Linux Kernel "LOCKDOWN" Ported To Being An LSM, Still Undergoing Review

Written by Michael Larabel in Linux Security on 23 June 2019 at 04:45 AM EDT. 3 Comments
LINUX SECURITY
It didn't make it for the Linux 5.2 kernel and now it's up to its 33rd revision on the Linux kernel mailing list... The "lockdown" patches for locking down access to various kernel hardware features has been reworked now and is a Linux Security Module (LSM) as it still tries to get enough endorsements to be mainlined.

The Lockdown effort has been most recently led by Google's Matthew Garrett and with this 33rd revision he reworked the code to serve as an LSM module. The Lockdown functionality prohibits writing to /dev/mem, restricts PCI BAR and CPU MSR access, doesn't allow kernel module parameters that touch hardware settings, drops system hibernation support, and disables other functionality that could potentially change the hardware state or running Linux kernel image.

Locking down the kernel is primarily of interest for UEFI SecureBoot and other privacy/security-minded use-cases. Some Linux distributions already carry these patches as an option but it's been a long struggle getting this functionality into mainline.

The goal isn't to force these restrictions by default but would be toggled via a kernel command-line option or paths to enabling it.

These LOCKDOWN v33 patches are up on the kernel mailing list for review. It's too early to see yet if there are any chances of getting this code into the upcoming Linux 5.3 kernel merge window.
3 Comments
Related News
Red Hat Working On Delayed Module Signature Verification To Speed-Up Linux Boot Times
SELinux In Linux 6.6 Removes References To Its Origins At The US NSA
Linux 6.6 Adding Randomized Kmalloc Caches For Further System Hardening
Linux 6.5 Patches Merged For Intel GDS/DOWNFALL, AMD INCEPTION
Linux 6.1 To 6.5 Git Quietly Patched For "StackRot" Privilege Escalation Vulnerability
Microsoft Aims For Greater Script Execution Control On Linux
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
Valve Is A Wonderful Upstream Contributor To Linux & The Open-Source Community
The Maintainer Of The NVIDIA Open-Source "Nouveau" Linux Kernel Driver Resigns
Linux Terminal Emulators Have The Potential Of Being Much Faster
Intel To Further Collaborate With Red Hat, Canonical & SUSE For Intel-Optimized Linux Distros
Microsoft Releases A Big Update To Windows Subsystem For Linux, New Experimental Options
Fedora 40 Eyes Dropping GNOME X11 Session Support
GNOME 45 Released With New Apps, New Activities Indicator
Wine Wayland Driver Updated With Basic Window Management Capabilities