# SPDX-License-Identifier: GPL-2.0-only
config SECURITY_LOADPIN
	bool "Pin load of kernel files (modules, fw, etc) to one filesystem"
	depends on SECURITY && BLOCK
	help
	  Any files read through the kernel file reading interface
	  (kernel modules, firmware, kexec images, security policy)
	  can be pinned to the first filesystem used for loading. When
	  enabled, any files that come from other filesystems will be
	  rejected. This is best used on systems without an initrd that
	  have a root filesystem backed by a read-only device such as
	  dm-verity or a CDROM.

config SECURITY_LOADPIN_ENFORCE
	bool "Enforce LoadPin at boot"
	depends on SECURITY_LOADPIN
	help
	  If selected, LoadPin will enforce pinning at boot. If not
	  selected, it can be enabled at boot with the kernel parameter
	  "loadpin.enforce=1".
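An audit helper for the two options above, added here as an example and not part of the kernel tree: it derives whether a given build and command line would boot with LoadPin enforcing. The function name, output labels and sample inputs are constructed. It assumes that LoadPin is in the active LSM list and that the boot parameter replaces the build-time default, so "loadpin.enforce=0" turns enforcement off.

```shell
#!/bin/sh
# Added example: derive the LoadPin mode from the text of a kernel .config
# and a kernel command line. Names and sample inputs are constructed.

# loadpin_mode CONFIG_TEXT CMDLINE -> prints absent | enforcing | not-enforcing
# The body runs in a subshell so that 'set -f' does not leak to the caller.
loadpin_mode() (
    config_text=$1
    cmdline=$2
    set -f    # no glob expansion while splitting the command line into words

    # LoadPin exists only when CONFIG_SECURITY_LOADPIN=y (exact line match,
    # so CONFIG_SECURITY_LOADPIN_ENFORCE=y alone does not count).
    if ! printf '%s\n' "$config_text" | grep -qx 'CONFIG_SECURITY_LOADPIN=y'; then
        echo absent
    else
        # Build-time default comes from CONFIG_SECURITY_LOADPIN_ENFORCE.
        enforce=0
        if printf '%s\n' "$config_text" | grep -qx 'CONFIG_SECURITY_LOADPIN_ENFORCE=y'; then
            enforce=1
        fi

        # A loadpin.enforce=N boot parameter replaces the default (assumption
        # stated in the lead-in); the last occurrence wins.
        for arg in $cmdline; do
            case $arg in
                loadpin.enforce=0) enforce=0 ;;
                loadpin.enforce=1) enforce=1 ;;
            esac
        done

        if [ "$enforce" -eq 1 ]; then echo enforcing; else echo not-enforcing; fi
    fi
)

# Constructed sample inputs (not taken from a real system).
SAMPLE_CONFIG='CONFIG_SECURITY=y
CONFIG_BLOCK=y
CONFIG_SECURITY_LOADPIN=y
# CONFIG_SECURITY_LOADPIN_ENFORCE is not set'

loadpin_mode "$SAMPLE_CONFIG" 'root=/dev/dm-0 ro'
loadpin_mode "$SAMPLE_CONFIG" 'root=/dev/dm-0 ro loadpin.enforce=1'
```

On a fleet, a "not-enforcing" result for a build that is meant to pin module and firmware loads is the case worth flagging.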