kernel_lockdown(7)

1KERNEL LOCKDOWN(7)         Linux Programmer's Manual        KERNEL LOCKDOWN(7)
2
3
4

NAME

6       Kernel Lockdown - Kernel image access prevention feature
7

DESCRIPTION

9       The  Kernel  Lockdown  feature  is  designed to prevent both direct and
10       indirect access to  a  running  kernel  image,  attempting  to  protect
11       against  unauthorised  modification  of the kernel image and to prevent
12       access to security and cryptographic data  located  in  kernel  memory,
13       whilst still permitting driver modules to be loaded.
14
15       Lockdown  is  typically  enabled  during boot and may be terminated, if
16       configured, by typing a special key combination on a directly  attached
17       physical keyboard.
18
19       If  a  prohibited or restricted feature is accessed or used, the kernel
20       will emit a message that looks like:
21
22               Lockdown: X: Y is restricted, see man kernel_lockdown.7
23
24       where X indicates the process name and Y indicates what is restricted.
25
26       On an EFI-enabled x86 or arm64 machine, lockdown will be  automatically
27       enabled if the system boots in EFI Secure Boot mode.
28
29       If  the  kernel  is appropriately configured, lockdown may be lifted by
30       typing the appropriate sequence on a directly  attached  physical  key‐
31       board.  For x86 machines, this is SysRq+x.
32

COVERAGE

34       When  lockdown  is in effect, a number of features are disabled or have
35       their use restricted.  This includes special device  files  and  kernel
36       services that allow direct access of the kernel image:
37
38              /dev/mem
39              /dev/kmem
40              /dev/kcore
41              /dev/ioports
42              BPF
43              kprobes
44
45       and  the  ability  to  directly configure and control devices, so as to
46       prevent the use of a device to access or modify a kernel image:
47
48              The use of module  parameters  that  directly  specify  hardware
49              parameters  to  drivers  through the kernel command line or when
50              loading a module.
51
52              The use of direct PCI BAR access.
53
54              The use of the ioperm and iopl instructions on x86.
55
56              The use of the KD*IO console ioctls.
57
58              The use of the TIOCSSERIAL serial ioctl.
59
60              The alteration of MSR registers on x86.
61
62              The replacement of the PCMCIA CIS.
63
64              The overriding of ACPI tables.
65
66              The use of ACPI error injection.
67
68              The specification of the ACPI RDSP address.
69
70              The use of ACPI custom methods.
71
72       Certain facilities are restricted:
73
74              Only validly signed modules may be loaded (waived if the  module
75              file being loaded is vouched for by IMA appraisal).
76
77              Only  validly  signed  binaries  may  be  kexec'd (waived if the
78              binary  image  file  to  be  executed  is  vouched  for  by  IMA
79              appraisal).
80
81              Unencrypted  hibernation/suspend  to  swap are disallowed as the
82              kernel image is saved to a medium that can then be accessed.
83
84              Use of debugfs is not permitted as this allows a whole range  of
85              actions including direct configuration of, access to and driving
86              of hardware.
87
88              IMA requires the addition of the "secure_boot" rules to the pol‐
89              icy,  whether or not they are specified on the command line, for
90              both the builtin and custom policies  in  secure  boot  lockdown
91              mode.
92
93
94
95Linux                             2017-10-05                KERNEL LOCKDOWN(7)