1*30da4f77SKees Cook======= 2*30da4f77SKees CookLoadPin 3*30da4f77SKees Cook======= 4*30da4f77SKees Cook 5*30da4f77SKees CookLoadPin is a Linux Security Module that ensures all kernel-loaded files 6*30da4f77SKees Cook(modules, firmware, etc) all originate from the same filesystem, with 7*30da4f77SKees Cookthe expectation that such a filesystem is backed by a read-only device 8*30da4f77SKees Cooksuch as dm-verity or CDROM. This allows systems that have a verified 9*30da4f77SKees Cookand/or unchangeable filesystem to enforce module and firmware loading 10*30da4f77SKees Cookrestrictions without needing to sign the files individually. 11*30da4f77SKees Cook 12*30da4f77SKees CookThe LSM is selectable at build-time with ``CONFIG_SECURITY_LOADPIN``, and 13*30da4f77SKees Cookcan be controlled at boot-time with the kernel command line option 14*30da4f77SKees Cook"``loadpin.enabled``". By default, it is enabled, but can be disabled at 15*30da4f77SKees Cookboot ("``loadpin.enabled=0``"). 16*30da4f77SKees Cook 17*30da4f77SKees CookLoadPin starts pinning when it sees the first file loaded. If the 18*30da4f77SKees Cookblock device backing the filesystem is not read-only, a sysctl is 19*30da4f77SKees Cookcreated to toggle pinning: ``/proc/sys/kernel/loadpin/enabled``. (Having 20*30da4f77SKees Cooka mutable filesystem means pinning is mutable too, but having the 21*30da4f77SKees Cooksysctl allows for easy testing on systems with a mutable filesystem.) 22