Phoronix: Linux Lock-Down Kernel Patches Get Revived, Seeking Mainline Inclusion
An effort ongoing for a few years now has been the CONFIG_LOCK_DOWN_KERNEL patches to prevent user-space from being able to modify the kernel image, by blocking the loading of unsigned kernel modules, disallowing writes to /dev/mem, restricting PCI BAR and MSR access, adding ACPI restrictions, and more. Some Linux distributions are already carrying this work in some form and enabling it with UEFI SecureBoot, but it hasn't been mainlined, although that could soon change...
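As an added example (not from the Phoronix article or from the lock-down patch series itself), here is a small POSIX shell check a defender can run to see whether a booted kernel actually has the protections described above. It assumes the securityfs interface `/sys/kernel/security/lockdown`, which reads like `[none] integrity confidentiality` with the active mode in brackets, and the `module.sig_enforce` parameter exposed at `/sys/module/module/parameters/sig_enforce`; both paths are taken as arguments so the functions can be exercised against constructed files on a machine without lockdown.

```shell
#!/bin/sh
# Report the kernel lockdown state and the module-signature enforcement
# setting. Added example, not part of the article or the kernel patches.
# Assumed interfaces (present on kernels that carry the merged feature):
#   /sys/kernel/security/lockdown            -> "[none] integrity confidentiality"
#   /sys/module/module/parameters/sig_enforce -> "Y" or "N"

# lockdown_mode [FILE]
# Print the active lockdown mode (the bracketed word), or "unknown" when the
# file is missing or has no bracketed entry. Always returns 0 so callers can
# capture the output under "set -e".
lockdown_mode() {
    file=${1:-/sys/kernel/security/lockdown}
    if [ ! -r "$file" ]; then
        echo unknown
        return 0
    fi
    mode=$(sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$file" | head -n 1)
    if [ -n "$mode" ]; then
        echo "$mode"
    else
        echo unknown
    fi
}

# sig_enforce [FILE]
# Print "Y" when the kernel refuses unsigned modules, "N" when it only
# taints, or "unknown" when the parameter is not exposed.
sig_enforce() {
    file=${1:-/sys/module/module/parameters/sig_enforce}
    if [ ! -r "$file" ]; then
        echo unknown
        return 0
    fi
    value=$(tr -d '[:space:]' < "$file")
    [ -n "$value" ] && echo "$value" || echo unknown
}

# lockdown_report [LOCKDOWN_FILE] [SIG_ENFORCE_FILE]
# Return 0 when the kernel runs in at least integrity mode (the mode that
# blocks /dev/mem writes, raw PCI/MSR access and unsigned modules) AND
# module signatures are enforced; return 1 otherwise.
lockdown_report() {
    mode=$(lockdown_mode "$1")
    enforce=$(sig_enforce "$2")
    echo "lockdown mode:      $mode"
    echo "module.sig_enforce: $enforce"
    case "$mode" in
        integrity|confidentiality) locked=1 ;;
        *) locked=0 ;;
    esac
    if [ "$locked" -eq 1 ] && [ "$enforce" = "Y" ]; then
        echo "status: kernel image protected from user space"
        return 0
    fi
    echo "status: NOT locked down (unsigned modules or /dev/mem writes may be possible)"
    return 1
}

# Run against the live system only when invoked with --live, so sourcing
# the file for testing has no side effects.
if [ "${1:-}" = "--live" ]; then
    lockdown_report
fi
```

Run it as `sh lockdown_check.sh --live` on the machine under review; a non-zero exit means at least one of the two controls is absent, which is the state most distributions that do not ship the patches are in today.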