kernel_lockdown(top10.html) - phpMan

KERNEL LOCKDOWN(7)         Linux Programmer's Manual        KERNEL LOCKDOWN(7)
NAME
       Kernel Lockdown - Kernel image access prevention feature
DESCRIPTION
       The  Kernel  Lockdown  feature  is  designed to prevent both direct and
       indirect access to  a  running  kernel  image,  attempting  to  protect
       against  unauthorised  modification  of the kernel image and to prevent
       access to security and cryptographic data  located  in  kernel  memory,
       whilst still permitting driver modules to be loaded.
       Lockdown  is  typically  enabled  during boot and may be terminated, if
       configured, by typing a special key combination on a directly  attached
       physical keyboard.
       If  a  prohibited or restricted feature is accessed or used, the kernel
       will emit a message that looks like:
               Lockdown: X: Y is restricted, see man kernel_lockdown.7
       where X indicates the process name and Y indicates what is restricted.
       On an EFI-enabled x86 or arm64 machine, lockdown will be  automatically
       enabled if the system boots in EFI Secure Boot mode.
COVERAGE
       When  lockdown  is in effect, a number of features are disabled or have
       their use restricted.  This includes special device  files  and  kernel
       services that allow direct access of the kernel image:
              /dev/mem
              /dev/kmem
              /dev/kcore
              /dev/ioports
              BPF
              kprobes
       and  the  ability  to  directly configure and control devices, so as to
       prevent the use of a device to access or modify a kernel image:
              The use of module  parameters  that  directly  specify  hardware
              parameters  to  drivers  through the kernel command line or when
              loading a module.
              The use of direct PCI BAR access.
              The use of the ioperm and iopl instructions on x86.
              The use of the KD*IO console ioctls.
              The use of the TIOCSSERIAL serial ioctl.
              The alteration of MSR registers on x86.
              The replacement of the PCMCIA CIS.
              The overriding of ACPI tables.
              The use of ACPI error injection.
              The specification of the ACPI RDSP address.
              The use of ACPI custom methods.
       Certain facilities are restricted:
              Only validly signed modules may be loaded (waived if the  module
              file being loaded is vouched for by IMA appraisal).
              Only  validly  signed  binaries  may  be  kexec'd (waived if the
              binary  image  file  to  be  executed  is  vouched  for  by  IMA
              appraisal).
              Unencrypted  hibernation/suspend  to  swap are disallowed as the
              kernel image is saved to a medium that can then be accessed.
              Use of debugfs is not permitted as this allows a whole range  of
              actions including direct configuration of, access to and driving
              of hardware.
              IMA requires the addition of  the  "secure_boot"  rules  to  the
              policy,  whether  or not they are specified on the command line,
              for both the builtin and custom policies in secure boot lockdown
              mode.
Linux                             2017-10-05                KERNEL LOCKDOWN(7)