Skip to main content

Browse the archive

Staging
v0.5.1
https://github.com/torvalds/linux
02 December 2023, 22:23:51 UTC
Raw File
Tip revision: 3c2993b8c6143d8a5793746a54eba8f86f95240f authored by Linus Torvalds on 04 June 2017, 23:47:43 UTC
Linux 4.12-rc4
Tip revision: 3c2993b
evm 
What:		security/evm
Date:		March 2011
Contact:	Mimi Zohar <zohar@us.ibm.com>
Description:
		EVM protects a file's security extended attributes(xattrs)
		against integrity attacks. The initial method maintains an
		HMAC-sha1 value across the extended attributes, storing the
		value as the extended attribute 'security.evm'.

		EVM depends on the Kernel Key Retention System to provide it
		with a trusted/encrypted key for the HMAC-sha1 operation.
		The key is loaded onto the root's keyring using keyctl.  Until
		EVM receives notification that the key has been successfully
		loaded onto the keyring (echo 1 > <securityfs>/evm), EVM
		can not create or validate the 'security.evm' xattr, but
		returns INTEGRITY_UNKNOWN.  Loading the key and signaling EVM
		should be done as early as possible.  Normally this is done
		in the initramfs, which has already been measured as part
		of the trusted boot.  For more information on creating and
		loading existing trusted/encrypted keys, refer to:
		Documentation/keys-trusted-encrypted.txt.  (A sample dracut
		patch, which loads the trusted/encrypted key and enables
		EVM, is available from http://linux-ima.sourceforge.net/#EVM.)
back to top