LoadPin: Enable loading from trusted dm-verity devices

[linux-2.6-microblaze.git] / security / loadpin / Kconfig

diff --git a/security/loadpin/Kconfig b/security/loadpin/Kconfig
index 91be65d..70e7985 100644 (file)
--- a/security/loadpin/Kconfig
+++ b/security/loadpin/Kconfig
@@ -18,3 +18,19 @@ config SECURITY_LOADPIN_ENFORCE
          If selected, LoadPin will enforce pinning at boot. If not
          selected, it can be enabled at boot with the kernel parameter
          "loadpin.enforce=1".
+
+config SECURITY_LOADPIN_VERITY
+       bool "Allow reading files from certain other filesystems that use dm-verity"
+       depends on SECURITY_LOADPIN && DM_VERITY=y && SECURITYFS
+       help
+         If selected LoadPin can allow reading files from filesystems
+         that use dm-verity. LoadPin maintains a list of verity root
+         digests it considers trusted. A verity backed filesystem is
+         considered trusted if its root digest is found in the list
+         of trusted digests.
+
+         The list of trusted verity can be populated through an ioctl
+         on the LoadPin securityfs entry 'dm-verity'. The ioctl
+         expects a file descriptor of a file with verity digests as
+         parameter. The file must be located on the pinned root and
+         contain a comma separated list of digests.