diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 4abf537de01b0d90c4bd33ad2ff29a2a3bd98ace..0aa18521b0a35e116758ab5b6a3324688e3e4738 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -1347,9 +1347,13 @@
 			has equivalent usage. See its documentation for details.
 
 	evm=		[EVM]
-			Format: { "fix" }
-			Permit 'security.evm' to be updated regardless of
-			current integrity status.
+			Format: { "fix" | "x509" | "allow_metadata_writes" |
+				  "complete" }
+			fix: permit 'security.evm' to be updated regardless of
+			     current integrity status;
+			x509: enable EVM by setting x509 flag;
+			allow_metadata_writes: permit metadata modificatons;
+			complete: don't allow further changes of the EVM status.
 
 	failslab=
 	fail_usercopy=
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 8cbf0787eb02dd42224af4097331e6870c451736..c6eb6904277a6df84872a6c78c71017c1b089470 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -57,16 +57,22 @@ static struct xattr_list evm_config_default_xattrnames[] = {
 LIST_HEAD(evm_config_xattrnames);
 
 static int evm_fixmode;
-static int __init evm_set_fixmode(char *str)
+static int __init evm_set_param(char *str)
 {
 	if (strncmp(str, "fix", 3) == 0)
 		evm_fixmode = 1;
+	else if (strncmp(str, "x509", 4) == 0)
+		evm_initialized |= EVM_INIT_X509;
+	else if (strncmp(str, "allow_metadata_writes", 21) == 0)
+		evm_initialized |= EVM_ALLOW_METADATA_WRITES;
+	else if (strncmp(str, "complete", 8) == 0)
+		evm_initialized |= EVM_SETUP_COMPLETE;
 	else
 		pr_err("invalid \"%s\" mode", str);
 	return 0;
 }
 
-__setup("evm=", evm_set_fixmode);
+__setup("evm=", evm_set_param);
 
 static void __init evm_init_config(void)
 {
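Review bot: The three new `strncmp()` branches in evm_set_param (like the existing "fix" one) compare only a fixed-length prefix, so `evm=x509,complete` is accepted without complaint but sets only EVM_INIT_X509 and silently drops `complete` — the very option the documentation describes as locking the EVM status — and a typo such as `evm=completely` passes as `complete`. Because the new values are flags OR'd into evm_initialized and an administrator will want to combine them, a whole-token comparison over a comma-separated list (strsep + strcmp) would both reject malformed input and let one `evm=` carry several options; the missing newline in the `pr_err()` format can be fixed in the same pass. If repeating `evm=` on the command line is the intended way to combine flags, the kernel-parameters.txt entry should say so explicitly, since nothing there currently tells the reader how to set more than one.

```c
static int __init evm_set_param(char *str)
{
	char *opt;

	/* whole-token match over a comma-separated list: "fixme" must not
	 * enable fix mode, and "x509,complete" must set both flags */
	while ((opt = strsep(&str, ",")) != NULL) {
		if (!*opt)
			continue;
		if (!strcmp(opt, "fix"))
			evm_fixmode = 1;
		else if (!strcmp(opt, "x509"))
			evm_initialized |= EVM_INIT_X509;
		else if (!strcmp(opt, "allow_metadata_writes"))
			evm_initialized |= EVM_ALLOW_METADATA_WRITES;
		else if (!strcmp(opt, "complete"))
			evm_initialized |= EVM_SETUP_COMPLETE;
		else
			pr_err("invalid \"%s\" mode\n", opt);
	}
	return 0;
}
```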