# SPDX-License-Identifier: GPL-2.0-only
config SECURITY_LOADPIN
	bool "Pin load of kernel files (modules, fw, etc) to one filesystem"
	depends on SECURITY && BLOCK
	help
	  Any files read through the kernel file reading interface
	  (kernel modules, firmware, kexec images, security policy)
	  can be pinned to the first filesystem used for loading. When
	  enabled, any files that come from other filesystems will be
	  rejected. This is best used on systems without an initrd that
	  have a root filesystem backed by a read-only device such as
	  dm-verity or a CDROM.

config SECURITY_LOADPIN_ENFORCE
	bool "Enforce LoadPin at boot"
	depends on SECURITY_LOADPIN
	help
	  If selected, LoadPin will enforce pinning at boot. If not
	  selected, it can be enabled at boot with the kernel parameter
	  "loadpin.enforce=1".
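The policy the two help texts describe is small enough to replay in userspace. The C program below is an added illustration, not the kernel's LoadPin code: it pins on the first kernel-file read, allows later reads only from the same filesystem, and rejects or merely logs the rest depending on whether enforcement is on. The enforce setting is resolved from a constructed kernel command line, with CONFIG_SECURITY_LOADPIN_ENFORCE as the default and a `loadpin.enforce=N` token overriding it; treating `=0` as an override, the device numbers, file paths and origin labels are all assumptions of this model, not values taken from the kernel.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* The two knobs this Kconfig exposes, modelled in userspace. */
struct loadpin_state {
	dev_t pinned_root;  /* filesystem of the first kernel-file read; 0 = not pinned yet */
	int enforce;        /* CONFIG_SECURITY_LOADPIN_ENFORCE=y, or loadpin.enforce=1 at boot */
};

/* A file handed to the kernel file-reading interface, reduced to what LoadPin
 * decides on: which filesystem backs it. Constructed; no real stat() is done. */
struct kernel_file {
	const char *path;
	dev_t dev;
};

/* Resolve the effective enforce setting: the Kconfig option supplies the
 * default and a "loadpin.enforce=N" token on the command line overrides it.
 * Assumption of this model: "=0" disables just as "=1" enables. */
int loadpin_effective_enforce(const char *cmdline, int config_enforce)
{
	static const char key[] = "loadpin.enforce=";
	int enforce = config_enforce;
	char buf[512];
	char *tok, *save;

	snprintf(buf, sizeof(buf), "%s", cmdline);
	for (tok = strtok_r(buf, " ", &save); tok; tok = strtok_r(NULL, " ", &save)) {
		if (strncmp(tok, key, sizeof(key) - 1) == 0)
			enforce = atoi(tok + sizeof(key) - 1) != 0;
	}
	return enforce;
}

/* Decide one read. Returns 0 to allow, -EPERM to reject. The first read pins
 * its filesystem; later reads from any other filesystem are rejected when
 * enforcing and only logged when not. */
int loadpin_read_file(struct loadpin_state *st, const struct kernel_file *f, const char *origin)
{
	if (st->pinned_root == 0) {
		st->pinned_root = f->dev;
		printf("loadpin: %s %s pinned (dev 0x%lx)\n", origin, f->path, (unsigned long)f->dev);
		return 0;
	}
	if (f->dev == st->pinned_root)
		return 0;
	if (!st->enforce) {
		printf("loadpin: %s %s pinning-ignored (not enforcing)\n", origin, f->path);
		return 0;
	}
	printf("loadpin: %s %s denied\n", origin, f->path);
	return -EPERM;
}

/* Constructed device ids standing in for a dm-verity root, a USB stick and a tmpfs. */
#define ROOT_DEV  ((dev_t)0xfd00)
#define USB_DEV   ((dev_t)0x0811)
#define TMPFS_DEV ((dev_t)0x0020)

/* Replay a constructed boot: two legitimate loads from the root filesystem,
 * then a module and a policy blob from elsewhere. Returns how many were rejected. */
int run_scenario(int enforce)
{
	struct loadpin_state st = { .pinned_root = 0, .enforce = enforce };
	const struct kernel_file loads[] = {
		{ "/lib/modules/example/kernel/fs/ext4/ext4.ko", ROOT_DEV },
		{ "/lib/firmware/example.bin", ROOT_DEV },
		{ "/media/usb/extra.ko", USB_DEV },
		{ "/tmp/policy.bin", TMPFS_DEV },
	};
	const char *origins[] = { "kernel-module", "firmware", "kernel-module", "security-policy" };
	int rejected = 0;
	size_t i;

	for (i = 0; i < sizeof(loads) / sizeof(loads[0]); i++)
		if (loadpin_read_file(&st, &loads[i], origins[i]) == -EPERM)
			rejected++;
	return rejected;
}

int main(void)
{
	int enforce = loadpin_effective_enforce("root=/dev/dm-0 ro quiet loadpin.enforce=1", 0);

	printf("effective enforce: %d\n", enforce);
	printf("rejected: %d\n", run_scenario(enforce));
	return 0;
}
```

Two things the replay makes visible. First, the pin is only as strong as the filesystem it lands on: LoadPin checks where a file came from, not what it contains, so the help text's recommendation of a dm-verity or CD-ROM root is what turns "same filesystem" into an integrity guarantee. Second, the pin goes to whichever filesystem served the very first read, which is why the help text says to use it without an initrd: a module or firmware blob loaded from an initramfs would pin LoadPin to that RAM-backed, writable filesystem instead of the protected root.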