From: sashiko-bot@kernel.org
To: "Thomas Weißschuh" <linux@weissschuh.net>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH v5 02/14] lockdown: Make the relationship to MODULE_SIG a dependency
Date: Tue, 05 May 2026 09:32:29 +0000 [thread overview]
Message-ID: <20260505093229.D8CD2C2BCB4@smtp.kernel.org> (raw)
In-Reply-To: <20260505-module-hashes-v5-2-e174a5a49fce@weissschuh.net>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Replacing `select` with `depends on` silently disables Kernel Lockdown (`CONFIG_SECURITY_LOCKDOWN_LSM`) in existing defconfigs.
--
commit fc97135b538c64bfcbf058cc70c9665d00e5bb18
Author: Thomas Weißschuh <linux@weissschuh.net>
lockdown: Make the relationship to MODULE_SIG a dependency
This commit changes the relationship between SECURITY_LOCKDOWN_LSM and
MODULE_SIG from a select to a depends on. This is intended to allow for
future hash-based module integrity checking alternatives.
> diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
> index e84ddf4840101..155959205b8ea 100644
> --- a/security/lockdown/Kconfig
> +++ b/security/lockdown/Kconfig
> @@ -1,7 +1,7 @@
> config SECURITY_LOCKDOWN_LSM
> bool "Basic module for enforcing kernel lockdown"
> depends on SECURITY
> - select MODULE_SIG if MODULES
> + depends on !MODULES || MODULE_SIG
Will this change silently disable CONFIG_SECURITY_LOCKDOWN_LSM in existing
defconfigs?
Because Kconfig's savedefconfig strips out automatically selected symbols,
many in-tree defconfigs contain CONFIG_SECURITY_LOCKDOWN_LSM=y but omit
CONFIG_MODULE_SIG=y. Since CONFIG_MODULE_SIG has no default y, it will
initialize to n.
With CONFIG_MODULES=y and CONFIG_MODULE_SIG=n, this new dependency evaluates
to n. As a result, Kconfig will drop CONFIG_SECURITY_LOCKDOWN_LSM from the
final configuration without any warnings, leaving the kernel unprotected by
lockdown. This also degrades discoverability, hiding the Lockdown LSM in
menuconfig unless a user explicitly enables MODULE_SIG first.
Could this be handled with a conditional select instead to avoid breaking
existing configurations while still supporting the upcoming MODULE_HASHES
feature? For example:
select MODULE_SIG if MODULES && !MODULE_HASHES
> help
> Build support for an LSM that enforces a coarse kernel lockdown
> behaviour.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net?part=2
next prev parent reply other threads:[~2026-05-05 9:32 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-05 9:05 [PATCH v5 00/14] module: Introduce hash-based integrity checking Thomas Weißschuh
2026-05-05 9:05 ` [PATCH v5 01/14] kbuild: generate module BTF based on vmlinux.unstripped Thomas Weißschuh
2026-05-05 9:05 ` [PATCH v5 02/14] lockdown: Make the relationship to MODULE_SIG a dependency Thomas Weißschuh
2026-05-05 9:32 ` sashiko-bot [this message]
2026-05-05 12:27 ` Nicolas Bouchinet
2026-05-05 9:05 ` [PATCH v5 03/14] kbuild: rename the strip_relocs command Thomas Weißschuh
2026-05-05 9:05 ` [PATCH v5 04/14] module: Drop pointless debugging message Thomas Weißschuh
2026-05-05 9:05 ` [PATCH v5 05/14] module: Make mod_verify_sig() static Thomas Weißschuh
2026-05-05 9:05 ` [PATCH v5 06/14] module: Switch load_info::len to size_t Thomas Weißschuh
2026-05-26 9:47 ` Petr Pavlu
2026-05-26 11:35 ` Thomas Weißschuh
2026-05-05 9:05 ` [PATCH v5 07/14] module: Make module authentication usable without MODULE_SIG Thomas Weißschuh
2026-05-05 9:40 ` sashiko-bot
2026-05-26 10:53 ` Petr Pavlu
2026-05-26 11:38 ` Thomas Weißschuh
2026-05-26 12:27 ` kpcyrd
2026-05-05 9:05 ` [PATCH v5 08/14] module: Move authentication logic into dedicated new file Thomas Weißschuh
2026-05-26 11:58 ` Petr Pavlu
2026-05-05 9:05 ` [PATCH v5 09/14] module: Move signature type check out of mod_check_sig() Thomas Weißschuh
2026-05-26 13:03 ` Petr Pavlu
2026-05-05 9:05 ` [PATCH v5 10/14] module: Prepare for additional module authentication mechanisms Thomas Weißschuh
2026-05-26 13:14 ` Petr Pavlu
2026-05-05 9:05 ` [PATCH v5 11/14] module: update timestamp of modules.order after modules are built Thomas Weißschuh
2026-05-05 9:41 ` sashiko-bot
2026-05-05 9:05 ` [PATCH v5 12/14] module: Introduce hash-based integrity checking Thomas Weißschuh
2026-05-05 9:49 ` sashiko-bot
2026-05-05 9:05 ` [PATCH v5 13/14] kbuild: move handling of module stripping to Makefile.lib Thomas Weißschuh
2026-05-05 9:35 ` sashiko-bot
2026-05-05 9:05 ` [PATCH v5 14/14] kbuild: make CONFIG_MODULE_HASHES compatible with module stripping Thomas Weißschuh
2026-05-05 10:04 ` sashiko-bot
2026-05-18 21:55 ` [PATCH v5 00/14] module: Introduce hash-based integrity checking Sami Tolvanen
2026-05-19 18:19 ` Thomas Weißschuh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260505093229.D8CD2C2BCB4@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=linux@weissschuh.net \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.