mirror of https://github.com/mkerrisk/man-pages
121 lines
4.0 KiB
Groff
.\"
.\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
.\" Written by David Howells (dhowells@redhat.com)
.\"
.\" %%%LICENSE_START(GPLv2+_SW_ONEPARA)
.\" This program is free software; you can redistribute it and/or
.\" modify it under the terms of the GNU General Public License
.\" as published by the Free Software Foundation; either version
.\" 2 of the License, or (at your option) any later version.
.\" %%%LICENSE_END
.\"
.TH KERNEL_LOCKDOWN 7 2020-11-01 Linux "Linux Programmer's Manual"
.SH NAME
kernel_lockdown \- kernel image access prevention feature
.SH DESCRIPTION
The Kernel Lockdown feature is designed to prevent both direct and indirect
access to a running kernel image, attempting to protect against unauthorized
modification of the kernel image and to prevent access to security and
cryptographic data located in kernel memory, whilst still permitting driver
modules to be loaded.
.PP
Lockdown is typically enabled during boot and may be terminated, if configured,
by typing a special key combination on a directly attached physical keyboard.
.PP
If a prohibited or restricted feature is accessed or used, the kernel will emit
a message that looks like:
.PP
.RS
Lockdown: X: Y is restricted, see man kernel_lockdown.7
.RE
.PP
where X indicates the process name and Y indicates what is restricted.
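.PP
The message shape above is what an operator has to grep for when something
breaks after Secure Boot is switched on. The following POSIX shell/awk filter
is an added example and not part of this man page or of the kernel: it pulls
the process name (X) and the restricted feature (Y) out of kernel log lines and
counts denials per feature. The sample log lines are constructed for the
example, and accepting either "," or ";" before "see man" is a defensive
assumption about punctuation variants, not something the page documents.

```shell
#!/bin/sh
# Added example, not part of the man page: pull the process name (X) and the
# restricted feature (Y) out of kernel "Lockdown:" messages so denials can be
# counted or forwarded to a log pipeline. Feed it "dmesg" or "journalctl -k".

# Constructed sample of kernel log lines (timestamps, process names and the
# restriction texts are made up for this example; the shape of the Lockdown
# lines follows the man page).
SAMPLE_LOG='[   12.345678] Lockdown: systemd-udevd: unsafe module parameters is restricted, see man kernel_lockdown.7
[   40.000001] audit: type=1130 msg=unrelated line that must be ignored
[  101.222333] Lockdown: cat: /dev/mem,kmem,port is restricted, see man kernel_lockdown.7
[  102.000000] Lockdown: bpftrace: use of bpf to read kernel RAM is restricted; see man kernel_lockdown.7'

# lockdown_events: read log lines on stdin and print "X<TAB>Y" for each
# Lockdown denial. Either "," or ";" is accepted before "see man" as a
# defensive assumption about punctuation variants, not a documented fact.
lockdown_events() {
    awk '
        match($0, /Lockdown: [^:]+: .* is restricted[,;] see man kernel_lockdown\.7/) {
            # Drop the "Lockdown: " prefix and the fixed trailer, leaving "X: Y".
            msg = substr($0, RSTART + 10, RLENGTH - 10)
            sub(/ is restricted[,;] see man kernel_lockdown\.7$/, "", msg)
            i = index(msg, ": ")
            printf "%s\t%s\n", substr(msg, 1, i - 1), substr(msg, i + 2)
        }'
}

# lockdown_summary: count denials per restricted feature, most frequent first;
# this is usually the first thing to look at when an application stops
# working on a Secure Boot machine.
lockdown_summary() {
    lockdown_events | cut -f2 | sort | uniq -c | sort -rn
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | lockdown_events
printf '%s\n' "$SAMPLE_LOG" | lockdown_summary
```

On a live system the same functions take real input, for example
.BR "dmesg | lockdown_summary" ,
and the per-process column tells you which service tripped the restriction.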
.PP
On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled
if the system boots in EFI Secure Boot mode.
.PP
If the kernel is appropriately configured, lockdown may be lifted by typing
the appropriate sequence on a directly attached physical keyboard.
For x86 machines, this is
.IR SysRq+x .
.\"
.SS Coverage
When lockdown is in effect, a number of features are disabled or have their
use restricted.
This includes special device files and kernel services that allow
direct access to the kernel image:
.PP
.RS
/dev/mem
.br
/dev/kmem
.br
/dev/kcore
.br
/dev/ioports
.br
BPF
.br
kprobes
.RE
.PP
and the ability to directly configure and control devices, so as to prevent
the use of a device to access or modify a kernel image:
.IP \(bu 2
The use of module parameters that directly specify hardware parameters to
drivers through the kernel command line or when loading a module.
.IP \(bu
The use of direct PCI BAR access.
.IP \(bu
The use of the ioperm and iopl instructions on x86.
.IP \(bu
The use of the KD*IO console ioctls.
.IP \(bu
The use of the TIOCSSERIAL serial ioctl.
.IP \(bu
The alteration of MSR registers on x86.
.IP \(bu
The replacement of the PCMCIA CIS.
.IP \(bu
The overriding of ACPI tables.
.IP \(bu
The use of ACPI error injection.
.IP \(bu
The specification of the ACPI RSDP address.
.IP \(bu
The use of ACPI custom methods.
.PP
Certain facilities are restricted:
.IP \(bu 2
Only validly signed modules may be loaded (waived if the module file being
loaded is vouched for by IMA appraisal).
.IP \(bu
Only validly signed binaries may be kexec'd (waived if the binary image file
to be executed is vouched for by IMA appraisal).
.IP \(bu
Unencrypted hibernation/suspend to swap are disallowed as the kernel image is
saved to a medium that can then be accessed.
.IP \(bu
Use of debugfs is not permitted as this allows a whole range of actions
including direct configuration of, access to and driving of hardware.
.IP \(bu
IMA requires the addition of the "secure_boot" rules to the policy,
whether or not they are specified on the command line,
for both the built-in and custom policies in secure boot lockdown mode.
.SH VERSIONS
The Kernel Lockdown feature was added in Linux 5.4.
.SH NOTES
The Kernel Lockdown feature is enabled by CONFIG_SECURITY_LOCKDOWN_LSM.
The
.I lsm=lsm1,...,lsmN
command line parameter controls the sequence of the initialization of
Linux Security Modules.
It must contain the string
.I lockdown
to enable the Kernel Lockdown feature.
If the command line parameter is not specified,
the initialization falls back to the value of the deprecated
.I security=
command line parameter and further to the value of CONFIG_LSM.
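.PP
The fallback order just described is easy to get wrong when auditing a fleet,
so here is an added example (not part of this man page or of the kernel) in
POSIX shell that resolves which LSM list applies for a given kernel command
line and reports whether
.I lockdown
is in it. The precedence is modelled on the page's description only: an
.I lsm=
value wins, then the deprecated
.I security=
value, then CONFIG_LSM, which the caller passes in. The command lines in the
block are constructed, and the securityfs path used by the live check is an
assumption of the example.

```shell
#!/bin/sh
# Added example, not part of the man page. Resolves which LSM initialization
# list applies, following the precedence described in NOTES: lsm= on the
# command line, else the deprecated security=, else the kernel's CONFIG_LSM.
# The precedence is modelled on the man page's wording and nothing more.

# lsm_list CMDLINE CONFIG_LSM
# Print the comma-separated LSM list that applies for the given kernel
# command line. CONFIG_LSM is supplied by the caller (on a real system read
# it from the kernel config, e.g. /boot/config-$(uname -r)).
lsm_list() {
    lsm_val=
    sec_val=
    for word in $1; do
        case $word in
            lsm=*)      lsm_val=${word#lsm=} ;;
            security=*) sec_val=${word#security=} ;;
        esac
    done
    if [ -n "$lsm_val" ]; then
        printf '%s\n' "$lsm_val"
    elif [ -n "$sec_val" ]; then
        printf '%s\n' "$sec_val"
    else
        printf '%s\n' "$2"
    fi
}

# lockdown_in_list LIST
# Succeed if "lockdown" is one whole element of a comma-separated LSM list
# (a substring match such as "lockdownx" must not count).
lockdown_in_list() {
    case ",$1," in
        *,lockdown,*) return 0 ;;
        *)            return 1 ;;
    esac
}

# lockdown_enabled CMDLINE CONFIG_LSM
# Succeed if the resolved list contains lockdown, i.e. the LSM is initialized
# on that boot (it still has to be built in, see NOTES).
lockdown_enabled() {
    lockdown_in_list "$(lsm_list "$1" "$2")"
}

# live_lockdown_mode
# On a running system, report the current mode from securityfs. The path is
# an assumption of this example; it is absent on kernels without the LSM, in
# which case "unavailable" is printed.
live_lockdown_mode() {
    f=/sys/kernel/security/lockdown
    if [ -r "$f" ]; then
        # The file lists all modes with the active one in square brackets.
        sed -n 's/.*\[\([^]]*\)\].*/\1/p' "$f"
    else
        echo unavailable
    fi
}

# Constructed command lines for a stand-alone run.
for cl in \
    'BOOT_IMAGE=/vmlinuz root=/dev/sda1 lsm=lockdown,yama,apparmor quiet' \
    'root=/dev/sda1 lsm=yama,apparmor' \
    'root=/dev/sda1'
do
    if lockdown_enabled "$cl" 'lockdown,yama,apparmor'; then
        printf 'lockdown listed    : %s\n' "$cl"
    else
        printf 'lockdown not listed: %s\n' "$cl"
    fi
done
printf 'this host: %s\n' "$(live_lockdown_mode)"
```

To check a real machine, pass
.B "$(cat /proc/cmdline)"
as the first argument and the CONFIG_LSM value from the running kernel's
config as the second; the live check then shows whether the mode actually in
effect agrees with what the command line implies.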
.\" commit 000d388ed3bbed745f366ce71b2bb7c2ee70f449