32nd Time The Charm? Latest Linux Lockdown Patches Posted

Written by Michael Larabel in Linux Kernel on 4 April 2019 at 08:56 AM EDT. 3 Comments
LINUX KERNEL
The Linux "Lockdown" patches to restrict the running kernel image from being modified and to strengthen the boundary between UID 0 and the kernel continues to be revised. Matthew Garrett at Google who is now leading this Linux security effort is hoping to get the code into Linux 5.2 but that remains to be seen -- on Wednesday the thirty-second revision to these patches were posted.

The proposed LOCKDOWN mode forbids writing to /dev/mem, restricts access to PCI BAR and MSRs, doesn't allow kernel module parameters to be used that set hardware settings, disables system hibernation, and other kernel features that could allow changing the hardware state. The lockdown mode isn't enabled by default but is intended to be paired with UEFI SecureBoot and the like within security sensitive environments.

With the 32nd revision to these patches, TraceFS is now locked down as well while the DebugFS changes have been reverted to an earlier implementation. There is also more documentation and other code alterations in trying to get this feature squared away for the next kernel cycle.

With there still being several weeks until the Linux 5.2 merge window kicks off, it's still looking quite probable and likely this feature will be merged for the next kernel cycle given the number of active upstream developers involved in this effort, assuming no other major items are uncovered.
3 Comments
Related News
Linux 6.6.66 LTS Kernel Released With New Hardware Support & Many Fixes
NTSYNC Linux Driver Updated With API Design Improvements
New Linux Patch Establishes "CONFIG_X86_64_NATIVE" For -march=native Kernel Builds
Perf Support For 2,048 CPU Cores Is Becoming Not Enough - Patches Bump Kernel Limit
Linux 6.13-rc2 Released With An Initial Batch Of Fixes
Linux EFI Zboot Abandoning "Compression Library Museum", Focusing On Gzip & Zstd
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
OpenWrt Affected By Security Issue That Could Have Led To Compromised Build Artifacts
How AMD Is Taking Standard C/C++ Code To Run Directly On GPUs
Linux EFI Zboot Abandoning "Compression Library Museum", Focusing On Gzip & Zstd
Ptyxis Becomes Ubuntu's Recommended Replacement To GNOME Terminal
GNU Shepherd 1.0 Service Manager Released As "Solid Tool" Alternative To systemd
KDE Starts December By Landing A Number Of New Features
NTSYNC Linux Patches Revived To Help Boost Steam Play Gaming Performance
Rust-Based, Memory-Safe PNG Decoders "Vastly Outperform" C-Based PNG Libraries