Kernel Lockdown Patches Published (LOCK_DOWN_KERNEL)
Red Hat developer David Howells has wrangled up a set of patches by him and other developers to provide a "Kernel Lockdown" mode that prevents user-space from modifying the running kernel image.
The kernel lockdown mode is built into the kernel via a new CONFIG_LOCK_DOWN_KERNEL Kconfig switch and can then be activated via UEFI Secure Boot, assuming a secure shim. There's support for lifting the lockdown mode, assuming the user has physical access to the system with a keyboard, is running as root, and the ALLOW_LOCKDOWN_LIFT Kconfig option is enabled.
The kernel lockdown mode blocks the loading of unsigned modules (or modules not signed with a known key), writes to /dev/mem or /dev/kmem, system hibernation, and kexec_load(), and it restricts PCI BAR access, MSR access, some ACPI functionality, and the DebugFS interface.
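Because the feature is a build-time switch, the first thing a defender wants to know is whether a given kernel was actually built with it and whether lifting is permitted. The following POSIX shell script is an added example, not code from the patch series or from Phoronix: it reads a kernel .config (from /proc/config.gz or /boot/config-<release>) and classifies the lockdown posture from the two Kconfig symbols named in the article. The symbol names LOCK_DOWN_KERNEL and ALLOW_LOCKDOWN_LIFT are taken as spelled on this page; the exact names in the posted series should be confirmed against the patches themselves.

```shell
#!/bin/sh
# Added example (not part of the kernel lockdown patch series):
# audit a kernel build config for the lockdown-related Kconfig symbols.

# Print the value of a Kconfig symbol in a config file: y, m, n or unset.
#   $1 = path to a kernel .config, $2 = symbol name without the CONFIG_ prefix
kconfig_value() {
    file="$1"
    sym="$2"
    if grep -q "^CONFIG_${sym}=y" "$file"; then
        echo y
    elif grep -q "^CONFIG_${sym}=m" "$file"; then
        echo m
    elif grep -q "^# CONFIG_${sym} is not set" "$file"; then
        echo n
    else
        echo unset
    fi
}

# Classify the lockdown posture described by a config file:
#   lockdown          - LOCK_DOWN_KERNEL=y and lifting is not compiled in
#   lockdown-liftable - LOCK_DOWN_KERNEL=y but ALLOW_LOCKDOWN_LIFT=y, so a
#                       root user at the physical keyboard can disable it
#   none              - lockdown support is not built into this kernel
# Symbol names follow the article; assumption: they match the patch series.
lockdown_posture() {
    file="$1"
    ld=$(kconfig_value "$file" LOCK_DOWN_KERNEL)
    lift=$(kconfig_value "$file" ALLOW_LOCKDOWN_LIFT)
    if [ "$ld" != y ]; then
        echo none
    elif [ "$lift" = y ]; then
        echo lockdown-liftable
    else
        echo lockdown
    fi
}

# Emit the running kernel's config on stdout: /proc/config.gz when the kernel
# exposes it, otherwise the distro's copy under /boot. Prints nothing if
# neither is readable, so callers can treat empty output as "unknown".
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    fi
}

# Convenience wrapper: report the posture of the kernel currently running.
audit_running_kernel() {
    tmp=$(mktemp)
    running_kernel_config > "$tmp"
    if [ -s "$tmp" ]; then
        lockdown_posture "$tmp"
    else
        echo unknown
    fi
    rm -f "$tmp"
}
```

Run `audit_running_kernel` on a host to get one of `lockdown`, `lockdown-liftable`, `none` or `unknown`; `lockdown_posture /path/to/.config` answers the same question for a kernel you are about to build or deploy. A result of `none` on a Secure Boot machine means the firmware chain is verified but the running kernel can still be modified by root through the interfaces listed above.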
The LOCK_DOWN_KERNEL option officially puts the feature as:
Allow the kernel to be locked down under certain circumstances, for instance if UEFI secure boot is enabled. Locking down the kernel turns off various features that might otherwise allow access to the kernel image (eg. setting MSR registers).
The patches for now are residing on the kernel mailing list.