.\"
.\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
.\" Written by David Howells (dhowells@redhat.com)
.\"
.\" %%%LICENSE_START(GPLv2+_SW_ONEPARA)
.\" This program is free software; you can redistribute it and/or
.\" modify it under the terms of the GNU General Public License
.\" as published by the Free Software Foundation; either version
.\" 2 of the License, or (at your option) any later version.
.\" %%%LICENSE_END
.\"
.TH "KERNEL_LOCKDOWN" 7 2020-11-01 Linux "Linux Programmer's Manual"
.SH NAME
kernel_lockdown \- kernel image access prevention feature
.SH DESCRIPTION
The Kernel Lockdown feature is designed to prevent both direct and indirect
access to a running kernel image, attempting to protect against unauthorized
modification of the kernel image and to prevent access to security and
cryptographic data located in kernel memory, whilst still permitting driver
modules to be loaded.
.PP
Lockdown is typically enabled during boot and may be terminated, if configured,
by typing a special key combination on a directly attached physical keyboard.
.PP
If a prohibited or restricted feature is accessed or used, the operation fails
with the error
.B EPERM
and the kernel emits a rate-limited message that looks like:
.PP
.RS
Lockdown: X: Y is restricted; see man kernel_lockdown.7
.RE
.PP
where X is the name of the process that attempted the operation and Y
describes what is restricted.
.PP
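The notice above can be parsed out of the kernel log, and the level currently in force can be read from /sys/kernel/security/lockdown, a securityfs file provided by the lockdown LSM that this page does not mention. The following C program is an added example, not part of this manual page or of the kernel: the log lines embedded in it are constructed, and securityfs is assumed to be mounted at its usual path.

```c
/* Added example, not from kernel_lockdown.7 or the kernel: parse the
 * "Lockdown: X: Y is restricted; see man kernel_lockdown.7" notice and
 * read the active level from securityfs (assumed mounted at the usual
 * path; the file is not mentioned on the manual page). */
#include <stdio.h>
#include <string.h>

#define LOCKDOWN_SYSFS "/sys/kernel/security/lockdown"

struct lockdown_notice {
    char comm[32];    /* X: name of the process that hit the restriction */
    char reason[128]; /* Y: what was restricted */
};

/* Returns 1 and fills *n if line is a lockdown notice, else 0.
 * Anything before "Lockdown: " (timestamps, "kernel:") is ignored. */
int parse_lockdown_notice(const char *line, struct lockdown_notice *n)
{
    const char *p = strstr(line, "Lockdown: ");
    if (!p)
        return 0;
    p += strlen("Lockdown: ");
    const char *colon = strstr(p, ": ");
    if (!colon)
        return 0;
    size_t clen = (size_t)(colon - p);
    if (clen == 0 || clen >= sizeof n->comm)
        return 0;
    memcpy(n->comm, p, clen);
    n->comm[clen] = '\0';
    const char *r = colon + 2;
    const char *tail = strstr(r, " is restricted");
    if (!tail || tail == r)
        return 0;
    size_t rlen = (size_t)(tail - r);
    if (rlen >= sizeof n->reason)
        return 0;
    memcpy(n->reason, r, rlen);
    n->reason[rlen] = '\0';
    return 1;
}

/* The securityfs file reads like "none [integrity] confidentiality": the
 * active level is the bracketed word.  Copies it to out and returns 1,
 * or returns 0 if no bracketed word is present. */
int parse_lockdown_level(const char *text, char *out, size_t outlen)
{
    const char *lb = strchr(text, '[');
    const char *rb = lb ? strchr(lb, ']') : NULL;
    if (!lb || !rb || rb - lb <= 1)
        return 0;
    size_t len = (size_t)(rb - lb - 1);
    if (len >= outlen)
        return 0;
    memcpy(out, lb + 1, len);
    out[len] = '\0';
    return 1;
}

/* Reads the live level; returns 0 if the file is absent (lockdown LSM not
 * built in, or securityfs not mounted). */
int read_lockdown_level(char *out, size_t outlen)
{
    char buf[128];
    FILE *f = fopen(LOCKDOWN_SYSFS, "r");
    if (!f)
        return 0;
    int got = fgets(buf, sizeof buf, f) != NULL;
    fclose(f);
    return got && parse_lockdown_level(buf, out, outlen);
}

int main(void)
{
    /* Constructed sample lines in the kernel's format (not real log data). */
    static const char *const samples[] = {
        "[   12.345678] Lockdown: cat: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7",
        "kernel: Lockdown: bpftrace: use of kprobes is restricted; see man kernel_lockdown.7",
        "[   12.400000] usb 1-1: new high-speed USB device number 2 using xhci_hcd",
    };
    char level[32];
    if (read_lockdown_level(level, sizeof level))
        printf("current lockdown level: %s\n", level);
    else
        printf("lockdown state file not available\n");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct lockdown_notice n;
        if (parse_lockdown_notice(samples[i], &n))
            printf("process %s blocked: %s\n", n.comm, n.reason);
    }
    return 0;
}
```

Feed real lines from dmesg or the journal to parse_lockdown_notice to turn lockdown refusals into detection events; a burst of notices naming one process is the usual sign of tooling (for example a hardware probe or tracer) that needs to be retired or run on a non-locked-down host.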
On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled
if the system boots in EFI Secure Boot mode.
Whether a given kernel does this depends on how it was built;
the level currently in force can be read from
.IR /sys/kernel/security/lockdown .
.PP
If the kernel is appropriately configured, lockdown may be lifted by typing
the appropriate sequence on a directly attached physical keyboard.
For x86 machines, this is
.IR SysRq+x .
.\"
.SS Coverage
When lockdown is in effect, a number of features are disabled or have their
use restricted.
This includes special device files and kernel services that allow
direct access of the kernel image:
.PP
.RS
/dev/mem
.br
/dev/kmem
.br
/proc/kcore
.br
/dev/port
.br
BPF
.br
kprobes
.RE
.PP
and the ability to directly configure and control devices, so as to prevent
the use of a device to access or modify a kernel image:
.IP \(bu 2
The use of module parameters that directly specify hardware parameters to
drivers through the kernel command line or when loading a module.
.IP \(bu
The use of direct PCI BAR access.
.IP \(bu
The use of the
.BR ioperm (2)
and
.BR iopl (2)
system calls on x86.
.IP \(bu
The use of the KD*IO console ioctls.
.IP \(bu
The use of the TIOCSSERIAL serial ioctl.
.IP \(bu
The alteration of model-specific registers (MSRs) on x86.
.IP \(bu
The replacement of the PCMCIA CIS.
.IP \(bu
The overriding of ACPI tables.
.IP \(bu
The use of ACPI error injection.
.IP \(bu
The specification of the ACPI RSDP address.
.IP \(bu
The use of ACPI custom methods.
.PP
Certain facilities are restricted:
.IP \(bu 2
Only validly signed modules may be loaded (waived if the module file being
loaded is vouched for by IMA appraisal).
.IP \(bu
Only validly signed binaries may be kexec'd (waived if the binary image file
to be executed is vouched for by IMA appraisal).
.IP \(bu
Unencrypted hibernation/suspend to swap is disallowed, as the kernel image is
saved to a medium that can then be accessed.
.IP \(bu
Use of debugfs is not permitted, as this allows a whole range of actions
including direct configuration of, access to and driving of hardware.
.IP \(bu
IMA requires the addition of the "secure_boot" rules to the policy,
whether or not they are specified on the command line,
for both the built-in and custom policies in secure boot lockdown mode.
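.PP
As an added example, not from this page or from the kernel, the following C program opens each of the special device files listed under Coverage read-only and classifies the result. Run it as root: an unprivileged user gets EACCES from discretionary permissions regardless of lockdown, and a root process that lacks CAP_SYS_RAWIO also gets EPERM, so confirm a lockdown refusal against the kernel log notice described above rather than from errno alone.

```c
/* Added example, not from kernel_lockdown.7 or the kernel: probe the
 * device files that lockdown restricts and classify the outcome.  The
 * lockdown check for these devices happens in open(2), so nothing is
 * read or written. */
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

enum probe_result {
    PROBE_OPEN,    /* opened: not restricted for this caller */
    PROBE_EPERM,   /* EPERM: lockdown refused it, or CAP_SYS_RAWIO is missing */
    PROBE_EACCES,  /* EACCES: file permissions refused it; rerun as root */
    PROBE_ABSENT,  /* no such device (e.g. CONFIG_DEVKMEM not set) */
    PROBE_OTHER
};

/* Maps open(2)'s return value and errno to a classification.  Kept pure
 * so the mapping can be checked without touching real devices. */
enum probe_result classify_probe(int fd, int err)
{
    if (fd >= 0)
        return PROBE_OPEN;
    switch (err) {
    case EPERM:
        return PROBE_EPERM;
    case EACCES:
        return PROBE_EACCES;
    case ENOENT:
    case ENXIO:
    case ENODEV:
        return PROBE_ABSENT;
    default:
        return PROBE_OTHER;
    }
}

const char *probe_name(enum probe_result r)
{
    static const char *const names[] = {
        "opened (not restricted)",
        "EPERM (lockdown, or no CAP_SYS_RAWIO)",
        "EACCES (not root)",
        "absent",
        "other error",
    };
    return names[r];
}

/* Opens path read-only and closes it again immediately. */
enum probe_result probe_device(const char *path)
{
    int fd = open(path, O_RDONLY);
    int err = errno;
    enum probe_result r = classify_probe(fd, err);
    if (fd >= 0)
        close(fd);
    return r;
}

int main(void)
{
    /* /dev/port is the raw I/O port device; /proc/kcore the kernel core image. */
    static const char *const devices[] = {
        "/dev/mem", "/dev/kmem", "/proc/kcore", "/dev/port",
    };
    int refused = 0;
    for (size_t i = 0; i < sizeof devices / sizeof devices[0]; i++) {
        enum probe_result r = probe_device(devices[i]);
        printf("%-12s %s\n", devices[i], probe_name(r));
        if (r == PROBE_EPERM)
            refused++;
    }
    printf("%d interface(s) refused with EPERM\n", refused);
    return 0;
}
```

Under integrity-level lockdown /dev/mem, /dev/kmem and /dev/port are refused at open while /proc/kcore is only refused at confidentiality level, so the pattern of results also hints at which level is in force.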
.SH VERSIONS
The Kernel Lockdown feature was added in Linux 5.4.
.SH NOTES
The Kernel Lockdown feature is enabled by CONFIG_SECURITY_LOCKDOWN_LSM.
The
.I lsm=lsm1,...,lsmN
command line parameter controls the sequence of the initialization of
Linux Security Modules.
It must contain the string
.I lockdown
to enable the Kernel Lockdown feature.
If the command line parameter is not specified,
the initialization falls back to the value of the deprecated
.I security=
command line parameter and further to the value of CONFIG_LSM.
.PP
The level of restriction (integrity or confidentiality) is selected with the
.I lockdown=
command line parameter.
.\" commit 000d388ed3bbed745f366ce71b2bb7c2ee70f449
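.PP
The following C program is an added example, not from this page or from the kernel, that applies the rule above to a kernel command line: the last lsm= parameter wins, and without one the answer depends on security= and CONFIG_LSM, which the program cannot see and so reports as undecided. It also reads the list of LSMs actually active on the running kernel from /sys/kernel/security/lsm, a securityfs file not mentioned on this page; the command lines it is tested with are constructed.

```c
/* Added example, not from kernel_lockdown.7 or the kernel: check whether
 * the lockdown LSM is selected by lsm= on a command line, and whether it
 * is active on the running kernel (securityfs assumed mounted at the
 * usual path). */
#include <stdio.h>
#include <string.h>

/* Returns 1 if name appears as a whole comma-separated entry of list. */
int lsm_list_contains(const char *list, const char *name)
{
    size_t n = strlen(name);
    const char *p = list;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strcspn(p, " \t\n");
        if (len == n && strncmp(p, name, n) == 0)
            return 1;
        if (!end)
            break;
        p = end + 1;
    }
    return 0;
}

/* Returns 1 if lockdown is in the effective lsm= list, 0 if an lsm= list
 * is present but omits it, and -1 if the command line carries no lsm=
 * at all (security= and CONFIG_LSM then decide).  Parameters are split
 * on whitespace; quoted values containing spaces are not handled. */
int cmdline_enables_lockdown(const char *cmdline)
{
    char buf[1024];
    size_t n = strlen(cmdline);
    if (n >= sizeof buf)
        return -1;
    memcpy(buf, cmdline, n + 1);
    const char *effective = NULL;
    for (char *tok = strtok(buf, " \t\n"); tok; tok = strtok(NULL, " \t\n"))
        if (strncmp(tok, "lsm=", 4) == 0)
            effective = tok + 4;   /* a later lsm= overrides an earlier one */
    if (!effective)
        return -1;
    return lsm_list_contains(effective, "lockdown");
}

/* Reads the running kernel's active LSM list; returns 0 if unavailable. */
int read_active_lsms(char *out, size_t outlen)
{
    FILE *f = fopen("/sys/kernel/security/lsm", "r");
    if (!f)
        return 0;
    int ok = fgets(out, (int)outlen, f) != NULL;
    fclose(f);
    if (ok)
        out[strcspn(out, "\n")] = '\0';
    return ok;
}

int main(void)
{
    char cmdline[1024], lsms[256];
    FILE *f = fopen("/proc/cmdline", "r");
    if (f && fgets(cmdline, sizeof cmdline, f)) {
        int r = cmdline_enables_lockdown(cmdline);
        printf("lsm= on command line: %s\n",
               r == 1 ? "includes lockdown" :
               r == 0 ? "omits lockdown" :
                        "absent (security= and CONFIG_LSM decide)");
    }
    if (f)
        fclose(f);
    if (read_active_lsms(lsms, sizeof lsms))
        printf("active LSMs: %s -> lockdown %s\n", lsms,
               lsm_list_contains(lsms, "lockdown") ? "active" : "not active");
    return 0;
}
```

The securityfs list is the authoritative answer for a running system; the command-line check is useful when auditing a boot configuration before it is deployed.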