Hello,

> On 21 Mar 2022, at 17:15, Arne Fitzenreiter wrote:
>
> To my knowledge enforce loadpin is incompatible with initramfs.
> https://lwn.net/Articles/682302/

I cannot find that being mentioned in this article. And I am not sure whether the initramdisk counts as its own file system.

> Also we have some older installations that have a separate /var partition and /lib/firmware was moved to /var/lib/firmware
> so I think we cannot apply this!

The firmware currently is in /lib/firmware and since we now have a way to compress it, there is no need to move it any more. That should allow us to enable this switch.

Best,
-Michael

> Arne
>
>
> On 2022-03-19 22:09, Peter Müller wrote:
>> This can be safely enabled on IPFire, as we never swap filesystems
>> during runtime.
>> Fixes: #12432
>> Signed-off-by: Peter Müller
>> --- >> config/kernel/kernel.config.aarch64-ipfire | 3 ++- >> config/kernel/kernel.config.armv6l-ipfire | 3 ++- >> config/kernel/kernel.config.riscv64-ipfire | 3 ++- >> config/kernel/kernel.config.x86_64-ipfire | 3 ++- >> 4 files changed, 8 insertions(+), 4 deletions(-) >> diff --git a/config/kernel/kernel.config.aarch64-ipfire >> b/config/kernel/kernel.config.aarch64-ipfire >> index 35c249253..d9179c061 100644 >> --- a/config/kernel/kernel.config.aarch64-ipfire >> +++ b/config/kernel/kernel.config.aarch64-ipfire >> @@ -7555,7 +7555,8 @@ CONFIG_FORTIFY_SOURCE=y >> # CONFIG_SECURITY_SMACK is not set >> # CONFIG_SECURITY_TOMOYO is not set >> # CONFIG_SECURITY_APPARMOR is not set >> -# CONFIG_SECURITY_LOADPIN is not set >> +CONFIG_SECURITY_LOADPIN=y >> +CONFIG_SECURITY_LOADPIN_ENFORCE=y >> # CONFIG_SECURITY_YAMA is not set >> # CONFIG_SECURITY_SAFESETID is not set >> # CONFIG_SECURITY_LOCKDOWN_LSM is not set >> diff --git a/config/kernel/kernel.config.armv6l-ipfire >> b/config/kernel/kernel.config.armv6l-ipfire >> index 5b4ff8e20..522278160 100644 >> --- a/config/kernel/kernel.config.armv6l-ipfire >> +++ b/config/kernel/kernel.config.armv6l-ipfire 
>> @@ -7559,7 +7559,8 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y >> # CONFIG_SECURITY_SMACK is not set >> # CONFIG_SECURITY_TOMOYO is not set >> # CONFIG_SECURITY_APPARMOR is not set >> -# CONFIG_SECURITY_LOADPIN is not set >> +CONFIG_SECURITY_LOADPIN=y >> +CONFIG_SECURITY_LOADPIN_ENFORCE=y >> # CONFIG_SECURITY_YAMA is not set >> # CONFIG_SECURITY_SAFESETID is not set >> # CONFIG_SECURITY_LOCKDOWN_LSM is not set >> diff --git a/config/kernel/kernel.config.riscv64-ipfire >> b/config/kernel/kernel.config.riscv64-ipfire >> index d4c0e0451..ebb830eb7 100644 >> --- a/config/kernel/kernel.config.riscv64-ipfire >> +++ b/config/kernel/kernel.config.riscv64-ipfire >> @@ -6192,7 +6192,8 @@ CONFIG_FORTIFY_SOURCE=y >> # CONFIG_SECURITY_SMACK is not set >> # CONFIG_SECURITY_TOMOYO is not set >> # CONFIG_SECURITY_APPARMOR is not set >> -# CONFIG_SECURITY_LOADPIN is not set >> +CONFIG_SECURITY_LOADPIN=y >> +CONFIG_SECURITY_LOADPIN_ENFORCE=y >> # CONFIG_SECURITY_YAMA is not set >> # CONFIG_SECURITY_SAFESETID is not set >> # CONFIG_SECURITY_LOCKDOWN_LSM is not set >> diff --git a/config/kernel/kernel.config.x86_64-ipfire >> b/config/kernel/kernel.config.x86_64-ipfire >> index 8b525ef89..675c3ce1e 100644 >> --- a/config/kernel/kernel.config.x86_64-ipfire >> +++ b/config/kernel/kernel.config.x86_64-ipfire >> @@ -6968,7 +6968,8 @@ CONFIG_FORTIFY_SOURCE=y >> # CONFIG_SECURITY_SMACK is not set >> # CONFIG_SECURITY_TOMOYO is not set >> # CONFIG_SECURITY_APPARMOR is not set >> -# CONFIG_SECURITY_LOADPIN is not set >> +CONFIG_SECURITY_LOADPIN=y >> +CONFIG_SECURITY_LOADPIN_ENFORCE=y >> # CONFIG_SECURITY_YAMA is not set >> # CONFIG_SECURITY_SAFESETID is not set >> # CONFIG_SECURITY_LOCKDOWN_LSM is not set
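
Review bot: The `+CONFIG_SECURITY_LOADPIN_ENFORCE=y` line in each of the four hunks turns on enforcement in the same step as `+CONFIG_SECURITY_LOADPIN=y`, while the commit message only argues that filesystems are never swapped at runtime and does not say which filesystem the first module or firmware load comes from (initramfs versus root, or a relocated firmware directory). Please state that in the commit message, or land `CONFIG_SECURITY_LOADPIN=y` alone first so that loads from a second filesystem are only reported, and add the ENFORCE line in a follow-up once the logs are clean. None of the hunks touches `CONFIG_LSM`, so also confirm that `loadpin` is in that list in all four configs; otherwise the LSM is built in but not active.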
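
The concern raised in the thread (a firmware directory relocated to a separate /var partition while LoadPin only accepts kernel files from one filesystem) can be checked on an installed system before enforcement is switched on. The following is an added example, not part of the original messages or of IPFire's code; the default paths and all function names are assumptions, and comparing `st_dev` only approximates the kernel's per-filesystem pinning.

```python
#!/usr/bin/env python3
"""Pre-flight check: do module and firmware directories share one filesystem?"""
import os
import sys
from collections import defaultdict

# Assumed default locations for this example; pass other paths as arguments.
DEFAULT_PATHS = ["/lib/modules", "/lib/firmware"]


def group_by_filesystem(paths, stat=os.stat, realpath=os.path.realpath):
    """Return {device id: [(path, resolved path), ...]}, following symlinks."""
    groups = defaultdict(list)
    for path in paths:
        resolved = realpath(path)        # e.g. /lib/firmware -> /var/lib/firmware
        try:
            dev = stat(resolved).st_dev  # device id of the filesystem holding it
        except FileNotFoundError:
            continue                     # nothing can be loaded from a missing dir
        groups[dev].append((path, resolved))
    return dict(groups)


def loadpin_safe(paths, **kw):
    """True when every existing path sits on a single filesystem."""
    return len(group_by_filesystem(paths, **kw)) <= 1


def main(argv):
    paths = argv[1:] or DEFAULT_PATHS
    groups = group_by_filesystem(paths)
    for dev, members in sorted(groups.items()):
        for path, resolved in members:
            print(f"dev {os.major(dev)}:{os.minor(dev)}  {path} -> {resolved}")
    if len(groups) > 1:
        print("WARNING: kernel files span several filesystems; "
              "enforcing LoadPin would reject loads from all but the first used")
        return 1
    print("OK: all checked paths are on one filesystem")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The check sees only the running root filesystem, so modules loaded earlier from an initramfs are outside its view.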