|  | # SPDX-License-Identifier: GPL-2.0-only | 
|  | config SECURITY_LOADPIN | 
|  | bool "Pin load of kernel files (modules, fw, etc) to one filesystem" | 
|  | depends on SECURITY && BLOCK | 
|  | help | 
|  | Any files read through the kernel file reading interface | 
|  | (kernel modules, firmware, kexec images, security policy) | 
|  | can be pinned to the first filesystem used for loading. When | 
|  | enabled, any files that come from other filesystems will be | 
|  | rejected. This is best used on systems without an initrd that | 
|  | have a root filesystem backed by a read-only device such as | 
|  | dm-verity or a CDROM. | 
|  |  | 
|  | config SECURITY_LOADPIN_ENFORCE | 
|  | bool "Enforce LoadPin at boot" | 
|  | depends on SECURITY_LOADPIN | 
|  | help | 
|  | If selected, LoadPin will enforce pinning at boot. If not | 
|  | selected, it can be enabled at boot with the kernel parameter | 
|  | "loadpin.enforce=1". |