Commit 1434c6a1 authored by Roberto Sassu, committed by Mimi Zohar

evm: Deprecate EVM_ALLOW_METADATA_WRITES



This patch deprecates the usage of EVM_ALLOW_METADATA_WRITES, as it is no
longer necessary. All the issues that prevent the usage of EVM portable
signatures just with a public key loaded have been solved.

This flag will remain available for a short time to ensure that users are
able to use EVM without it.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
parent 1886ab01
+8 −2
@@ -24,7 +24,7 @@ Description:
		1	  Enable digital signature validation
		2	  Permit modification of EVM-protected metadata at
			  runtime. Not supported if HMAC validation and
			  creation is enabled.
			  creation is enabled (deprecated).
		31	  Disable further runtime modification of EVM policy
		===	  ==================================================

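Review bot: The "(deprecated)" marker in the bit 2 description is attached to the end of the second sentence, so it reads as if the restriction "Not supported if HMAC validation and creation is enabled" is what has been deprecated rather than the flag itself. Consider moving it to the first sentence, for example "Permit modification of EVM-protected metadata at runtime (deprecated).", and leaving the HMAC sentence as it was.
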
@@ -47,7 +47,13 @@ Description:

		will enable digital signature validation, permit
		modification of EVM-protected metadata and
		disable all further modification of policy
		disable all further modification of policy. This option is now
		deprecated in favor of::

		  echo 0x80000002 ><securityfs>/evm

		as the outstanding issues that prevent the usage of EVM portable
		signatures have been solved.

		Echoing a value is additive, the new value is added to the
		existing initialization flags.
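
Review bot: "This option is now deprecated in favor of" does not say which option is meant or what the replacement value does. The paragraph it follows describes a command that enables signature validation, permits metadata modification and locks the policy, while 0x80000002, going by the flag table earlier in this file, sets only bits 1 and 31. Suggest saying explicitly that it is bit 2 that is deprecated and that the new command "will enable digital signature validation and disable all further modification of policy". Because the trailing context states that echoed values are additive, it is also worth noting that writing the new value does not clear bit 2 if it was already set. The documentation could additionally say how long the flag stays available, which the commit message gives only as "a short time".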