Searched hist:"579 baeec" (Results 1 – 1 of 1) sorted by relevance
| /openbmc/linux/arch/powerpc/configs/ |
| H A D | skiroot_defconfig | 579baeec Mon Jan 20 22:29:57 CST 2020 Joel Stanley <joel@jms.id.au> powerpc/configs/skiroot: Enable security features
This turns on HARDENED_USERCOPY with HARDENED_USERCOPY_PAGESPAN, and
FORTIFY_SOURCE.
It also enables SECURITY_LOCKDOWN_LSM with _EARLY and
LOCK_DOWN_KERNEL_FORCE_INTEGRITY options enabled. This still allows
xmon to be used in read-only mode.
MODULE_SIG is selected by lockdown, so it is still enabled.
Because we're setting LOCK_DOWN_KERNELFORCE_INTEGRITY=y we also need
to enable KEXEC_FILE=y so that kexec continues to work.
Signed-off-by: Joel Stanley <joel@jms.id.au>
[mpe: Switch to lockdown integrity mode per oohal, enable KEXEC_FILE
as reported by jms]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20200121043000.16212-7-mpe@ellerman.id.au
579baeec Mon Jan 20 22:29:57 CST 2020 Joel Stanley <joel@jms.id.au> powerpc/configs/skiroot: Enable security features
This turns on HARDENED_USERCOPY with HARDENED_USERCOPY_PAGESPAN, and
FORTIFY_SOURCE.
It also enables SECURITY_LOCKDOWN_LSM with _EARLY and
LOCK_DOWN_KERNEL_FORCE_INTEGRITY options enabled. This still allows
xmon to be used in read-only mode.
MODULE_SIG is selected by lockdown, so it is still enabled.
Because we're setting LOCK_DOWN_KERNELFORCE_INTEGRITY=y we also need
to enable KEXEC_FILE=y so that kexec continues to work.
Signed-off-by: Joel Stanley <joel@jms.id.au>
[mpe: Switch to lockdown integrity mode per oohal, enable KEXEC_FILE
as reported by jms]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20200121043000.16212-7-mpe@ellerman.id.au
|