xref: /openbmc/linux/security/loadpin/Kconfig (revision fb8d6c8d)
1# SPDX-License-Identifier: GPL-2.0-only
2config SECURITY_LOADPIN
3	bool "Pin load of kernel files (modules, fw, etc) to one filesystem"
4	depends on SECURITY && BLOCK
5	help
6	  Any files read through the kernel file reading interface
7	  (kernel modules, firmware, kexec images, security policy)
8	  can be pinned to the first filesystem used for loading. When
9	  enabled, any files that come from other filesystems will be
10	  rejected. This is best used on systems without an initrd that
11	  have a root filesystem backed by a read-only device such as
12	  dm-verity or a CDROM.
13
14config SECURITY_LOADPIN_ENFORCE
15	bool "Enforce LoadPin at boot"
16	depends on SECURITY_LOADPIN
17	help
18	  If selected, LoadPin will enforce pinning at boot. If not
19	  selected, it can be enabled at boot with the kernel parameter
20	  "loadpin.enforce=1".
21