From: sashiko-bot@kernel.org
To: "Thomas Weißschuh" <linux@weissschuh.net>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH v5 02/14] lockdown: Make the relationship to MODULE_SIG a dependency
Date: Tue, 05 May 2026 09:32:29 +0000 [thread overview]
Message-ID: <20260505093229.D8CD2C2BCB4@smtp.kernel.org> (raw)
In-Reply-To: <20260505-module-hashes-v5-2-e174a5a49fce@weissschuh.net>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Replacing `select` with `depends on` silently disables Kernel Lockdown (`CONFIG_SECURITY_LOCKDOWN_LSM`) in existing defconfigs.
--
commit fc97135b538c64bfcbf058cc70c9665d00e5bb18
Author: Thomas Weißschuh <linux@weissschuh.net>
lockdown: Make the relationship to MODULE_SIG a dependency
This commit changes the relationship between SECURITY_LOCKDOWN_LSM and
MODULE_SIG from a select to a depends on. This is intended to allow for
future hash-based module integrity checking alternatives.
> diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig
> index e84ddf4840101..155959205b8ea 100644
> --- a/security/lockdown/Kconfig
> +++ b/security/lockdown/Kconfig
> @@ -1,7 +1,7 @@
> config SECURITY_LOCKDOWN_LSM
> bool "Basic module for enforcing kernel lockdown"
> depends on SECURITY
> - select MODULE_SIG if MODULES
> + depends on !MODULES || MODULE_SIG
Will this change silently disable CONFIG_SECURITY_LOCKDOWN_LSM in existing
defconfigs?
Because Kconfig's savedefconfig strips out automatically selected symbols,
many in-tree defconfigs contain CONFIG_SECURITY_LOCKDOWN_LSM=y but omit
CONFIG_MODULE_SIG=y. Since CONFIG_MODULE_SIG has no default y, it will
initialize to n.
With CONFIG_MODULES=y and CONFIG_MODULE_SIG=n, this new dependency evaluates
to n. As a result, Kconfig will drop CONFIG_SECURITY_LOCKDOWN_LSM from the
final configuration without any warnings, leaving the kernel unprotected by
lockdown. This also degrades discoverability, hiding the Lockdown LSM in
menuconfig unless a user explicitly enables MODULE_SIG first.
Could this be handled with a conditional select instead to avoid breaking
existing configurations while still supporting the upcoming MODULE_HASHES
feature? For example:
select MODULE_SIG if MODULES && !MODULE_HASHES
> help
> Build support for an LSM that enforces a coarse kernel lockdown
> behaviour.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260505-module-hashes-v5-0-e174a5a49fce@weissschuh.net?part=2
next prev parent reply other threads:[~2026-05-05 9:32 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-05 9:05 [PATCH v5 00/14] module: Introduce hash-based integrity checking Thomas Weißschuh
2026-05-05 9:05 ` [PATCH v5 01/14] kbuild: generate module BTF based on vmlinux.unstripped Thomas Weißschuh
2026-05-05 9:05 ` [PATCH v5 02/14] lockdown: Make the relationship to MODULE_SIG a dependency Thomas Weißschuh
2026-05-05 9:32 ` sashiko-bot [this message]
2026-05-05 12:27 ` Nicolas Bouchinet
2026-05-05 9:05 ` [PATCH v5 03/14] kbuild: rename the strip_relocs command Thomas Weißschuh
2026-05-05 9:05 ` [PATCH v5 04/14] module: Drop pointless debugging message Thomas Weißschuh
2026-05-05 9:05 ` [PATCH v5 05/14] module: Make mod_verify_sig() static Thomas Weißschuh
2026-05-05 9:05 ` [PATCH v5 06/14] module: Switch load_info::len to size_t Thomas Weißschuh
2026-05-05 9:05 ` [PATCH v5 07/14] module: Make module authentication usable without MODULE_SIG Thomas Weißschuh
2026-05-05 9:40 ` sashiko-bot
2026-05-05 9:05 ` [PATCH v5 08/14] module: Move authentication logic into dedicated new file Thomas Weißschuh
2026-05-05 9:05 ` [PATCH v5 09/14] module: Move signature type check out of mod_check_sig() Thomas Weißschuh
2026-05-05 9:05 ` [PATCH v5 10/14] module: Prepare for additional module authentication mechanisms Thomas Weißschuh
2026-05-05 9:05 ` [PATCH v5 11/14] module: update timestamp of modules.order after modules are built Thomas Weißschuh
2026-05-05 9:41 ` sashiko-bot
2026-05-05 9:05 ` [PATCH v5 12/14] module: Introduce hash-based integrity checking Thomas Weißschuh
2026-05-05 9:49 ` sashiko-bot
2026-05-05 9:05 ` [PATCH v5 13/14] kbuild: move handling of module stripping to Makefile.lib Thomas Weißschuh
2026-05-05 9:35 ` sashiko-bot
2026-05-05 9:05 ` [PATCH v5 14/14] kbuild: make CONFIG_MODULE_HASHES compatible with module stripping Thomas Weißschuh
2026-05-05 10:04 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260505093229.D8CD2C2BCB4@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=linux@weissschuh.net \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox