diff options
author | Stephen Boyd <swboyd@chromium.org> | 2024-05-14 15:48:38 -0700 |
---|---|---|
committer | Kees Cook <keescook@chromium.org> | 2024-05-18 13:46:10 -0700 |
commit | ce0d73ef8dea52d7253bdc2fd3cc3e89d7089ded (patch) | |
tree | 5e03fc3f81a8a287e32cb08c8d5b028e03a4cecf | |
parent | 6d305cbef1aa01b9714e01e35f3d5c28544cf04d (diff) | |
download | lwn-ce0d73ef8dea52d7253bdc2fd3cc3e89d7089ded.tar.gz lwn-ce0d73ef8dea52d7253bdc2fd3cc3e89d7089ded.zip |
loadpin: Prevent SECURITY_LOADPIN_ENFORCE=y without module decompression
If modules are built compressed, and LoadPin is enforcing by default, we
must have in-kernel module decompression enabled (MODULE_DECOMPRESS).
Modules will fail to load without decompression built into the kernel
because they'll be blocked by LoadPin. Add a depends on clause to
prevent this combination.
Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Stephen Boyd <swboyd@chromium.org>
Link: https://lore.kernel.org/r/20240514224839.2526112-1-swboyd@chromium.org
Signed-off-by: Kees Cook <keescook@chromium.org>
-rw-r--r-- | security/loadpin/Kconfig | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/security/loadpin/Kconfig b/security/loadpin/Kconfig index 6724eaba3d36..848f8b4a6019 100644 --- a/security/loadpin/Kconfig +++ b/security/loadpin/Kconfig @@ -14,6 +14,9 @@ config SECURITY_LOADPIN config SECURITY_LOADPIN_ENFORCE bool "Enforce LoadPin at boot" depends on SECURITY_LOADPIN + # Module compression breaks LoadPin unless modules are decompressed in + # the kernel. + depends on !MODULES || (MODULE_COMPRESS_NONE || MODULE_DECOMPRESS) help If selected, LoadPin will enforce pinning at boot. If not selected, it can be enabled at boot with the kernel parameter |