summaryrefslogtreecommitdiff
path: root/Documentation/ABI/testing/evm
diff options
context:
space:
mode:
Diffstat (limited to 'Documentation/ABI/testing/evm')
-rw-r--r--Documentation/ABI/testing/evm54
1 files changed, 35 insertions, 19 deletions
diff --git a/Documentation/ABI/testing/evm b/Documentation/ABI/testing/evm
index 9578247e1792..d12cb2eae9ee 100644
--- a/Documentation/ABI/testing/evm
+++ b/Documentation/ABI/testing/evm
@@ -14,30 +14,46 @@ Description:
generated either locally or remotely using an
asymmetric key. These keys are loaded onto root's
keyring using keyctl, and EVM is then enabled by
- echoing a value to <securityfs>/evm:
+ echoing a value to <securityfs>/evm made up of the
+ following bits:
- 1: enable HMAC validation and creation
- 2: enable digital signature validation
- 3: enable HMAC and digital signature validation and HMAC
- creation
+ Bit Effect
+ 0 Enable HMAC validation and creation
+ 1 Enable digital signature validation
+ 2 Permit modification of EVM-protected metadata at
+ runtime. Not supported if HMAC validation and
+ creation is enabled.
+ 31 Disable further runtime modification of EVM policy
- Further writes will be blocked if HMAC support is enabled or
- if bit 32 is set:
+ For example:
- echo 0x80000002 ><securityfs>/evm
+ echo 1 ><securityfs>/evm
- will enable digital signature validation and block
- further writes to <securityfs>/evm.
+ will enable HMAC validation and creation
- Until this is done, EVM can not create or validate the
- 'security.evm' xattr, but returns INTEGRITY_UNKNOWN.
- Loading keys and signaling EVM should be done as early
- as possible. Normally this is done in the initramfs,
- which has already been measured as part of the trusted
- boot. For more information on creating and loading
- existing trusted/encrypted keys, refer to:
+ echo 0x80000003 ><securityfs>/evm
- Documentation/security/keys/trusted-encrypted.rst. Both dracut
- (via 97masterkey and 98integrity) and systemd (via
+ will enable HMAC and digital signature validation and
+ HMAC creation and disable all further modification of policy.
+
+ echo 0x80000006 ><securityfs>/evm
+
+ will enable digital signature validation, permit
+ modification of EVM-protected metadata and
+ disable all further modification of policy
+
+ Note that once a key has been loaded, it will no longer be
+ possible to enable metadata modification.
+
+ Until key loading has been signaled EVM can not create
+ or validate the 'security.evm' xattr, but returns
+ INTEGRITY_UNKNOWN. Loading keys and signaling EVM
+ should be done as early as possible. Normally this is
+ done in the initramfs, which has already been measured
+ as part of the trusted boot. For more information on
+ creating and loading existing trusted/encrypted keys,
+ refer to:
+ Documentation/security/keys/trusted-encrypted.rst. Both
+ dracut (via 97masterkey and 98integrity) and systemd (via
core/ima-setup) have support for loading keys at boot
time.