forked from Qortal/Brooklyn
20 lines
821 B
# SPDX-License-Identifier: GPL-2.0-only
config SECURITY_LOADPIN
	bool "Pin load of kernel files (modules, fw, etc) to one filesystem"
	depends on SECURITY && BLOCK
	help
	  Any files read through the kernel file reading interface
	  (kernel modules, firmware, kexec images, security policy)
	  can be pinned to the first filesystem used for loading. When
	  enabled, any files that come from other filesystems will be
	  rejected. This is best used on systems without an initrd that
	  have a root filesystem backed by a read-only device such as
	  dm-verity or a CDROM.

config SECURITY_LOADPIN_ENFORCE
	bool "Enforce LoadPin at boot"
	depends on SECURITY_LOADPIN
	help
	  If selected, LoadPin will enforce pinning at boot. If not
	  selected, it can be enabled at boot with the kernel parameter
	  "loadpin.enforce=1".
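An added example (not part of this Kconfig file or the kernel tree): a POSIX shell check that reports whether LoadPin would enforce, given a kernel .config and a kernel command line, following the two options described above. The function names are hypothetical, the sample config is constructed, and the script assumes the last loadpin.enforce= value on the command line overrides the build-time default.

```shell
#!/bin/sh
# Added example: derive the LoadPin mode from a kernel .config and a cmdline.

# kconfig_on FILE SYMBOL -> exit 0 only if FILE contains the line CONFIG_SYMBOL=y
kconfig_on() {
    grep -qx "CONFIG_$2=y" "$1"
}

# cmdline_enforce CMDLINE -> prints the last loadpin.enforce= value, or nothing
cmdline_enforce() {
    val=""
    for word in $1; do
        case "$word" in
            loadpin.enforce=*) val=${word#loadpin.enforce=} ;;
        esac
    done
    printf '%s' "$val"
}

# loadpin_mode FILE CMDLINE -> absent | enforcing | not-enforcing | unknown
loadpin_mode() {
    # Without SECURITY_LOADPIN the boot parameter has nothing to act on.
    kconfig_on "$1" SECURITY_LOADPIN || { echo absent; return 0; }
    boot=$(cmdline_enforce "$2")
    case "$boot" in
        1) echo enforcing ;;
        0) echo not-enforcing ;;   # assumption: boot value overrides the build default
        "") # No boot parameter: SECURITY_LOADPIN_ENFORCE decides.
            if kconfig_on "$1" SECURITY_LOADPIN_ENFORCE; then
                echo enforcing
            else
                echo not-enforcing
            fi ;;
        *) echo unknown ;;
    esac
}

# Constructed sample input (not taken from a real system).
cfg=$(mktemp)
printf '%s\n' 'CONFIG_SECURITY=y' 'CONFIG_SECURITY_LOADPIN=y' \
    '# CONFIG_SECURITY_LOADPIN_ENFORCE is not set' > "$cfg"
loadpin_mode "$cfg" 'root=/dev/dm-0 ro'
loadpin_mode "$cfg" 'root=/dev/dm-0 ro loadpin.enforce=1'
rm -f "$cfg"
```

On a running system the inputs would typically be the build's .config and the contents of /proc/cmdline.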