MIRRORS/linux-imx
1
0
Fork 0
mirror of https://github.com/nxp-imx/linux-imx.git synced 2025-09-03 10:33:11 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity
lf-6.6.y
linux-imx/Documentation/ABI/testing/evm
Mauro Carvalho Chehab 483f7d699f ABI: evm: place a second what at the next line 
Originally, get_abi.pl was using spaces to separate What: parameters,
but there are several references that declare things like:

	/sys/class/powercap/.../<power zone>/enabled

So, the logic was changes in order to properly address it.
That broke the second What added by
Changeset 18e49b3046 ("ABI: security: fix location for evm and ima_policy").

As the only file that defines multiple What: at the same line is
this file, let's move the second What: to a separate line.

Fixes: 18e49b3046 ("ABI: security: fix location for evm and ima_policy")
Fixes: ab9c14805b ("scripts: get_abi.pl: Better handle multiple What parameters")
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Link: https://lore.kernel.org/r/1f1e29ccdc0dd0ec089a67b8a4e9650517c6137a.1632823172.git.mchehab+huawei@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-09-28 12:45:42 +02:00

3.6 KiB
Raw Permalink Blame History

What: /sys/kernel/security/evm What: /sys/kernel/security/*/evm Date: March 2011 Contact: Mimi Zohar zohar@us.ibm.com Description: EVM protects a file's security extended attributes(xattrs) against integrity attacks. The initial method maintains an HMAC-sha1 value across the extended attributes, storing the value as the extended attribute 'security.evm'.

	EVM supports two classes of security.evm. The first is
	an HMAC-sha1 generated locally with a
	trusted/encrypted key stored in the Kernel Key
	Retention System. The second is a digital signature
	generated either locally or remotely using an
	asymmetric key. These keys are loaded onto root's
	keyring using keyctl, and EVM is then enabled by
	echoing a value to <securityfs>/evm made up of the
	following bits:

	===	  ==================================================
	Bit	  Effect
	===	  ==================================================
	0	  Enable HMAC validation and creation
	1	  Enable digital signature validation
	2	  Permit modification of EVM-protected metadata at
		  runtime. Not supported if HMAC validation and
		  creation is enabled (deprecated).
	31	  Disable further runtime modification of EVM policy
	===	  ==================================================

	For example::

	  echo 1 ><securityfs>/evm

	will enable HMAC validation and creation

	::

	  echo 0x80000003 ><securityfs>/evm

	will enable HMAC and digital signature validation and
	HMAC creation and disable all further modification of policy.

	::

	  echo 0x80000006 ><securityfs>/evm

	will enable digital signature validation, permit
	modification of EVM-protected metadata and
	disable all further modification of policy. This option is now
	deprecated in favor of::

	  echo 0x80000002 ><securityfs>/evm

	as the outstanding issues that prevent the usage of EVM portable
	signatures have been solved.

	Echoing a value is additive, the new value is added to the
	existing initialization flags.

	For example, after::

	  echo 2 ><securityfs>/evm

	another echo can be performed::

	  echo 1 ><securityfs>/evm

	and the resulting value will be 3.

	Note that once an HMAC key has been loaded, it will no longer
	be possible to enable metadata modification. Signaling that an
	HMAC key has been loaded will clear the corresponding flag.
	For example, if the current value is 6 (2 and 4 set)::

	  echo 1 ><securityfs>/evm

	will set the new value to 3 (4 cleared).

	Loading an HMAC key is the only way to disable metadata
	modification.

	Until key loading has been signaled EVM can not create
	or validate the 'security.evm' xattr, but returns
	INTEGRITY_UNKNOWN.  Loading keys and signaling EVM
	should be done as early as possible.  Normally this is
	done in the initramfs, which has already been measured
	as part of the trusted boot.  For more information on
	creating and loading existing trusted/encrypted keys,
	refer to:
	Documentation/security/keys/trusted-encrypted.rst. Both
	dracut (via 97masterkey and 98integrity) and systemd (via
	core/ima-setup) have support for loading keys at boot
	time.

What: /sys/kernel/security/*/evm/evm_xattrs Date: April 2018 Contact: Matthew Garrett mjg59@google.com Description: Shows the set of extended attributes used to calculate or validate the EVM signature, and allows additional attributes to be added at runtime. Any signatures generated after additional attributes are added (and on files possessing those additional attributes) will only be valid if the same additional attributes are configured on system boot. Writing a single period (.) will lock the xattr list from any further modification.