xref: /openbmc/linux/Documentation/admin-guide/LSM/LoadPin.rst (revision 30da4f77aae99bf9ae5905d0ef89668391eea315)
=======
LoadPin
=======

LoadPin is a Linux Security Module that ensures all kernel-loaded files
(modules, firmware, etc.) originate from the same filesystem, with
the expectation that such a filesystem is backed by a read-only device
such as dm-verity or CDROM. This allows systems that have a verified
and/or unchangeable filesystem to enforce module and firmware loading
restrictions without needing to sign the files individually.

The LSM is selectable at build-time with ``CONFIG_SECURITY_LOADPIN``, and
can be controlled at boot-time with the kernel command line option
"``loadpin.enabled``". By default, it is enabled, but can be disabled at
boot ("``loadpin.enabled=0``").

LoadPin starts pinning when it sees the first file loaded. If the
block device backing the filesystem is not read-only, a sysctl is
created to toggle pinning: ``/proc/sys/kernel/loadpin/enabled``. (Having
a mutable filesystem means pinning is mutable too, but having the
sysctl allows for easy testing on systems with a mutable filesystem.)
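The following is an added audit script, not part of this documentation or of the kernel tree, that applies the rules above on a running system: whether LoadPin is in the active LSM list, whether ``loadpin.enabled=0`` was passed at boot, and whether the ``/proc/sys/kernel/loadpin/enabled`` sysctl exists, which by the paragraph above means the backing device was writable and pinning is mutable. It assumes the standard procfs and securityfs paths and accepts an optional directory prefix so it can be exercised against constructed files.

```shell
#!/bin/sh
# Added audit script; not part of the LoadPin documentation or the kernel tree.
# Assumptions: the standard procfs/securityfs paths below, plus an optional
# directory prefix ($1) so the check can also run against constructed files.

# Interpret the loadpin.enabled boot parameter. The documentation gives
# "loadpin.enabled=0" as the off switch; n/N/off are the other false spellings
# the kernel's boolean parameter parser accepts. Last occurrence wins.
cmdline_loadpin_state() {
    state=enabled
    for tok in $1; do
        case "$tok" in
            loadpin.enabled=0|loadpin.enabled=[nN]*|loadpin.enabled=off) state=disabled ;;
            loadpin.enabled*) state=enabled ;;
        esac
    done
    echo "$state"
}

# Classify LoadPin's state under an optional root prefix. Return codes:
#   0  enforcing and not toggleable: no sysctl, so the backing device was
#      read-only (or nothing has been loaded yet; the sysctl only appears
#      once LoadPin has seen its first file)
#   1  enforcing, but the sysctl exists: the backing device is writable, so
#      pinning itself can be switched off at runtime
#   2  not enforcing: not an active LSM, disabled at boot, or sysctl set to 0
loadpin_audit() {
    root=${1:-}
    cmdline=$(cat "$root/proc/cmdline" 2>/dev/null)
    lsms=$(cat "$root/sys/kernel/security/lsm" 2>/dev/null)
    knob="$root/proc/sys/kernel/loadpin/enabled"

    case ",$lsms," in
        *,loadpin,*) ;;
        *) echo "loadpin: not in the active LSM list (${lsms:-unreadable})"; return 2 ;;
    esac
    if [ "$(cmdline_loadpin_state "$cmdline")" = disabled ]; then
        echo "loadpin: disabled on the kernel command line"; return 2
    fi
    if [ -r "$knob" ]; then
        if [ "$(cat "$knob")" != 1 ]; then
            echo "loadpin: $knob is 0, pinning switched off"; return 2
        fi
        echo "loadpin: enforcing, but the backing device is writable ($knob exists)"
        return 1
    fi
    echo "loadpin: enforcing, pinned to a read-only backing device"
    return 0
}
```

On a live system, source the file and call ``loadpin_audit`` with no argument; a return code of 1 identifies ``/proc/sys/kernel/loadpin/enabled`` as the setting to monitor, since a change to 0 there silently lifts the loading restriction.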