[PATCH] loadpin: Prevent SECURITY_LOADPIN_ENFORCE=y without module decompression

[Kees Cook]

On Tue, May 14, 2024 at 03:48:38PM -0700, Stephen Boyd wrote:
> If modules are built compressed, and LoadPin is enforcing by default, we
> must have in-kernel module decompression enabled (MODULE_DECOMPRESS).
> Modules will fail to load without decompression built into the kernel
> because they'll be blocked by LoadPin. Add a depends on clause to
> prevent this combination.
> 
> Cc: Dmitry Torokhov <dmitry.torokhov at gmail.com>
> Cc: Douglas Anderson <dianders at chromium.org>
> Signed-off-by: Stephen Boyd <swboyd at chromium.org>
> ---
>  security/loadpin/Kconfig | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/security/loadpin/Kconfig b/security/loadpin/Kconfig
> index 6724eaba3d36..8c22171088a7 100644
> --- a/security/loadpin/Kconfig
> +++ b/security/loadpin/Kconfig
> @@ -14,6 +14,9 @@ config SECURITY_LOADPIN
>  config SECURITY_LOADPIN_ENFORCE
>  	bool "Enforce LoadPin at boot"
>  	depends on SECURITY_LOADPIN
> +	# Module compression breaks LoadPin unless modules are decompressed in
> +	# the kernel.
> +	depends on MODULE_COMPRESS_NONE || MODULE_DECOMPRESS
>  	help
>  	  If selected, LoadPin will enforce pinning at boot. If not
>  	  selected, it can be enabled at boot with the kernel parameter
> 

I've folded this change in, since loadpin also works in non-module
situations:

diff --git a/security/loadpin/Kconfig b/security/loadpin/Kconfig
index 8c22171088a7..848f8b4a6019 100644
--- a/security/loadpin/Kconfig
+++ b/security/loadpin/Kconfig
@@ -16,7 +16,7 @@ config SECURITY_LOADPIN_ENFORCE
 	depends on SECURITY_LOADPIN
 	# Module compression breaks LoadPin unless modules are decompressed in
 	# the kernel.
-	depends on MODULE_COMPRESS_NONE || MODULE_DECOMPRESS
+	depends on !MODULES || (MODULE_COMPRESS_NONE || MODULE_DECOMPRESS)
 	help
 	  If selected, LoadPin will enforce pinning at boot. If not
 	  selected, it can be enabled at boot with the kernel parameter

-- 
Kees Cook