[mirror_ubuntu-jammy-kernel.git] / security / lockdown / Kconfig

config SECURITY_LOCKDOWN_LSM
	bool "Basic module for enforcing kernel lockdown"
	depends on SECURITY
	select MODULE_SIG if MODULES
	help
	  Build support for an LSM that enforces a coarse kernel lockdown
	  behaviour.

config SECURITY_LOCKDOWN_LSM_EARLY
	bool "Enable lockdown LSM early in init"
	depends on SECURITY_LOCKDOWN_LSM
	help
	  Enable the lockdown LSM early in boot. This is necessary in order
	  to ensure that lockdown enforcement can be carried out on kernel
	  boot parameters that are otherwise parsed before the security
	  subsystem is fully initialised. If enabled, lockdown will
	  unconditionally be called before any other LSMs.

config LOCK_DOWN_IN_SECURE_BOOT
	bool "Lock down the kernel in Secure Boot mode"
	default n
	depends on (EFI || S390 || PPC) && SECURITY_LOCKDOWN_LSM_EARLY
	help
	  Secure Boot provides a mechanism for ensuring that the firmware will
	  only load signed bootloaders and kernels.  Secure boot mode
	  determination is platform-specific; examples include EFI secure boot
	  and SIPL on s390.

	  Enabling this option results in kernel lockdown being triggered if
	  booted under secure boot.

choice
	prompt "Kernel default lockdown mode"
	default LOCK_DOWN_KERNEL_FORCE_NONE
	depends on SECURITY_LOCKDOWN_LSM
	help
	  The kernel can be configured to default to differing levels of
	  lockdown.

config LOCK_DOWN_KERNEL_FORCE_NONE
	bool "None"
	help
	  No lockdown functionality is enabled by default. Lockdown may be
	  enabled via the kernel commandline or /sys/kernel/security/lockdown.

config LOCK_DOWN_KERNEL_FORCE_INTEGRITY
	bool "Integrity"
	help
	 The kernel runs in integrity mode by default. Features that allow
	 the kernel to be modified at runtime are disabled.

config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
	bool "Confidentiality"
	help
	 The kernel runs in confidentiality mode by default. Features that
	 allow the kernel to be modified at runtime or that permit userland
	 code to read confidential material held inside the kernel are
	 disabled.

endchoice
Commit	Line	Data
000d388e MG	1	config SECURITY_LOCKDOWN_LSM
	2	bool "Basic module for enforcing kernel lockdown"
	3	depends on SECURITY
49fcf732	4	select MODULE_SIG if MODULES
000d388e MG	5	help
	6	Build support for an LSM that enforces a coarse kernel lockdown
	7	behaviour.
	8
	9	config SECURITY_LOCKDOWN_LSM_EARLY
	10	bool "Enable lockdown LSM early in init"
	11	depends on SECURITY_LOCKDOWN_LSM
	12	help
	13	Enable the lockdown LSM early in boot. This is necessary in order
	14	to ensure that lockdown enforcement can be carried out on kernel
	15	boot parameters that are otherwise parsed before the security
	16	subsystem is fully initialised. If enabled, lockdown will
	17	unconditionally be called before any other LSMs.
	18
01f96e4a SF	19	config LOCK_DOWN_IN_SECURE_BOOT
01f96e4a SF	20	bool "Lock down the kernel in Secure Boot mode"
438296a5	21	default n
59a69f24	22	depends on (EFI \|\| S390 \|\| PPC) && SECURITY_LOCKDOWN_LSM_EARLY
438296a5	23	help
01f96e4a SF	24	Secure Boot provides a mechanism for ensuring that the firmware will
	25	only load signed bootloaders and kernels. Secure boot mode
	26	determination is platform-specific; examples include EFI secure boot
	27	and SIPL on s390.
438296a5 DH	28
438296a5 DH	29	Enabling this option results in kernel lockdown being triggered if
01f96e4a	30	booted under secure boot.
438296a5	31
000d388e MG	32	choice
	33	prompt "Kernel default lockdown mode"
	34	default LOCK_DOWN_KERNEL_FORCE_NONE
	35	depends on SECURITY_LOCKDOWN_LSM
	36	help
	37	The kernel can be configured to default to differing levels of
	38	lockdown.
	39
	40	config LOCK_DOWN_KERNEL_FORCE_NONE
	41	bool "None"
	42	help
	43	No lockdown functionality is enabled by default. Lockdown may be
	44	enabled via the kernel commandline or /sys/kernel/security/lockdown.
	45
	46	config LOCK_DOWN_KERNEL_FORCE_INTEGRITY
	47	bool "Integrity"
	48	help
	49	The kernel runs in integrity mode by default. Features that allow
	50	the kernel to be modified at runtime are disabled.
	51
	52	config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
	53	bool "Confidentiality"
	54	help
	55	The kernel runs in confidentiality mode by default. Features that
	56	allow the kernel to be modified at runtime or that permit userland
	57	code to read confidential material held inside the kernel are
	58	disabled.
	59
	60	endchoice