On Thu, Aug 8, 2019 at 3:01 AM Jessica Yu <jeyu@xxxxxxxxxx> wrote:
> If you're confident that a hard dependency is not the right approach,
> then perhaps we could add a comment in the Kconfig (You could take a
> look at the comment under MODULE_SIG_ALL in init/Kconfig for an
> example)? If someone is configuring the kernel on their own then it'd
> be nice to let them know, otherwise having a lockdown kernel without
> module signatures would defeat the purpose of lockdown no? :-)

James, what would your preference be here? Jessica is right that not
having CONFIG_MODULE_SIG enabled means lockdown probably doesn't work
as expected, but tying it to the lockdown LSM seems inappropriate when
another LSM could be providing lockdown policy and run into the same
issue. Should this just be mentioned in the CONFIG_MODULE_SIG Kconfig
help?