1# SPDX-License-Identifier: GPL-2.0-only 2config SECURITY_LOADPIN 3 bool "Pin load of kernel files (modules, fw, etc) to one filesystem" 4 depends on SECURITY && BLOCK 5 help 6 Any files read through the kernel file reading interface 7 (kernel modules, firmware, kexec images, security policy) 8 can be pinned to the first filesystem used for loading. When 9 enabled, any files that come from other filesystems will be 10 rejected. This is best used on systems without an initrd that 11 have a root filesystem backed by a read-only device such as 12 dm-verity or a CDROM. 13 14config SECURITY_LOADPIN_ENFORCE 15 bool "Enforce LoadPin at boot" 16 depends on SECURITY_LOADPIN 17 help 18 If selected, LoadPin will enforce pinning at boot. If not 19 selected, it can be enabled at boot with the kernel parameter 20 "loadpin.enforce=1". 21