# Annotated revisions: 9b091556, b937190c (author: Kees Cook)
config SECURITY_LOADPIN
	bool "Pin load of kernel files (modules, fw, etc) to one filesystem"
	depends on SECURITY && BLOCK
	help
	  Any files read through the kernel file reading interface
	  (kernel modules, firmware, kexec images, security policy)
	  can be pinned to the first filesystem used for loading. When
	  enabled, any files that come from other filesystems will be
	  rejected. This is best used on systems without an initrd that
	  have a root filesystem backed by a read-only device such as
	  dm-verity or a CDROM.

config SECURITY_LOADPIN_ENABLED
	bool "Enforce LoadPin at boot"
	depends on SECURITY_LOADPIN
	help
	  If selected, LoadPin will enforce pinning at boot. If not
	  selected, it can be enabled at boot with the kernel parameter
	  "loadpin.enabled=1".
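An added example (not part of the kernel source): a shell check that works out whether LoadPin would enforce at boot, given a kernel .config file and a kernel command line, following the two options above. The function name `loadpin_state`, the sample inputs, and the treatment of `loadpin.enabled=0` and of repeated parameters (last one wins) are assumptions that the help text does not state.

```shell
#!/bin/sh
# Added example, not from the kernel tree.
# Usage: loadpin_state CONFIG_FILE "KERNEL CMDLINE"
# Prints one of: not-built | enforcing | not-enforcing

loadpin_state() (
    # Body runs in a subshell so "set -f" (no globbing while the
    # command line is split into words) does not leak to the caller.
    set -f
    config_file=$1
    cmdline=$2

    # SECURITY_LOADPIN is a bool: only "=y" means the LSM is compiled in.
    if ! grep -q '^CONFIG_SECURITY_LOADPIN=y$' "$config_file"; then
        echo "not-built"
    else
        # Build-time default comes from SECURITY_LOADPIN_ENABLED.
        if grep -q '^CONFIG_SECURITY_LOADPIN_ENABLED=y$' "$config_file"; then
            enabled=1
        else
            enabled=0
        fi

        # Boot-time override with loadpin.enabled=.
        # Assumption: "=0" switches enforcement off and the last
        # occurrence on the command line wins.
        for arg in $cmdline; do
            case $arg in
                loadpin.enabled=1) enabled=1 ;;
                loadpin.enabled=0) enabled=0 ;;
            esac
        done

        if [ "$enabled" -eq 1 ]; then
            echo "enforcing"
        else
            echo "not-enforcing"
        fi
    fi
)

# Constructed sample input (not taken from a real system).
sample=$(mktemp)
printf '%s\n' 'CONFIG_SECURITY=y' 'CONFIG_SECURITY_LOADPIN=y' \
    '# CONFIG_SECURITY_LOADPIN_ENABLED is not set' > "$sample"
loadpin_state "$sample" 'root=/dev/dm-0 ro quiet'
loadpin_state "$sample" 'root=/dev/dm-0 ro loadpin.enabled=1'
rm -f "$sample"
```

On a running system the inputs would typically be the distribution's saved kernel config and the contents of `/proc/cmdline`.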