Linux Lock-Down Kernel Patches Get Revived, Seeking Mainline Inclusion
An effort ongoing for a few years now has been the CONFIG_LOCK_DOWN_KERNEL patches, which prevent user-space from modifying the running kernel image by blocking the loading of unsigned kernel modules, forbidding writes to /dev/mem, restricting PCI BAR and MSR access, imposing ACPI restrictions, and more. Some Linux distributions already carry this work in some form and enable it under UEFI SecureBoot, but it hasn't been mainlined, although that could soon change.
Since 2016 these patches have gone through several rounds of improvements for tightening up access to different kernel bits in the name of security. But they have never managed to cross the finish line of being accepted into the mainline kernel, even though they are used in various distribution kernels. Well-known kernel developer Matthew Garrett at Google is working to carry this code over the finish line.
David Howells, who previously was pushing along this code, is busy elsewhere in kernel space, so Matthew Garrett sent out a pull request on Thursday trying to get this mainlined. Compared to previous revisions, the newest patches add a CONFIG_KERNEL_LOCK_DOWN_FORCE mode that always enables this functionality and does not allow lock-down mode to be disabled via a kernel parameter, as can otherwise be done. IMA integration was also removed for now.
If the pull request is honored, it's possible we could see CONFIG_LOCK_DOWN_KERNEL finally land in the upcoming Linux 5.1 kernel cycle. Other restrictions imposed when lock-down mode is activated include prohibiting PCMCIA CIS storage, not allowing kernel module parameters that specify hardware parameters, locking down the MMIO tracing test module, blocking /proc/kcore, locking down KProbes, locking down the perf subsystem, restricting DebugFS access, disabling system hibernation support, disabling ACPI table overrides, and similar restrictions that could affect the running kernel.
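As an added example (not code from the patch series or the article), the following Python audit parses a kernel .config and reports whether the lock-down options named above are built in and forced, and which of the interfaces lock-down restricts are compiled into that kernel and would therefore be unrestricted if lock-down is absent or disabled via its kernel parameter. The mapping from article wording to mainline Kconfig symbol names is an assumption, and the sample config is constructed.

```python
import re

# Assumed mapping: interfaces the article says lock-down restricts, keyed by the
# mainline Kconfig symbol that compiles each one in (not the patch series' names).
RESTRICTED_SURFACES = {
    "CONFIG_DEVMEM": "/dev/mem writes",
    "CONFIG_PROC_KCORE": "/proc/kcore",
    "CONFIG_KPROBES": "kprobes",
    "CONFIG_DEBUG_FS": "debugfs",
    "CONFIG_HIBERNATION": "hibernation",
    "CONFIG_ACPI_TABLE_UPGRADE": "ACPI table overrides",
    "CONFIG_MMIOTRACE_TEST": "MMIO tracing test module",
    "CONFIG_PERF_EVENTS": "perf subsystem",
}

_SET = re.compile(r"^(CONFIG_[A-Z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_[A-Z0-9_]+) is not set$")


def parse_kconfig(text):
    """Map each CONFIG_ symbol to its value; '# ... is not set' lines map to None."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if m := _SET.match(line):
            opts[m.group(1)] = m.group(2).strip('"')
        elif m := _UNSET.match(line):
            opts[m.group(1)] = None
    return opts


def lockdown_report(config_text):
    """Summarise lock-down build state and the compiled-in surfaces it would cover."""
    opts = parse_kconfig(config_text)
    built_in = opts.get("CONFIG_LOCK_DOWN_KERNEL") == "y"
    forced = opts.get("CONFIG_KERNEL_LOCK_DOWN_FORCE") == "y"
    # Surfaces present in this kernel; only enforced if lock-down is active.
    exposed = sorted(d for s, d in RESTRICTED_SURFACES.items() if opts.get(s) == "y")
    return {"lockdown": built_in, "forced": forced, "unrestricted_if_lockdown_off": exposed}


# Constructed sample: lock-down built in but not forced (kernel parameter can disable it).
SAMPLE_CONFIG = """
CONFIG_LOCALVERSION="-constructed"
CONFIG_LOCK_DOWN_KERNEL=y
# CONFIG_KERNEL_LOCK_DOWN_FORCE is not set
CONFIG_DEVMEM=y
CONFIG_PROC_KCORE=y
# CONFIG_KPROBES is not set
CONFIG_DEBUG_FS=y
CONFIG_HIBERNATION=y
"""

if __name__ == "__main__":
    print(lockdown_report(SAMPLE_CONFIG))
```

On a live system, feed it the contents of /boot/config-$(uname -r) or a decompressed /proc/config.gz instead of the constructed sample.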