loadpin: Prevent SECURITY_LOADPIN_ENFORCE=y without module decompression
If modules are built compressed, and LoadPin is enforcing by default, we must have in-kernel module decompression enabled (MODULE_DECOMPRESS). Modules will fail to load without decompression built into the kernel because they'll be blocked by LoadPin. Add a depends on clause to prevent this combination.

Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Stephen Boyd <swboyd@chromium.org>
Link: https://lore.kernel.org/r/20240514224839.2526112-1-swboyd@chromium.org
Signed-off-by: Kees Cook <keescook@chromium.org>
parent 6d305cbef1
commit ce0d73ef8d
@ -14,6 +14,9 @@ config SECURITY_LOADPIN
|
||||
config SECURITY_LOADPIN_ENFORCE
|
||||
bool "Enforce LoadPin at boot"
|
||||
depends on SECURITY_LOADPIN
|
||||
# Module compression breaks LoadPin unless modules are decompressed in
|
||||
# the kernel.
|
||||
depends on !MODULES || (MODULE_COMPRESS_NONE || MODULE_DECOMPRESS)
|
||||
help
|
||||
If selected, LoadPin will enforce pinning at boot. If not
|
||||
selected, it can be enabled at boot with the kernel parameter
|
||||
|
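Review bot: the added `depends on !MODULES || (MODULE_COMPRESS_NONE || MODULE_DECOMPRESS)` line under SECURITY_LOADPIN_ENFORCE only guards the build-time default, while the help text directly below it still says enforcement "can be enabled at boot with the kernel parameter". A kernel built with compressed modules and without MODULE_DECOMPRESS can therefore still reach the module-load failure the commit message describes once enforcement is switched on at boot. Since an unmet `depends on` simply hides the option, I would add a sentence to the help text stating the decompression requirement and that it applies to boot-time enabling as well, so the constraint is visible to whoever configures the kernel. Minor style point on the same line: the inner parentheses are redundant in a chain of `||` terms and can be dropped.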