=======
LoadPin
=======

LoadPin is a Linux Security Module that ensures all kernel-loaded files
(modules, firmware, etc) all originate from the same filesystem, with
the expectation that such a filesystem is backed by a read-only device
such as dm-verity or CDROM. This allows systems that have a verified
and/or unchangeable filesystem to enforce module and firmware loading
restrictions without needing to sign the files individually.

The LSM is selectable at build-time with ``CONFIG_SECURITY_LOADPIN``, and
can be controlled at boot-time with the kernel command line option
"``loadpin.enforce``". By default, it is enabled, but can be disabled at
boot ("``loadpin.enforce=0``").

LoadPin starts pinning when it sees the first file loaded. If the
block device backing the filesystem is not read-only, a sysctl is
created to toggle pinning: ``/proc/sys/kernel/loadpin/enabled``. (Having
a mutable filesystem means pinning is mutable too, but having the
sysctl allows for easy testing on systems with a mutable filesystem.)

It's also possible to exclude specific file types from LoadPin using the
kernel command line option "``loadpin.exclude``". By default, all files are
included, but they can be excluded using a kernel command line option such
as "``loadpin.exclude=kernel-module,kexec-image``". This allows different
mechanisms such as ``CONFIG_MODULE_SIG`` and ``CONFIG_KEXEC_VERIFY_SIG`` to
verify kernel modules and kernel images, while LoadPin is still used to
protect the integrity of the other files the kernel loads. The full list of
valid file types can be found in ``kernel_read_file_str`` defined in
``include/linux/kernel_read_file.h``.
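The following POSIX shell script is an added example, not part of the kernel
documentation or of the LoadPin code itself. It shows how an administrator or
auditor can read the LoadPin posture of a boot configuration from the pieces
described above: the ``loadpin.enforce`` and ``loadpin.exclude`` command line
options, and the optional ``/proc/sys/kernel/loadpin/enabled`` sysctl that only
appears when the pinned filesystem is writable. The command-line parsing here
is the example's own (it does not reuse the kernel's parser), the sample
command lines are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise LoadPin's effective state from a kernel command
# line and the optional sysctl value. Not from the kernel tree.

# Constructed sample command lines (assumptions for the example, not taken
# from a real system).
SAMPLE_CMDLINE_DEFAULT="BOOT_IMAGE=/vmlinuz root=/dev/dm-0 ro quiet"
SAMPLE_CMDLINE_EXCLUDE="root=/dev/dm-0 ro loadpin.enforce=1 loadpin.exclude=kernel-module,kexec-image"
SAMPLE_CMDLINE_DISABLED="root=/dev/sda1 rw loadpin.enforce=0"

# Print the effective loadpin.enforce value: LoadPin is enabled by default,
# so the answer is "1" unless the option is present with another value.
# The last occurrence wins, matching how repeated boot parameters usually
# override earlier ones.
loadpin_enforce() {
    value=1
    for word in $1; do
        case $word in
            loadpin.enforce=*) value=${word#loadpin.enforce=} ;;
        esac
    done
    printf '%s\n' "$value"
}

# Print the comma-separated loadpin.exclude list, or an empty line when no
# file types are excluded (the default: everything is pinned).
loadpin_exclude() {
    value=""
    for word in $1; do
        case $word in
            loadpin.exclude=*) value=${word#loadpin.exclude=} ;;
        esac
    done
    printf '%s\n' "$value"
}

# Return 0 if LoadPin still covers the given file type (e.g. "firmware",
# "kernel-module") on this command line, 1 if it has been excluded.
loadpin_covers() {
    type_name=$1
    excl=$(loadpin_exclude "$2")
    case ",$excl," in
        *",$type_name,"*) return 1 ;;
    esac
    return 0
}

# Print a short status token for a command line ($1) and the content of
# /proc/sys/kernel/loadpin/enabled ($2, empty when the sysctl is absent,
# i.e. when the backing block device is read-only):
#   disabled-boot            loadpin.enforce=0 on the command line
#   disabled-sysctl          enforcing at boot, but toggled off via sysctl
#   enforcing-partial:LIST   enforcing, with LIST of excluded file types
#   enforcing-all            enforcing for every file type
loadpin_summary() {
    if [ "$(loadpin_enforce "$1")" = "0" ]; then
        printf 'disabled-boot\n'
        return 0
    fi
    if [ "$2" = "0" ]; then
        printf 'disabled-sysctl\n'
        return 0
    fi
    excl=$(loadpin_exclude "$1")
    if [ -n "$excl" ]; then
        printf 'enforcing-partial:%s\n' "$excl"
    else
        printf 'enforcing-all\n'
    fi
}

# Demonstration on the constructed samples.
for sample in "$SAMPLE_CMDLINE_DEFAULT" "$SAMPLE_CMDLINE_EXCLUDE" "$SAMPLE_CMDLINE_DISABLED"; do
    printf '%-70s -> %s\n' "$sample" "$(loadpin_summary "$sample" "")"
done
```

On a live system the same functions can be pointed at the real inputs with
``loadpin_summary "$(cat /proc/cmdline)" "$(cat /proc/sys/kernel/loadpin/enabled
2>/dev/null)"``; an ``enforcing-partial`` result is the cue to confirm that the
excluded types really are covered by another mechanism such as
``CONFIG_MODULE_SIG`` or ``CONFIG_KEXEC_VERIFY_SIG``, and a ``disabled-sysctl``
result means the pinned filesystem is writable, so LoadPin is only a testing
aid on that machine rather than an integrity guarantee.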