17 May, 2016
1 commit
-
Instead of being enabled by default when SECURITY_LOADPIN is selected,
provide an additional (default off) config to determine the boot time
behavior. As before, the "loadpin.enabled=0/1" kernel parameter remains
available.Suggested-by: James Morris
Signed-off-by: Kees Cook
Signed-off-by: James Morris
21 Apr, 2016
1 commit
-
This LSM enforces that kernel-loaded files (modules, firmware, etc)
must all come from the same filesystem, with the expectation that
such a filesystem is backed by a read-only device such as dm-verity
or CDROM. This allows systems that have a verified and/or unchangeable
filesystem to enforce module and firmware loading restrictions without
needing to sign the files individually.Signed-off-by: Kees Cook
Acked-by: Serge Hallyn
Signed-off-by: James Morris