From Gentoo Wiki
Jump to:navigation Jump to:search
Warning, this page is a work in progress by JM01085758 (talk | contribs). Treat its contents with caution.

Since 5.4,[1] support has been added for integrity and confidentiality lockdown modes in the kernel. Integrity mode disables features that allow userland to modify the running kernel. Confidentiality mode does the same but goes further, also preventing userland from extracting confidential information.[2] Enabling either will prevent the loading of unsigned kernel modules as well as unencrypted hibernation or suspend to swap.[3] By default in Gentoo, neither mode is enabled, but on EFI x86 or arm64, lockdown will be automatically enabled when Secure Boot is enabled.[3]


The motivation for implementing this feature was "to enforce a distinction between running as root and the ability to run code in kernel mode".[4] To quote Matthew Garrett, "if you can run arbitrary code in the kernel then you can use the kernel to boot anything you want",[5] defeating the point of UEFI Secure Boot.


KERNEL menuconfig
Security options  ---> 
    [*] Basic module for enforcing kernel lockdown
    [*]   Enable lockdown LSM early in init
          Kernel default lockdown mode (Integrity)  --->


Lockdown modes can also be enabled via GRUB: GRUB_CMDLINE_LINUX="lockdown=integrity".[2]


Enabling one of the lockdown modes will affect one's ability to modify and/or read from the following:

A more extensive list can be seen here.[3]


Kernels prior to 5.19 contain a trivial bypass bug.[7]

See also

  • Kernel Modules — object files that contain code to extend the kernel of an operating system.
  • Signed kernel module support — allows further hardening of the system by disallowing unsigned kernel modules, or kernel modules signed with the wrong key, to be loaded.