# SPDX-License-Identifier: GPL-2.0-only
config SECURITY_LOADPIN
	bool "Pin load of kernel files (modules, fw, etc) to one filesystem"
	depends on SECURITY && BLOCK
	help
	  Any files read through the kernel file reading interface
	  (kernel modules, firmware, kexec images, security policy)
	  can be pinned to the first filesystem used for loading. When
	  enabled, any files that come from other filesystems will be
	  rejected. This is best used on systems without an initrd that
	  have a root filesystem backed by a read-only device such as
	  dm-verity or a CDROM.

config SECURITY_LOADPIN_ENFORCE
	bool "Enforce LoadPin at boot"
	depends on SECURITY_LOADPIN
	# Module compression breaks LoadPin unless modules are decompressed in
	# the kernel.
	depends on !MODULES || (MODULE_COMPRESS_NONE || MODULE_DECOMPRESS)
	help
	  If selected, LoadPin will enforce pinning at boot. If not
	  selected, it can be enabled at boot with the kernel parameter
	  "loadpin.enforce=1".

config SECURITY_LOADPIN_VERITY
	bool "Allow reading files from certain other filesystems that use dm-verity"
	depends on SECURITY_LOADPIN && DM_VERITY=y && SECURITYFS
	help
	  If selected, LoadPin can allow reading files from filesystems
	  that use dm-verity. LoadPin maintains a list of verity root
	  digests it considers trusted. A verity-backed filesystem is
	  considered trusted if its root digest is found in the list
	  of trusted digests.

	  The list of trusted verity root digests can be populated through
	  an ioctl on the LoadPin securityfs entry 'dm-verity'. The ioctl
	  expects a file descriptor of a file with verity digests as
	  parameter. The file must be located on the pinned root and
	  start with the line:

	  # LOADPIN_TRUSTED_VERITY_ROOT_DIGESTS

	  This is followed by the verity digests, with one digest per
	  line.