linux/security/loadpin/Kconfig

config SECURITY_LOADPIN
	bool "Pin load of kernel files (modules, fw, etc) to one filesystem"
	depends on SECURITY && BLOCK
	help
	  Any files read through the kernel file reading interface
	  (kernel modules, firmware, kexec images, security policy) will
	  be pinned to the first filesystem used for loading. Any files
	  that come from other filesystems will be rejected. This is best
	  used on systems without an initrd that have a root filesystem
	  backed by a read-only device such as dm-verity or a CDROM.
LSM: LoadPin for kernel file loading restrictions This LSM enforces that kernel-loaded files (modules, firmware, etc) must all come from the same filesystem, with the expectation that such a filesystem is backed by a read-only device such as dm-verity or CDROM. This allows systems that have a verified and/or unchangeable filesystem to enforce module and firmware loading restrictions without needing to sign the files individually. Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: James Morris <james.l.morris@oracle.com> 2016-04-21 06:46:28 +08:00			`config SECURITY_LOADPIN`
			`bool "Pin load of kernel files (modules, fw, etc) to one filesystem"`
			`depends on SECURITY && BLOCK`
			`help`
			`Any files read through the kernel file reading interface`
			`(kernel modules, firmware, kexec images, security policy) will`
			`be pinned to the first filesystem used for loading. Any files`
			`that come from other filesystems will be rejected. This is best`
			`used on systems without an initrd that have a root filesystem`
			`backed by a read-only device such as dm-verity or a CDROM.`