From: Roberto Sassu <roberto.sassu@huawei.com>

euleros inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I7QZ2M
CVE: NA
-------------------------------------------------
Introduce three new values for the evm= kernel option:

x509: enable EVM by setting x509 flag;
allow_metadata_writes: permit metadata modifications;
complete: don't allow further changes of the EVM status.
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Tianxing Zhang <zhangtianxing3@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
Signed-off-by: zhoushuiqing <zhoushuiqing2@huawei.com>
---
 Documentation/admin-guide/kernel-parameters.txt | 10 +++++++---
 security/integrity/evm/evm_main.c               | 16 ++++++++++++++++
 2 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 0ac4ed2b8..84fe3bc6c 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -1476,9 +1476,13 @@ has equivalent usage. See its documentation for details.
evm= [EVM] - Format: { "fix" } - Permit 'security.evm' to be updated regardless of - current integrity status. + Format: { "fix" | "x509" | "allow_metadata_writes" | + "complete" } + fix: permit 'security.evm' to be updated regardless of + current integrity status; + x509: enable EVM by setting x509 flag; + allow_metadata_writes: permit metadata modificatons; + complete: don't allow further changes of the EVM status.
early_page_ext [KNL] Enforces page_ext initialization to earlier stages so cover more early boot allocations. diff --git a/security/integrity/evm/evm_main.c b/security/integrity/evm/evm_main.c index 47ac6e9e7..404858623 100644 --- a/security/integrity/evm/evm_main.c +++ b/security/integrity/evm/evm_main.c @@ -73,16 +73,32 @@ static struct xattr_list evm_config_default_xattrnames[] = { LIST_HEAD(evm_config_xattrnames);
static int evm_fixmode __ro_after_init; +#ifdef CONFIG_IMA_DIGEST_LIST +static int __init evm_set_param(char *str) +#else static int __init evm_set_fixmode(char *str) +#endif { if (strncmp(str, "fix", 3) == 0) evm_fixmode = 1; +#ifdef CONFIG_IMA_DIGEST_LIST + else if (strncmp(str, "x509", 4) == 0) + evm_initialized |= EVM_INIT_X509; + else if (strncmp(str, "allow_metadata_writes", 21) == 0) + evm_initialized |= EVM_ALLOW_METADATA_WRITES; + else if (strncmp(str, "complete", 8) == 0) + evm_initialized |= EVM_SETUP_COMPLETE; +#endif else pr_err("invalid "%s" mode", str);
return 1; } +#ifdef CONFIG_IMA_DIGEST_LIST +__setup("evm=", evm_set_param); +#else __setup("evm=", evm_set_fixmode); +#endif
static void __init evm_init_config(void) {
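Review bot: the added allow_metadata_writes line in the kernel-parameters.txt hunk carries the typo "modificatons" (the same typo is in the commit message); it should read "permit metadata modifications". The new Format line also presents x509, allow_metadata_writes and complete as plain alternatives to fix, but the evm_main.c hunk only parses them under CONFIG_IMA_DIGEST_LIST and ORs each one into evm_initialized, so the documentation should state that these three values are accepted only when that config option is enabled, and say whether the intended way to combine them is to repeat evm= on the command line.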
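Review bot: in the evm_main.c hunk the new branches match by prefix (strncmp(str, "x509", 4), strncmp(str, "allow_metadata_writes", 21), strncmp(str, "complete", 8)), so a mistyped value such as evm=x509abc or evm=completed is silently accepted instead of falling through to the pr_err("invalid ...") branch; strcmp, or a length check against strlen(str), would make the parser accept only the exact keyword. The branches also OR EVM_INIT_X509, EVM_ALLOW_METADATA_WRITES and EVM_SETUP_COMPLETE straight into evm_initialized with no consistency check, so evm=complete on its own marks the EVM setup complete during __setup processing, before any key could have been loaded; either reject complete unless x509 is also requested, or document that this ordering is intended. Finally, the #ifdef that renames the handler to evm_set_param while keeping evm_set_fixmode otherwise forces a second #ifdef around the __setup line; keeping a single function name and wrapping only the new else-if branches in CONFIG_IMA_DIGEST_LIST would be smaller and easier to read.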