesystem UUID for HMAC calculation.
|
|
|
|
Default value is 'selected', which is former version 2.
|
|
if 'not selected', it is former version 1
|
|
|
|
WARNING: changing the HMAC calculation method or adding
|
|
additional info to the calculation, requires existing EVM
|
|
labeled file systems to be relabeled.
|
|
|
|
config EVM_EXTRA_SMACK_XATTRS
|
|
bool "Additional SMACK xattrs"
|
|
depends on EVM && SECURITY_SMACK
|
|
default n
|
|
help
|
|
Include additional SMACK xattrs for HMAC calculation.
|
|
|
|
In addition to the original security xattrs (eg. security.selinux,
|
|
security.SMACK64, security.capability, and security.ima) included
|
|
in the HMAC calculation, enabling this option includes newly defined
|
|
Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
|
|
security.SMACK64MMAP.
|
|
|
|
WARNING: changing the HMAC calculation method or adding
|
|
additional info to the calculation, requires existing EVM
|
|
labeled file systems to be relabeled.
|
|
|
|
config EVM_LOAD_X509
|
|
bool "Load an X509 certificate onto the '.evm' trusted keyring"
|
|
depends on EVM && INTEGRITY_TRUSTED_KEYRING
|
|
default n
|
|
help
|
|
Load an X509 certificate onto the '.evm' trusted keyring.
|
|
|
|
This option enables X509 certificate loading from the kernel
|
|
onto the '.evm' trusted keyring. A public key can be used to
|
|
verify EVM integrity starting from the 'init' process.
|
|
|
|
config EVM_X509_PATH
|
|
string "EVM X509 certificate path"
|
|
depends on EVM_LOAD_X509
|
|
default "/etc/keys/x509_evm.der"
|
|
help
|
|
This option defines X509 certificate path.
|