mirror of https://github.com/mkerrisk/man-pages
108 lines
3.4 KiB
Groff
.\"
.\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
.\" Written by David Howells (dhowells@redhat.com)
.\"
.\" %%%LICENSE_START(GPLv2+_SW_ONEPARA)
.\" This program is free software; you can redistribute it and/or
.\" modify it under the terms of the GNU General Public License
.\" as published by the Free Software Foundation; either version
.\" 2 of the License, or (at your option) any later version.
.\" %%%LICENSE_END
.\"
.TH "KERNEL LOCKDOWN" 7 2017-10-05 Linux "Linux Programmer's Manual"
.SH NAME
Kernel Lockdown \- Kernel image access prevention feature
.SH DESCRIPTION
The Kernel Lockdown feature is designed to prevent both direct and indirect
access to a running kernel image, attempting to protect against unauthorised
modification of the kernel image and to prevent access to security and
cryptographic data located in kernel memory, whilst still permitting driver
modules to be loaded.
.P
Lockdown is typically enabled during boot and may be terminated, if configured,
by typing a special key combination on a directly attached physical keyboard.
.P
If a prohibited or restricted feature is accessed or used, the kernel will emit
a message that looks like:
.P
.RS
Lockdown: X: Y is restricted, see man kernel_lockdown.7
.RE
.P
where X indicates the process name and Y indicates what is restricted.
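As an added example (not part of this manual page or of the kernel sources), the following Python parses the message format described above out of dmesg-style log lines and counts denials per process and restricted feature, which is how a defender would spot software tripping over lockdown after enabling Secure Boot. The log lines, process names and feature strings are constructed for illustration; the parser accepts either "," or ";" before "see man".

```python
import re
from collections import Counter

# Message format from DESCRIPTION: "Lockdown: X: Y is restricted, see man kernel_lockdown.7".
# The separator before "see man" is accepted as "," or ";" so both spellings parse.
LOCKDOWN_RE = re.compile(
    r"Lockdown:\s+(?P<process>.+?):\s+(?P<feature>.+?)\s+is restricted[,;]\s+"
    r"see man kernel_lockdown\.7"
)


def parse_lockdown_line(line):
    """Return (process, feature) for a lockdown denial line, or None if the
    line is not one. Any dmesg/journal prefix before 'Lockdown:' is ignored."""
    m = LOCKDOWN_RE.search(line)
    if not m:
        return None
    return m.group("process"), m.group("feature")


def summarise(lines):
    """Count lockdown denials per (process, feature) pair across a log."""
    counts = Counter()
    for line in lines:
        hit = parse_lockdown_line(line)
        if hit:
            counts[hit] += 1
    return counts


# Constructed sample dmesg output (not captured from a real system); process
# and feature names are illustrative, loosely drawn from the COVERAGE list.
SAMPLE_DMESG = """\
[    0.000000] Linux version 5.x (constructed sample)
[   12.345678] Lockdown: insmod: unsigned module loading is restricted, see man kernel_lockdown.7
[   40.100000] Lockdown: dd: /dev/mem,kmem,port is restricted, see man kernel_lockdown.7
[   40.100010] Lockdown: dd: /dev/mem,kmem,port is restricted, see man kernel_lockdown.7
[   55.200000] Lockdown: bpftrace: use of kprobes is restricted; see man kernel_lockdown.7
[   60.000000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
""".splitlines()

if __name__ == "__main__":
    for (proc, feat), n in sorted(summarise(SAMPLE_DMESG).items()):
        print(f"{n:3d}  {proc:<10} {feat}")
```

On a live system the same functions can be fed the output of `dmesg` or `journalctl -k` line by line.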
.P
On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled
if the system boots in EFI Secure Boot mode.
.P
If the kernel is appropriately configured, lockdown may be lifted by typing the
appropriate sequence on a directly attached physical keyboard. For x86
machines, this is
.IR SysRq+x .
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH COVERAGE
When lockdown is in effect, a number of features are disabled or have their use
restricted. This includes special device files and kernel services that allow
direct access to the kernel image:
.P
.RS
/dev/mem
.br
/dev/kmem
.br
/dev/kcore
.br
/dev/ioports
.br
BPF
.br
kprobes
.RE
.P
and the ability to directly configure and control devices, so as to prevent the
use of a device to access or modify a kernel image:
.P
.RS
The use of module parameters that directly specify hardware parameters to
drivers through the kernel command line or when loading a module.
.P
The use of direct PCI BAR access.
.P
The use of the ioperm and iopl instructions on x86.
.P
The use of the KD*IO console ioctls.
.P
The use of the TIOCSSERIAL serial ioctl.
.P
The alteration of MSR registers on x86.
.P
The replacement of the PCMCIA CIS.
.P
The overriding of ACPI tables.
.P
The use of ACPI error injection.
.P
The specification of the ACPI RSDP address.
.P
The use of ACPI custom methods.
.RE
.P
Certain facilities are restricted:
.P
.RS
Only validly signed modules may be loaded (waived if the module file being
loaded is vouched for by IMA appraisal).
.P
Only validly signed binaries may be kexec'd (waived if the binary image file to
be executed is vouched for by IMA appraisal).
.P
Unencrypted hibernation/suspend to swap are disallowed as the kernel image is
saved to a medium that can then be accessed.
.P
Use of debugfs is not permitted as this allows a whole range of actions
including direct configuration of, access to and driving of hardware.
.P
IMA requires the addition of the "secure_boot" rules to the policy, whether or
not they are specified on the command line, for both the builtin and custom
policies in secure boot lockdown mode.
.RE