Linux Kernel "LOCKDOWN" Ported To Being An LSM, Still Undergoing Review
The Lockdown effort has been most recently led by Google's Matthew Garrett and with this 33rd revision he reworked the code to serve as an LSM module. The Lockdown functionality prohibits writing to /dev/mem, restricts PCI BAR and CPU MSR access, doesn't allow kernel module parameters that touch hardware settings, drops system hibernation support, and disables other functionality that could potentially change the hardware state or running Linux kernel image.
Locking down the kernel is primarily of interest for UEFI SecureBoot and other privacy/security-minded use-cases. Some Linux distributions already carry these patches as an option but it's been a long struggle getting this functionality into mainline.
The goal isn't to force these restrictions by default but would be toggled via a kernel command-line option or paths to enabling it.
These LOCKDOWN v33 patches are up on the kernel mailing list for review. It's too early to see yet if there are any chances of getting this code into the upcoming Linux 5.3 kernel merge window.