Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v4.7 2016-05-17T10:10:30Z 2016-05-17T10:10:30Z Kees Cook keescook@chromium.org 2016-05-17T08:45:52Z urn:sha1:b937190c40de0f6f07f592042e3097b16c6b0130 Instead of being enabled by default when SECURITY_LOADPIN is selected, provide an additional (default off) config to determine the boot time behavior. As before, the "loadpin.enabled=0/1" kernel parameter remains available. Suggested-by: James Morris <jmorris@namei.org> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <james.l.morris@oracle.com> 2016-04-21T00:47:27Z Kees Cook keescook@chromium.org 2016-04-20T22:46:28Z urn:sha1:9b091556a073a9f5f93e2ad23d118f45c4796a84 This LSM enforces that kernel-loaded files (modules, firmware, etc) must all come from the same filesystem, with the expectation that such a filesystem is backed by a read-only device such as dm-verity or CDROM. This allows systems that have a verified and/or unchangeable filesystem to enforce module and firmware loading restrictions without needing to sign the files individually. Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: James Morris <james.l.morris@oracle.com>