evm: permit only valid security.evm xattrs to be updated In addition to requiring CAP_SYS_ADMIN permission to modify/delete security.evm, prohibit invalid security.evm xattrs from changing, unless in fixmode. This patch prevents inadvertent 'fixing' of security.evm to reflect offline modifications. Changelog v7: - rename boot paramater 'evm_mode' to 'evm' Reported-by: Roberto Sassu <roberto.sassu@polito.it> Signed-off-by: Mimi Zohar <zohar@us.ibm.com>

commit: 7102ebcd65c1cdb5d5a87c7c5cf7a46f5afb0cac [log] [tgz]
author: Mimi Zohar <zohar@linux.vnet.ibm.com> Thu May 12 18:33:20 2011 -0400
committer: Mimi Zohar <zohar@linux.vnet.ibm.com> Mon Jul 18 12:29:49 2011 -0400
tree: 1de4ac95b25e6bebab103e4377047c8f76038dac
parent: 24e0198efe0df50034ec1c14b2d7b5bb0f66d54a [diff] [blame]
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index fd248a31..db97ff1 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt

@@ -48,6 +48,7 @@
 	EDD	BIOS Enhanced Disk Drive Services (EDD) is enabled
 	EFI	EFI Partitioning (GPT) is enabled
 	EIDE	EIDE/ATAPI support is enabled.
+	EVM	Extended Verification Module
 	FB	The frame buffer device is enabled.
 	GCOV	GCOV profiling is enabled.
 	HW	Appropriate hardware is enabled.
@@ -750,6 +751,11 @@
 			This option is obsoleted by the "netdev=" option, which
 			has equivalent usage. See its documentation for details.
 
+	evm=		[EVM]
+			Format: { "fix" }
+			Permit 'security.evm' to be updated regardless of
+			current integrity status.
+
 	failslab=
 	fail_page_alloc=
 	fail_make_request=[KNL]
commit	7102ebcd65c1cdb5d5a87c7c5cf7a46f5afb0cac	[log] [tgz]
author	Mimi Zohar <zohar@linux.vnet.ibm.com>	Thu May 12 18:33:20 2011 -0400
committer	Mimi Zohar <zohar@linux.vnet.ibm.com>	Mon Jul 18 12:29:49 2011 -0400
tree	1de4ac95b25e6bebab103e4377047c8f76038dac
parent	24e0198efe0df50034ec1c14b2d7b5bb0f66d54a [diff] [blame]