# SPDX-License-Identifier: GPL-2.0-only
config SECURITY_LOADPIN
	bool "Pin load of kernel files (modules, fw, etc) to one filesystem"
	depends on SECURITY && BLOCK
	help
	  Any files read through the kernel file reading interface
	  (kernel modules, firmware, kexec images, security policy)
	  can be pinned to the first filesystem used for loading. When
	  enabled, any files that come from other filesystems will be
	  rejected. This is best used on systems without an initrd that
	  have a root filesystem backed by a read-only device such as
	  dm-verity or a CDROM.

config SECURITY_LOADPIN_ENFORCE
	bool "Enforce LoadPin at boot"
	depends on SECURITY_LOADPIN
	help
	  If selected, LoadPin will enforce pinning at boot. If not
	  selected, it can be enabled at boot with the kernel parameter
	  "loadpin.enforce=1".

config SECURITY_LOADPIN_VERITY
	bool "Allow reading files from certain other filesystems that use dm-verity"
	depends on SECURITY_LOADPIN && DM_VERITY=y && SECURITYFS
	help
	  If selected, LoadPin can allow reading files from filesystems
	  that use dm-verity. LoadPin maintains a list of verity root
	  digests it considers trusted. A verity-backed filesystem is
	  considered trusted if its root digest is found in the list
	  of trusted digests.

	  The list of trusted verity root digests can be populated
	  through an ioctl on the LoadPin securityfs entry 'dm-verity'.
	  The ioctl expects a file descriptor of a file with verity
	  digests as its parameter. The file must be located on the
	  pinned root and contain a comma-separated list of digests.
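The help text above describes the userspace side only in one sentence: open the digest file, open the securityfs entry, and pass the file's descriptor to the ioctl. The following is an added example written for this page, not code from the kernel tree or from LoadPin itself. It validates a comma-separated digest list before handing it to LoadPin and then issues the ioctl. Assumptions are labelled in the code: the securityfs mount point /sys/kernel/security and the entry path loadpin/dm-verity, the request macro LOADPIN_IOC_SET_TRUSTED_VERITY_DIGESTS (defined here as a fallback mirroring the uapi header, so the example builds without that header), the choice of sha256-sized digests (64 hex characters) for the strictness check, and the sample digests, which are constructed values, not real root digests. The kernel's own parser remains authoritative for what the file may contain.

```c
/* Added example: validate a LoadPin trusted-digest list and load it via the
 * ioctl on the securityfs 'dm-verity' entry. Not part of the kernel sources. */
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Assumption: mirrors include/uapi/linux/loadpin.h; defined here as a
 * fallback so the example compiles on hosts without that header. */
#ifndef LOADPIN_IOC_SET_TRUSTED_VERITY_DIGESTS
#define LOADPIN_IOC_MAGIC 'L'
#define LOADPIN_IOC_SET_TRUSTED_VERITY_DIGESTS _IOW(LOADPIN_IOC_MAGIC, 0x00, unsigned int)
#endif

/* Assumption: securityfs mounted at its conventional location. */
#define LOADPIN_VERITY_ENTRY "/sys/kernel/security/loadpin/dm-verity"

/* Assumption: root digests are sha256, i.e. 64 hex characters each. */
#define DIGEST_HEX_LEN 64

/* Constructed sample list (not real digests): two sha256-sized hex strings,
 * comma-separated, with a trailing newline as an editor would leave it. */
static const char SAMPLE_DIGESTS[] =
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,"
    "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210\n";

/* Count the digests in a comma-separated list. Empty entries (e.g. from a
 * trailing comma or newline) are skipped; any entry that is not exactly
 * DIGEST_HEX_LEN hex characters makes the whole list invalid (-1). */
int count_valid_digests(const char *list)
{
    int n = 0;
    const char *p = list;
    while (*p) {
        const char *end = p;
        while (*end && *end != ',' && *end != '\n')
            end++;
        size_t len = (size_t)(end - p);
        if (len > 0) {
            if (len != DIGEST_HEX_LEN)
                return -1;
            for (size_t i = 0; i < len; i++)
                if (!isxdigit((unsigned char)p[i]))
                    return -1;
            n++;
        }
        p = *end ? end + 1 : end;
    }
    return n;
}

/* Read a whole file into a NUL-terminated heap buffer; NULL on error. */
char *read_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f)
        return NULL;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return NULL; }
    long sz = ftell(f);
    if (sz < 0) { fclose(f); return NULL; }
    rewind(f);
    char *buf = malloc((size_t)sz + 1);
    if (!buf) { fclose(f); return NULL; }
    size_t got = fread(buf, 1, (size_t)sz, f);
    fclose(f);
    buf[got] = '\0';
    return buf;
}

/* Hand the digest file to LoadPin: the ioctl argument is the descriptor of
 * the digest file, which must live on the pinned root (the kernel checks
 * that; this function does not). Returns 0 on success or -errno. */
int loadpin_set_trusted_digests(const char *entry, const char *digest_path)
{
    int lp = open(entry, O_RDONLY);
    if (lp < 0)
        return -errno;
    int df = open(digest_path, O_RDONLY);
    if (df < 0) { int e = errno; close(lp); return -e; }
    int err = ioctl(lp, LOADPIN_IOC_SET_TRUSTED_VERITY_DIGESTS, df) < 0 ? -errno : 0;
    close(df);
    close(lp);
    return err;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s DIGEST_FILE (on the pinned root)\n", argv[0]);
        return 2;
    }
    char *buf = read_file(argv[1]);
    if (!buf) { perror(argv[1]); return 1; }
    int n = count_valid_digests(buf);
    free(buf);
    if (n <= 0) { fprintf(stderr, "malformed or empty digest list\n"); return 1; }
    int rc = loadpin_set_trusted_digests(LOADPIN_VERITY_ENTRY, argv[1]);
    if (rc) { fprintf(stderr, "LoadPin ioctl failed: %s\n", strerror(-rc)); return 1; }
    printf("loaded %d trusted verity root digest(s)\n", n);
    return 0;
}
```

The validation step is deliberately stricter than anything the page promises of the kernel: rejecting the list in userspace when an entry is the wrong length or not hex gives an operator a clear error before the ioctl, and keeps a typo from silently shrinking the set of trusted filesystems. Running the program needs CONFIG_SECURITY_LOADPIN_VERITY, root privileges, and a digest file stored on the pinned root; the parsing functions run anywhere.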