1 files changed, 23 insertions, 0 deletions
diff --git a/Documentation/ABI/testing/evm b/Documentation/ABI/testing/evm
new file mode 100644
index 000000000000..8374d4557e5d
--- /dev/null
+++ b/Documentation/ABI/testing/evm
@@ -0,0 +1,23 @@
+What:           security/evm
+Date:           March 2011
+Contact:        Mimi Zohar <zohar@us.ibm.com>
+Description:
+                EVM protects a file's security extended attributes(xattrs)
+                against integrity attacks. The initial method maintains an
+                HMAC-sha1 value across the extended attributes, storing the
+                value as the extended attribute 'security.evm'.
+                EVM depends on the Kernel Key Retention System to provide it
+                with a trusted/encrypted key for the HMAC-sha1 operation.
+                The key is loaded onto the root's keyring using keyctl.  Until
+                EVM receives notification that the key has been successfully
+                loaded onto the keyring (echo 1 > <securityfs>/evm), EVM
+                can not create or validate the 'security.evm' xattr, but
+                returns INTEGRITY_UNKNOWN.  Loading the key and signaling EVM
+                should be done as early as possible.  Normally this is done
+                in the initramfs, which has already been measured as part
+                of the trusted boot.  For more information on creating and
+                loading existing trusted/encrypted keys, refer to:
+                Documentation/keys-trusted-encrypted.txt.  (A sample dracut
+                patch, which loads the trusted/encrypted key and enables
+                EVM, is available from http://linux-ima.sourceforge.net/#EVM.)

diff --git a/Documentation/ABI/testing/evm b/Documentation/ABI/testing/evm new file mode 100644 index 000000000000..8374d4557e5d --- /dev/null +++ b/Documentation/ABI/testing/evm
@@ -0,0 +1,23 @@
	1	What: security/evm
	2	Date: March 2011
	3	Contact: Mimi Zohar <zohar@us.ibm.com>
	4	Description:
	5	EVM protects a file's security extended attributes(xattrs)
	6	against integrity attacks. The initial method maintains an
	7	HMAC-sha1 value across the extended attributes, storing the
	8	value as the extended attribute 'security.evm'.
	9
	10	EVM depends on the Kernel Key Retention System to provide it
	11	with a trusted/encrypted key for the HMAC-sha1 operation.
	12	The key is loaded onto the root's keyring using keyctl. Until
	13	EVM receives notification that the key has been successfully
	14	loaded onto the keyring (echo 1 > <securityfs>/evm), EVM
	15	can not create or validate the 'security.evm' xattr, but
	16	returns INTEGRITY_UNKNOWN. Loading the key and signaling EVM
	17	should be done as early as possible. Normally this is done
	18	in the initramfs, which has already been measured as part
	19	of the trusted boot. For more information on creating and
	20	loading existing trusted/encrypted keys, refer to:
	21	Documentation/keys-trusted-encrypted.txt. (A sample dracut
	22	patch, which loads the trusted/encrypted key and enables
	23	EVM, is available from http://linux-ima.sourceforge.net/#EVM.)