xref: /openbmc/linux/security/lockdown/Kconfig (revision da60fbe7)
1config SECURITY_LOCKDOWN_LSM
2	bool "Basic module for enforcing kernel lockdown"
3	depends on SECURITY
4	select MODULE_SIG if MODULES
5	help
6	  Build support for an LSM that enforces a coarse kernel lockdown
7	  behaviour.
8
9config SECURITY_LOCKDOWN_LSM_EARLY
10	bool "Enable lockdown LSM early in init"
11	depends on SECURITY_LOCKDOWN_LSM
12	help
13	  Enable the lockdown LSM early in boot. This is necessary in order
14	  to ensure that lockdown enforcement can be carried out on kernel
15	  boot parameters that are otherwise parsed before the security
16	  subsystem is fully initialised. If enabled, lockdown will
17	  unconditionally be called before any other LSMs.
18
19choice
20	prompt "Kernel default lockdown mode"
21	default LOCK_DOWN_KERNEL_FORCE_NONE
22	depends on SECURITY_LOCKDOWN_LSM
23	help
24	  The kernel can be configured to default to differing levels of
25	  lockdown.
26
27config LOCK_DOWN_KERNEL_FORCE_NONE
28	bool "None"
29	help
30	  No lockdown functionality is enabled by default. Lockdown may be
31	  enabled via the kernel commandline or /sys/kernel/security/lockdown.
32
33config LOCK_DOWN_KERNEL_FORCE_INTEGRITY
34	bool "Integrity"
35	help
36	 The kernel runs in integrity mode by default. Features that allow
37	 the kernel to be modified at runtime are disabled.
38
39config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
40	bool "Confidentiality"
41	help
42	 The kernel runs in confidentiality mode by default. Features that
43	 allow the kernel to be modified at runtime or that permit userland
44	 code to read confidential material held inside the kernel are
45	 disabled.
46
47endchoice
48