Announcement

Collapse
No announcement yet.

LOCKDOWN Aiming To Be In Linux 5.2 For Tightening Up Hardware/Kernel Access

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • LOCKDOWN Aiming To Be In Linux 5.2 For Tightening Up Hardware/Kernel Access

    Phoronix: LOCKDOWN Aiming To Be In Linux 5.2 For Tightening Up Hardware/Kernel Access

    Google developer Matthew Garrett recently took over work on the long-standing "LOCKDOWN" kernel patches with a goal of preventing the running kernel image from being modified and strengthen the boundary between UID 0 and the kernel. These patches, which have been around for years and shipped by some Linux distributions, didn't make it into the recent Linux 5.1 merge window but now a pull request has been issued in trying to ship it with Linux 5.2...

    http://www.phoronix.com/scan.php?pag...-For-Linux-5.2

  • #2
    Originally posted by phoronix View Post
    this mode is really destined for just very security sensitive environments and...
    ...DRM for companies that l'ove locking down their devices. (I may be wrong)

    Comment


    • #3
      Originally posted by tildearrow View Post

      ...DRM for companies that l'ove locking down their devices. (I may be wrong)
      an interesting take... At the same time security for when it is required (yes, I would love my server to be more resistant to attack)

      Comment


      • #4
        Originally posted by tildearrow View Post

        ...DRM for companies that l'ove locking down their devices. (I may be wrong)
        I work as software developer in financial sector.. I can easily imagine this to be used by banks in order to increase security..

        Also, there are public computers and school computers, which also would utilize this..
        ​​​​​​
        ​​​​

        Comment


        • #5
          Obviously this mode is really destined for just very security sensitive environments and most conventional users will not be interested in a kernel that's locked down to this extent
          Particularly the next version of Android / ChromeOS to keep users from rooting their systems.

          Comment


          • #6
            Originally posted by calc View Post

            Particularly the next version of Android / ChromeOS to keep users from rooting their systems.
            You can always unlock your bootloader on most devices.

            Google has a duty to prevent root exploits on Android.

            Comment


            • #7
              Originally posted by Britoid View Post
              You can always unlock your bootloader on most devices.
              Which usually leads to self-destruction of any DRM keys stored in the TA (Trim Area) partition, meaning you'll lose quite some functionality (e.g.: Netflix will refuse to play HD because the device isn't certified for Widevine L1), and manufacturer might try to refuse servicing a phone under warranty, under the pretext that unlocking voids the warranty (luckily the excuse is not considered receivable here around in Europe).

              Some phone didn't even function correctly after that (e.g.: a wiped TA used to cause broken camera on some Sony Xperia. Luckily this finally got fixed in recent upgrades).

              To the point that the normal procedure nowadays is :
              - buy a not so recent phone
              - down-grade to the older possible firmware
              - use a temporary root exploit
              - backup TA
              - *then only* unlock the boot loader
              - install your favorite after market Android variant (e.g.: Lineago OS) or full blown GNU/Linux (e.g.: Sailfish OS)
              - optionally use the backed up TA and some patching to restore functionnality.
              - revert back to locked state using your TA before sending the phone for warranty.

              Comment


              • #8
                Originally posted by DrYak View Post
                Which usually leads to self-destruction of any DRM keys stored in the TA (Trim Area) partition, meaning you'll lose quite some functionality (e.g.: Netflix will refuse to play HD because the device isn't certified for Widevine L1)
                I don't see that as an issue at all. Don't consume entertainment with shitty DRM.

                and manufacturer might try to refuse servicing a phone under warranty, under the pretext that unlocking voids the warranty (luckily the excuse is not considered receivable here around in Europe).
                In EU it's the seller warranty (i.e. it is the seller that has to honor any warranty), the manufacturer can do whatever he wants with his own "manufacturer warranty".

                Comment


                • #9
                  Originally posted by calc View Post
                  Particularly the next version of Android / ChromeOS to keep users from rooting their systems.
                  if you are able to root your system without unlocking the bootloader and flashing a custom firmware (or doing the usual switch to enable developer mode, remove a write-protect screw contact and then change or even reflash whole the Coreboot board firmware on a Chromebook), then your device is unsafe shit as any other application can do the same to escalate privileges to root.

                  Comment


                  • #10
                    Originally posted by tildearrow View Post

                    ...DRM for companies that l'ove locking down their devices. (I may be wrong)
                    eh, safe/DRM embedded commonly ship a kernel with all these "unsafe" features disabled, all modules built in the kernel, using a static configuration chosen at compile time, and module loading disabled.

                    This is a legit feature for security.

                    Comment

                    Working...
                    X