From 1b8602d083e9a065fba17988a05d04176555c264 Mon Sep 17 00:00:00 2001
From: Roberto Sassu
Date: Wed, 3 Mar 2021 08:44:25 +0100
Subject: [PATCH] evm: Extend evm= with x509. allow_metadata_writes and complete values

hulk inclusion
category: feature
feature: IMA Digest Lists extension
bugzilla: 46797

-------------------------------------------------

Introduce three new values for evm= kernel option:

x509: enable EVM by setting x509 flag;
allow_metadata_writes: permit metadata modificatons;
complete: don't allow further changes of the EVM status.

Signed-off-by: Roberto Sassu
Signed-off-by: Tianxing Zhang
Reviewed-by: Jason Yan
Signed-off-by: Zheng Zengkai
---
 Documentation/admin-guide/kernel-parameters.txt | 10 +++++++---
 security/integrity/evm/evm_main.c | 10 ++++++++--
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 4abf537de01b..0aa18521b0a3 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -1347,9 +1347,13 @@
 has equivalent usage. See its documentation for details.
 evm= [EVM]
- Format: { "fix" }
- Permit 'security.evm' to be updated regardless of
- current integrity status.
+ Format: { "fix" | "x509" | "allow_metadata_writes" |
+ "complete" }
+ fix: permit 'security.evm' to be updated regardless of
+ current integrity status;
+ x509: enable EVM by setting x509 flag;
+ allow_metadata_writes: permit metadata modificatons;
+ complete: don't allow further changes of the EVM status.
 failslab=
 fail_usercopy=
diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c
index 8cbf0787eb02..c6eb6904277a 100644
--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -57,16 +57,22 @@ static struct xattr_list evm_config_default_xattrnames[] = {
 LIST_HEAD(evm_config_xattrnames);
 static int evm_fixmode;
-static int __init evm_set_fixmode(char *str)
+static int __init evm_set_param(char *str)
 {
 if (strncmp(str, "fix", 3) == 0)
 evm_fixmode = 1;
+ else if (strncmp(str, "x509", 4) == 0)
+ evm_initialized |= EVM_INIT_X509;
+ else if (strncmp(str, "allow_metadata_writes", 21) == 0)
+ evm_initialized |= EVM_ALLOW_METADATA_WRITES;
+ else if (strncmp(str, "complete", 8) == 0)
+ evm_initialized |= EVM_SETUP_COMPLETE;
 else
 pr_err("invalid \"%s\" mode", str);
 return 0;
 }
-__setup("evm=", evm_set_fixmode);
+__setup("evm=", evm_set_param);
 static void __init evm_init_config(void)
 {
-- 
GitLab
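Review bot: The three new `strncmp` tests in evm_set_param compare only a fixed-length prefix, so a value such as `evm=x509abc` or `evm=completed` sets EVM_INIT_X509 or EVM_SETUP_COMPLETE instead of reaching the `pr_err` branch; each accepted value is a whole keyword, so an exact comparison is the tighter check, `else if (strcmp(str, "x509") == 0)`, and likewise for `"allow_metadata_writes"` and `"complete"`. The handler runs once per `evm=` occurrence on the command line, so the flags OR together across repeated parameters, and the new function has no comment stating this; a line above it such as `/* Called once per evm= occurrence; x509, allow_metadata_writes and complete each OR a flag into evm_initialized, so values accumulate. */` would make the contract visible. If the securityfs write path in this tree, as upstream, refuses key loading once EVM_SETUP_COMPLETE is set and rejects EVM_ALLOW_METADATA_WRITES after HMAC initialization, then setting these flags from the command line skips those ordering checks; that cannot be confirmed from this hunk and is worth a sentence in the same comment if it is intended.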