# SPDX-License-Identifier: GPL-2.0-only
config SECURITY_LOADPIN
	bool "Pin load of kernel files (modules, fw, etc) to one filesystem"
	depends on SECURITY && BLOCK
	help
	  Any files read through the kernel file reading interface
	  (kernel modules, firmware, kexec images, security policy)
	  can be pinned to the first filesystem used for loading. When
	  enabled, any files that come from other filesystems will be
	  rejected. This is best used on systems without an initrd that
	  have a root filesystem backed by a read-only device such as
	  dm-verity or a CDROM.

config SECURITY_LOADPIN_ENFORCE
	bool "Enforce LoadPin at boot"
	depends on SECURITY_LOADPIN
	help
	  If selected, LoadPin will enforce pinning at boot. If not
	  selected, it can be enabled at boot with the kernel parameter
	  "loadpin.enforce=1".
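The two options above describe a simple rule: the first filesystem a kernel file is read from becomes the pin, later reads from any other filesystem are rejected, and SECURITY_LOADPIN_ENFORCE (or loadpin.enforce=1) decides whether that rejection is actually applied. The following is an added userspace model of that rule written for this page; it is not the kernel's LoadPin code. Filesystems are stood in for by constructed integer ids (the kernel would record the superblock), and the behaviour of non-enforcing mode, reporting the mismatch but allowing the read, is an assumption of the model rather than something the Kconfig text states.

```c
/* Added example: a userspace model of LoadPin's pinning rule.  Not kernel
 * code.  A filesystem is identified by a constructed integer id standing in
 * for the superblock the real LSM would remember. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

enum { FS_UNPINNED = -1 };

struct loadpin_model {
	int pinned_fs;   /* id of the first filesystem a file was read from */
	bool enforce;    /* models SECURITY_LOADPIN_ENFORCE / loadpin.enforce=1 */
	int mismatched;  /* reads that came from a filesystem other than the pin */
	int rejected;    /* reads that were denied (subset of mismatched) */
};

void loadpin_init(struct loadpin_model *lp, bool enforce)
{
	lp->pinned_fs = FS_UNPINNED;
	lp->enforce = enforce;
	lp->mismatched = 0;
	lp->rejected = 0;
}

/* Decide whether a kernel file read (module, firmware, kexec image, security
 * policy) from filesystem `fs` is allowed.  Returns 0 to allow, -EPERM to deny. */
int loadpin_read_file(struct loadpin_model *lp, int fs, const char *what)
{
	if (lp->pinned_fs == FS_UNPINNED) {
		/* The very first read fixes the pin for the rest of the boot. */
		lp->pinned_fs = fs;
		return 0;
	}
	if (fs == lp->pinned_fs)
		return 0;

	lp->mismatched++;
	if (lp->enforce) {
		lp->rejected++;
		fprintf(stderr, "loadpin: denied %s from fs %d (pinned to fs %d)\n",
			what, fs, lp->pinned_fs);
		return -EPERM;
	}
	/* Assumption of this model: without enforcement the mismatch is only
	 * reported and the read proceeds. */
	fprintf(stderr, "loadpin: %s from fs %d differs from pinned fs %d (not enforcing)\n",
		what, fs, lp->pinned_fs);
	return 0;
}

/* Walk a constructed boot sequence: two reads from the root filesystem (id 1),
 * then one from another filesystem (id 2).  Returns the number of denied reads. */
int loadpin_demo(bool enforce)
{
	struct loadpin_model lp;

	loadpin_init(&lp, enforce);
	loadpin_read_file(&lp, 1, "kernel module");
	loadpin_read_file(&lp, 1, "firmware blob");
	loadpin_read_file(&lp, 2, "kexec image");
	return lp.rejected;
}

int main(void)
{
	printf("enforcing: %d read(s) denied\n", loadpin_demo(true));
	printf("not enforcing: %d read(s) denied\n", loadpin_demo(false));
	return 0;
}
```

The point the model makes visible is that the pin is chosen by whichever read happens first, which is why the help text recommends systems without an initrd and with a read-only root: the first read then comes from the verified root filesystem, and everything later must come from the same place.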