evm: Extend evm= with x509. allow_metadata_writes and complete values

hulk inclusion
category: feature
feature: IMA Digest Lists extension
bugzilla: 46797

-------------------------------------------------

Introduce three new values for evm= kernel option:

x509: enable EVM by setting x509 flag;
allow_metadata_writes: permit metadata modificatons;
complete: don't allow further changes of the EVM status.
Signed-off-by: NRoberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: NTianxing Zhang <zhangtianxing3@huawei.com>
Reviewed-by: NJason Yan <yanaijie@huawei.com>
Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>

Documentation/admin-guide/kernel-parameters.txt

@@ -1347,9 +1347,13 @@
 			has equivalent usage. See its documentation for details.
 
 	evm=		[EVM]
-			Format: { "fix" }
-			Permit 'security.evm' to be updated regardless of
-			current integrity status.
+			Format: { "fix" | "x509" | "allow_metadata_writes" |
+				  "complete" }
+			fix: permit 'security.evm' to be updated regardless of
+			current integrity status;
+			x509: enable EVM by setting x509 flag;
+			allow_metadata_writes: permit metadata modificatons;
+			complete: don't allow further changes of the EVM status.
 
 	failslab=
 	fail_usercopy=

security/integrity/evm/evm_main.c

@@ -57,16 +57,22 @@ static struct xattr_list evm_config_default_xattrnames[] = {
 LIST_HEAD(evm_config_xattrnames);
 
 static int evm_fixmode;
-static int __init evm_set_fixmode(char *str)
+static int __init evm_set_param(char *str)
 {
 	if (strncmp(str, "fix", 3) == 0)
 		evm_fixmode = 1;
+	else if (strncmp(str, "x509", 4) == 0)
+		evm_initialized |= EVM_INIT_X509;
+	else if (strncmp(str, "allow_metadata_writes", 21) == 0)
+		evm_initialized |= EVM_ALLOW_METADATA_WRITES;
+	else if (strncmp(str, "complete", 8) == 0)
+		evm_initialized |= EVM_SETUP_COMPLETE;
 	else
 		pr_err("invalid \"%s\" mode", str);
 
 	return 0;
 }
-__setup("evm=", evm_set_fixmode);
+__setup("evm=", evm_set_param);
 
 static void __init evm_init_config(void)
 {