LOCKDOWN Aiming To Be In Linux 5.2 For Tightening Up Hardware/Kernel Access

Written by Michael Larabel in Linux Kernel on 25 March 2019 at 08:01 PM EDT. 13 Comments
Google developer Matthew Garrett recently took over work on the long-standing "LOCKDOWN" kernel patches, with the goal of preventing the running kernel image from being modified and strengthening the boundary between UID 0 and the kernel. These patches, which have been around for years and have shipped with some Linux distributions, didn't make it into the recent Linux 5.1 merge window, but a pull request has now been issued in an attempt to ship them with Linux 5.2.

These patches don't enforce the restricted/locked-down behavior by default, but the mode is commonly paired with UEFI Secure Boot. When LOCKDOWN is active, writing to /dev/mem is not permitted, PCI BAR and MSR access is restricted, kernel module parameters that change hardware settings are refused, KProbes are locked down, DebugFS is restricted, and even system hibernation is disabled, along with other restrictions on the system state. Obviously this mode is really destined for very security-sensitive environments; most conventional users will not be interested in a kernel locked down to this extent, especially enthusiasts/developers who may otherwise find functionality broken.

On a patched kernel -- or on Linux 5.2, should the pull request be accepted -- the behavior can also be turned on by passing "lockdown" as a kernel command-line option.
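As an added example (not code from the article or from the lockdown patch series), here is a small audit script for checking whether a host appears to be running with lockdown in effect. It assumes the bare "lockdown" command-line token described above, plus two things not on this page that are assumptions taken from the form of the series merged later: a "lockdown=<mode>" spelling and a /sys/kernel/security/lockdown file listing the active mode in brackets.

```python
"""Audit whether kernel lockdown appears to be active on this host."""
import errno
import os
import re

# Sample inputs, constructed for illustration (not captured from a real host).
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz-5.2 root=/dev/sda1 lockdown quiet"
SAMPLE_SECURITYFS = "none [integrity] confidentiality\n"


def lockdown_from_cmdline(cmdline: str):
    """Return 'enabled' for the bare 'lockdown' token, the mode string for
    'lockdown=<mode>' (assumed later syntax), or None if neither is present."""
    for tok in cmdline.split():
        if tok == "lockdown":
            return "enabled"
        m = re.fullmatch(r"lockdown=(\w+)", tok)
        if m:
            return m.group(1)
    return None


def lockdown_from_securityfs(text: str):
    """Parse the assumed /sys/kernel/security/lockdown format, e.g.
    'none [integrity] confidentiality', returning the bracketed active mode."""
    m = re.search(r"\[(\w+)\]", text)
    return m.group(1) if m else None


def probe_dev_mem_write(path="/dev/mem"):
    """Try to open /dev/mem for writing and classify the outcome.
    'writable'          open succeeded: no lockdown (or similar policy) in effect
    'denied_by_kernel'  EPERM: refused by kernel policy (lockdown, or the caller
                        lacks CAP_SYS_RAWIO), conclusive only when run as root
    'denied_by_dac'     EACCES: ordinary file permissions, inconclusive
    'absent'            the device node does not exist (e.g. in a container)"""
    try:
        fd = os.open(path, os.O_WRONLY)
    except PermissionError as e:
        return "denied_by_kernel" if e.errno == errno.EPERM else "denied_by_dac"
    except FileNotFoundError:
        return "absent"
    os.close(fd)
    return "writable"


if __name__ == "__main__":
    print("cmdline  :", lockdown_from_cmdline(SAMPLE_CMDLINE))
    print("securityfs:", lockdown_from_securityfs(SAMPLE_SECURITYFS))
    print("/dev/mem :", probe_dev_mem_write())
```

Run as root on a live system, replace the constructed samples with the contents of /proc/cmdline and /sys/kernel/security/lockdown; a 'denied_by_kernel' result for /dev/mem with CAP_SYS_RAWIO held is the signal that a lockdown-style policy is enforced.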

This latest pull request, currently a batch of 27 patches, is sitting on the kernel mailing list while waiting to see whether it will be queued for Linux 5.2.