The newly added EVM_LOAD_X509 code can be configured even if
CONFIG_EVM is disabled, but that causes a link error:
security/built-in.o: In function `integrity_load_keys':
digsig_asymmetric.c:(.init.text+0x400): undefined reference to `evm_load_x509'
This adds a Kconfig dependency to ensure it is only enabled when
CONFIG_EVM is set as well.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes: 2ce523eb89 ("evm: load x509 certificate from the kernel")
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
		
	
			
		
			
				
	
	
		
# Extended Verification Module (EVM): the switch that every other symbol in
# this file depends on, directly or through EVM_LOAD_X509.
# Turning it on force-selects key handling (KEYS, ENCRYPTED_KEYS) together
# with CRYPTO_HMAC and CRYPTO_SHA1.
# NOTE(review): selecting CRYPTO_SHA1 suggests the HMAC is computed with
# SHA-1; confirm against the EVM crypto code, which is not part of this file.
config EVM
	bool "EVM support"
	default n
	select CRYPTO_HMAC
	select CRYPTO_SHA1
	select KEYS
	select ENCRYPTED_KEYS
	help
	  EVM protects a file's security extended attributes against
	  integrity attacks.

	  If you are unsure how to answer this question, answer N.

# Adds the filesystem UUID to the data covered by the EVM HMAC (on by default).
# Changing this on a system that already carries EVM labels changes what is
# hashed, so the existing labels stop matching until the filesystem is
# relabeled, as the WARNING in the help text states.
config EVM_ATTR_FSUUID
	bool "FSUUID (version 2)"
	depends on EVM
	default y
	help
	  Include filesystem UUID for HMAC calculation.

	  Default value is 'selected', which is former version 2.
	  if 'not selected', it is former version 1

	  WARNING: changing the HMAC calculation method or adding
	  additional info to the calculation, requires existing EVM
	  labeled file systems to be relabeled.

# Extends the HMAC input with the three additional Smack xattrs named in the
# help text. Only offered when both EVM and SECURITY_SMACK are enabled (the
# two "depends on" lines are ANDed). Off by default.
# Like EVM_ATTR_FSUUID, toggling it changes the HMAC input, so file systems
# that are already labeled need relabeling.
config EVM_EXTRA_SMACK_XATTRS
	bool "Additional SMACK xattrs"
	default n
	depends on EVM
	depends on SECURITY_SMACK
	help
	  Include additional SMACK xattrs for HMAC calculation.

	  In addition to the original security xattrs (eg. security.selinux,
	  security.SMACK64, security.capability, and security.ima) included
	  in the HMAC calculation, enabling this option includes newly defined
	  Smack xattrs: security.SMACK64EXEC, security.SMACK64TRANSMUTE and
	  security.SMACK64MMAP.

	  WARNING: changing the HMAC calculation method or adding
	  additional info to the calculation, requires existing EVM
	  labeled file systems to be relabeled.

# Has the kernel load an X509 certificate onto the '.evm' trusted keyring.
# The EVM dependency keeps this symbol from being set while CONFIG_EVM is
# off; in that configuration integrity_load_keys() still references
# evm_load_x509() and the link fails with an undefined reference.
# NOTE(review): the certificate comes from the path in EVM_X509_PATH; what
# the trusted keyring requires of it (for example a signature chain) is
# decided by INTEGRITY_TRUSTED_KEYRING and the loader, neither of which is
# shown here - confirm before relying on it.
config EVM_LOAD_X509
	bool "Load an X509 certificate onto the '.evm' trusted keyring"
	default n
	depends on EVM
	depends on INTEGRITY_TRUSTED_KEYRING
	help
	  Load an X509 certificate onto the '.evm' trusted keyring.

	  This option enables X509 certificate loading from the kernel
	  onto the '.evm' trusted keyring.  A public key can be used to
	  verify EVM integrity starting from the 'init' process.

# Path of the certificate used by EVM_LOAD_X509; only configurable when that
# option is enabled. The value is fixed at build time.
# NOTE(review): the '.der' suffix of the default suggests a DER-encoded file
# is expected - confirm against the loader. Whatever sits at this path when
# the kernel loads it is what is offered to the '.evm' keyring, so the file
# and its directory should not be writable by unprivileged users.
config EVM_X509_PATH
	string "EVM X509 certificate path"
	default "/etc/keys/x509_evm.der"
	depends on EVM_LOAD_X509
	help
	  This option defines X509 certificate path.