Changes in Kconfig en Copyright 2015 Java 49fcf732 - lockdown: Enforce module signatures if the kernel is locked down http://172.16.0.5:8080/history/linux-6.15/security/lockdown/Kconfig#49fcf732 lockdown: Enforce module signatures if the kernel is locked downIf the kernel is locked down, require that all modules have validsignatures that we can verify.I have adjusted the errors generated: (1) If there's no signature (ENODATA) or we can't check it (ENOPKG, ENOKEY), then: (a) If signatures are enforced then EKEYREJECTED is returned. (b) If there's no signature or we can't check it, but the kernel is locked down then EPERM is returned (this is then consistent with other lockdown cases). (2) If the signature is unparseable (EBADMSG, EINVAL), the signature fails the check (EKEYREJECTED) or a system error occurs (eg. ENOMEM), we return the error we got.Note that the X.509 code doesn't check for key expiry as the RTC might notbe valid or might not have been transferred to the kernel's clock yet. [Modified by Matthew Garrett to remove the IMA integration. This will be replaced with integration with the IMA architecture policy patchset.]Signed-off-by: David Howells <dhowells@redhat.com>Signed-off-by: Matthew Garrett <matthewgarrett@google.com>Reviewed-by: Kees Cook <keescook@chromium.org>Cc: Jessica Yu <jeyu@kernel.org>Signed-off-by: James Morris <jmorris@namei.org> List of files: /linux-6.15/security/lockdown/Kconfig Tue, 20 Aug 2019 00:17:40 +0000 David Howells <dhowells@redhat.com> 000d388e - security: Add a static lockdown policy LSM http://172.16.0.5:8080/history/linux-6.15/security/lockdown/Kconfig#000d388e security: Add a static lockdown policy LSMWhile existing LSMs can be extended to handle lockdown policy,distributions generally want to be able to apply a straightforwardstatic policy. This patch adds a simple LSM that can be configured toreject either integrity or all lockdown queries, and can be configuredat runtime (through securityfs), boot time (via a kernel parameter) orbuild time (via a kconfig option). Based on initial code by DavidHowells.Signed-off-by: Matthew Garrett <mjg59@google.com>Reviewed-by: Kees Cook <keescook@chromium.org>Cc: David Howells <dhowells@redhat.com>Signed-off-by: James Morris <jmorris@namei.org> List of files: /linux-6.15/security/lockdown/Kconfig Tue, 20 Aug 2019 00:17:39 +0000 Matthew Garrett <matthewgarrett@google.com>