b.liu | e958203 | 2025-04-17 19:18:16 +0800

# SPDX-License-Identifier: GPL-2.0-only
config SECURITY_LOADPIN
	bool "Pin load of kernel files (modules, fw, etc) to one filesystem"
	depends on SECURITY && BLOCK
	help
	  Any files read through the kernel file reading interface
	  (kernel modules, firmware, kexec images, security policy)
	  can be pinned to the first filesystem used for loading. When
	  enabled, any files that come from other filesystems will be
	  rejected. This is best used on systems without an initrd that
	  have a root filesystem backed by a read-only device such as
	  dm-verity or a CDROM.

config SECURITY_LOADPIN_ENFORCE
	bool "Enforce LoadPin at boot"
	depends on SECURITY_LOADPIN
	help
	  If selected, LoadPin will enforce pinning at boot. If not
	  selected, it can be enabled at boot with the kernel parameter
	  "loadpin.enforce=1".
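The two help texts above define when LoadPin is actually enforcing: the option must be built in, and enforcement comes either from SECURITY_LOADPIN_ENFORCE or from "loadpin.enforce=1" on the command line. The following added example (not part of the kernel tree) applies exactly that rule to a kernel .config file and a boot command line, so a defender can audit an image before trusting it to reject files from other filesystems; the function name, the three state words and the sample .config fragments are this example's own constructions.

```shell
#!/bin/sh
# Added example, not kernel code: classify a kernel build + command line by the
# LoadPin rules in the Kconfig help text. Prints one of:
#   absent     - CONFIG_SECURITY_LOADPIN is not built in
#   permissive - built in, but neither CONFIG_SECURITY_LOADPIN_ENFORCE=y nor
#                loadpin.enforce=1 on the command line
#   enforcing  - built in and enforcement is on from boot
# Usage: loadpin_boot_state <path-to-.config> "<kernel command line>"
loadpin_boot_state() {
    config="$1"
    cmdline="$2"
    # A .config records an enabled symbol as CONFIG_FOO=y; a
    # "# CONFIG_FOO is not set" line or no line at all means disabled.
    if ! grep -qx 'CONFIG_SECURITY_LOADPIN=y' "$config"; then
        echo absent
        return 0
    fi
    if grep -qx 'CONFIG_SECURITY_LOADPIN_ENFORCE=y' "$config"; then
        echo enforcing
        return 0
    fi
    # Not compiled to enforce: only the exact boot parameter from the help
    # text switches enforcement on (word-split the command line on spaces).
    for word in $cmdline; do
        if [ "$word" = "loadpin.enforce=1" ]; then
            echo enforcing
            return 0
        fi
    done
    echo permissive
}

# Constructed sample .config fragments (not real kernel configs) for a self-check.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'CONFIG_SECURITY=y\nCONFIG_BLOCK=y\n# CONFIG_SECURITY_LOADPIN is not set\n' \
    > "$tmp/noloadpin.config"
printf 'CONFIG_SECURITY=y\nCONFIG_BLOCK=y\nCONFIG_SECURITY_LOADPIN=y\n# CONFIG_SECURITY_LOADPIN_ENFORCE is not set\n' \
    > "$tmp/permissive.config"
printf 'CONFIG_SECURITY=y\nCONFIG_BLOCK=y\nCONFIG_SECURITY_LOADPIN=y\nCONFIG_SECURITY_LOADPIN_ENFORCE=y\n' \
    > "$tmp/enforce.config"
echo "sample permissive build, no parameter: $(loadpin_boot_state "$tmp/permissive.config" "root=/dev/sda1")"
echo "sample permissive build, loadpin.enforce=1: $(loadpin_boot_state "$tmp/permissive.config" "root=/dev/sda1 loadpin.enforce=1")"

# On a live system, check the running kernel's own config against its real boot line.
live="/boot/config-$(uname -r)"
if [ -r "$live" ] && [ -r /proc/cmdline ]; then
    echo "running kernel: $(loadpin_boot_state "$live" "$(cat /proc/cmdline)")"
fi
```

The live check only reads /boot/config-$(uname -r); on distributions that ship the config as /proc/config.gz, pass a decompressed copy of that file instead.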