4 files changed, 33 insertions, 11 deletions

diff --git a/security/integrity/evm/Kconfig b/security/integrity/evm/Kconfig
index d35b4915b00d..0df4f7a2f1e9 100644
--- a/security/integrity/evm/Kconfig
+++ b/security/integrity/evm/Kconfig
@@ -12,15 +12,24 @@ config EVM
 
           If you are unsure how to answer this question, answer N.
 
-config EVM_HMAC_VERSION
-        int "EVM HMAC version"
+if EVM
+
+menu "EVM options"
+
+config EVM_ATTR_FSUUID
+        bool "FSUUID (version 2)"
+        default y
         depends on EVM
-        default 2
         help
-          This options adds EVM HMAC version support.
-          1 - original version
-          2 - add per filesystem unique identifier (UUID) (default)
+          Include filesystem UUID for HMAC calculation.
+
+          Default value is 'selected', which is former version 2.
+          if 'not selected', it is former version 1
 
-          WARNING: changing the HMAC calculation method or adding 
+          WARNING: changing the HMAC calculation method or adding
           additional info to the calculation, requires existing EVM
-          labeled file systems to be relabeled.  
+          labeled file systems to be relabeled.
+
+endmenu
+
+endif
diff --git a/security/integrity/evm/evm.h b/security/integrity/evm/evm.h
index 37c88ddb3cfe..88bfe77efa1c 100644
--- a/security/integrity/evm/evm.h
+++ b/security/integrity/evm/evm.h
@@ -24,7 +24,10 @@
 extern int evm_initialized;
 extern char *evm_hmac;
 extern char *evm_hash;
-extern int evm_hmac_version;
+
+#define EVM_ATTR_FSUUID         0x0001
+
+extern int evm_hmac_attrs;
 
 extern struct crypto_shash *hmac_tfm;
 extern struct crypto_shash *hash_tfm;
diff --git a/security/integrity/evm/evm_crypto.c b/security/integrity/evm/evm_crypto.c
index 6b540f1822e0..5e9687f02e1b 100644
--- a/security/integrity/evm/evm_crypto.c
+++ b/security/integrity/evm/evm_crypto.c
@@ -112,7 +112,7 @@ static void hmac_add_misc(struct shash_desc *desc, struct inode *inode,
         hmac_misc.gid = from_kgid(&init_user_ns, inode->i_gid);
         hmac_misc.mode = inode->i_mode;
         crypto_shash_update(desc, (const u8 *)&hmac_misc, sizeof(hmac_misc));
-        if (evm_hmac_version > 1)
+        if (evm_hmac_attrs & EVM_ATTR_FSUUID)
                 crypto_shash_update(desc, inode->i_sb->s_uuid,
                                     sizeof(inode->i_sb->s_uuid));
         crypto_shash_final(desc, digest);
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 6e0bd933b6a9..1dc09190a948 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -32,7 +32,7 @@ static char *integrity_status_msg[] = {
 };
 char *evm_hmac = "hmac(sha1)";
 char *evm_hash = "sha1";
-int evm_hmac_version = CONFIG_EVM_HMAC_VERSION;
+int evm_hmac_attrs;
 
 char *evm_config_xattrnames[] = {
 #ifdef CONFIG_SECURITY_SELINUX
@@ -57,6 +57,14 @@ static int __init evm_set_fixmode(char *str)
 }
 __setup("evm=", evm_set_fixmode);
 
+static void __init evm_init_config(void)
+{
+#ifdef CONFIG_EVM_ATTR_FSUUID
+        evm_hmac_attrs |= EVM_ATTR_FSUUID;
+#endif
+        pr_info("HMAC attrs: 0x%x\n", evm_hmac_attrs);
+}
+
 static int evm_find_protected_xattrs(struct dentry *dentry)
 {
         struct inode *inode = dentry->d_inode;
@@ -432,6 +440,8 @@ static int __init init_evm(void)
 {
         int error;
 
+        evm_init_config();
+
         error = evm_init_secfs();
         if (error < 0) {
                 pr_info("Error registering secfs\n");