User:JM01085758/lockdown

From Gentoo Wiki
Warning, this page is a work in progress by JM01085758 (talk | contribs). Treat its contents with caution.

Since Linux 5.4,[1] the kernel has supported integrity and confidentiality lockdown modes. Integrity mode disables features that allow userland to modify the running kernel. Confidentiality mode does the same and goes further, also preventing userland from extracting confidential information from the kernel.[2] Enabling either prevents the loading of unsigned kernel modules as well as unencrypted hibernation or suspend to swap.[3] By default in Gentoo, neither mode is enabled, but on EFI x86 or arm64, lockdown will be enabled automatically when Secure Boot is enabled.[3]

Background

The motivation for implementing this feature was "to enforce a distinction between running as root and the ability to run code in kernel mode".[4] To quote Matthew Garrett, "if you can run arbitrary code in the kernel then you can use the kernel to boot anything you want",[5] defeating the point of UEFI Secure Boot.

Kernel

KERNEL menuconfig
Security options  ---> 
    [*] Basic module for enforcing kernel lockdown
    [*]   Enable lockdown LSM early in init
          Kernel default lockdown mode (Integrity)  --->

GRUB

Lockdown modes can also be selected at boot time by passing lockdown= on the kernel command line, for example via GRUB: GRUB_CMDLINE_LINUX="lockdown=integrity".[2]
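Whichever way the mode is set, the lockdown LSM reports what the running kernel actually enforces through securityfs, normally at /sys/kernel/security/lockdown, with the active mode shown in brackets. The following POSIX shell script is an added example, not part of this wiki page; it assumes that securityfs mount point and a readable /proc/cmdline, and its parsers take the file contents as arguments so they can be checked offline:

```shell
#!/bin/sh
# Added example, not from the wiki page: report the active kernel lockdown mode.
# The lockdown LSM exposes its state via securityfs, normally at
# /sys/kernel/security/lockdown, as e.g. "none [integrity] confidentiality";
# the bracketed word is the mode currently enforced.
LOCKDOWN_FILE="${LOCKDOWN_FILE:-/sys/kernel/security/lockdown}"

# Print the bracketed (active) mode from a lockdown status line,
# or "unknown" when no bracketed word is present.
parse_lockdown_mode() {
    mode=$(printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p')
    printf '%s\n' "${mode:-unknown}"
}

# Print the value of lockdown= from a kernel command line, or "unset".
parse_cmdline_lockdown() {
    for word in $1; do
        case "$word" in
            lockdown=*) printf '%s\n' "${word#lockdown=}"; return 0 ;;
        esac
    done
    printf 'unset\n'
}

# Succeed when the active mode ($2) satisfies the required mode ($1):
# confidentiality implies integrity, but not the other way round.
lockdown_at_least() {
    case "$1:$2" in
        integrity:integrity|integrity:confidentiality|confidentiality:confidentiality) return 0 ;;
        *) return 1 ;;
    esac
}

# Human-readable report for the running kernel.
report_lockdown() {
    if [ -r "$LOCKDOWN_FILE" ]; then
        status=$(cat "$LOCKDOWN_FILE")
        echo "securityfs:  $status"
        echo "active mode: $(parse_lockdown_mode "$status")"
    else
        echo "$LOCKDOWN_FILE not readable: lockdown LSM absent or securityfs not mounted"
    fi
    if [ -r /proc/cmdline ]; then
        echo "cmdline:     lockdown=$(parse_cmdline_lockdown "$(cat /proc/cmdline)")"
    fi
}

# Report only when run with --report, so the functions can also be sourced.
if [ "${1:-}" = "--report" ]; then
    report_lockdown
fi
```

Run it as `sh lockdown-check.sh --report`; a mismatch between the cmdline value and the bracketed securityfs mode means the kernel was built without the lockdown LSM or a later setting (such as Secure Boot enforcement) overrode the boot parameter.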

Impact

Enabling one of the lockdown modes will affect one's ability to modify and/or read from the following:

A more extensive list can be seen here.[3]

Vulnerabilities

Kernels prior to 5.19 contain a trivial bypass bug.[7]

See also

  • Kernel Modules — object files that contain code to extend the kernel of an operating system.
  • Signed kernel module support — allows further hardening of the system by preventing unsigned kernel modules, or kernel modules signed with the wrong key, from being loaded.

References