diff options
| author | James Morris <jmorris@namei.org> | 2011-08-08 20:31:03 -0400 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2011-08-08 20:31:03 -0400 |
| commit | 5a2f3a02aea164f4f59c0c3497772090a411b462 (patch) | |
| tree | d3ebe03d4f97575290087843960baa01de3acd0a /Documentation | |
| parent | 1d568ab068c021672d6cd7f50f92a3695a921ffb (diff) | |
| parent | 817b54aa45db03437c6d09a7693fc6926eb8e822 (diff) | |
Merge branch 'next-evm' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/ima-2.6 into next
Conflicts:
fs/attr.c
Resolve conflict manually.
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'Documentation')
| -rw-r--r-- | Documentation/ABI/testing/evm | 23 | ||||
| -rw-r--r-- | Documentation/kernel-parameters.txt | 6 |
2 files changed, 29 insertions, 0 deletions
diff --git a/Documentation/ABI/testing/evm b/Documentation/ABI/testing/evm new file mode 100644 index 000000000000..8374d4557e5d --- /dev/null +++ b/Documentation/ABI/testing/evm | |||
| @@ -0,0 +1,23 @@ | |||
| 1 | What: security/evm | ||
| 2 | Date: March 2011 | ||
| 3 | Contact: Mimi Zohar <zohar@us.ibm.com> | ||
| 4 | Description: | ||
| 5 | EVM protects a file's security extended attributes(xattrs) | ||
| 6 | against integrity attacks. The initial method maintains an | ||
| 7 | HMAC-sha1 value across the extended attributes, storing the | ||
| 8 | value as the extended attribute 'security.evm'. | ||
| 9 | |||
| 10 | EVM depends on the Kernel Key Retention System to provide it | ||
| 11 | with a trusted/encrypted key for the HMAC-sha1 operation. | ||
| 12 | The key is loaded onto the root's keyring using keyctl. Until | ||
| 13 | EVM receives notification that the key has been successfully | ||
| 14 | loaded onto the keyring (echo 1 > <securityfs>/evm), EVM | ||
| 15 | can not create or validate the 'security.evm' xattr, but | ||
| 16 | returns INTEGRITY_UNKNOWN. Loading the key and signaling EVM | ||
| 17 | should be done as early as possible. Normally this is done | ||
| 18 | in the initramfs, which has already been measured as part | ||
| 19 | of the trusted boot. For more information on creating and | ||
| 20 | loading existing trusted/encrypted keys, refer to: | ||
| 21 | Documentation/keys-trusted-encrypted.txt. (A sample dracut | ||
| 22 | patch, which loads the trusted/encrypted key and enables | ||
| 23 | EVM, is available from http://linux-ima.sourceforge.net/#EVM.) | ||
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt index e279b7242912..cd7c86110147 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt | |||
| @@ -48,6 +48,7 @@ parameter is applicable: | |||
| 48 | EDD BIOS Enhanced Disk Drive Services (EDD) is enabled | 48 | EDD BIOS Enhanced Disk Drive Services (EDD) is enabled |
| 49 | EFI EFI Partitioning (GPT) is enabled | 49 | EFI EFI Partitioning (GPT) is enabled |
| 50 | EIDE EIDE/ATAPI support is enabled. | 50 | EIDE EIDE/ATAPI support is enabled. |
| 51 | EVM Extended Verification Module | ||
| 51 | FB The frame buffer device is enabled. | 52 | FB The frame buffer device is enabled. |
| 52 | GCOV GCOV profiling is enabled. | 53 | GCOV GCOV profiling is enabled. |
| 53 | HW Appropriate hardware is enabled. | 54 | HW Appropriate hardware is enabled. |
| @@ -758,6 +759,11 @@ bytes respectively. Such letter suffixes can also be entirely omitted. | |||
| 758 | This option is obsoleted by the "netdev=" option, which | 759 | This option is obsoleted by the "netdev=" option, which |
| 759 | has equivalent usage. See its documentation for details. | 760 | has equivalent usage. See its documentation for details. |
| 760 | 761 | ||
| 762 | evm= [EVM] | ||
| 763 | Format: { "fix" } | ||
| 764 | Permit 'security.evm' to be updated regardless of | ||
| 765 | current integrity status. | ||
| 766 | |||
| 761 | failslab= | 767 | failslab= |
| 762 | fail_page_alloc= | 768 | fail_page_alloc= |
| 763 | fail_make_request=[KNL] | 769 | fail_make_request=[KNL] |