evm: Extend evm= with x509. allow_metadata_writes and complete values (0d1eb7af) · Commits · EulixOS / Software / Kernel

Documentation/admin-guide/kernel-parameters.txt

+7 −3

Original line number	Diff line number	Diff line
		@@ -1491,9 +1491,13 @@
		has equivalent usage. See its documentation for details.

		evm= [EVM]
		Format: { "fix" }
		Permit 'security.evm' to be updated regardless of
		current integrity status.
		Format: { "fix" \| "x509" \| "allow_metadata_writes" \|
		"complete" }
		fix: permit 'security.evm' to be updated regardless of
		current integrity status;
		x509: enable EVM by setting x509 flag;
		allow_metadata_writes: permit metadata modificatons;
		complete: don't allow further changes of the EVM status.

		early_page_ext [KNL] Enforces page_ext initialization to earlier
		stages so cover more early boot allocations.

+16 −0

Original line number	Diff line number	Diff line
		@@ -74,16 +74,32 @@ static struct xattr_list evm_config_default_xattrnames[] = {
		LIST_HEAD(evm_config_xattrnames);

		static int evm_fixmode __ro_after_init;
		#ifdef CONFIG_IMA_DIGEST_LIST
		static int __init evm_set_param(char *str)
		#else
		static int __init evm_set_fixmode(char *str)
		#endif
		{
		if (strncmp(str, "fix", 3) == 0)
		evm_fixmode = 1;
		#ifdef CONFIG_IMA_DIGEST_LIST
		else if (strncmp(str, "x509", 4) == 0)
		evm_initialized \|= EVM_INIT_X509;
		else if (strncmp(str, "allow_metadata_writes", 21) == 0)
		evm_initialized \|= EVM_ALLOW_METADATA_WRITES;
		else if (strncmp(str, "complete", 8) == 0)
		evm_initialized \|= EVM_SETUP_COMPLETE;
		#endif
		else
		pr_err("invalid \"%s\" mode", str);

		return 1;
		}
		#ifdef CONFIG_IMA_DIGEST_LIST
		__setup("evm=", evm_set_param);
		#else
		__setup("evm=", evm_set_fixmode);
		#endif

		static void __init evm_init_config(void)
		{