mirror of https://github.com/mkerrisk/man-pages
kernel_lockdown.7: Various minor edits to bring this page closer to man-pages style
No content changes... Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
parent
bb509e6fcb
commit
ae53794d61
@ -9,41 +9,42 @@
.\" 2 of the License, or (at your option) any later version.
.\" %%%LICENSE_END
.\"
.TH "KERNEL LOCKDOWN" 7 2017-10-05 Linux "Linux Programmer's Manual"
.TH "KERNEL_LOCKDOWN" 7 2017-10-05 Linux "Linux Programmer's Manual"
.SH NAME
Kernel Lockdown \- Kernel image access prevention feature
kernel_lockdown \- kernel image access prevention feature
.SH DESCRIPTION
The Kernel Lockdown feature is designed to prevent both direct and indirect
access to a running kernel image, attempting to protect against unauthorised
access to a running kernel image, attempting to protect against unauthorized
modification of the kernel image and to prevent access to security and
cryptographic data located in kernel memory, whilst still permitting driver
modules to be loaded.
.P
.PP
Lockdown is typically enabled during boot and may be terminated, if configured,
by typing a special key combination on a directly attached physical keyboard.
.P
.PP
If a prohibited or restricted feature is accessed or used, the kernel will emit
a message that looks like:
.P
.PP
.RS
Lockdown: X: Y is restricted, see man kernel_lockdown.7
.RE
.P
.PP
where X indicates the process name and Y indicates what is restricted.
.P
.PP
On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled
if the system boots in EFI Secure Boot mode.
.P
If the kernel is appropriately configured, lockdown may be lifted by typing the
appropriate sequence on a directly attached physical keyboard. For x86
machines, this is
.PP
If the kernel is appropriately configured, lockdown may be lifted by typing
the appropriate sequence on a directly attached physical keyboard.
For x86 machines, this is
.IR SysRq+x .
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH COVERAGE
When lockdown is in effect, a number of features are disabled or have their use
restricted. This includes special device files and kernel services that allow
.\"
.SS Coverage
When lockdown is in effect, a number of features are disabled or have their
use restricted.
This includes special device files and kernel services that allow
direct access of the kernel image:
.P
.PP
.RS
/dev/mem
.br
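Review bot: the change from ".SH COVERAGE" to ".SS Coverage" near the end of this hunk demotes a top-level section to a subsection of DESCRIPTION, and "unauthorised" becomes "unauthorized", so the rendered page does change in two visible ways despite the commit message saying "No content changes"; consider wording the message as "no semantic changes" or listing those two edits explicitly. Everything else here is pure man-pages style and looks right: ".P" to ".PP", one sentence per source line, and the ".TH" title and NAME entry now use the lowercase "kernel_lockdown", which matches the file name that the kernel's own "see man kernel_lockdown.7" message (kept unchanged in this hunk) directs users to.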
@ -57,51 +58,47 @@ BPF
.br
kprobes
.RE
.P
and the ability to directly configure and control devices, so as to prevent the
use of a device to access or modify a kernel image:
.P
.RS
.PP
and the ability to directly configure and control devices, so as to prevent
the use of a device to access or modify a kernel image:
.IP \(bu 2
The use of module parameters that directly specify hardware parameters to
drivers through the kernel command line or when loading a module.
.P
.IP \(bu
The use of direct PCI BAR access.
.P
.IP \(bu
The use of the ioperm and iopl instructions on x86.
.P
.IP \(bu
The use of the KD*IO console ioctls.
.P
.IP \(bu
The use of the TIOCSSERIAL serial ioctl.
.P
.IP \(bu
The alteration of MSR registers on x86.
.P
.IP \(bu
The replacement of the PCMCIA CIS.
.P
.IP \(bu
The overriding of ACPI tables.
.P
.IP \(bu
The use of ACPI error injection.
.P
.IP \(bu
The specification of the ACPI RDSP address.
.P
.IP \(bu
The use of ACPI custom methods.
.RE
.P
.PP
Certain facilities are restricted:
.P
.RS
.IP \(bu 2
Only validly signed modules may be loaded (waived if the module file being
loaded is vouched for by IMA appraisal).
.P
Only validly signed binaries may be kexec'd (waived if the binary image file to
be executed is vouched for by IMA appraisal).
.P
.IP \(bu
Only validly signed binaries may be kexec'd (waived if the binary image file
to be executed is vouched for by IMA appraisal).
.IP \(bu
Unencrypted hibernation/suspend to swap are disallowed as the kernel image is
saved to a medium that can then be accessed.
.P
.IP \(bu
Use of debugfs is not permitted as this allows a whole range of actions
including direct configuration of, access to and driving of hardware.
.P
IMA requires the addition of the "secure_boot" rules to the policy, whether or
not they are specified on the command line, for both the builtin and custom
policies in secure boot lockdown mode.
.RE
.IP \(bu
IMA requires the addition of the "secure_boot" rules to the policy,
whether or not they are specified on the command line,
for both the built-in and custom policies in secure boot lockdown mode.
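Review bot: rewriting the two ".RS"/".P"/".RE" blocks as ".IP \(bu" lists changes the rendered layout from indented paragraphs to bullet items, and "builtin" becomes "built-in" in the IMA item, which again goes a little beyond the "No content changes" in the commit message. One thing worth double-checking in the first list: the old ".RS" before "and the ability to directly configure and control devices" is dropped, but a ".RE" still appears after "The use of ACPI custom methods." in this hunk, and the side-by-side view does not make clear which side it belongs to; if it survives on the new side it is unmatched and will shift the indent of "Certain facilities are restricted:" at render time, so confirm it is a removed line. Giving the indent only on the first item of each list (".IP \(bu 2") and using bare ".IP \(bu" for the following items is the usual man-pages idiom, so the indent carries through correctly for the remaining bullets.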