Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  1) # SPDX-License-Identifier: GPL-2.0-only
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  2) config EVM
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  3) 	bool "EVM support"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  4) 	select KEYS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  5) 	select ENCRYPTED_KEYS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  6) 	select CRYPTO_HMAC
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  7) 	select CRYPTO_SHA1
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  8) 	select CRYPTO_HASH_INFO
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300  9) 	default n
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) 	help
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) 	  EVM protects a file's security extended attributes against
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) 	  integrity attacks.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) 	  If you are unsure how to answer this question, answer N.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) config EVM_ATTR_FSUUID
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) 	bool "FSUUID (version 2)"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) 	default y
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) 	depends on EVM
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) 	help
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21) 	  Include filesystem UUID for HMAC calculation.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23) 	  The default is 'selected', which is the former version 2.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24) 	  If 'not selected', it is the former version 1.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26) 	  WARNING: changing the HMAC calculation method or adding
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27) 	  additional info to the calculation requires existing EVM
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28) 	  labeled file systems to be relabeled.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30) config EVM_EXTRA_SMACK_XATTRS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31) 	bool "Additional SMACK xattrs"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32) 	depends on EVM && SECURITY_SMACK
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33) 	default n
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 34) 	help
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 35) 	  Include additional SMACK xattrs for HMAC calculation.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 36) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 37) 	  In addition to the original security xattrs (e.g. security.selinux,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 38) 	  security.SMACK64, security.capability, and security.ima) included
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 39) 	  in the HMAC calculation, enabling this option includes newly defined
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40) 	  Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 41) 	  security.SMACK64MMAP.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 42) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 43) 	  WARNING: changing the HMAC calculation method or adding
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 44) 	  additional info to the calculation requires existing EVM
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 45) 	  labeled file systems to be relabeled.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 46) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 47) config EVM_ADD_XATTRS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 48) 	bool "Add additional EVM extended attributes at runtime"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 49) 	depends on EVM
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 50) 	default n
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 51) 	help
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 52) 	  Allow userland to provide additional xattrs for HMAC calculation.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 53) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 54) 	  When this option is enabled, root can add additional xattrs to the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 55) 	  list used by EVM by writing them into
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 56) 	  /sys/kernel/security/integrity/evm/evm_xattrs.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 57) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 58) config EVM_LOAD_X509
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 59) 	bool "Load an X509 certificate onto the '.evm' trusted keyring"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 60) 	depends on EVM && INTEGRITY_TRUSTED_KEYRING
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 61) 	default n
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 62) 	help
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 63) 	   Load an X509 certificate onto the '.evm' trusted keyring.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 64) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 65) 	   This option enables X509 certificate loading from the kernel
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 66) 	   onto the '.evm' trusted keyring.  A public key can be used to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 67) 	   verify EVM integrity starting from the 'init' process.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 68) 
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 69) config EVM_X509_PATH
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 70) 	string "EVM X509 certificate path"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 71) 	depends on EVM_LOAD_X509
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 72) 	default "/etc/keys/x509_evm.der"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 73) 	help
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 74) 	   This option defines the path of the X509 certificate.