On Tue, Apr 29, 2025 at 9:04 AM Thomas Weißschuh <li...@weissschuh.net> wrote: > > The new hash-based module integrity checking will also be able to > satisfy the requirements of lockdown. > Such an alternative is not representable with "select", so use > "depends on" instead. > > Signed-off-by: Thomas Weißschuh <li...@weissschuh.net> > --- > security/lockdown/Kconfig | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-)
I'm hopeful that we will see notice about dedicated Lockdown maintainers soon, but in the meantime this looks okay to me. Acked-by: Paul Moore <p...@paul-moore.com> > diff --git a/security/lockdown/Kconfig b/security/lockdown/Kconfig > index > e84ddf48401010bcc0829a32db58e6f12bfdedcb..155959205b8eac2c85897a8c4c8b7ec471156706 > 100644 > --- a/security/lockdown/Kconfig > +++ b/security/lockdown/Kconfig > @@ -1,7 +1,7 @@ > config SECURITY_LOCKDOWN_LSM > bool "Basic module for enforcing kernel lockdown" > depends on SECURITY > - select MODULE_SIG if MODULES > + depends on !MODULES || MODULE_SIG > help > Build support for an LSM that enforces a coarse kernel lockdown > behaviour. > > -- > 2.49.0 -- paul-moore.com
