.\"
.\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
.\" Written by David Howells (dhowells@redhat.com)
.\"
.\" %%%LICENSE_START(GPLv2+_SW_ONEPARA)
.\" This program is free software; you can redistribute it and/or
.\" modify it under the terms of the GNU General Public License
.\" as published by the Free Software Foundation; either version
.\" 2 of the License, or (at your option) any later version.
.\" %%%LICENSE_END
.\"
.TH KERNEL_LOCKDOWN 7 2020-11-01 Linux "Linux Programmer's Manual"
.SH NAME
kernel_lockdown \- kernel image access prevention feature
.SH DESCRIPTION
The Kernel Lockdown feature is designed to prevent both direct and indirect
access to a running kernel image.
It attempts to protect against unauthorized modification of the kernel image
and to prevent access to security and cryptographic data located in kernel
memory, whilst still permitting driver modules to be loaded.
.PP
Lockdown is typically enabled during boot and may be terminated, if configured,
by typing a special key combination on a directly attached physical keyboard.
.PP
If a prohibited or restricted feature is accessed or used, the kernel will emit
a (rate-limited) message that looks like:
.PP
.RS
Lockdown: X: Y is restricted; see man kernel_lockdown.7
.RE
.PP
where X is the name of the calling process (its
.I comm
value, as shown by ps) and Y names the facility that was refused.
The refused operation itself typically fails with the error
.BR EPERM .
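As an added example, not part of this manual page or of the kernel: a POSIX shell filter that extracts these messages from dmesg output so that denials can be counted, sorted, or forwarded to a log pipeline. It accepts both the separator shown above and the semicolon form the mainline kernel prints, and is run here on a constructed log excerpt (the timestamps, process names and the unrelated lines are made up for the example).

```shell
#!/bin/sh
# Added example, not part of kernel_lockdown(7): pull lockdown denials out of
# kernel log text.  Reads dmesg-style lines on stdin and writes one
# "process<TAB>restriction" line per denial.  Both ", see man" and "; see man"
# are accepted; the mainline kernel prints the semicolon form.
lockdown_denials() {
    awk '
        match($0, /Lockdown: .* is restricted[,;] see man kernel_lockdown\.7/) {
            s = substr($0, RSTART + 10, RLENGTH - 10)     # strip "Lockdown: "
            sub(/ is restricted[,;] see man kernel_lockdown\.7$/, "", s)
            i = index(s, ": ")                              # comm ends at first ": "
            if (i > 0)
                print substr(s, 1, i - 1) "\t" substr(s, i + 2)
        }'
}

# Count denials per restriction, most frequent first, as "count<TAB>restriction"
# (e.g. to alert on repeated unsigned-module or MSR attempts).
lockdown_summary() {
    lockdown_denials | cut -f2 | sort | uniq -c | sort -rn |
        awk '{ c = $1; $1 = ""; sub(/^ /, ""); print c "\t" $0 }'
}

# Constructed log excerpt (made up for this example; the message format is the
# kernel's, the timestamps, process names and other lines are illustrative).
SAMPLE_LOG='[    0.000000] Kernel is locked down from command line; see man kernel_lockdown.7
[   12.345678] Lockdown: insmod: unsigned module loading is restricted; see man kernel_lockdown.7
[   40.111111] Lockdown: wrmsr: raw MSR access is restricted; see man kernel_lockdown.7
[   41.222222] usb 1-1: new high-speed USB device number 2 using xhci_hcd
[   55.333333] Lockdown: insmod: unsigned module loading is restricted; see man kernel_lockdown.7
[   60.444444] Lockdown: bpftrace: kprobes is restricted, see man kernel_lockdown.7'

# On a live system the equivalent is:  dmesg | lockdown_summary
printf '%s\n' "$SAMPLE_LOG" | lockdown_summary
```

The "Kernel is locked down from ..." line is deliberately not matched: it records that the level was raised, not that something was refused, and should be handled separately if the log pipeline cares about boot-time state.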
.PP
On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled
if the system boots in EFI Secure Boot mode.
This coupling to Secure Boot is carried as a patch by many distribution
kernels; the mainline kernel enables lockdown only through its build
configuration or the
.I lockdown=
command line parameter.
.PP
If the kernel is appropriately configured, lockdown may be lifted by typing
the appropriate sequence on a directly attached physical keyboard.
For x86 machines, this is
.IR SysRq+x .
This, too, is a distribution patch: the mainline kernel has no way to lower
the lockdown level once it has been raised.
.\"
.SS Coverage
When lockdown is in effect, a number of features are disabled or have their
use restricted.
This includes special device files and kernel services that allow
direct access to the kernel image:
.PP
.RS
/dev/mem
.br
/dev/kmem
.br
/dev/kcore
.br
/dev/port
.br
BPF
.br
kprobes
.RE
.PP
and the ability to directly configure and control devices, so as to prevent
the use of a device to access or modify a kernel image:
.IP \(bu 2
The use of module parameters that directly specify hardware parameters
(I/O addresses, IRQs and the like) to drivers, whether given on the kernel
command line or when loading a module.
.IP \(bu
Direct access to PCI BARs and configuration space through the
.I sysfs
and
.I /proc/bus/pci
files.
.IP \(bu
The use of the
.BR ioperm (2)
and
.BR iopl (2)
system calls on x86.
.IP \(bu
The use of the KD*IO console ioctls, which grant I/O port access.
.IP \(bu
The use of the TIOCSSERIAL serial ioctl to change a port's I/O address or IRQ.
.IP \(bu
The alteration of MSRs (model-specific registers) on x86 through
.IR /dev/cpu/*/msr .
.IP \(bu
The replacement of the PCMCIA CIS.
.IP \(bu
The overriding of ACPI tables.
.IP \(bu
The use of ACPI error injection.
.IP \(bu
The specification of the ACPI RSDP (Root System Description Pointer) address.
.IP \(bu
The use of ACPI custom methods.
.PP
Certain facilities are restricted:
.IP \(bu 2
Only validly signed modules may be loaded (waived if the module file being
loaded is vouched for by IMA appraisal).
.IP \(bu
Only validly signed binaries may be kexec'd (waived if the binary image file
to be executed is vouched for by IMA appraisal).
.IP \(bu
Unencrypted hibernation/suspend to swap is disallowed, as the kernel image
would be saved to a medium that can then be read and altered.
.IP \(bu
Use of debugfs is not permitted, as it allows a whole range of actions
including direct configuration of, access to, and driving of hardware.
.IP \(bu
IMA requires the addition of the "secure_boot" rules to the policy,
whether or not they are specified on the command line,
for both the built-in and custom policies in secure boot lockdown mode.
.PP
In the mainline kernel these restrictions are arranged in two cumulative
levels.
The
.I integrity
level blocks everything that could modify the running kernel
(for example /dev/mem, unsigned modules and kexec images, raw MSR writes,
hibernation and debugfs).
The
.I confidentiality
level additionally blocks facilities that could read kernel memory, such as
/dev/kcore, kprobes, BPF helpers that read kernel memory and perf sampling of
the kernel.
.SH VERSIONS
The Kernel Lockdown feature was added in Linux 5.4.
.SH NOTES
The Kernel Lockdown feature is enabled by CONFIG_SECURITY_LOCKDOWN_LSM.
The
.I lsm=lsm1,...,lsmN
command line parameter controls the sequence of the initialization of
Linux Security Modules.
It must contain the string
.I lockdown
to enable the Kernel Lockdown feature.
If the command line parameter is not specified,
the initialization falls back to the value of the deprecated
.I security=
command line parameter and further to the value of CONFIG_LSM.
.PP
The initial lockdown level is chosen at build time by the
CONFIG_LOCK_DOWN_KERNEL_FORCE_* options and may be raised at boot with
.IR lockdown=integrity " or " lockdown=confidentiality .
At run time the current level is shown by
.IR /sys/kernel/security/lockdown ,
and a higher level may be selected by writing its name to that file;
the level can never be lowered.
.\" commit 000d388ed3bbed745f366ce71b2bb7c2ee70f449
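An added example, not part of this manual page or of the kernel: a POSIX shell preflight check that applies the lsm= fallback described above and reads the active level back. It assumes two mainline interfaces, the lockdown= command line parameter and the /sys/kernel/security/lockdown securityfs file (which lists every level and marks the current one in brackets), and is run here on constructed stand-ins for /proc/cmdline, CONFIG_LSM and that file; the CONFIG_LSM value shown is illustrative, not a claim about any particular kernel build.

```shell
#!/bin/sh
# Added example, not part of kernel_lockdown(7): check whether the lockdown
# LSM is in the initialization order and what level is requested and active.
# The helpers take their input as arguments so the logic can be exercised on
# constructed strings; on a live system pass "$(cat /proc/cmdline)" and
# "$(cat /sys/kernel/security/lockdown)".

# lsm_includes_lockdown CMDLINE CONFIG_LSM
# Exit 0 if "lockdown" is in the LSM initialization order.  An explicit lsm=
# list wins; otherwise the built-in CONFIG_LSM order (second argument) is
# used.  security= only selects the single major LSM and is not consulted.
lsm_includes_lockdown() {
    cmdline=$1 builtin=$2 order=
    for arg in $cmdline; do
        case $arg in
            lsm=*) order=${arg#lsm=} ;;
        esac
    done
    [ -n "$order" ] || order=$builtin
    case ",$order," in
        *,lockdown,*) return 0 ;;
        *)            return 1 ;;
    esac
}

# cmdline_lockdown CMDLINE
# Print the level requested with lockdown=, or "none" if it is absent.
cmdline_lockdown() {
    level=none
    for arg in $1; do
        case $arg in
            lockdown=integrity|lockdown=confidentiality) level=${arg#lockdown=} ;;
        esac
    done
    printf '%s\n' "$level"
}

# lockdown_level SECURITYFS_CONTENT
# Print the active level from the securityfs file, whose content looks like
# "none [integrity] confidentiality" with the current level in brackets.
lockdown_level() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^\[\(.*\)\]$/\1/p'
}

# Constructed inputs standing in for /proc/cmdline, CONFIG_LSM and
# /sys/kernel/security/lockdown (made up for this example).
CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro lsm=lockdown,yama,apparmor lockdown=integrity'
CONFIG_LSM='lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor'
SECURITYFS='none [integrity] confidentiality'

if lsm_includes_lockdown "$CMDLINE" "$CONFIG_LSM"; then
    echo "lockdown LSM in order; requested=$(cmdline_lockdown "$CMDLINE") active=$(lockdown_level "$SECURITYFS")"
else
    echo "lockdown LSM not in initialization order"
fi
```

A level requested on the command line that is lower than the one forced at build time is silently ignored by the kernel, so compare the requested and active values rather than trusting the command line alone.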