KERNEL_LOCKDOWN(7)         Linux Programmer's Manual        KERNEL_LOCKDOWN(7)

NAME

       kernel_lockdown - kernel image access prevention feature


DESCRIPTION

       The Kernel Lockdown feature is designed to prevent both direct and
       indirect access to a running kernel image, attempting to protect
       against unauthorized modification of the kernel image and to prevent
       access to security and cryptographic data located in kernel memory,
       whilst still permitting driver modules to be loaded.

       If a prohibited or restricted feature is accessed or used, the kernel
       will emit a message that looks like:

               Lockdown: X: Y is restricted, see man kernel_lockdown.7

       where X indicates the process name and Y indicates what is restricted.

       On an EFI-enabled x86 or arm64 machine, lockdown will be automatically
       enabled if the system boots in EFI Secure Boot mode.

   Coverage
       When lockdown is in effect, a number of features are disabled or have
       their use restricted.  This includes special device files and kernel
       services that allow direct access to the kernel image:

              /dev/mem
              /dev/kmem
              /dev/kcore
              /dev/ioports
              BPF
              kprobes

       and the ability to directly configure and control devices, so as to
       prevent the use of a device to access or modify a kernel image:

       • The use of module parameters that directly specify hardware
         parameters to drivers through the kernel command line or when
         loading a module.

       • The use of direct PCI BAR access.

       • The use of the ioperm and iopl instructions on x86.

       • The use of the KD*IO console ioctls.

       • The use of the TIOCSSERIAL serial ioctl.

       • The alteration of MSR registers on x86.

       • The replacement of the PCMCIA CIS.

       • The overriding of ACPI tables.

       • The use of ACPI error injection.

       • The specification of the ACPI RDSP address.

       • The use of ACPI custom methods.

       Certain facilities are restricted:

       • Only validly signed modules may be loaded (waived if the module file
         being loaded is vouched for by IMA appraisal).

       • Only validly signed binaries may be kexec'd (waived if the binary
         image file to be executed is vouched for by IMA appraisal).

       • Unencrypted hibernation/suspend to swap are disallowed as the kernel
         image is saved to a medium that can then be accessed.

       • Use of debugfs is not permitted as this allows a whole range of
         actions including direct configuration of, access to and driving of
         hardware.

       • IMA requires the addition of the "secure_boot" rules to the policy,
         whether or not they are specified on the command line, for both the
         built-in and custom policies in secure boot lockdown mode.


VERSIONS

       The Kernel Lockdown feature was added in Linux 5.4.


NOTES

       The Kernel Lockdown feature is enabled by CONFIG_SECURITY_LOCKDOWN_LSM.
       The lsm=lsm1,...,lsmN command line parameter controls the sequence of
       the initialization of Linux Security Modules.  It must contain the
       string lockdown to enable the Kernel Lockdown feature.  If the command
       line parameter is not specified, the initialization falls back to the
       value of the deprecated security= command line parameter and further to
       the value of CONFIG_LSM.

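EXAMPLES

       The following Python example is added here for illustration and is not
       part of the Linux man-pages project.  It parses the "Lockdown: X: Y is
       restricted" message format described in DESCRIPTION out of a log, and
       applies the lsm= / security= / CONFIG_LSM precedence from NOTES to
       decide whether the lockdown LSM is in the active list.  The sample log
       lines and the kernel command lines are constructed; quoting inside
       command line values is assumed not to occur.

```python
import re
from typing import List, Tuple

# Message format the kernel emits when lockdown denies an operation:
#   Lockdown: <process>: <what> is restricted, see man kernel_lockdown.7
LOCKDOWN_MSG = re.compile(
    r"Lockdown: (?P<process>[^:]+): (?P<restricted>.+?) is restricted, "
    r"see man kernel_lockdown\.7"
)

# Constructed sample log (dmesg-style prefixes, not captured from a real host).
SAMPLE_DMESG = """\
[  12.345678] Lockdown: systemd-logind: hibernation is restricted, see man kernel_lockdown.7
[  40.001122] usb 1-1: new high-speed USB device number 3 using xhci_hcd
[  77.543210] Lockdown: insmod: unsigned module loading is restricted, see man kernel_lockdown.7
"""


def parse_lockdown_messages(log_text: str) -> List[Tuple[str, str]]:
    """Return (process, restricted feature) pairs for every lockdown denial.

    Useful for auditing which programs tripped lockdown after a Secure Boot
    deployment, before deciding whether a policy or package change is needed.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOCKDOWN_MSG.search(line)
        if m:
            hits.append((m.group("process"), m.group("restricted")))
    return hits


def lockdown_enabled(cmdline: str, config_lsm: str) -> bool:
    """Decide whether "lockdown" is in the active LSM list.

    Precedence as documented in NOTES: an explicit lsm= parameter wins,
    otherwise the deprecated security= parameter, otherwise CONFIG_LSM.
    config_lsm is the comma-separated value of CONFIG_LSM (assumed input).
    """
    params = dict(p.split("=", 1) for p in cmdline.split() if "=" in p)
    if "lsm" in params:
        active = params["lsm"].split(",")
    elif "security" in params:
        active = params["security"].split(",")
    else:
        active = config_lsm.split(",")
    return "lockdown" in active
```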

COLOPHON

       This page is part of release 5.13 of the Linux man-pages project.  A
       description of the project, information about reporting bugs, and the
       latest version of this page, can be found at
       https://www.kernel.org/doc/man-pages/.



Linux                             2021-06-20                KERNEL_LOCKDOWN(7)