Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi...

[linux-2.6-microblaze.git] / init / Kconfig

diff --git a/init/Kconfig b/init/Kconfig
index 5712359..b4daad2 100644 (file)
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1963,6 +1963,10 @@ config BASE_SMALL
        default 0 if BASE_FULL
        default 1 if !BASE_FULL
 
+config MODULE_SIG_FORMAT
+       def_bool n
+       select SYSTEM_DATA_VERIFICATION
+
 menuconfig MODULES
        bool "Enable loadable module support"
        option modules
@@ -2047,7 +2051,7 @@ config MODULE_SRCVERSION_ALL
 
 config MODULE_SIG
        bool "Module signature verification"
-       select SYSTEM_DATA_VERIFICATION
+       select MODULE_SIG_FORMAT
        help
          Check modules for valid signatures upon load: the signature
          is simply appended to the module. For more information see
@@ -2057,6 +2061,11 @@ config MODULE_SIG
          kernel build dependency so that the signing tool can use its crypto
          library.
 
+         You should enable this option if you wish to use either
+         CONFIG_SECURITY_LOCKDOWN_LSM or lockdown functionality imposed via
+         another LSM - otherwise unsigned modules will be loadable regardless
+         of the lockdown policy.
+
          !!!WARNING!!!  If you enable this option, you MUST make sure that the
          module DOES NOT get stripped after being signed.  This includes the
          debuginfo strip done by some packagers (such as rpmbuild) and