Kernel Lockdown Patches Published (LOCK_DOWN_KERNEL)

Written by Michael Larabel in Linux Kernel on 17 November 2016 at 06:00 AM EST. 20 Comments
Red Hat developer David Howells has collected a set of patches, by him and other developers, that add a "Kernel Lockdown" mode whose purpose is to stop user-space, even running as root, from modifying the running kernel image.

The kernel lockdown mode is compiled in via a new CONFIG_LOCK_DOWN_KERNEL Kconfig switch and is then activated at boot when the kernel detects that it was started under UEFI Secure Boot, assuming a trusted shim has validated it. There is also support for lifting the lockdown at run time if the ALLOW_LOCKDOWN_LIFT Kconfig option is enabled; the series implements this as a SysRq key, so it requires a user with physical access at an attached keyboard (the article's author notes that root is also required).
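The following POSIX shell script is an added example, not code from the article or from the lockdown patch series. It reports whether a running system meets the preconditions just described: whether the kernel was built with CONFIG_LOCK_DOWN_KERNEL and CONFIG_ALLOW_LOCKDOWN_LIFT, whether the firmware reports Secure Boot as enabled (read from the efivarfs SecureBoot variable, whose first four bytes are attribute flags and whose fifth byte is the value), and whether SysRq is enabled at all, since the lift path goes through a SysRq key. The function names and report layout are my own; the efivars path and kernel-config locations are the standard ones.

```shell
#!/bin/sh
# Added example, not code from the article or from the lockdown patch series.
# Reports whether the running system meets the preconditions for kernel
# lockdown: Kconfig switches, UEFI Secure Boot state, and SysRq availability
# (the lockdown-lift path is a SysRq key).  Function names are my own.

# EFI global variable GUID; efivarfs exposes each variable as NAME-GUID.
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# kconfig_value NAME FILE: print the option's value, "n" if the file marks
# it "is not set", or "unset" if the option does not appear at all.
# FILE may be a plain /boot/config-* file or the gzipped /proc/config.gz.
kconfig_value() {
    name=$1
    file=$2
    case $file in
        *.gz) text=$(gzip -dc "$file" 2>/dev/null) ;;
        *)    text=$(cat "$file" 2>/dev/null) ;;
    esac
    val=$(printf '%s\n' "$text" | sed -n "s/^$name=//p")
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    elif printf '%s\n' "$text" | grep -q "^# $name is not set\$"; then
        echo n
    else
        echo unset
    fi
}

# secureboot_state FILE: print enabled/disabled/unknown.  The efivarfs file
# holds 4 bytes of variable attributes followed by the 1-byte SecureBoot value.
secureboot_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    byte=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')
    case $byte in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# sysrq_enabled MASK: succeed unless the /proc/sys/kernel/sysrq mask is 0
# (0 disables every SysRq key, 1 enables all, other values are a bitmask).
sysrq_enabled() {
    [ "$1" != 0 ]
}

# Locate a kernel config for the running kernel, preferring /proc/config.gz.
find_kconfig() {
    if [ -r /proc/config.gz ]; then
        echo /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    fi
}

report() {
    cfg=$(find_kconfig)
    if [ -n "$cfg" ]; then
        echo "LOCK_DOWN_KERNEL:    $(kconfig_value CONFIG_LOCK_DOWN_KERNEL "$cfg")"
        echo "ALLOW_LOCKDOWN_LIFT: $(kconfig_value CONFIG_ALLOW_LOCKDOWN_LIFT "$cfg")"
    else
        echo "kernel config: not found"
    fi
    echo "Secure Boot:         $(secureboot_state "$SB_VAR")"
    mask=$(cat /proc/sys/kernel/sysrq 2>/dev/null || echo unknown)
    if [ "$mask" = unknown ]; then
        echo "SysRq:               unknown"
    elif sysrq_enabled "$mask"; then
        echo "SysRq:               enabled (mask $mask)"
    else
        echo "SysRq:               disabled, lockdown cannot be lifted by key"
    fi
}

report
```

Run it as any user; the SecureBoot variable and /proc/config.gz are normally world-readable, so no root is needed for the report. A result of LOCK_DOWN_KERNEL=y with Secure Boot enabled is the combination under which these patches lock the kernel down, and a SysRq mask of 0 means the ALLOW_LOCKDOWN_LIFT path is unreachable even if it was compiled in.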

Once locked down, the kernel refuses to load unsigned modules (or modules not signed with a known key), refuses writes to /dev/mem and /dev/kmem, disables system hibernation, restricts PCI BAR access, restricts MSR access, disables kexec_load(), applies some ACPI restrictions, and restricts the DebugFS interface. The common thread is that each of these is a route by which a root process could read or alter kernel memory, or get its own code run in ring 0, and so bypass the signature check that Secure Boot enforced at boot.

The Kconfig help text for the LOCK_DOWN_KERNEL option describes the feature as:
Allow the kernel to be locked down under certain circumstances, for instance if UEFI secure boot is enabled. Locking down the kernel turns off various features that might otherwise allow access to the kernel image (eg. setting MSR registers).

For now the patches live only on the kernel mailing list and have not been merged into any tree.