config SECURITY_LOADPIN
	bool "Pin load of kernel files (modules, fw, etc) to one filesystem"
	depends on SECURITY && BLOCK
	help
	  Any files read through the kernel file reading interface
	  (kernel modules, firmware, kexec images, security policy)
	  can be pinned to the first filesystem used for loading. When
	  enabled, any files that come from other filesystems will be
	  rejected. This is best used on systems without an initrd that
	  have a root filesystem backed by a read-only device such as
	  dm-verity or a CDROM.

config SECURITY_LOADPIN_ENFORCE
	bool "Enforce LoadPin at boot"
	depends on SECURITY_LOADPIN
	help
	  If selected, LoadPin will enforce pinning at boot. If not
	  selected, it can be enabled at boot with the kernel parameter
	  "loadpin.enforce=1".
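An audit helper for the two options above, added here as an example (it is not part of the kernel tree): it takes the text of a kernel .config and a boot command line and reports whether LoadPin is built in and whether it enforces at boot. The function name `loadpin_state` and the sample inputs are constructed for illustration, and treating `loadpin.enforce=0` as switching enforcement off is an assumption, since the help text only documents `=1`.

```shell
#!/bin/sh
# Added example: derive the LoadPin boot state from a kernel .config and a
# boot command line. Prints: not-built | enforcing | not-enforcing

# loadpin_state CONFIG_TEXT CMDLINE
# Runs in a subshell so "set -f" and the variables do not leak to the caller.
loadpin_state() (
    config_text=$1
    cmdline=$2
    set -f    # no pathname expansion while splitting the command line

    # LoadPin exists only when CONFIG_SECURITY_LOADPIN=y; "# ... is not set"
    # lines do not match because grep -x requires a whole-line match.
    if ! printf '%s\n' "$config_text" | grep -qx 'CONFIG_SECURITY_LOADPIN=y'; then
        echo not-built
    else
        # Build-time default: CONFIG_SECURITY_LOADPIN_ENFORCE.
        enforce=0
        if printf '%s\n' "$config_text" |
            grep -qx 'CONFIG_SECURITY_LOADPIN_ENFORCE=y'; then
            enforce=1
        fi

        # A loadpin.enforce= boot parameter replaces the default; the last
        # occurrence wins. Handling of =0 is an assumption (see lead-in).
        for word in $cmdline; do
            case $word in
                loadpin.enforce=1) enforce=1 ;;
                loadpin.enforce=0) enforce=0 ;;
            esac
        done

        if [ "$enforce" = 1 ]; then echo enforcing; else echo not-enforcing; fi
    fi
)

# Constructed sample: LoadPin built, enforcement left to the boot parameter.
sample_config='CONFIG_SECURITY=y
CONFIG_SECURITY_LOADPIN=y
# CONFIG_SECURITY_LOADPIN_ENFORCE is not set'

loadpin_state "$sample_config" 'root=/dev/dm-0 ro loadpin.enforce=1'
loadpin_state "$sample_config" 'root=/dev/dm-0 ro'
```

On a live system the same function can be fed the running kernel's config text and the contents of /proc/cmdline.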