Documentation/ABI/testing/evm

Source file repositories/reference/linux-study-clean/Documentation/ABI/testing/evm

File Facts

System: Linux kernel
Corpus path: Documentation/ABI/testing/evm
Extension: [no extension]
Size: 3752 bytes
Lines: 110
Domain: Support Tooling And Documentation
Bucket: Documentation
Inferred role: Support Tooling And Documentation: Documentation
Status: atlas-only

Why This File Exists

Repository support layer: documentation, build tooling, samples, user-space helper tools, generated initramfs support, licenses, and validation utilities.

Annotated Snippet

What:		/sys/kernel/security/evm
What:		/sys/kernel/security/*/evm
Date:		March 2011
Contact:	Mimi Zohar <zohar@us.ibm.com>
Description:
		EVM protects a file's security extended attributes (xattrs)
		against integrity attacks. The initial method maintains an
		HMAC-sha1 value across the extended attributes, storing the
		value as the extended attribute 'security.evm'.

		EVM supports two classes of security.evm. The first is
		an HMAC-sha1 generated locally with a
		trusted/encrypted key stored in the Kernel Key
		Retention System. The second is a digital signature
		generated either locally or remotely using an
		asymmetric key. These keys are loaded onto root's
		keyring using keyctl, and EVM is then enabled by
		echoing a value to <securityfs>/evm made up of the
		following bits:

		===	  ==================================================
		Bit	  Effect
		===	  ==================================================
		0	  Enable HMAC validation and creation
		1	  Enable digital signature validation
		2	  Permit modification of EVM-protected metadata at
			  runtime. Not supported if HMAC validation and
			  creation is enabled (deprecated).
		3	  Require asymmetric signatures to be version 3
		31	  Disable further runtime modification of EVM policy
		===	  ==================================================

		For example::

		  echo 1 ><securityfs>/evm

		will enable HMAC validation and creation.

		::

		  echo 0x80000003 ><securityfs>/evm

		will enable HMAC and digital signature validation and
		HMAC creation and disable all further modification of policy.

		::

		  echo 0x80000006 ><securityfs>/evm

		will enable digital signature validation, permit
		modification of EVM-protected metadata and
		disable all further modification of policy. This option is now
		deprecated in favor of::

		  echo 0x80000002 ><securityfs>/evm

		as the outstanding issues that prevent the usage of EVM portable
		signatures have been solved.

		Echoing a value is additive: the new value is added to the
		existing initialization flags.

		For example, after::

		  echo 2 ><securityfs>/evm

		another echo can be performed::

		  echo 1 ><securityfs>/evm
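The bit table and the additive-write rule above are easy to get wrong when composing a value by hand. The following Python model is an added example, not kernel code and not part of the ABI file: it encodes and decodes the documented bits, renders the echo command, and simulates one write under the rules the text states (writes are additive, bit 31 disables further modification, bit 2 is not supported together with bit 0). The flag names, the function names and the choice to raise PermissionError for a rejected write are this example's own assumptions; the document does not state the kernel's actual error codes.

```python
"""Model of the EVM initialization bitmask from Documentation/ABI/testing/evm.

Added example: nothing here touches securityfs.  Bit numbers and effects
are taken from the ABI table; everything else (names, error behaviour)
is an assumption made for illustration.
"""

# bit -> (short name used by this example, effect quoted from the ABI table)
EVM_BITS = {
    0: ("hmac", "Enable HMAC validation and creation"),
    1: ("sig", "Enable digital signature validation"),
    2: ("metadata_writes",
        "Permit modification of EVM-protected metadata at runtime (deprecated)"),
    3: ("sig_v3", "Require asymmetric signatures to be version 3"),
    31: ("lock", "Disable further runtime modification of EVM policy"),
}
NAME_TO_BIT = {name: bit for bit, (name, _) in EVM_BITS.items()}
KNOWN_MASK = sum(1 << bit for bit in EVM_BITS)


def build_evm_value(*names):
    """Compose the integer to echo into <securityfs>/evm from flag names."""
    value = 0
    for name in names:
        if name not in NAME_TO_BIT:
            raise ValueError(f"unknown EVM flag {name!r}")
        value |= 1 << NAME_TO_BIT[name]
    return value


def describe_evm_value(value):
    """Return the documented effect of every set bit, lowest bit first."""
    unknown = value & ~KNOWN_MASK
    if unknown:
        raise ValueError(f"undocumented bits set: {unknown:#x}")
    return [effect for bit, (_, effect) in sorted(EVM_BITS.items())
            if value & (1 << bit)]


def apply_evm_write(current, written):
    """Simulate one write to <securityfs>/evm under the documented rules.

    The written bits are added to the existing flags; once bit 31 is set
    no further write is accepted; bit 2 together with bit 0 is rejected
    because the table says it is not supported with HMAC enabled.
    Raising PermissionError is this example's modelling choice.
    """
    if current & (1 << 31):
        raise PermissionError("EVM policy is locked (bit 31 already set)")
    describe_evm_value(written)  # rejects undocumented bits
    result = current | written
    if result & (1 << 0) and result & (1 << 2):
        raise PermissionError(
            "metadata writes (bit 2) are not supported with HMAC (bit 0)")
    return result


def echo_command(value):
    """Render the shell line used throughout the ABI file for a value."""
    return f"echo {value:#x} ><securityfs>/evm"


if __name__ == "__main__":
    # The document's 0x80000003 example: HMAC + signature validation, locked.
    value = build_evm_value("hmac", "sig", "lock")
    print(echo_command(value))
    for effect in describe_evm_value(value):
        print("  -", effect)
    # The additive example: echo 2, then echo 1, leaves flags 0x3.
    state = apply_evm_write(0, 2)
    state = apply_evm_write(state, 1)
    print(echo_command(state))
```

Running the module walks through the document's own examples; `apply_evm_write` is the part worth keeping next to a deployment checklist, since it makes the "lock, then nothing else" ordering and the bit 0/bit 2 conflict explicit before a value is written to a live system.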
