From: Serge E. Hallyn on
Quoting Mimi Zohar (zohar(a)
> EVM protects a file's security extended attributes against integrity
> attacks. It maintains an HMAC-sha1 value across the extended attributes,
> storing the value as the extended attribute 'security.evm'. EVM has gone
> through a number of iterations, initially as an LSM module, subsequently
> as a LIM integrity provider, and now, when co-located with a security_
> hook, embedded directly in the security_ hook, similar to IMA.
> This is the first part of a local file integrity verification system.
> While this part does authenticate the selected extended attributes, and
> cryptographically bind them to the inode, coming extensions will bind
> other directory and inode metadata for more complete protection. The
> set of protected security extended attributes is configured at compile.
> EVM depends on the Kernel Key Retention System to provide it with the
> kernel master key for the HMAC operation. The kernel master key is
> securely loaded onto the root's keyring, typically by 'loadkernkey',
> which either uses the TPM sealed secret key, if available, or a
> password requested from the console. To signal EVM, that the key has
> been loaded onto the keyring, 'echo 1 > <securityfs>/evm'. This is
> normally done in the initrd, which has already been measured as part
> of the trusted boot. (Refer to
> EVM adds the following three calls to the existing security hooks,
> evm_inode_setxattr(), evm_inode_post_setxattr(), and
> evm_inode_removexattr.
> To initialize and update the 'security.evm' extended attribute, EVM
> defines three calls: evm_inode_post_init(), evm_inode_post_setattr()
> and evm_inode_post_removexattr() hooks.
> To verify the integrity of an extended attribute, EVM exports
> evm_verifyxattr().
> Signed-off-by: Mimi Zohar <zohar(a)>

Acked-by: Serge Hallyn <serue(a)>

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo(a)
More majordomo info at
Please read the FAQ at