LoadPin

LoadPin is a Linux Security Module that ensures all kernel-loaded files (modules, firmware, etc.) originate from the same filesystem, with the expectation that such a filesystem is backed by a read-only device such as dm-verity or CDROM. This allows systems that have a verified and/or unchangeable filesystem to enforce module and firmware loading restrictions without needing to sign the files individually.

The LSM is selectable at build-time with CONFIG_SECURITY_LOADPIN, and can be controlled at boot-time with the kernel command line option “loadpin.enabled”. By default, it is enabled, but can be disabled at boot (“loadpin.enabled=0”).

LoadPin starts pinning when it sees the first file loaded. If the block device backing the filesystem is not read-only, a sysctl is created to toggle pinning: /proc/sys/kernel/loadpin/enabled. (Having a mutable filesystem means pinning is mutable too, but having the sysctl allows for easy testing on systems with a mutable filesystem.)

It’s also possible to exclude specific file types from LoadPin using the kernel command line option “loadpin.exclude”. By default, all files are included, but they can be excluded with a kernel command line option such as “loadpin.exclude=kernel-module,kexec-image”. This makes it possible to use different mechanisms, such as CONFIG_MODULE_SIG and CONFIG_KEXEC_VERIFY_SIG, to verify kernel modules and kernel images while still using LoadPin to protect the integrity of the other files the kernel loads. The full list of valid file types can be found in kernel_read_file_str, defined in include/linux/fs.h.
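
An added example (not part of the kernel documentation): a shell check that reads the boot options described above and flags any “loadpin.exclude” entry whose substitute signature option is missing from the kernel build config. The function names, the /boot/config path and the last-occurrence-wins handling of repeated options are assumptions.

```sh
#!/bin/sh
# Added example: audit LoadPin boot settings against the kernel build config.
# On a live system (the config path is an assumption about the distro):
#   loadpin_audit "$(cat /proc/cmdline)" "$(cat "/boot/config-$(uname -r)")"

# Signature option the page names as the substitute for an excluded file type.
compensating_option() {
    case "$1" in
        kernel-module) echo CONFIG_MODULE_SIG ;;
        kexec-image)   echo CONFIG_KEXEC_VERIFY_SIG ;;
    esac
}

# $1 = kernel command line, $2 = kernel config text; prints one finding per line.
# The body is a subshell so that set -f and the IFS change stay local.
loadpin_audit() (
    set -f
    cmdline=$1; config=$2; enabled=1; exclude=""
    # Assumption: when an option is repeated, the last occurrence wins.
    for word in $cmdline; do
        case "$word" in
            loadpin.enabled=*) enabled=${word#loadpin.enabled=} ;;
            loadpin.exclude=*) exclude=${word#loadpin.exclude=} ;;
        esac
    done
    has() { printf '%s\n' "$config" | grep -qx "$1=y"; }
    if ! has CONFIG_SECURITY_LOADPIN; then
        echo "FAIL LoadPin not built in (CONFIG_SECURITY_LOADPIN)"
    elif [ "$enabled" = 0 ]; then
        echo "FAIL LoadPin disabled at boot (loadpin.enabled=0)"
    else
        echo "OK LoadPin enabled"
        IFS=,
        for ftype in $exclude; do
            opt=$(compensating_option "$ftype")
            if [ -z "$opt" ]; then
                echo "WARN $ftype excluded, no substitute check known to this script"
            elif has "$opt"; then
                echo "OK $ftype excluded, covered by $opt"
            else
                echo "FAIL $ftype excluded but $opt is not set"
            fi
        done
    fi
)

# Constructed sample input, not taken from a real machine.
loadpin_audit 'root=/dev/dm-0 ro loadpin.exclude=kernel-module,kexec-image' \
'CONFIG_SECURITY_LOADPIN=y
CONFIG_MODULE_SIG=y'
```

Note that CONFIG_MODULE_SIG=y on its own only checks signatures; rejecting unsigned modules additionally needs CONFIG_MODULE_SIG_FORCE or module.sig_enforce, which this check does not inspect.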