loadpin: Prevent SECURITY_LOADPIN_ENFORCE=y without module decompression

If modules are built compressed, and LoadPin is enforcing by default, we must have in-kernel module decompression enabled (MODULE_DECOMPRESS). Modules will fail to load without decompression built into the kernel because they'll be blocked by LoadPin. Add a depends on clause to prevent this combination. Cc: Dmitry Torokhov <[email protected]> Cc: Douglas Anderson <[email protected]> Signed-off-by: Stephen Boyd <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Kees Cook <[email protected]>
noroot · May 18, 2024 · ce0d73e · ce0d73e
1 parent 6d305cb
commit ce0d73e
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/security/loadpin/Kconfig b/security/loadpin/Kconfig
@@ -14,6 +14,9 @@ config SECURITY_LOADPIN
 config SECURITY_LOADPIN_ENFORCE
 	bool "Enforce LoadPin at boot"
 	depends on SECURITY_LOADPIN
+	# Module compression breaks LoadPin unless modules are decompressed in
+	# the kernel.
+	depends on !MODULES || (MODULE_COMPRESS_NONE || MODULE_DECOMPRESS)
 	help
 	  If selected, LoadPin will enforce pinning at boot. If not
 	  selected, it can be enabled at boot with the kernel parameter