Diffstat (limited to 'security/loadpin/Kconfig')
-rw-r--r-- | security/loadpin/Kconfig | 21
1 files changed, 21 insertions, 0 deletions
diff --git a/security/loadpin/Kconfig b/security/loadpin/Kconfig index 91be65dec2ab..6724eaba3d36 100644 --- a/security/loadpin/Kconfig +++ b/security/loadpin/Kconfig @@ -18,3 +18,24 @@ config SECURITY_LOADPIN_ENFORCE If selected, LoadPin will enforce pinning at boot. If not selected, it can be enabled at boot with the kernel parameter "loadpin.enforce=1". + +config SECURITY_LOADPIN_VERITY + bool "Allow reading files from certain other filesystems that use dm-verity" + depends on SECURITY_LOADPIN && DM_VERITY=y && SECURITYFS + help + If selected LoadPin can allow reading files from filesystems + that use dm-verity. LoadPin maintains a list of verity root + digests it considers trusted. A verity backed filesystem is + considered trusted if its root digest is found in the list + of trusted digests. + + The list of trusted verity can be populated through an ioctl + on the LoadPin securityfs entry 'dm-verity'. The ioctl + expects a file descriptor of a file with verity digests as + parameter. The file must be located on the pinned root and + start with the line: + + # LOADPIN_TRUSTED_VERITY_ROOT_DIGESTS + + This is followed by the verity digests, with one digest per + line. |
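Review bot: the sentence "The list of trusted verity can be populated through an ioctl" in the help text is missing its noun; it should read "The list of trusted verity root digests can be populated ...", matching the "trusted digests" wording two lines above. The opening line should also follow the style of the SECURITY_LOADPIN_ENFORCE help directly above it ("If selected, LoadPin will enforce ...") and read "If selected, LoadPin can allow reading files ...". Since the option hard-requires DM_VERITY=y rather than DM_VERITY, a short help sentence stating that dm-verity must be built in (not a module) would save users wondering why the option is not selectable in their config.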