evm: Deprecate EVM_ALLOW_METADATA_WRITES

This patch deprecates the usage of EVM_ALLOW_METADATA_WRITES, as it is no
longer necessary. All the issues that prevent the usage of EVM portable
signatures just with a public key loaded have been solved.

This flag will remain available for a short time to ensure that users are
able to use EVM without it.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

diff --git a/Documentation/ABI/testing/evm b/Documentation/ABI/testing/evm
index 2243b72e41107097ba5d503eb7c63b9e4d557401..553fd8a33e567b6c3aa8f4c5f3be72e9d9f53a26 100644 (file)
--- a/Documentation/ABI/testing/evm
+++ b/Documentation/ABI/testing/evm
@@ -24,7 +24,7 @@ Description:
                1         Enable digital signature validation
                2         Permit modification of EVM-protected metadata at
                          runtime. Not supported if HMAC validation and
-                         creation is enabled.
+                         creation is enabled (deprecated).
                31        Disable further runtime modification of EVM policy
                ===       ==================================================
 
@@ -47,7 +47,13 @@ Description:
 
                will enable digital signature validation, permit
                modification of EVM-protected metadata and
-               disable all further modification of policy
+               disable all further modification of policy. This option is now
+               deprecated in favor of::
+
+                 echo 0x80000002 ><securityfs>/evm
+
+               as the outstanding issues that prevent the usage of EVM portable
+               signatures have been solved.
 
                Echoing a value is additive, the new value is added to the
                existing initialization flags.