From 2b10c166d0da99f7738fa55e930807b7c3a07fc0 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Tue, 21 Jun 2022 02:25:42 +0200 Subject: Disable SECURITY_LOCKDOWN_LSM and MODULE_SIG where we don't sign code On architectures where we don't sign code: - Activating Lockdown will make it impossible to load in-tree modules. This makes it unusable. - If MODULE_SIG is enabled, loading any unsigned in-tree module will cause the kernel to be tainted, so it is always tainted. This is not helpful. Disable them both by default. (We didn't actually explicitly enable MODULE_SIG by default, but SECURITY_LOCKDOWN_LSM selects it.) Closes: #825141 --- debian/bin/gencontrol.py | 2 +- debian/changelog | 2 ++ debian/config/config | 3 ++- 3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/debian/bin/gencontrol.py b/debian/bin/gencontrol.py
index b62cb400c..0233b01f2 100755
--- a/debian/bin/gencontrol.py
+++ b/debian/bin/gencontrol.py
@@ -619,7 +619,7 @@ class Gencontrol(Base):
 makeflags['KCONFIG'] = ' '.join(kconfig)
 makeflags['KCONFIG_OPTIONS'] = ''
 if build_signed:
- makeflags['KCONFIG_OPTIONS'] += ' -o MODULE_SIG=y'
+ makeflags['KCONFIG_OPTIONS'] += ' -o SECURITY_LOCKDOWN_LSM=y -o MODULE_SIG=y'
 # Add "salt" to fix #872263
 makeflags['KCONFIG_OPTIONS'] += \
 ' -o "BUILD_SALT=\\"%(abiname)s%(localversion)s\\""' % vars
diff --git a/debian/changelog b/debian/changelog
index 243bc2d85..7a3fa30e6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -288,6 +288,8 @@ linux (5.18.8-1) UNRELEASED; urgency=medium * [rt] Update to 5.18-rt11: - Revert "softirq: Check preemption after reenabling interrupts" * Bump ABI to 3 + * Disable SECURITY_LOCKDOWN_LSM and MODULE_SIG where we don't sign code + (Closes: #825141) -- Ben Hutchings Mon, 20 Jun 2022 12:48:13 +0200
diff --git a/debian/config/config b/debian/config/config
index 789074230..ff21002cf 100644
--- a/debian/config/config
+++ b/debian/config/config
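Review bot: The new `-o SECURITY_LOCKDOWN_LSM=y` on the `build_signed` branch of the gencontrol.py hunk enables the LSM for signed builds, but nothing here makes it enforce anything: the config hunk in this same commit keeps `CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y`, and `MODULE_SIG=y` without `MODULE_SIG_FORCE` only taints the kernel when an unsigned module is loaded. Presumably the intent is that a signed build is switched into a lockdown mode at runtime by the boot environment rather than at build time, but that is inferred, so the line deserves a comment saying so: `# Signed builds get the lockdown LSM + module signing support; the default` / `# lockdown mode stays "none" (debian/config/config), so enforcement is a runtime decision.` The commit message also notes that SECURITY_LOCKDOWN_LSM selects MODULE_SIG, so the second `-o MODULE_SIG=y` is belt-and-braces rather than required; fine to keep, worth saying in the same comment. The enclosing method begins and continues outside the hunk.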
@@ -7776,7 +7776,8 @@ CONFIG_SECURITY_LANDLOCK=y
 ##
 ## file: security/lockdown/Kconfig
 ##
-CONFIG_SECURITY_LOCKDOWN_LSM=y
+#. This is overridden if the [build]signed-code setting is enabled
+# CONFIG_SECURITY_LOCKDOWN_LSM is not set
 ## choice: Kernel default lockdown mode
 CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
 ## end choice
-- cgit v1.2.3
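Review bot: The added `#. This is overridden if the [build]signed-code setting is enabled` line says the option is overridden but not by what or where, so a maintainer editing this file cannot tell that the override is a make-level `-o SECURITY_LOCKDOWN_LSM=y` in debian/bin/gencontrol.py (visible in the first hunk of this commit) rather than another config fragment. Suggest `#. Forced to y via KCONFIG_OPTIONS in debian/bin/gencontrol.py when the [build]signed-code setting is enabled`. The `CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y` choice kept below is now inert on unsigned builds but still sets the default mode whenever that override applies, so it should stay and is worth a one-line note to the same effect.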