=======
LoadPin
=======

LoadPin is a Linux Security Module that ensures all kernel-loaded files
(modules, firmware, etc.) originate from the same filesystem, with
the expectation that such a filesystem is backed by a read-only device
such as dm-verity or CDROM. This allows systems that have a verified
and/or unchangeable filesystem to enforce module and firmware loading
restrictions without needing to sign the files individually.

The LSM is selectable at build-time with ``CONFIG_SECURITY_LOADPIN``, and
can be controlled at boot-time with the kernel command line option
"``loadpin.enabled``". By default, it is enabled, but can be disabled at
boot ("``loadpin.enabled=0``").

LoadPin starts pinning when it sees the first file loaded. If the
block device backing the filesystem is not read-only, a sysctl is
created to toggle pinning: ``/proc/sys/kernel/loadpin/enabled``. (Having
a mutable filesystem means pinning is mutable too, but having the
sysctl allows for easy testing on systems with a mutable filesystem.)

It is also possible to exclude specific file types from LoadPin using the
kernel command line option "``loadpin.exclude``". By default, all files are
included, but they can be excluded using a kernel command line option such
as "``loadpin.exclude=kernel-module,kexec-image``". This allows other
mechanisms, such as ``CONFIG_MODULE_SIG`` and ``CONFIG_KEXEC_VERIFY_SIG``,
to verify kernel modules and the kernel image while LoadPin is still used
to protect the integrity of the other files the kernel loads. The full list
of valid file types can be found in ``kernel_read_file_str``, defined in
``include/linux/fs.h``.
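An added example (not part of the LoadPin documentation or the kernel tree) that audits the effective LoadPin policy from a kernel command line string, so an administrator can see which file types are still pinned once ``loadpin.enabled`` and ``loadpin.exclude`` are taken into account. It assumes only ``loadpin.enabled=0`` disables pinning, as the text states, and checks the two file-type names the text gives plus ``firmware``; the sample command line is constructed.

```shell
#!/bin/sh
# Added example: report the LoadPin policy implied by a kernel command line.
# Assumption: only "loadpin.enabled=0" disables pinning; any other value
# leaves it enabled. The last occurrence of a parameter wins.

# loadpin_enabled CMDLINE -> prints "enabled" or "disabled"
loadpin_enabled() {
    state=enabled
    for tok in $1; do
        case "$tok" in
            loadpin.enabled=0) state=disabled ;;
            loadpin.enabled=*) state=enabled ;;
        esac
    done
    printf '%s\n' "$state"
}

# loadpin_excluded CMDLINE TYPE -> prints "yes" if TYPE appears in the
# comma-separated loadpin.exclude list, otherwise "no"
loadpin_excluded() {
    cmdline=$1; want=$2; found=no
    for tok in $cmdline; do
        case "$tok" in
            loadpin.exclude=*)
                list=${tok#loadpin.exclude=}
                # Wrap in commas so "kernel-module" does not match "module".
                case ",$list," in
                    *",$want,"*) found=yes ;;
                esac ;;
        esac
    done
    printf '%s\n' "$found"
}

# loadpin_report CMDLINE -> one line per file type: pinned/excluded/unpinned
loadpin_report() {
    cmdline=$1
    state=$(loadpin_enabled "$cmdline")
    for ftype in kernel-module firmware kexec-image; do
        if [ "$state" = disabled ]; then
            printf '%s: unpinned (loadpin.enabled=0)\n' "$ftype"
        elif [ "$(loadpin_excluded "$cmdline" "$ftype")" = yes ]; then
            printf '%s: excluded (must be covered by a separate verifier)\n' "$ftype"
        else
            printf '%s: pinned\n' "$ftype"
        fi
    done
}

# Constructed sample command line; on a live system use "$(cat /proc/cmdline)".
SAMPLE_CMDLINE='root=/dev/dm-0 ro loadpin.exclude=kernel-module,kexec-image quiet'
loadpin_report "$SAMPLE_CMDLINE"
```

With the sample line, only ``firmware`` is reported as pinned; ``kernel-module`` and ``kexec-image`` are flagged as excluded, which is the configuration where module and kexec signature checking is expected to cover them instead.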