KERNEL_LOCKDOWN(7)         Linux Programmer's Manual        KERNEL_LOCKDOWN(7)

NAME
       kernel_lockdown - kernel image access prevention feature

DESCRIPTION
       The Kernel Lockdown feature is designed to prevent both direct and
       indirect access to a running kernel image, attempting to protect against
       unauthorized modification of the kernel image and to prevent access to
       security and cryptographic data located in kernel memory, whilst still
       permitting driver modules to be loaded.

       Lockdown is typically enabled during boot and may be terminated, if
       configured, by typing a special key combination on a directly attached
       physical keyboard.

       If a prohibited or restricted feature is accessed or used, the kernel
       will emit a message that looks like:

               Lockdown: X: Y is restricted, see man kernel_lockdown.7

       where X indicates the process name and Y indicates what is restricted.

       On an EFI-enabled x86 or arm64 machine, lockdown will be automatically
       enabled if the system boots in EFI Secure Boot mode.

       If the kernel is appropriately configured, lockdown may be lifted by
       typing the appropriate sequence on a directly attached physical
       keyboard.  For x86 machines, this is SysRq+x.

   Coverage
       When lockdown is in effect, a number of features are disabled or have
       their use restricted.  This includes special device files and kernel
       services that allow direct access to the kernel image:

              /dev/mem
              /dev/kmem
              /dev/kcore
              /dev/ioports
              BPF
              kprobes

       and the ability to directly configure and control devices, so as to
       prevent the use of a device to access or modify a kernel image:

       • The use of module parameters that directly specify hardware
         parameters to drivers through the kernel command line or when loading
         a module.

       • The use of direct PCI BAR access.

       • The use of the ioperm and iopl instructions on x86.

       • The use of the KD*IO console ioctls.

       • The use of the TIOCSSERIAL serial ioctl.

       • The alteration of MSR registers on x86.

       • The replacement of the PCMCIA CIS.

       • The overriding of ACPI tables.

       • The use of ACPI error injection.

       • The specification of the ACPI RDSP address.

       • The use of ACPI custom methods.

       Certain facilities are restricted:

       • Only validly signed modules may be loaded (waived if the module file
         being loaded is vouched for by IMA appraisal).

       • Only validly signed binaries may be kexec'd (waived if the binary
         image file to be executed is vouched for by IMA appraisal).

       • Unencrypted hibernation/suspend to swap are disallowed as the kernel
         image is saved to a medium that can then be accessed.

       • Use of debugfs is not permitted as this allows a whole range of
         actions including direct configuration of, access to and driving of
         hardware.

       • IMA requires the addition of the "secure_boot" rules to the policy,
         whether or not they are specified on the command line, for both the
         built-in and custom policies in secure boot lockdown mode.

VERSIONS
       The Kernel Lockdown feature was added in Linux 5.4.

NOTES
       The Kernel Lockdown feature is enabled by CONFIG_SECURITY_LOCKDOWN_LSM.
       The lsm=lsm1,...,lsmN command line parameter controls the sequence of
       the initialization of Linux Security Modules.  It must contain the
       string lockdown to enable the Kernel Lockdown feature.  If the command
       line parameter is not specified, the initialization falls back to the
       value of the deprecated security= command line parameter and further to
       the value of CONFIG_LSM.
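
       The two pieces of this page a defender works with directly are the
       "Lockdown: X: Y is restricted" message format from DESCRIPTION and the
       lsm= parameter from NOTES.  The following Python is an added example,
       not part of this man page or of the kernel, that extracts the (process,
       restricted feature) pairs from kernel log lines in that format and
       checks whether lockdown appears in the lsm= list of a kernel command
       line; the log lines and command lines are constructed samples.

```python
import re
from collections import Counter

# Message format documented above:
#   Lockdown: <process>: <what> is restricted, see man kernel_lockdown.7
# Matched with search() so a dmesg timestamp or syslog prefix does not matter.
LOCKDOWN_RE = re.compile(
    r"Lockdown: (?P<process>[^:]+): (?P<what>.+?) is restricted, "
    r"see man kernel_lockdown\.7"
)

# Constructed sample kernel log lines for offline use (not real captures).
SAMPLE_LOG = """\
[    3.117530] Lockdown: swapper/0: hibernation is restricted, see man kernel_lockdown.7
[   12.004113] Lockdown: modprobe: unsigned module loading is restricted, see man kernel_lockdown.7
[   12.004120] usb 1-1: new high-speed USB device number 2 using xhci_hcd
[   40.221887] Lockdown: dd: /dev/mem,kmem,port is restricted, see man kernel_lockdown.7
[   41.000001] Lockdown: dd: /dev/mem,kmem,port is restricted, see man kernel_lockdown.7
"""


def parse_lockdown_events(log_text):
    """Return (process, restricted_feature) tuples, one per lockdown message."""
    events = []
    for line in log_text.splitlines():
        m = LOCKDOWN_RE.search(line)
        if m:
            events.append((m.group("process"), m.group("what")))
    return events


def summarize_by_feature(events):
    """Count how often each restricted feature was hit, for triage."""
    return Counter(what for _, what in events)


def lockdown_in_lsm_list(cmdline):
    """Check whether 'lockdown' is in the lsm= list of a kernel command line.

    Returns True/False when lsm= is present and None when it is absent; in
    the None case the kernel falls back to security= and then CONFIG_LSM,
    which cannot be decided from the command line alone.
    """
    for tok in cmdline.split():
        if tok.startswith("lsm="):
            return "lockdown" in tok[len("lsm="):].split(",")
    return None
```

       On a live system the same functions can be fed the output of dmesg and
       the contents of /proc/cmdline.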

COLOPHON
       This page is part of release 5.10 of the Linux man-pages project.  A
       description of the project, information about reporting bugs, and the
       latest version of this page, can be found at
       https://www.kernel.org/doc/man-pages/.



Linux                             2020-11-01                KERNEL_LOCKDOWN(7)