At my knowledge enforce loadpin is incompatible with initramfs. https://lwn.net/Articles/682302/ Also we have some older installations that have a seperate /var partition and /lib/firmware was moved to /var/lib/firmware so i think we cannot apply this! Arne Am 2022-03-19 22:09, schrieb Peter Müller:
> This can be safely enabled on IPFire, as we never swap filesystems
> during runtime.
>
> Fixes: #12432
>
> Signed-off-by: Peter Müller
> ---
> config/kernel/kernel.config.aarch64-ipfire | 3 ++-
> config/kernel/kernel.config.armv6l-ipfire | 3 ++-
> config/kernel/kernel.config.riscv64-ipfire | 3 ++-
> config/kernel/kernel.config.x86_64-ipfire | 3 ++-
> 4 files changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/config/kernel/kernel.config.aarch64-ipfire
> b/config/kernel/kernel.config.aarch64-ipfire
> index 35c249253..d9179c061 100644
> --- a/config/kernel/kernel.config.aarch64-ipfire
> +++ b/config/kernel/kernel.config.aarch64-ipfire
> @@ -7555,7 +7555,8 @@ CONFIG_FORTIFY_SOURCE=y
> # CONFIG_SECURITY_SMACK is not set
> # CONFIG_SECURITY_TOMOYO is not set
> # CONFIG_SECURITY_APPARMOR is not set
> -# CONFIG_SECURITY_LOADPIN is not set
> +CONFIG_SECURITY_LOADPIN=y
> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
> # CONFIG_SECURITY_YAMA is not set
> # CONFIG_SECURITY_SAFESETID is not set
> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
> diff --git a/config/kernel/kernel.config.armv6l-ipfire
> b/config/kernel/kernel.config.armv6l-ipfire
> index 5b4ff8e20..522278160 100644
> --- a/config/kernel/kernel.config.armv6l-ipfire
> +++ b/config/kernel/kernel.config.armv6l-ipfire
> @@ -7559,7 +7559,8 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y
> # CONFIG_SECURITY_SMACK is not set
> # CONFIG_SECURITY_TOMOYO is not set
> # CONFIG_SECURITY_APPARMOR is not set
> -# CONFIG_SECURITY_LOADPIN is not set
> +CONFIG_SECURITY_LOADPIN=y
> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
> # CONFIG_SECURITY_YAMA is not set
> # CONFIG_SECURITY_SAFESETID is not set
> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
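Review bot: The added `CONFIG_SECURITY_LOADPIN=y` / `CONFIG_SECURITY_LOADPIN_ENFORCE=y` lines only activate the LSM if `loadpin` is also present in the `CONFIG_LSM` list (or an `lsm=` boot parameter), and that option is not visible in this hunk, so it should be confirmed in the aarch64 config and likewise in the armv6l, riscv64 and x86_64 configs that receive the same change. LoadPin is also built around a read-only backing device: when the pinned filesystem sits on a writable block device the kernel allows enforcement to be switched off again through its `kernel.loadpin` sysctl, so the hardening gain is limited where root is writable. The commit message should state which case applies here and what remains protected, for example `# LoadPin: modules/firmware pinned to the first filesystem used; root is writable, so enforcement can be disabled via sysctl`.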
> diff --git a/config/kernel/kernel.config.riscv64-ipfire
> b/config/kernel/kernel.config.riscv64-ipfire
> index d4c0e0451..ebb830eb7 100644
> --- a/config/kernel/kernel.config.riscv64-ipfire
> +++ b/config/kernel/kernel.config.riscv64-ipfire
> @@ -6192,7 +6192,8 @@ CONFIG_FORTIFY_SOURCE=y
> # CONFIG_SECURITY_SMACK is not set
> # CONFIG_SECURITY_TOMOYO is not set
> # CONFIG_SECURITY_APPARMOR is not set
> -# CONFIG_SECURITY_LOADPIN is not set
> +CONFIG_SECURITY_LOADPIN=y
> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
> # CONFIG_SECURITY_YAMA is not set
> # CONFIG_SECURITY_SAFESETID is not set
> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
> diff --git a/config/kernel/kernel.config.x86_64-ipfire
> b/config/kernel/kernel.config.x86_64-ipfire
> index 8b525ef89..675c3ce1e 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -6968,7 +6968,8 @@ CONFIG_FORTIFY_SOURCE=y
> # CONFIG_SECURITY_SMACK is not set
> # CONFIG_SECURITY_TOMOYO is not set
> # CONFIG_SECURITY_APPARMOR is not set
> -# CONFIG_SECURITY_LOADPIN is not set
> +CONFIG_SECURITY_LOADPIN=y
> +CONFIG_SECURITY_LOADPIN_ENFORCE=y
> # CONFIG_SECURITY_YAMA is not set
> # CONFIG_SECURITY_SAFESETID is not set
> # CONFIG_SECURITY_LOCKDOWN_LSM is not set