# SPDX-License-Identifier: GPL-2.0-only
config SECURITY_LOADPIN
	bool "Pin load of kernel files (modules, fw, etc) to one filesystem"
	depends on SECURITY && BLOCK
	help
	  Any files read through the kernel file reading interface
	  (kernel modules, firmware, kexec images, security policy)
	  can be pinned to the first filesystem used for loading. When
	  enabled, any files that come from other filesystems will be
	  rejected. This is best used on systems without an initrd that
	  have a root filesystem backed by a read-only device such as
	  dm-verity or a CDROM.

config SECURITY_LOADPIN_ENFORCE
	bool "Enforce LoadPin at boot"
	depends on SECURITY_LOADPIN
	help
	  If selected, LoadPin will enforce pinning at boot. If not
	  selected, it can be enabled at boot with the kernel parameter
	  "loadpin.enforce=1".

config SECURITY_LOADPIN_VERITY
	bool "Allow reading files from certain other filesystems that use dm-verity"
	depends on SECURITY_LOADPIN && DM_VERITY=y && SECURITYFS
	help
	  If selected, LoadPin can allow reading files from filesystems
	  that use dm-verity. LoadPin maintains a list of verity root
	  digests it considers trusted. A verity-backed filesystem is
	  considered trusted if its root digest is found in the list
	  of trusted digests.

	  The list of trusted verity digests can be populated through an
	  ioctl on the LoadPin securityfs entry 'dm-verity'. The ioctl
	  expects a file descriptor of a file with verity digests as
	  parameter. The file must be located on the pinned root and
	  contain a comma-separated list of digests.
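The help text above describes how the trusted-digest list is handed to LoadPin: an ioctl on the 'dm-verity' securityfs entry whose argument is a file descriptor for a comma-separated digest file living on the pinned root. The following userspace helper is an added example, not code from the LoadPin Kconfig or from the kernel tree. It sanity-checks the digest file before passing it to the kernel (each entry must be non-empty, hex-only and whole bytes; these checks are the example's own, the kernel does its own parsing) and then issues the ioctl. The ioctl macro is reproduced from the kernel's UAPI header include/uapi/linux/loadpin.h so the program builds without that header installed; the securityfs mount point /sys/kernel/security is an assumption about the running system.

```c
/* Added example: register a verity root-digest list with LoadPin.
 * Not part of the LoadPin Kconfig or kernel sources. */
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Mirrors include/uapi/linux/loadpin.h (assumed from the kernel UAPI
 * header, not from the Kconfig text), so the example builds standalone. */
#ifndef LOADPIN_IOC_SET_TRUSTED_VERITY_DIGESTS
#define LOADPIN_IOC_MAGIC 'L'
#define LOADPIN_IOC_SET_TRUSTED_VERITY_DIGESTS _IOW(LOADPIN_IOC_MAGIC, 0x00, unsigned int)
#endif

/* Assumed securityfs mount point; the entry name 'dm-verity' is from the help text. */
#define LOADPIN_VERITY_PATH "/sys/kernel/security/loadpin/dm-verity"

/* One list entry is acceptable if it is non-empty, hex-only and an even
 * number of nibbles (whole bytes). These are this tool's own checks. */
static int digest_ok(const char *s, size_t len)
{
	if (len == 0 || len % 2 != 0)
		return 0;
	for (size_t i = 0; i < len; i++)
		if (!isxdigit((unsigned char)s[i]))
			return 0;
	return 1;
}

/* Validate a comma-separated digest list; whitespace and newlines around
 * each entry are ignored. Returns the number of digests, or -1 on the
 * first malformed entry (an empty list or a trailing comma is rejected). */
int count_valid_digests(const char *list)
{
	int n = 0;
	const char *p = list;

	for (;;) {
		const char *end = strchr(p, ',');
		size_t len = end ? (size_t)(end - p) : strlen(p);

		while (len && isspace((unsigned char)*p)) { p++; len--; }
		while (len && isspace((unsigned char)p[len - 1])) len--;
		if (!digest_ok(p, len))
			return -1;
		n++;
		if (!end)
			break;
		p = end + 1;
	}
	return n;
}

/* Read and validate the digest file (which must sit on the pinned root,
 * per the help text), then pass its descriptor to LoadPin via the ioctl.
 * Returns the number of digests registered, or -1 on failure. */
int load_trusted_digests(const char *digest_file)
{
	char buf[4096]; /* room for roughly 60 SHA-256 hex digests */
	int dfd = open(digest_file, O_RDONLY);
	if (dfd < 0) { perror("open digest file"); return -1; }

	ssize_t r = read(dfd, buf, sizeof(buf) - 1);
	if (r < 0) { perror("read digest file"); close(dfd); return -1; }
	buf[r] = '\0';
	lseek(dfd, 0, SEEK_SET); /* leave the descriptor rewound for the kernel */

	int n = count_valid_digests(buf);
	if (n < 0) { fprintf(stderr, "malformed digest list\n"); close(dfd); return -1; }

	int sfd = open(LOADPIN_VERITY_PATH, O_RDONLY);
	if (sfd < 0) { perror("open " LOADPIN_VERITY_PATH); close(dfd); return -1; }

	int ret = ioctl(sfd, LOADPIN_IOC_SET_TRUSTED_VERITY_DIGESTS, dfd);
	if (ret < 0) perror("ioctl LOADPIN_IOC_SET_TRUSTED_VERITY_DIGESTS");
	close(sfd);
	close(dfd);
	return ret < 0 ? -1 : n;
}

int main(int argc, char **argv)
{
	if (argc != 2) {
		fprintf(stderr, "usage: %s <digest-file-on-pinned-root>\n", argv[0]);
		return 2;
	}
	int n = load_trusted_digests(argv[1]);
	if (n < 0)
		return 1;
	printf("registered %d trusted verity root digest(s)\n", n);
	return 0;
}
```

Run it as root with SECURITY_LOADPIN_VERITY enabled and the digest file placed on the pinned root filesystem; a digest file on any other filesystem is rejected by LoadPin regardless of its contents, which is the property the option is built around.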