From: Kees Cook <keescook@chromium.org>
To: Stephen Boyd <swboyd@chromium.org>
Cc: Paul Moore <paul@paul-moore.com>,
James Morris <jmorris@namei.org>,
"Serge E . Hallyn" <serge@hallyn.com>,
linux-kernel@vger.kernel.org, patches@lists.linux.dev,
linux-security-module@vger.kernel.org,
Dmitry Torokhov <dmitry.torokhov@gmail.com>,
Douglas Anderson <dianders@chromium.org>
Subject: Re: [PATCH] loadpin: Prevent SECURITY_LOADPIN_ENFORCE=y without module decompression
Date: Sat, 18 May 2024 13:47:14 -0700
Message-ID: <202405181346.901048F98@keescook>
In-Reply-To: <20240514224839.2526112-1-swboyd@chromium.org>
On Tue, May 14, 2024 at 03:48:38PM -0700, Stephen Boyd wrote:
> If modules are built compressed, and LoadPin is enforcing by default, we
> must have in-kernel module decompression enabled (MODULE_DECOMPRESS).
> Modules will fail to load without decompression built into the kernel
> because they'll be blocked by LoadPin. Add a depends on clause to
> prevent this combination.
>
> Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
> Cc: Douglas Anderson <dianders@chromium.org>
> Signed-off-by: Stephen Boyd <swboyd@chromium.org>
> ---
> security/loadpin/Kconfig | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/security/loadpin/Kconfig b/security/loadpin/Kconfig
> index 6724eaba3d36..8c22171088a7 100644
> --- a/security/loadpin/Kconfig
> +++ b/security/loadpin/Kconfig
> @@ -14,6 +14,9 @@ config SECURITY_LOADPIN
> config SECURITY_LOADPIN_ENFORCE
> bool "Enforce LoadPin at boot"
> depends on SECURITY_LOADPIN
> + # Module compression breaks LoadPin unless modules are decompressed in
> + # the kernel.
> + depends on MODULE_COMPRESS_NONE || MODULE_DECOMPRESS
> help
> If selected, LoadPin will enforce pinning at boot. If not
> selected, it can be enabled at boot with the kernel parameter
>
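Review bot: the added `depends on MODULE_COMPRESS_NONE || MODULE_DECOMPRESS` line leaves out the CONFIG_MODULES=n case: both symbols live under module support, so with modules disabled neither is set and SECURITY_LOADPIN_ENFORCE becomes unselectable even though there is no module loading for LoadPin to break. Gating the dependency on modules being enabled, e.g. `depends on !MODULES || MODULE_COMPRESS_NONE || MODULE_DECOMPRESS`, keeps enforcement available for module-less kernels. The two-line comment could also carry the failure mode from the commit message (modules decompressed outside the kernel are blocked by LoadPin) so a reader of the Kconfig sees why the restriction exists.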
I've folded this change in, since loadpin also works in non-module
situations:
diff --git a/security/loadpin/Kconfig b/security/loadpin/Kconfig
index 8c22171088a7..848f8b4a6019 100644
--- a/security/loadpin/Kconfig
+++ b/security/loadpin/Kconfig
@@ -16,7 +16,7 @@ config SECURITY_LOADPIN_ENFORCE
depends on SECURITY_LOADPIN
# Module compression breaks LoadPin unless modules are decompressed in
# the kernel.
- depends on MODULE_COMPRESS_NONE || MODULE_DECOMPRESS
+ depends on !MODULES || (MODULE_COMPRESS_NONE || MODULE_DECOMPRESS)
help
If selected, LoadPin will enforce pinning at boot. If not
selected, it can be enabled at boot with the kernel parameter
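Review bot: the inner parentheses in `depends on !MODULES || (MODULE_COMPRESS_NONE || MODULE_DECOMPRESS)` are redundant, since `||` is associative in Kconfig expressions and `depends on !MODULES || MODULE_COMPRESS_NONE || MODULE_DECOMPRESS` evaluates identically. The comment two lines above still describes only the compression case; a short note that the restriction applies only when module support is built would match the new expression.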
--
Kees Cook