Kees Cook | 9b09155 | 2016-04-20 15:46:28 -0700

config SECURITY_LOADPIN
	bool "Pin load of kernel files (modules, fw, etc) to one filesystem"
	depends on SECURITY && BLOCK
	help
	  Any files read through the kernel file reading interface
	  (kernel modules, firmware, kexec images, security policy) will
	  be pinned to the first filesystem used for loading. Any files
	  that come from other filesystems will be rejected. This is best
	  used on systems without an initrd that have a root filesystem
	  backed by a read-only device such as dm-verity or a CDROM.