```kconfig
config SECURITY_LOADPIN
	bool "Pin load of kernel files (modules, fw, etc) to one filesystem"
	depends on SECURITY && BLOCK
	help
	  Any files read through the kernel file reading interface
	  (kernel modules, firmware, kexec images, security policy)
	  can be pinned to the first filesystem used for loading. When
	  enabled, any files that come from other filesystems will be
	  rejected. This is best used on systems without an initrd that
	  have a root filesystem backed by a read-only device such as
	  dm-verity or a CDROM.

config SECURITY_LOADPIN_ENABLED
	bool "Enforce LoadPin at boot"
	depends on SECURITY_LOADPIN
	help
	  If selected, LoadPin will enforce pinning at boot. If not
	  selected, it can be enabled at boot with the kernel parameter
	  "loadpin.enabled=1".
```
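
An added audit helper (not part of the kernel tree) that derives the boot-time LoadPin state from the two options above and the kernel command line. The function name, state labels and sample input are constructed for illustration; it assumes a `loadpin.enabled=` parameter overrides the build-time default and that the last occurrence wins.

```sh
#!/bin/sh
# Added example: report the effective LoadPin state at boot, given the text
# of a kernel .config and a kernel command line.

# loadpin_state CONFIG_TEXT CMDLINE
# Prints one of: not-built | enforcing | not-enforcing
loadpin_state() {
    config_text=$1
    cmdline=$2

    # Without SECURITY_LOADPIN the LSM is not compiled in at all.
    if ! printf '%s\n' "$config_text" | grep -qx 'CONFIG_SECURITY_LOADPIN=y'; then
        echo not-built
        return 0
    fi

    # The build-time default comes from SECURITY_LOADPIN_ENABLED.
    state=not-enforcing
    if printf '%s\n' "$config_text" | grep -qx 'CONFIG_SECURITY_LOADPIN_ENABLED=y'; then
        state=enforcing
    fi

    # Assumption: loadpin.enabled= on the command line overrides the build
    # default and the last occurrence wins. Only 0 and 1 are recognised here.
    last=$(printf '%s\n' "$cmdline" | tr ' \t' '\n\n' |
        grep -E '^loadpin\.enabled=[01]$' | tail -n 1)
    case $last in
        loadpin.enabled=0) state=not-enforcing ;;
        loadpin.enabled=1) state=enforcing ;;
    esac

    echo "$state"
}

# Constructed sample input (not taken from a real system).
SAMPLE_CONFIG='CONFIG_SECURITY=y
CONFIG_SECURITY_LOADPIN=y
# CONFIG_SECURITY_LOADPIN_ENABLED is not set'
SAMPLE_CMDLINE='root=/dev/dm-0 ro loadpin.enabled=1'

loadpin_state "$SAMPLE_CONFIG" "$SAMPLE_CMDLINE"
```

On a live host the two arguments would typically come from the running kernel's config file and `/proc/cmdline`.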