config SECURITY_LOCKDOWN_LSM
	bool "Basic module for enforcing kernel lockdown"
	depends on SECURITY
	select MODULE_SIG if MODULES
	help
	  Build support for an LSM that enforces a coarse kernel lockdown
	  behaviour.

config SECURITY_LOCKDOWN_LSM_EARLY
	bool "Enable lockdown LSM early in init"
	depends on SECURITY_LOCKDOWN_LSM
	help
	  Enable the lockdown LSM early in boot. This is necessary in order
	  to ensure that lockdown enforcement can be carried out on kernel
	  boot parameters that are otherwise parsed before the security
	  subsystem is fully initialised. If enabled, lockdown will
	  unconditionally be called before any other LSMs.

choice
	prompt "Kernel default lockdown mode"
	default LOCK_DOWN_KERNEL_FORCE_NONE
	depends on SECURITY_LOCKDOWN_LSM
	help
	  The kernel can be configured to default to differing levels of
	  lockdown.

config LOCK_DOWN_KERNEL_FORCE_NONE
	bool "None"
	help
	  No lockdown functionality is enabled by default. Lockdown may be
	  enabled via the kernel commandline or /sys/kernel/security/lockdown.

config LOCK_DOWN_KERNEL_FORCE_INTEGRITY
	bool "Integrity"
	help
	  The kernel runs in integrity mode by default. Features that allow
	  the kernel to be modified at runtime are disabled.

config LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
	bool "Confidentiality"
	help
	  The kernel runs in confidentiality mode by default. Features that
	  allow the kernel to be modified at runtime or that permit userland
	  code to read confidential material held inside the kernel are
	  disabled.

endchoice
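
# Added example, not part of the kernel source: a build-config audit that reads a kernel .config and reports which default lockdown mode the options above select, and what the help texts say is left uncovered.
# The function names, finding wording and the two sample .config fragments are constructed for this example.

```python
import re

# Choice symbols from the Kconfig above, mapped to the mode each one selects.
MODES = {
    "LOCK_DOWN_KERNEL_FORCE_NONE": "none",
    "LOCK_DOWN_KERNEL_FORCE_INTEGRITY": "integrity",
    "LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY": "confidentiality",
}

def enabled_symbols(config_text):
    """Return the set of symbols set to y in a kernel .config."""
    return set(re.findall(r"^CONFIG_(\w+)=y$", config_text, re.MULTILINE))

def audit_lockdown(config_text):
    """Return (default_mode, findings) for the lockdown options."""
    on = enabled_symbols(config_text)
    if "SECURITY_LOCKDOWN_LSM" not in on:
        return None, ["SECURITY_LOCKDOWN_LSM is not built: lockdown unavailable"]
    findings = []
    if "SECURITY_LOCKDOWN_LSM_EARLY" not in on:
        findings.append("SECURITY_LOCKDOWN_LSM_EARLY is off: boot parameters "
                        "parsed before LSM init are not covered by lockdown")
    chosen = [mode for sym, mode in MODES.items() if sym in on]
    if len(chosen) != 1:
        # A choice block sets exactly one option; anything else is a bad file.
        findings.append("expected exactly one LOCK_DOWN_KERNEL_FORCE_* option")
        return None, findings
    if chosen[0] == "none":
        findings.append("default mode is none: lockdown applies only if enabled "
                        "via the command line or /sys/kernel/security/lockdown")
    return chosen[0], findings

# Constructed sample fragments (not taken from any real distribution).
HARDENED = """\
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set
"""
WEAK = """\
CONFIG_SECURITY_LOCKDOWN_LSM=y
# CONFIG_SECURITY_LOCKDOWN_LSM_EARLY is not set
CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
"""

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_lockdown(text))
```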