1 config SECURITY_LOCKDOWN_LSM
2 bool "Basic module for enforcing kernel lockdown"
4 select MODULE_SIG if MODULES
6 Build support for an LSM that enforces a coarse kernel lockdown
9 config SECURITY_LOCKDOWN_LSM_EARLY
10 bool "Enable lockdown LSM early in init"
11 depends on SECURITY_LOCKDOWN_LSM
13 Enable the lockdown LSM early in boot. This is necessary in order
14 to ensure that lockdown enforcement can be carried out on kernel
15 boot parameters that are otherwise parsed before the security
16 subsystem is fully initialised. If enabled, lockdown will
17 unconditionally be called before any other LSMs.
19 config LOCK_DOWN_IN_SECURE_BOOT
20 bool "Lock down the kernel in Secure Boot mode"
22 depends on (EFI || S390 || PPC) && SECURITY_LOCKDOWN_LSM_EARLY
24 Secure Boot provides a mechanism for ensuring that the firmware will
25 only load signed bootloaders and kernels. Secure boot mode
26 determination is platform-specific; examples include EFI secure boot
29 Enabling this option results in kernel lockdown being triggered if
30 booted under secure boot.
33 prompt "Kernel default lockdown mode"
34 default LOCK_DOWN_KERNEL_FORCE_NONE
35 depends on SECURITY_LOCKDOWN_LSM
37 The kernel can be configured to default to differing levels of
40 config LOCK_DOWN_KERNEL_FORCE_NONE
43 No lockdown functionality is enabled by default. Lockdown may be
44 enabled via the kernel commandline or /sys/kernel/security/lockdown.
46 config LOCK_DOWN_KERNEL_FORCE_INTEGRITY
49 The kernel runs in integrity mode by default. Features that allow
50 the kernel to be modified at runtime are disabled.
52 config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
53 bool "Confidentiality"
55 The kernel runs in confidentiality mode by default. Features that
56 allow the kernel to be modified at runtime or that permit userland
57 code to read confidential material held inside the kernel are
projects / mirror_ubuntu-jammy-kernel.git / blob