The Linux Kernel Prepares To Be Further Locked Down When Under UEFI Secure Boot

Written by Michael Larabel in Linux Kernel on 1 March 2018 at 11:43 AM EST. 69 Comments
For more than the past year we have reported on kernel work to further lock down the Linux kernel with UEFI Secure Boot and it's looking now like that work may finally be close to being mainlined.

Among the further restrictions that would be placed on the Linux kernel when running with UEFI Secure Boot enabled is blocking access to kernel module parameters that end up dealing with hardware settings, blocking access to some areas of /dev that could manipulate the kernel or hardware state, etc.

This is an effort from letting userspace manipulate the kernel image directly or indirectly and to prevent userspace from accessing crypto data stored in the kernel. This work is led by Red Hat and again would only affect those Linux systems booting with UEFI Secure Boot enabled.

As a sign that this kernel lockdown series could be trying for mainline in the next kernel release cycle or two, David Howells who has been involved with this work has called for it to be pulled into the linux-next branch for testing. We'll see how that testing goes to see if these KERNEL_LOCKDOWN patches then get queued for Linux 4.17~4.18 or so.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via

Popular News This Week