mirror of
https://github.com/edk2-porting/linux-next.git
synced 2024-12-22 12:14:01 +08:00
5feeb61183
SHA1 is reasonable in HMAC constructs, but it's desirable to be able to use stronger hashes in digital signatures. Modify the EVM crypto code so the hash type is imported from the digital signature and passed down to the hash calculation code, and return the digest size to higher layers for validation. Signed-off-by: Matthew Garrett <mjg59@google.com> Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
74 lines
2.2 KiB
Plaintext
74 lines
2.2 KiB
Plaintext
config EVM
|
|
bool "EVM support"
|
|
select KEYS
|
|
select ENCRYPTED_KEYS
|
|
select CRYPTO_HMAC
|
|
select CRYPTO_SHA1
|
|
select CRYPTO_HASH_INFO
|
|
default n
|
|
help
|
|
EVM protects a file's security extended attributes against
|
|
integrity attacks.
|
|
|
|
If you are unsure how to answer this question, answer N.
|
|
|
|
config EVM_ATTR_FSUUID
|
|
bool "FSUUID (version 2)"
|
|
default y
|
|
depends on EVM
|
|
help
|
|
Include filesystem UUID for HMAC calculation.
|
|
|
|
Default value is 'selected', which is former version 2.
|
|
if 'not selected', it is former version 1
|
|
|
|
WARNING: changing the HMAC calculation method or adding
|
|
additional info to the calculation, requires existing EVM
|
|
labeled file systems to be relabeled.
|
|
|
|
config EVM_EXTRA_SMACK_XATTRS
|
|
bool "Additional SMACK xattrs"
|
|
depends on EVM && SECURITY_SMACK
|
|
default n
|
|
help
|
|
Include additional SMACK xattrs for HMAC calculation.
|
|
|
|
In addition to the original security xattrs (eg. security.selinux,
|
|
security.SMACK64, security.capability, and security.ima) included
|
|
in the HMAC calculation, enabling this option includes newly defined
|
|
Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
|
|
security.SMACK64MMAP.
|
|
|
|
WARNING: changing the HMAC calculation method or adding
|
|
additional info to the calculation, requires existing EVM
|
|
labeled file systems to be relabeled.
|
|
|
|
config EVM_ADD_XATTRS
|
|
bool "Add additional EVM extended attributes at runtime"
|
|
depends on EVM
|
|
default n
|
|
help
|
|
Allow userland to provide additional xattrs for HMAC calculation.
|
|
|
|
When this option is enabled, root can add additional xattrs to the
|
|
list used by EVM by writing them into
|
|
/sys/kernel/security/integrity/evm/evm_xattrs.
|
|
|
|
config EVM_LOAD_X509
|
|
bool "Load an X509 certificate onto the '.evm' trusted keyring"
|
|
depends on EVM && INTEGRITY_TRUSTED_KEYRING
|
|
default n
|
|
help
|
|
Load an X509 certificate onto the '.evm' trusted keyring.
|
|
|
|
This option enables X509 certificate loading from the kernel
|
|
onto the '.evm' trusted keyring. A public key can be used to
|
|
verify EVM integrity starting from the 'init' process.
|
|
|
|
config EVM_X509_PATH
|
|
string "EVM X509 certificate path"
|
|
depends on EVM_LOAD_X509
|
|
default "/etc/keys/x509_evm.der"
|
|
help
|
|
This option defines X509 certificate path.
|