Bug 12432

Summary:	enable CONFIG_SECURITY_LOADPIN and CONFIG_SECURITY_LOADPIN_ENFORCE
Product:	IPFire	Reporter:	Peter Müller <peter.mueller>
Component:	---	Assignee:	Peter Müller <peter.mueller>
Status:	CLOSED WONTFIX	QA Contact:
Severity:	Security
Priority:	- Unknown -	CC:	peter.mueller
Version:	2
Hardware:	unspecified
OS:	Unspecified
See Also:	https://bugzilla.ipfire.org/show_bug.cgi?id=12430
Bug Depends on:
Bug Blocks:	12361

Description Peter Müller 2020-06-09 18:35:24 UTC

> For every boot, any file read through the kernel file reading interface can
> be pinned to the first filesystem used for loading. If you try to load any
> file that comes from other filesystem will be rejected.

IMHO this can be safely enabled as there is no legitimate reason to swap filesystems on an IPFire machine during runtime.

Comment 1 Peter Müller 2020-06-09 18:39:55 UTC

https://patchwork.ipfire.org/project/ipfire/list/?series=1350

Comment 2 Peter MÃ¼ller 2022-03-21 21:40:28 UTC

https://patchwork.ipfire.org/project/ipfire/patch/867bc7ac-1f22-4f70-5a8c-867f0d020e78@ipfire.org/

Comment 3 Peter MÃ¼ller 2023-03-20 15:20:00 UTC

Closing this, since we probably never be able to turn this on, and since we enforce proper signing of kernel modules already, there is little security benefit in pinning them to the same filesystem.