mirror of https://github.com/mkerrisk/man-pages
kernel_lockdown.7: New page documenting the Kernel Lockdown feature
Provide a man-page for kernel_lockdown. The content is taken from a patch for the Fedora 34 man-pages available at https://kojipkgs.fedoraproject.org//packages/man-pages/5.08/1.fc34/src/man-pages-5.08-1.fc34.src.rpm

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent 02667b1ee5
commit bb509e6fcb
@ -0,0 +1,107 @@
.\"
.\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
.\" Written by David Howells (dhowells@redhat.com)
.\"
.\" %%%LICENSE_START(GPLv2+_SW_ONEPARA)
.\" This program is free software; you can redistribute it and/or
.\" modify it under the terms of the GNU General Public License
.\" as published by the Free Software Foundation; either version
.\" 2 of the License, or (at your option) any later version.
.\" %%%LICENSE_END
.\"
.TH "KERNEL LOCKDOWN" 7 2017-10-05 Linux "Linux Programmer's Manual"
.SH NAME
Kernel Lockdown \- Kernel image access prevention feature
.SH DESCRIPTION
The Kernel Lockdown feature is designed to prevent both direct and indirect
access to a running kernel image, attempting to protect against unauthorised
modification of the kernel image and to prevent access to security and
cryptographic data located in kernel memory, whilst still permitting driver
modules to be loaded.
.P
Lockdown is typically enabled during boot and may be terminated, if configured,
by typing a special key combination on a directly attached physical keyboard.
.P
If a prohibited or restricted feature is accessed or used, the kernel will emit
a message that looks like:
.P
.RS
Lockdown: X: Y is restricted, see man kernel_lockdown.7
.RE
.P
where X indicates the process name and Y indicates what is restricted.
.P
On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled
if the system boots in EFI Secure Boot mode.
.P
If the kernel is appropriately configured, lockdown may be lifted by typing the
appropriate sequence on a directly attached physical keyboard. For x86
machines, this is
.IR SysRq+x .
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH COVERAGE
When lockdown is in effect, a number of features are disabled or have their use
restricted. This includes special device files and kernel services that allow
direct access of the kernel image:
.P
.RS
/dev/mem
.br
/dev/kmem
.br
/dev/kcore
.br
/dev/ioports
.br
BPF
.br
kprobes
.RE
.P
and the ability to directly configure and control devices, so as to prevent the
use of a device to access or modify a kernel image:
.P
.RS
The use of module parameters that directly specify hardware parameters to
drivers through the kernel command line or when loading a module.
.P
The use of direct PCI BAR access.
.P
The use of the ioperm and iopl instructions on x86.
.P
The use of the KD*IO console ioctls.
.P
The use of the TIOCSSERIAL serial ioctl.
.P
The alteration of MSR registers on x86.
.P
The replacement of the PCMCIA CIS.
.P
The overriding of ACPI tables.
.P
The use of ACPI error injection.
.P
The specification of the ACPI RDSP address.
.P
The use of ACPI custom methods.
.RE
.P
Certain facilities are restricted:
.P
.RS
Only validly signed modules may be loaded (waived if the module file being
loaded is vouched for by IMA appraisal).
.P
Only validly signed binaries may be kexec'd (waived if the binary image file to
be executed is vouched for by IMA appraisal).
.P
Unencrypted hibernation/suspend to swap are disallowed as the kernel image is
saved to a medium that can then be accessed.
.P
Use of debugfs is not permitted as this allows a whole range of actions
including direct configuration of, access to and driving of hardware.
.P
IMA requires the addition of the "secure_boot" rules to the policy, whether or
not they are specified on the command line, for both the builtin and custom
policies in secure boot lockdown mode.
.RE
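Review bot: the page name in `.TH "KERNEL LOCKDOWN" 7 2017-10-05 Linux ...` and the NAME line `Kernel Lockdown \- Kernel image access prevention feature` do not match the file name that the kernel's own message quoted in this page points readers at (`Lockdown: X: Y is restricted, see man kernel_lockdown.7`); use `.TH KERNEL_LOCKDOWN 7 ...` and `kernel_lockdown \- ...` so that `man kernel_lockdown`, apropos and whatis resolve the page, and refresh the 2017-10-05 date since the commit message says the text comes from the man-pages 5.08 / Fedora 34 package. Two factual nits in COVERAGE: "The use of the ioperm and iopl instructions on x86." describes system calls, not instructions (ioperm(2) and iopl(2)), and "ACPI RDSP" in "The specification of the ACPI RDSP address." should read RSDP (Root System Description Pointer). The page also has no VERSIONS or SEE ALSO section; a VERSIONS note naming the kernel release that introduced lockdown, and SEE ALSO entries for interfaces this page mentions (ioperm(2), iopl(2), bpf(2), kexec_load(2)), would help a reader who arrives here from the kernel log message.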