LOCKDOWN Aiming To Be In Linux 5.2 For Tightening Up Hardware/Kernel Access
Google developer Matthew Garrett recently took over work on the long-standing "LOCKDOWN" kernel patches, whose goal is to prevent the running kernel image from being modified and to strengthen the boundary between UID 0 and the kernel. These patches, which have been around for years and have shipped in some Linux distributions, didn't make it into the recent Linux 5.1 merge window, but a pull request has now been issued in an attempt to land them in Linux 5.2.
These patches don't enforce the locked-down behavior by default, but it is commonly paired with UEFI Secure Boot: on a Secure Boot system, an unrestricted root user could otherwise use these hardware-access paths to alter the very kernel that was verified at boot. When LOCKDOWN mode is active, writing to /dev/mem is not permitted, PCI BAR and MSR access is restricted, kernel module parameters that change hardware settings are refused, KProbes are locked down, DebugFS is restricted, and system hibernation is disabled, along with other restrictions on changing the system state. Obviously this mode is destined for very security-sensitive environments; most conventional users will not be interested in a kernel locked down to this extent, especially enthusiasts and developers who may otherwise find functionality broken.
On a patched kernel, or with Linux 5.2 should the pull request be accepted, the behavior can also be turned on by passing "lockdown" on the kernel command line.
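The restrictions described above can be observed from user space. The following is an added example, not code from the article or from the LOCKDOWN patch set: a small C program that tries to open /dev/mem and the MSR device for writing, reports whether a refusal came from ordinary file permissions (EACCES) or from a kernel policy check (EPERM, which is what the lockdown checks return, though another policy layer can return it too), and scans /proc/cmdline for the "lockdown" parameter. The device paths are the standard Linux ones; accepting a "lockdown=<value>" form is an assumption beyond what the article describes, and the open() probes are only meaningful when run as root.

```c
/* Added example (not from the article or from the LOCKDOWN patch set):
 * probe, from user space, the hardware-access paths the article says a
 * locked-down kernel closes off, and check the kernel command line for the
 * "lockdown" parameter. Assumes a Linux host with the standard device node
 * paths; run as root for the open() probes to be meaningful. */
#define _GNU_SOURCE
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Return 1 if "lockdown" appears on the command line as its own parameter,
 * either bare (the form the article describes) or as "lockdown=<value>"
 * (the form later kernels use; accepting it here is an assumption). */
int cmdline_has_lockdown(const char *cmdline)
{
    const char *p = cmdline;
    while (*p) {
        while (*p && isspace((unsigned char)*p))
            p++;
        const char *start = p;
        while (*p && !isspace((unsigned char)*p))
            p++;
        size_t len = (size_t)(p - start);
        if (len >= 8 && strncmp(start, "lockdown", 8) == 0 &&
            (len == 8 || start[8] == '='))
            return 1;
    }
    return 0;
}

/* Try to open path with flags; return 0 on success or the errno value. */
int probe_open(const char *path, int flags)
{
    int fd = open(path, flags);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Interpret a probe result. EACCES is ordinary DAC (not root). EPERM from
 * a root process is what the lockdown checks return, but another policy
 * layer can produce it too, so it is reported as "policy", not "lockdown". */
const char *classify(int err)
{
    switch (err) {
    case 0:      return "open";
    case EACCES: return "dac-denied";
    case EPERM:  return "policy-denied";
    case ENOENT: return "absent";
    default:     return "other";
    }
}

int main(void)
{
    /* Paths the article names: raw physical memory and model-specific
     * registers (via the msr driver, which may need `modprobe msr`). */
    static const struct { const char *path; int flags; const char *what; }
    probes[] = {
        { "/dev/mem",       O_WRONLY, "write /dev/mem" },
        { "/dev/cpu/0/msr", O_WRONLY, "write MSRs" },
    };

    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int err = probe_open(probes[i].path, probes[i].flags);
        printf("%-16s %-14s %s\n", probes[i].what, classify(err),
               err ? strerror(err) : "");
    }

    /* The booted kernel's command line, newline-terminated. */
    char buf[4096];
    FILE *f = fopen("/proc/cmdline", "r");
    if (f && fgets(buf, sizeof buf, f))
        printf("cmdline has lockdown: %s\n",
               cmdline_has_lockdown(buf) ? "yes" : "no");
    if (f)
        fclose(f);
    return 0;
}
```

Build with `cc -o lockdown_probe lockdown_probe.c` and run it as root; on a locked-down kernel both probes report policy-denied, while as an unprivileged user they report dac-denied regardless of lockdown, which is why the EACCES/EPERM distinction is kept separate.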
The latest pull request, a batch of 27 patches, is sitting on the kernel mailing list waiting to see whether it will be queued for Linux 5.2.