git.samba.org / sfrench / cifs-2.6.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Merge tag 'xfs-4.16-merge-5' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux
[sfrench/cifs-2.6.git] / Documentation / ABI / testing / evm
diff --git a/Documentation/ABI/testing/evm b/Documentation/ABI/testing/evm
index 9578247e17929bf4fcd6bd50b185f955031dc96d..d12cb2eae9ee658e552c81c9009e2759a9142d58 100644 (file)
--- a/Documentation/ABI/testing/evm
+++ b/Documentation/ABI/testing/evm
@@ -14,30 +14,46 @@ Description:
                generated either locally or remotely using an
                asymmetric key. These keys are loaded onto root's
                keyring using keyctl, and EVM is then enabled by
-               echoing a value to <securityfs>/evm:
+               echoing a value to <securityfs>/evm made up of the
+               following bits:
 
-               1: enable HMAC validation and creation
-               2: enable digital signature validation
-               3: enable HMAC and digital signature validation and HMAC
-                  creation
+               Bit       Effect
+               0         Enable HMAC validation and creation
+               1         Enable digital signature validation
+               2         Permit modification of EVM-protected metadata at
+                         runtime. Not supported if HMAC validation and
+                         creation is enabled.
+               31        Disable further runtime modification of EVM policy
 
-               Further writes will be blocked if HMAC support is enabled or
-               if bit 32 is set:
+               For example:
 
-               echo 0x80000002 ><securityfs>/evm
+               echo 1 ><securityfs>/evm
 
-               will enable digital signature validation and block
-               further writes to <securityfs>/evm.
+               will enable HMAC validation and creation
 
-               Until this is done, EVM can not create or validate the
-               'security.evm' xattr, but returns INTEGRITY_UNKNOWN.
-               Loading keys and signaling EVM should be done as early
-               as possible.  Normally this is done in the initramfs,
-               which has already been measured as part of the trusted
-               boot.  For more information on creating and loading
-               existing trusted/encrypted keys, refer to:
+               echo 0x80000003 ><securityfs>/evm
 
-               Documentation/security/keys/trusted-encrypted.rst. Both dracut
-               (via 97masterkey and 98integrity) and systemd (via
+               will enable HMAC and digital signature validation and
+               HMAC creation and disable all further modification of policy.
+
+               echo 0x80000006 ><securityfs>/evm
+
+               will enable digital signature validation, permit
+               modification of EVM-protected metadata and
+               disable all further modification of policy
+
+               Note that once a key has been loaded, it will no longer be
+               possible to enable metadata modification.
+
+               Until key loading has been signaled EVM can not create
+               or validate the 'security.evm' xattr, but returns
+               INTEGRITY_UNKNOWN.  Loading keys and signaling EVM
+               should be done as early as possible.  Normally this is
+               done in the initramfs, which has already been measured
+               as part of the trusted boot.  For more information on
+               creating and loading existing trusted/encrypted keys,
+               refer to:
+               Documentation/security/keys/trusted-encrypted.rst. Both
+               dracut (via 97masterkey and 98integrity) and systemd (via
                core/ima-setup) have support for loading keys at boot
                time.
Unnamed repository; edit this file 'description' to name the repository.