linux/security/loadpin/Kconfig
<<
>>
Prefs
   1# SPDX-License-Identifier: GPL-2.0-only
   2config SECURITY_LOADPIN
   3        bool "Pin load of kernel files (modules, fw, etc) to one filesystem"
   4        depends on SECURITY && BLOCK
   5        help
   6          Any files read through the kernel file reading interface
   7          (kernel modules, firmware, kexec images, security policy)
   8          can be pinned to the first filesystem used for loading. When
   9          enabled, any files that come from other filesystems will be
  10          rejected. This is best used on systems without an initrd that
  11          have a root filesystem backed by a read-only device such as
  12          dm-verity or a CDROM.
  13
  14config SECURITY_LOADPIN_ENFORCE
  15        bool "Enforce LoadPin at boot"
  16        depends on SECURITY_LOADPIN
  17        help
  18          If selected, LoadPin will enforce pinning at boot. If not
  19          selected, it can be enabled at boot with the kernel parameter
  20          "loadpin.enforce=1".
  21