xref: /linux/security/loadpin/Kconfig (revision 3f805f8cc23ba35679dd01446929292911c2b469)
1ec8f24b7SThomas Gleixner# SPDX-License-Identifier: GPL-2.0-only
29b091556SKees Cookconfig SECURITY_LOADPIN
39b091556SKees Cook	bool "Pin load of kernel files (modules, fw, etc) to one filesystem"
49b091556SKees Cook	depends on SECURITY && BLOCK
59b091556SKees Cook	help
69b091556SKees Cook	  Any files read through the kernel file reading interface
7b937190cSKees Cook	  (kernel modules, firmware, kexec images, security policy)
8b937190cSKees Cook	  can be pinned to the first filesystem used for loading. When
9b937190cSKees Cook	  enabled, any files that come from other filesystems will be
10b937190cSKees Cook	  rejected. This is best used on systems without an initrd that
11b937190cSKees Cook	  have a root filesystem backed by a read-only device such as
12b937190cSKees Cook	  dm-verity or a CDROM.
13b937190cSKees Cook
1413523befSKees Cookconfig SECURITY_LOADPIN_ENFORCE
15b937190cSKees Cook	bool "Enforce LoadPin at boot"
16b937190cSKees Cook	depends on SECURITY_LOADPIN
17b937190cSKees Cook	help
18b937190cSKees Cook	  If selected, LoadPin will enforce pinning at boot. If not
19b937190cSKees Cook	  selected, it can be enabled at boot with the kernel parameter
2013523befSKees Cook	  "loadpin.enforce=1".
21*3f805f8cSMatthias Kaehlcke
22*3f805f8cSMatthias Kaehlckeconfig SECURITY_LOADPIN_VERITY
23*3f805f8cSMatthias Kaehlcke	bool "Allow reading files from certain other filesystems that use dm-verity"
24*3f805f8cSMatthias Kaehlcke	depends on SECURITY_LOADPIN && DM_VERITY=y && SECURITYFS
25*3f805f8cSMatthias Kaehlcke	help
26*3f805f8cSMatthias Kaehlcke	  If selected LoadPin can allow reading files from filesystems
27*3f805f8cSMatthias Kaehlcke	  that use dm-verity. LoadPin maintains a list of verity root
28*3f805f8cSMatthias Kaehlcke	  digests it considers trusted. A verity backed filesystem is
29*3f805f8cSMatthias Kaehlcke	  considered trusted if its root digest is found in the list
30*3f805f8cSMatthias Kaehlcke	  of trusted digests.
31*3f805f8cSMatthias Kaehlcke
32*3f805f8cSMatthias Kaehlcke	  The list of trusted verity can be populated through an ioctl
33*3f805f8cSMatthias Kaehlcke	  on the LoadPin securityfs entry 'dm-verity'. The ioctl
34*3f805f8cSMatthias Kaehlcke	  expects a file descriptor of a file with verity digests as
35*3f805f8cSMatthias Kaehlcke	  parameter. The file must be located on the pinned root and
36*3f805f8cSMatthias Kaehlcke	  contain a comma separated list of digests.
37