On Mon, 2016-03-28 at 14:14 -0700, Kees Cook wrote: > This LSM enforces that kernel-loaded files (modules, firmware, etc) > must all come from the same filesystem, with the expectation that > such a filesystem is backed by a read-only device such as dm-verity > or CDROM. This allows systems that have a verified and/or unchangeable > filesystem to enforce module and firmware loading restrictions without > needing to sign the files individually.
trivia: > diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c [] > +#define pr_fmt(fmt) "LoadPin: " fmt Using #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt would be a lot more common. Is there some reason the logging messages should be prefixed with "LoadPin: " instead of "loadpin: "?
