Kernel Lockdown Feature Will Try To Land For Linux 5.4
While not yet acted upon by Linus Torvalds, with the Linux 5.4 merge window not opening until next week, James Morris has submitted a pull request introducing the kernel lockdown mode for Linux 5.4.
The kernel lockdown support was previously rejected from mainline, but since then it has been separated from the EFI Secure Boot code and reimplemented as a Linux security module (LSM) to address some of the earlier concerns over the code. There have also been other improvements to the design of the module.
The Linux lockdown code is about restricting access to the underlying hardware and to the interfaces that could modify the running kernel image. In the optional lockdown mode, access to the CPU model-specific registers (MSRs) is restricted, hibernation is disabled, kernel module parameters that touch hardware settings are blocked, writes to /dev/mem are refused even for root, and various other restrictions apply.
This optional mode locks the system down hard, but it is strictly opt-in and is aimed at pairing with UEFI Secure Boot or other security-minded environments.
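As an added example (not code from the article, the pull request or the kernel tree), here is a small probe script that reports which lockdown mode a running kernel is in and checks whether the /dev/mem restriction described above is actually enforced. It assumes the interfaces the lockdown LSM exposes once merged: a securityfs file /sys/kernel/security/lockdown that lists the modes and brackets the active one (for example "[none] integrity confidentiality"), a lockdown= boot parameter that selects a mode, and that the /dev/mem refusal is applied when the device is opened, so opening it for writing while transferring zero bytes is enough to test it without touching physical memory. Those three points are assumptions about the merged code, not statements from the article.

```shell
#!/bin/sh
# Added example, not code from the article or the kernel tree: probe the
# lockdown state of the running kernel and check whether the /dev/mem
# restriction is enforced.
#
# Assumptions beyond the article (interfaces of the lockdown LSM as merged):
#   - /sys/kernel/security/lockdown lists the modes and brackets the active one,
#     e.g. "[none] integrity confidentiality"
#   - the mode can be selected at boot with lockdown=integrity|confidentiality
#   - the /dev/mem refusal happens when the device is opened, so an open for
#     writing that transfers zero bytes is enough to test it

LOCKDOWN_FILE=/sys/kernel/security/lockdown

# Print the bracketed (active) token of one line of the lockdown file.
# Prints "unknown" and returns 1 when no token is bracketed.
lockdown_active_mode() {
    mode=$(printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p')
    if [ -n "$mode" ]; then
        printf '%s\n' "$mode"
        return 0
    fi
    printf 'unknown\n'
    return 1
}

# Print the value of a lockdown= parameter found in a kernel command line,
# or "none" when it is absent (the usual default when nothing else, such as
# a Secure Boot hook, forces a mode).
lockdown_cmdline_mode() {
    case " $1 " in
        *" lockdown="*)
            rest=${1##*lockdown=}
            printf '%s\n' "${rest%% *}" ;;
        *)
            printf 'none\n' ;;
    esac
}

# Classify the outcome of opening /dev/mem for writing with no data transferred.
# dd opens the output node before copying and count=0 copies nothing, so a
# successful open writes no bytes. Prints one of:
#   absent   - no /dev/mem node (kernel built without /dev/mem support)
#   refused  - the open failed: EPERM under lockdown, but a non-root caller is
#              refused regardless, so run as root to draw a conclusion
#   open     - /dev/mem could be opened for writing: lockdown is not enforced
probe_devmem_write() {
    [ -c /dev/mem ] || { printf 'absent\n'; return 0; }
    if dd if=/dev/zero of=/dev/mem bs=1 count=0 conv=notrunc 2>/dev/null; then
        printf 'open\n'
    else
        printf 'refused\n'
    fi
}

# Report on the running kernel (only this part touches the live system).
if [ -r "$LOCKDOWN_FILE" ]; then
    echo "lockdown LSM mode: $(lockdown_active_mode "$(cat "$LOCKDOWN_FILE")")"
else
    echo "lockdown LSM mode: $LOCKDOWN_FILE not present (kernel without the LSM)"
fi
if [ -r /proc/cmdline ]; then
    echo "lockdown= on the boot line: $(lockdown_cmdline_mode "$(cat /proc/cmdline)")"
fi
echo "/dev/mem write-open as uid $(id -u): $(probe_devmem_write)"
```

Run it as root on the kernel under test: a result of "refused" with the securityfs file reporting "integrity" or "confidentiality" shows the restriction biting even for uid 0, while "open" on a kernel whose file reports "none" shows the mode was never selected. The MSR and hibernation restrictions are deliberately not probed here, since the only way to exercise them is to write to an MSR or to trigger a hibernation attempt.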
We'll see in the next few days whether the kernel lockdown code is accepted for Linux 5.4 mainline. Given the improvements made and that most tier-one Linux distributions already carry "lockdown" support in some form, it stands a good chance of finally reaching the mainline tree.