Torvalds Expresses Concerns Over Current "Kernel Lockdown" Approach

Written by Michael Larabel in Linux Kernel on 3 April 2018 at 07:23 PM EDT. 40 Comments
The kernel lockdown feature restricts what user-space can access or modify in a running kernel: it blocks raw access through device nodes such as /dev/mem and /dev/kmem, restricts ACPI table overrides, refuses to load unsigned modules, and imposes various other restrictions in the name of greater security. Having UEFI Secure Boot unconditionally switch that mode on is meeting resistance from Linus Torvalds.

This thread is what has Linus Torvalds fired up today.

The goal of kernel lockdown, which Linus Torvalds has no problem with at all, comes down to "prevent both direct and indirect access to a running kernel image, attempting to protect against unauthorised modification of the kernel image and to prevent access to security and cryptographic data located in kernel memory, whilst still permitting driver modules to be loaded." What has the Linux kernel creator upset is developers trying to tie this unconditionally to UEFI Secure Boot.

Linus describes Secure Boot as being "pushed in your face by people with an agenda." But his real problem is that Secure Boot would then imply Kernel Lockdown mode. Here's the meat of his argument:
Look at it this way: maybe lockdown breaks some application because that app does something odd. I get a report of that happening, and it so happens that the reporter is running the same distro I am, so I try it with his exact kernel configuration, and it works for me.

It is *entirely* non-obvious that the reporter happened to run a distro kernel that had secure boot enabled, and I obviously do not.

See what the problem is? Tying these things magically together IS A BAD IDEA.

See that aforelinked thread if you want more drama, but his most recent message ends with, "This discussion is over until you give an actual honest-to-goodness reason for why you tied the two features together. No more "Why not?" crap."
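Linus's complaint is that the Secure Boot state of the reporter's machine, and therefore whether lockdown was in effect, is not visible from the kernel configuration. The script below is an added example, not code from the article or from the kernel tree, for stating both facts explicitly in a bug report. It assumes the interfaces that mainline kernels later exposed: the active lockdown mode is the bracketed word in /sys/kernel/security/lockdown (present since the lockdown LSM was merged in 5.4), and Secure Boot is reported by the EFI global variables SecureBoot and SetupMode under /sys/firmware/efi/efivars, each file consisting of four attribute bytes followed by a single data byte. The paths are parameters so the functions can be exercised on constructed files; the defaults are the real locations.

```shell
#!/bin/sh
# Report the running kernel's lockdown mode and the firmware's Secure Boot
# state, so a bug report (or a reproducer) states both explicitly.
# Added example, not from the article or the kernel tree. Assumptions:
#   /sys/kernel/security/lockdown reads e.g. "none [integrity] confidentiality"
#   /sys/firmware/efi/efivars/<Name>-8be4df61-93ca-11d2-aa0d-00e098032b8c
#       holds 4 attribute bytes, then the variable data (1 byte for these two).

EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# lockdown_mode [FILE] -> none | integrity | confidentiality | unknown
lockdown_mode() {
    file="${1:-/sys/kernel/security/lockdown}"
    if [ ! -r "$file" ]; then
        echo "unknown"      # no lockdown LSM, or securityfs not mounted
        return 0
    fi
    # The active mode is the word shown in square brackets.
    mode=$(tr ' ' '\n' < "$file" | sed -n 's/^\[\(.*\)\]$/\1/p')
    echo "${mode:-unknown}"
}

# efivar_data_byte FILE -> first data byte as a decimal number, or "absent"
efivar_data_byte() {
    file="$1"
    [ -r "$file" ] || { echo "absent"; return 0; }
    # skip the 4-byte attribute header and dump one unsigned byte
    od -An -tu1 -j4 -N1 "$file" | tr -d ' \n'
}

# secure_boot_state [SECUREBOOT_FILE] [SETUPMODE_FILE]
#   -> enabled | disabled | setup | absent
# SetupMode=1 means the firmware is in setup mode, so Secure Boot is not
# being enforced even if the SecureBoot variable reads 1.
secure_boot_state() {
    dir=/sys/firmware/efi/efivars
    sb=$(efivar_data_byte "${1:-$dir/SecureBoot-$EFI_GLOBAL_GUID}")
    sm=$(efivar_data_byte "${2:-$dir/SetupMode-$EFI_GLOBAL_GUID}")
    case "$sb" in
        absent) echo "absent" ;;    # not an EFI boot, or efivarfs not mounted
        1) if [ "$sm" = "1" ]; then echo "setup"; else echo "enabled"; fi ;;
        *) echo "disabled" ;;
    esac
}

# report -> two lines suitable for pasting into a bug report
report() {
    echo "kernel lockdown: $(lockdown_mode)"
    echo "uefi secure boot: $(secure_boot_state)"
}

report
```

On a distribution kernel that ties the two together, "uefi secure boot: enabled" alongside "kernel lockdown: integrity" is exactly the combination the reporter in Linus's scenario had and the developer reproducing with the same .config did not; mokutil --sb-state, where installed, gives the same Secure Boot answer.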