xref: /openbmc/linux/Documentation/admin-guide/LSM/LoadPin.rst (revision 0ff9848067b7b950a4ed70de7f5028600a2157e3)
=======
LoadPin
=======

LoadPin is a Linux Security Module that ensures all kernel-loaded files
(modules, firmware, etc.) originate from the same filesystem, with
the expectation that such a filesystem is backed by a read-only device
such as dm-verity or CDROM. This allows systems that have a verified
and/or unchangeable filesystem to enforce module and firmware loading
restrictions without needing to sign the files individually.

The LSM is selectable at build-time with ``CONFIG_SECURITY_LOADPIN``, and
can be controlled at boot-time with the kernel command line option
"``loadpin.enabled``". By default, it is enabled, but can be disabled at
boot ("``loadpin.enabled=0``").

LoadPin starts pinning when it sees the first file loaded. If the
block device backing the filesystem is not read-only, a sysctl is
created to toggle pinning: ``/proc/sys/kernel/loadpin/enabled``. (Having
a mutable filesystem means pinning is mutable too, but having the
sysctl allows for easy testing on systems with a mutable filesystem.)

It's also possible to exclude specific file types from LoadPin using the kernel
command line option "``loadpin.exclude``". By default, all files are
included, but they can be excluded using a kernel command line option such
as "``loadpin.exclude=kernel-module,kexec-image``". This makes it possible to use
different mechanisms such as ``CONFIG_MODULE_SIG`` and
``CONFIG_KEXEC_VERIFY_SIG`` to verify the kernel module and kernel image while
still using LoadPin to protect the integrity of the other files the kernel loads. The
full list of valid file types can be found in ``kernel_read_file_str``
defined in ``include/linux/fs.h``.

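The two boot-time knobs described above, ``loadpin.enabled`` and ``loadpin.exclude``, are the settings a defender audits when checking that a dm-verity image really relies on LoadPin. The script below is an added example, not part of the LoadPin documentation or the kernel tree: it parses a kernel command line the way an operator would inspect ``/proc/cmdline``, reports whether LoadPin is on, and lists the excluded file types that therefore depend on another verifier (such as ``CONFIG_MODULE_SIG``). The sample command lines are constructed, and the known-type list holds the two names the page gives plus ``firmware``, which is assumed from ``kernel_read_file_str`` and should be extended from that table.

```shell
#!/bin/sh
# Added example (not part of the LoadPin documentation): audit LoadPin
# settings found on a kernel command line. Sample inputs are constructed.

# File types the documentation names, plus "firmware" (assumed from
# kernel_read_file_str in include/linux/fs.h; extend this list from there).
LOADPIN_KNOWN_TYPES="kernel-module kexec-image firmware"

# loadpin_enabled CMDLINE -> prints 1 if LoadPin is enabled, 0 if disabled.
# LoadPin is on by default; only loadpin.enabled=0 turns it off, and the
# last occurrence on the command line wins.
loadpin_enabled() {
    enabled=1
    for word in $1; do
        case "$word" in
            loadpin.enabled=0) enabled=0 ;;
            loadpin.enabled=*) enabled=1 ;;
        esac
    done
    echo "$enabled"
}

# loadpin_excluded CMDLINE -> prints the comma-separated loadpin.exclude list
# as space-separated words (empty when nothing is excluded).
loadpin_excluded() {
    excluded=""
    for word in $1; do
        case "$word" in
            loadpin.exclude=*)
                excluded=$(printf '%s' "${word#loadpin.exclude=}" | tr ',' ' ')
                ;;
        esac
    done
    echo "$excluded"
}

# loadpin_audit CMDLINE -> one line per finding; returns 0 when LoadPin is
# enabled and every excluded type is a known one, 1 otherwise.
loadpin_audit() {
    rc=0
    if [ "$(loadpin_enabled "$1")" = "0" ]; then
        echo "WARN: LoadPin disabled on the command line (loadpin.enabled=0)"
        rc=1
    fi
    for t in $(loadpin_excluded "$1"); do
        known=0
        for k in $LOADPIN_KNOWN_TYPES; do
            [ "$t" = "$k" ] && known=1
        done
        if [ "$known" = "1" ]; then
            echo "NOTE: '$t' excluded from LoadPin; its integrity relies on another verifier"
        else
            echo "WARN: unknown loadpin.exclude type '$t' (check kernel_read_file_str)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample command lines (not real /proc/cmdline contents).
SAMPLE_OK="root=/dev/dm-0 ro loadpin.exclude=kernel-module,kexec-image quiet"
SAMPLE_OFF="root=/dev/sda1 rw loadpin.enabled=0"

# Stand-alone run: audit the read-only sample (exits 0).
loadpin_audit "$SAMPLE_OK"
```

On a live system the same functions can be fed ``"$(cat /proc/cmdline)"``; the exclusion list is what to cross-check against the signing options actually built into the kernel, since an excluded type is protected only by whichever other mechanism covers it.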