Commit | Line | Data
---|---|---
ec8f24b7 | 1 | # SPDX-License-Identifier: GPL-2.0-only
9b091556 KC | 2 | config SECURITY_LOADPIN
 | 3 | bool "Pin load of kernel files (modules, fw, etc) to one filesystem"
 | 4 | depends on SECURITY && BLOCK
 | 5 | help
 | 6 | Any files read through the kernel file reading interface
b937190c KC | 7 | (kernel modules, firmware, kexec images, security policy)
 | 8 | can be pinned to the first filesystem used for loading. When
 | 9 | enabled, any files that come from other filesystems will be
 | 10 | rejected. This is best used on systems without an initrd that
 | 11 | have a root filesystem backed by a read-only device such as
 | 12 | dm-verity or a CDROM.
 | 13 | 
13523bef | 14 | config SECURITY_LOADPIN_ENFORCE
b937190c KC | 15 | bool "Enforce LoadPin at boot"
 | 16 | depends on SECURITY_LOADPIN
 | 17 | help
 | 18 | If selected, LoadPin will enforce pinning at boot. If not
 | 19 | selected, it can be enabled at boot with the kernel parameter
13523bef | 20 | "loadpin.enforce=1".
3f805f8c MK | 21 | 
 | 22 | config SECURITY_LOADPIN_VERITY
 | 23 | bool "Allow reading files from certain other filesystems that use dm-verity"
 | 24 | depends on SECURITY_LOADPIN && DM_VERITY=y && SECURITYFS
 | 25 | help
 | 26 | If selected LoadPin can allow reading files from filesystems
 | 27 | that use dm-verity. LoadPin maintains a list of verity root
 | 28 | digests it considers trusted. A verity backed filesystem is
 | 29 | considered trusted if its root digest is found in the list
 | 30 | of trusted digests.
 | 31 | 
 | 32 | The list of trusted verity can be populated through an ioctl
 | 33 | on the LoadPin securityfs entry 'dm-verity'. The ioctl
 | 34 | expects a file descriptor of a file with verity digests as
 | 35 | parameter. The file must be located on the pinned root and
 | 36 | contain a comma separated list of digests.
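The help text for SECURITY_LOADPIN_VERITY describes an ioctl on the LoadPin securityfs entry that takes a descriptor of a digest-list file living on the pinned root. The program below is an added example, not code from the kernel tree: it sanity-checks the comma separated digest list before handing the file to LoadPin, so a malformed list is caught in userspace rather than discovered when a verity volume is unexpectedly rejected. It assumes securityfs is mounted at /sys/kernel/security, that the ioctl is LOADPIN_IOC_SET_TRUSTED_VERITY_DIGESTS from <linux/loadpin.h> (redefined locally for hosts whose headers lack it), that the entry is opened write-only, and that a valid root digest is an even-length hex string of 32 to 128 characters (a sha256 root digest is 64); the sample digests are constructed values, not real dm-verity root hashes.

```c
/* Added example (not kernel code): validate a dm-verity root digest list
 * and submit it to LoadPin through the securityfs ioctl described in the
 * Kconfig help text.
 * Assumptions not stated on the page: securityfs mount point, ioctl
 * name/definition, write-only open of the entry, digest length bounds. */
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

#if defined(__has_include)
#  if __has_include(<linux/loadpin.h>)
#    include <linux/loadpin.h>
#  endif
#endif
#ifndef LOADPIN_IOC_SET_TRUSTED_VERITY_DIGESTS
/* Assumed to mirror include/uapi/linux/loadpin.h when the header is absent. */
#define LOADPIN_IOC_MAGIC 'L'
#define LOADPIN_IOC_SET_TRUSTED_VERITY_DIGESTS _IOW(LOADPIN_IOC_MAGIC, 0x00, unsigned int)
#endif

/* Assumed securityfs location of the 'dm-verity' entry named on the page. */
#define LOADPIN_SECURITYFS_ENTRY "/sys/kernel/security/loadpin/dm-verity"

/* Constructed sample digests (64 hex chars each); not real root hashes. */
#define SAMPLE_DIGEST_A "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
#define SAMPLE_DIGEST_B "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"

/* A digest entry is accepted if it is all hex, even length, 32..128 chars
 * (assumed bounds covering common verity hash algorithms). */
static int digest_is_valid(const char *s, size_t len)
{
    if (len < 32 || len > 128 || (len % 2) != 0)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!isxdigit((unsigned char)s[i]))
            return 0;
    return 1;
}

/* Walk the comma separated list the Kconfig text describes. Whitespace
 * around each entry (including a trailing newline) is ignored. Returns the
 * number of valid digests, or -1 at the first empty or malformed entry. */
int loadpin_count_valid_digests(const char *list)
{
    int count = 0;
    const char *p = list;

    for (;;) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        /* Trim leading and trailing whitespace of this entry. */
        while (len && isspace((unsigned char)*p)) { p++; len--; }
        while (len && isspace((unsigned char)p[len - 1])) len--;

        if (!digest_is_valid(p, len))
            return -1;
        count++;
        if (!end)
            break;
        p = end + 1;
    }
    return count;
}

/* Hand the digest file to LoadPin by descriptor. The file must sit on the
 * pinned root filesystem, as the help text requires. Returns the ioctl
 * result, or -1 if either open fails. */
int loadpin_set_trusted_digests(const char *digest_path)
{
    int digest_fd = open(digest_path, O_RDONLY);
    if (digest_fd < 0)
        return -1;
    int lp_fd = open(LOADPIN_SECURITYFS_ENTRY, O_WRONLY);
    if (lp_fd < 0) {
        close(digest_fd);
        return -1;
    }
    int ret = ioctl(lp_fd, LOADPIN_IOC_SET_TRUSTED_VERITY_DIGESTS, (unsigned int)digest_fd);
    close(lp_fd);
    close(digest_fd);
    return ret;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s DIGEST_FILE\n", argv[0]);
        return 2;
    }
    /* Check the list format first so a bad file never reaches the kernel. */
    char buf[4096];
    FILE *f = fopen(argv[1], "r");
    if (!f) {
        perror("fopen");
        return 1;
    }
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    int count = loadpin_count_valid_digests(buf);
    if (count < 0) {
        fprintf(stderr, "malformed digest list in %s\n", argv[1]);
        return 1;
    }
    if (loadpin_set_trusted_digests(argv[1]) < 0) {
        perror("LOADPIN_IOC_SET_TRUSTED_VERITY_DIGESTS");
        return 1;
    }
    printf("submitted %d trusted verity root digest(s)\n", count);
    return 0;
}
```

Run it as root with a digest file on the pinned root, e.g. `./loadpin-digests /etc/loadpin/verity-digests`; the ioctl requires CONFIG_SECURITY_LOADPIN_VERITY and a mounted securityfs, and the userspace check rejects empty entries such as a stray trailing comma before anything is submitted.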