On Apache
Under GNU General Public License
2024-12-12 16:57 @18.222.117.9 CrawledBy Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)
KERNEL_LOCKDOWN(7) Linux Programmer's Manual KERNEL_LOCKDOWN(7)
NAME
kernel_lockdown - kernel image access prevention feature
DESCRIPTION
The Kernel Lockdown feature is designed to prevent both direct and indirect access to a
running kernel image, attempting to protect against unauthorized modification of the ker-
nel image and to prevent access to security and cryptographic data located in kernel mem-
ory, whilst still permitting driver modules to be loaded.
If a prohibited or restricted feature is accessed or used, the kernel will emit a message
that looks like:
Lockdown: X: Y is restricted, see man kernel_lockdown.7
where X indicates the process name and Y indicates what is restricted.
On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled if the sys-
tem boots in EFI Secure Boot mode.
Coverage
When lockdown is in effect, a number of features are disabled or have their use re-
stricted. This includes special device files and kernel services that allow direct access
of the kernel image:
/dev/mem
/dev/kmem
/dev/kcore
/dev/ioports
BPF
kprobes
and the ability to directly configure and control devices, so as to prevent the use of a
device to access or modify a kernel image:
o The use of module parameters that directly specify hardware parameters to drivers
through the kernel command line or when loading a module.
o The use of direct PCI BAR access.
o The use of the ioperm and iopl instructions on x86.
o The use of the KD*IO console ioctls.
o The use of the TIOCSSERIAL serial ioctl.
o The alteration of MSR registers on x86.
o The replacement of the PCMCIA CIS.
o The overriding of ACPI tables.
o The use of ACPI error injection.
o The specification of the ACPI RDSP address.
o The use of ACPI custom methods.
Certain facilities are restricted:
o Only validly signed modules may be loaded (waived if the module file being loaded is
vouched for by IMA appraisal).
o Only validly signed binaries may be kexec'd (waived if the binary image file to be exe-
cuted is vouched for by IMA appraisal).
o Unencrypted hibernation/suspend to swap are disallowed as the kernel image is saved to a
medium that can then be accessed.
o Use of debugfs is not permitted as this allows a whole range of actions including direct
configuration of, access to and driving of hardware.
o IMA requires the addition of the "secure_boot" rules to the policy, whether or not they
are specified on the command line, for both the built-in and custom policies in secure
boot lockdown mode.
VERSIONS
The Kernel Lockdown feature was added in Linux 5.4.
NOTES
The Kernel Lockdown feature is enabled by CONFIG_SECURITY_LOCKDOWN_LSM. The
lsm=lsm1,...,lsmN command line parameter controls the sequence of the initialization of
Linux Security Modules. It must contain the string lockdown to enable the Kernel Lockdown
feature. If the command line parameter is not specified, the initialization falls back to
the value of the deprecated security= command line parameter and further to the value of
CONFIG_LSM.
COLOPHON
This page is part of release 5.10 of the Linux man-pages project. A description of the
project, information about reporting bugs, and the latest version of this page, can be
found at https://www.kernel.org/doc/man-pages/.
Linux 2020-11-01 KERNEL_LOCKDOWN(7)
Generated by $Id: phpMan.php,v 4.55 2007/09/05 04:42:51 chedong Exp $ Author: Che Dong
On Apache
Under GNU General Public License
2024-12-12 16:57 @18.222.117.9 CrawledBy Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; ClaudeBot/1.0; +claudebot@anthropic.com)