loadpin: Prevent SECURITY_LOADPIN_ENFORCE=y without module decompression

If modules are built compressed, and LoadPin is enforcing by default, we
must have in-kernel module decompression enabled (MODULE_DECOMPRESS).
Modules will fail to load without decompression built into the kernel
because they'll be blocked by LoadPin. Add a depends on clause to
prevent this combination.

Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Stephen Boyd <swboyd@chromium.org>
Link: https://lore.kernel.org/r/20240514224839.2526112-1-swboyd@chromium.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Stephen Boyd 2024-05-14 15:48:38 -07:00 committed by Kees Cook
parent 6d305cbef1
commit ce0d73ef8d


@ -14,6 +14,9 @@ config SECURITY_LOADPIN
config SECURITY_LOADPIN_ENFORCE config SECURITY_LOADPIN_ENFORCE
bool "Enforce LoadPin at boot" bool "Enforce LoadPin at boot"
depends on SECURITY_LOADPIN depends on SECURITY_LOADPIN
# Module compression breaks LoadPin unless modules are decompressed in
# the kernel.
depends on !MODULES || (MODULE_COMPRESS_NONE || MODULE_DECOMPRESS)
help help
If selected, LoadPin will enforce pinning at boot. If not If selected, LoadPin will enforce pinning at boot. If not
selected, it can be enabled at boot with the kernel parameter selected, it can be enabled at boot with the kernel parameter
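Review bot: the new dependency only closes the Kconfig-default path; the help text directly below this line still says enforcement "can be enabled at boot with the kernel parameter", and that runtime path is not gated by anything in this hunk, so a kernel built with compressed modules and without MODULE_DECOMPRESS can still reach the same state where every module load is blocked. Consider saying so in the new comment or in the help text, e.g. extending the comment to "Module compression breaks LoadPin unless modules are decompressed in the kernel; this also applies when enforcement is turned on via the boot parameter." Minor style point on the `depends on` line: the inner parentheses are redundant, `depends on !MODULES || MODULE_COMPRESS_NONE || MODULE_DECOMPRESS` reads the same.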