32nd Time The Charm? Latest Linux Lockdown Patches Posted
Written by Michael Larabel in Linux Kernel on 4 April 2019 at 08:56 AM EDT. 3 Comments
LINUX KERNEL --
The Linux "Lockdown" patches to restrict the running kernel image from being modified and to strengthen the boundary between UID 0 and the kernel continues to be revised. Matthew Garrett at Google who is now leading this Linux security effort is hoping to get the code into Linux 5.2 but that remains to be seen -- on Wednesday the thirty-second revision to these patches were posted.

The proposed LOCKDOWN mode forbids writing to /dev/mem, restricts access to PCI BAR and MSRs, doesn't allow kernel module parameters to be used that set hardware settings, disables system hibernation, and other kernel features that could allow changing the hardware state. The lockdown mode isn't enabled by default but is intended to be paired with UEFI SecureBoot and the like within security sensitive environments.

With the 32nd revision to these patches, TraceFS is now locked down as well while the DebugFS changes have been reverted to an earlier implementation. There is also more documentation and other code alterations in trying to get this feature squared away for the next kernel cycle.

With there still being several weeks until the Linux 5.2 merge window kicks off, it's still looking quite probable and likely this feature will be merged for the next kernel cycle given the number of active upstream developers involved in this effort, assuming no other major items are uncovered.

About The Author
Author picture

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 10,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter or contacted via MichaelLarabel.com.

Related Linux Kernel News
Popular News This Week