# SPDX-License-Identifier: GPL-2.0-only
config SECURITY_LOADPIN
	bool "Pin load of kernel files (modules, fw, etc) to one filesystem"
	depends on SECURITY && BLOCK
	help
	  Any files read through the kernel file reading interface
	  (kernel modules, firmware, kexec images, security policy)
	  can be pinned to the first filesystem used for loading. When
	  enabled, any files that come from other filesystems will be
	  rejected. This is best used on systems without an initrd that
	  have a root filesystem backed by a read-only device such as
	  dm-verity or a CDROM.

config SECURITY_LOADPIN_ENFORCE
	bool "Enforce LoadPin at boot"
	depends on SECURITY_LOADPIN
	help
	  If selected, LoadPin will enforce pinning at boot. If not
	  selected, it can be enabled at boot with the kernel parameter
	  "loadpin.enforce=1".
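
The two options above combine with the `loadpin.enforce` boot parameter to decide whether pinning is actually enforced. The following audit helper is an added example, not part of the kernel tree: the function name, the state labels (`absent`, `permissive`, `enforcing`) and the sample inputs are constructed for illustration. It goes one step beyond the help text by also treating `loadpin.enforce=0` as overriding a built-in enforcing default.

```shell
#!/bin/sh
# Added example: classify LoadPin state from kernel .config text and a
# kernel command line. Usage: loadpin_state <config-text> <cmdline-text>
# Prints one of: absent | permissive | enforcing (labels are this example's own).

loadpin_state() (
    set -f                      # no globbing while word-splitting the cmdline
    config=$1
    cmdline=$2

    # True when the given symbol is built in (=y) in the .config text.
    has() { printf '%s\n' "$config" | grep -qx "$1=y"; }

    if ! has CONFIG_SECURITY_LOADPIN; then
        # LoadPin is not compiled in; the boot parameter has no effect.
        echo absent
    else
        # Build-time default comes from SECURITY_LOADPIN_ENFORCE.
        if has CONFIG_SECURITY_LOADPIN_ENFORCE; then
            state=enforcing
        else
            state=permissive
        fi

        # loadpin.enforce= on the command line overrides the default.
        # Assumption: if it is given more than once, the last value wins.
        for arg in $cmdline; do
            case $arg in
                loadpin.enforce=1) state=enforcing ;;
                loadpin.enforce=0) state=permissive ;;
            esac
        done
        echo "$state"
    fi
)

# Constructed sample inputs (not taken from a real system).
SAMPLE_CONFIG='CONFIG_SECURITY=y
CONFIG_SECURITY_LOADPIN=y
# CONFIG_SECURITY_LOADPIN_ENFORCE is not set'
SAMPLE_CMDLINE='root=/dev/dm-0 ro loadpin.enforce=1'

loadpin_state "$SAMPLE_CONFIG" "$SAMPLE_CMDLINE"
```

On a live host the inputs would typically be the running kernel's config file and `/proc/cmdline`; a `permissive` result on a dm-verity image means files from other filesystems are not being rejected.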