author Stephen Boyd <swboyd@chromium.org> 2024-05-14 15:48:38 -0700
committer Kees Cook <keescook@chromium.org> 2024-05-18 13:46:10 -0700
commit ce0d73ef8dea52d7253bdc2fd3cc3e89d7089ded
tree 5e03fc3f81a8a287e32cb08c8d5b028e03a4cecf
parent 6d305cbef1aa01b9714e01e35f3d5c28544cf04d
loadpin: Prevent SECURITY_LOADPIN_ENFORCE=y without module decompression

If modules are built compressed, and LoadPin is enforcing by default, we
must have in-kernel module decompression enabled (MODULE_DECOMPRESS).
Modules will fail to load without decompression built into the kernel
because they'll be blocked by LoadPin. Add a depends on clause to prevent
this combination.

Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Stephen Boyd <swboyd@chromium.org>
Link: https://lore.kernel.org/r/20240514224839.2526112-1-swboyd@chromium.org
Signed-off-by: Kees Cook <keescook@chromium.org>

-rw-r--r-- security/loadpin/Kconfig 3
1 files changed, 3 insertions, 0 deletions
diff --git a/security/loadpin/Kconfig b/security/loadpin/Kconfig
index 6724eaba3d36..848f8b4a6019 100644
--- a/security/loadpin/Kconfig
+++ b/security/loadpin/Kconfig
@@ -14,6 +14,9 @@ config SECURITY_LOADPIN
config SECURITY_LOADPIN_ENFORCE
bool "Enforce LoadPin at boot"
depends on SECURITY_LOADPIN
+ # Module compression breaks LoadPin unless modules are decompressed in
+ # the kernel.
+ depends on !MODULES || (MODULE_COMPRESS_NONE || MODULE_DECOMPRESS)
help
If selected, LoadPin will enforce pinning at boot. If not
selected, it can be enabled at boot with the kernel parameter
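
Review bot: The new `depends on` line guards only the build-time default, while the help text directly below it says enforcement can still be enabled at boot with a kernel parameter; a kernel built with compressed modules and without MODULE_DECOMPRESS would then hit the same blocked module loads the commit message describes. Consider stating the requirement in the help text too, so that someone who finds SECURITY_LOADPIN_ENFORCE hidden in menuconfig, or who turns enforcement on at boot, can see that MODULE_COMPRESS_NONE or MODULE_DECOMPRESS is needed. As a style point, the inner parentheses in `!MODULES || (MODULE_COMPRESS_NONE || MODULE_DECOMPRESS)` are redundant and can be dropped.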