1*9b091556SKees Cookconfig SECURITY_LOADPIN 2*9b091556SKees Cook bool "Pin load of kernel files (modules, fw, etc) to one filesystem" 3*9b091556SKees Cook depends on SECURITY && BLOCK 4*9b091556SKees Cook help 5*9b091556SKees Cook Any files read through the kernel file reading interface 6*9b091556SKees Cook (kernel modules, firmware, kexec images, security policy) will 7*9b091556SKees Cook be pinned to the first filesystem used for loading. Any files 8*9b091556SKees Cook that come from other filesystems will be rejected. This is best 9*9b091556SKees Cook used on systems without an initrd that have a root filesystem 10*9b091556SKees Cook backed by a read-only device such as dm-verity or a CDROM. 11