| author | Stefan Berger <stefanb@linux.ibm.com> | 2026-03-25 17:33:49 -0400 |
|---|---|---|
| committer | Mimi Zohar <zohar@linux.ibm.com> | 2026-04-01 10:16:53 -0400 |
| commit | 82bbd447199ff1441031d2eaf9afe041550cf525 (patch) | |
| tree | 292e2762b88320af684b83886ce5df57546468d4 /Documentation | |
| parent | bab8e90bca64a87dd058527ae1d02596d35dc601 (diff) | |
evm: Enforce signatures version 3 with new EVM policy 'bit 3'

Enable the configuration of EVM so that it requires that asymmetric
signatures it accepts are of version 3 (sigv3). To enable this, introduce
bit 3 (value 0x0008) that the user may write to EVM's securityfs policy
configuration file 'evm' for sigv3 enforcement.

Mention bit 3 in the documentation.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Diffstat (limited to 'Documentation')
| -rw-r--r-- | Documentation/ABI/testing/evm | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/Documentation/ABI/testing/evm b/Documentation/ABI/testing/evm index 44750a933db4..db3007babb58 100644 --- a/Documentation/ABI/testing/evm +++ b/Documentation/ABI/testing/evm @@ -26,6 +26,7 @@ Description: 2 Permit modification of EVM-protected metadata at runtime. Not supported if HMAC validation and creation is enabled (deprecated). + 3 Require asymmetric signatures to be version 3 31 Disable further runtime modification of EVM policy === ================================================== |
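Review bot: The new bit 3 entry in the Description table says only "Require asymmetric signatures to be version 3", which leaves out what someone configuring the policy needs to know. The commit message gives the value to write as 0x0008 and uses the term sigv3, but neither appears in the documentation line, so a reader searching the ABI file for "sigv3" will not find it. Consider wording such as "Require asymmetric signatures to be version 3 (sigv3)" and, as the bit 2 entry does for HMAC, a short remark on how this bit combines with the other bits and how signatures of other versions are treated once it is set. Only the Documentation part of the change is shown here, so this comment does not cover the enforcement code.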
