63 lines
2.1 KiB
Plaintext
63 lines
2.1 KiB
Plaintext
config SECURITY_LOCKDOWN_LSM
|
|
bool "Basic module for enforcing kernel lockdown"
|
|
depends on SECURITY
|
|
select MODULE_SIG if MODULES
|
|
help
|
|
Build support for an LSM that enforces a coarse kernel lockdown
|
|
behaviour.
|
|
|
|
config SECURITY_LOCKDOWN_LSM_EARLY
|
|
bool "Enable lockdown LSM early in init"
|
|
depends on SECURITY_LOCKDOWN_LSM
|
|
help
|
|
Enable the lockdown LSM early in boot. This is necessary in order
|
|
to ensure that lockdown enforcement can be carried out on kernel
|
|
boot parameters that are otherwise parsed before the security
|
|
subsystem is fully initialised. If enabled, lockdown will
|
|
unconditionally be called before any other LSMs.
|
|
|
|
choice
|
|
prompt "Kernel default lockdown mode"
|
|
default LOCK_DOWN_KERNEL_FORCE_NONE
|
|
depends on SECURITY_LOCKDOWN_LSM
|
|
help
|
|
The kernel can be configured to default to differing levels of
|
|
lockdown.
|
|
|
|
config LOCK_DOWN_KERNEL_FORCE_NONE
|
|
bool "None"
|
|
help
|
|
No lockdown functionality is enabled by default. Lockdown may be
|
|
enabled via the kernel commandline or /sys/kernel/security/lockdown.
|
|
|
|
config LOCK_DOWN_KERNEL_FORCE_INTEGRITY
|
|
bool "Integrity"
|
|
help
|
|
The kernel runs in integrity mode by default. Features that allow
|
|
the kernel to be modified at runtime are disabled.
|
|
|
|
config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
|
|
bool "Confidentiality"
|
|
help
|
|
The kernel runs in confidentiality mode by default. Features that
|
|
allow the kernel to be modified at runtime or that permit userland
|
|
code to read confidential material held inside the kernel are
|
|
disabled.
|
|
|
|
endchoice
|
|
|
|
config LOCK_DOWN_IN_EFI_SECURE_BOOT
|
|
bool "Lock down the kernel in EFI Secure Boot mode"
|
|
default n
|
|
depends on SECURITY_LOCKDOWN_LSM
|
|
depends on EFI
|
|
select SECURITY_LOCKDOWN_LSM_EARLY
|
|
help
|
|
UEFI Secure Boot provides a mechanism for ensuring that the firmware
|
|
will only load signed bootloaders and kernels. Secure boot mode may
|
|
be determined from EFI variables provided by the system firmware if
|
|
not indicated by the boot parameters.
|
|
|
|
Enabling this option results in kernel lockdown being
|
|
triggered in confidentiality mode if EFI Secure Boot is set.
|