| Commit | Line | Data |
|---|---|---|
| bb509e6f HS | 1 | `.\"` |
| | 2 | `.\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.` |
| | 3 | `.\" Written by David Howells (dhowells@redhat.com)` |
| | 4 | `.\"` |
| e4a74ca8 | 5 | `.\" SPDX-License-Identifier: GPL-2.0-or-later` |
| bb509e6f | 6 | `.\"` |
| ab47278f | 7 | `.TH KERNEL_LOCKDOWN 7 (date) "Linux man-pages (unreleased)"` |
| bb509e6f | 8 | `.SH NAME` |
| ae53794d | 9 | `kernel_lockdown \- kernel image access prevention feature` |
| bb509e6f HS | 10 | `.SH DESCRIPTION` |
| | 11 | `The Kernel Lockdown feature is designed to prevent both direct and indirect` |
| ae53794d | 12 | `access to a running kernel image, attempting to protect against unauthorized` |
| bb509e6f HS | 13 | `modification of the kernel image and to prevent access to security and` |
| | 14 | `cryptographic data located in kernel memory, whilst still permitting driver` |
| | 15 | `modules to be loaded.` |
| ae53794d | 16 | `.PP` |
| bb509e6f HS | 17 | `If a prohibited or restricted feature is accessed or used, the kernel will emit` |
| | 18 | `a message that looks like:` |
| ae53794d | 19 | `.PP` |
| 1ae6b2c7 AC | 20 | `.in +4n` |
| | 21 | `.EX` |
| | 22 | `Lockdown: X: Y is restricted, see man kernel_lockdown.7` |
| | 23 | `.EE` |
| | 24 | `.in` |
| ae53794d | 25 | `.PP` |
| bb509e6f | 26 | `where X indicates the process name and Y indicates what is restricted.` |
| ae53794d | 27 | `.PP` |
| bb509e6f HS | 28 | `On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled` |
| | 29 | `if the system boots in EFI Secure Boot mode.` |
| ae53794d MK | 30 | `.\"` |
| | 31 | `.SS Coverage` |
| | 32 | `When lockdown is in effect, a number of features are disabled or have their` |
| | 33 | `use restricted.` |
| | 34 | `This includes special device files and kernel services that allow` |
| bb509e6f | 35 | `direct access of the kernel image:` |
| ae53794d | 36 | `.PP` |
| bb509e6f HS | 37 | `.RS` |
| | 38 | `/dev/mem` |
| | 39 | `.br` |
| | 40 | `/dev/kmem` |
| | 41 | `.br` |
| | 42 | `/dev/kcore` |
| | 43 | `.br` |
| | 44 | `/dev/ioports` |
| | 45 | `.br` |
| | 46 | `BPF` |
| | 47 | `.br` |
| | 48 | `kprobes` |
| | 49 | `.RE` |
| ae53794d MK | 50 | `.PP` |
| | 51 | `and the ability to directly configure and control devices, so as to prevent` |
| | 52 | `the use of a device to access or modify a kernel image:` |
| | 53 | `.IP \(bu 2` |
| bb509e6f HS | 54 | `The use of module parameters that directly specify hardware parameters to` |
| | 55 | `drivers through the kernel command line or when loading a module.` |
| ae53794d | 56 | `.IP \(bu` |
| bb509e6f | 57 | `The use of direct PCI BAR access.` |
| ae53794d | 58 | `.IP \(bu` |
| bb509e6f | 59 | `The use of the ioperm and iopl instructions on x86.` |
| ae53794d | 60 | `.IP \(bu` |
| bb509e6f | 61 | `The use of the KD*IO console ioctls.` |
| ae53794d | 62 | `.IP \(bu` |
| bb509e6f | 63 | `The use of the TIOCSSERIAL serial ioctl.` |
| ae53794d | 64 | `.IP \(bu` |
| bb509e6f | 65 | `The alteration of MSR registers on x86.` |
| ae53794d | 66 | `.IP \(bu` |
| bb509e6f | 67 | `The replacement of the PCMCIA CIS.` |
| ae53794d | 68 | `.IP \(bu` |
| bb509e6f | 69 | `The overriding of ACPI tables.` |
| ae53794d | 70 | `.IP \(bu` |
| bb509e6f | 71 | `The use of ACPI error injection.` |
| ae53794d | 72 | `.IP \(bu` |
| bb509e6f | 73 | `The specification of the ACPI RDSP address.` |
| ae53794d | 74 | `.IP \(bu` |
| bb509e6f | 75 | `The use of ACPI custom methods.` |
| ae53794d | 76 | `.PP` |
| bb509e6f | 77 | `Certain facilities are restricted:` |
| ae53794d | 78 | `.IP \(bu 2` |
| bb509e6f HS | 79 | `Only validly signed modules may be loaded (waived if the module file being` |
| | 80 | `loaded is vouched for by IMA appraisal).` |
| ae53794d MK | 81 | `.IP \(bu` |
| | 82 | `Only validly signed binaries may be kexec'd (waived if the binary image file` |
| | 83 | `to be executed is vouched for by IMA appraisal).` |
| | 84 | `.IP \(bu` |
| bb509e6f HS | 85 | `Unencrypted hibernation/suspend to swap are disallowed as the kernel image is` |
| | 86 | `saved to a medium that can then be accessed.` |
| ae53794d | 87 | `.IP \(bu` |
| bb509e6f HS | 88 | `Use of debugfs is not permitted as this allows a whole range of actions` |
| | 89 | `including direct configuration of, access to and driving of hardware.` |
| ae53794d MK | 90 | `.IP \(bu` |
| | 91 | `IMA requires the addition of the "secure_boot" rules to the policy,` |
| | 92 | `whether or not they are specified on the command line,` |
| | 93 | `for both the built-in and custom policies in secure boot lockdown mode.` |
| d2bbc4b7 MK | 94 | `.SH VERSIONS` |
| | 95 | `The Kernel Lockdown feature was added in Linux 5.4.` |
| 7a737de2 HS | 96 | `.SH NOTES` |
| | 97 | `The Kernel Lockdown feature is enabled by CONFIG_SECURITY_LOCKDOWN_LSM.` |
| | 98 | `The` |
| | 99 | `.I lsm=lsm1,...,lsmN` |
| | 100 | `command line parameter controls the sequence of the initialization of` |
| | 101 | `Linux Security Modules.` |
| | 102 | `It must contain the string` |
| | 103 | `.I lockdown` |
| | 104 | `to enable the Kernel Lockdown feature.` |
| | 105 | `If the command line parameter is not specified,` |
| | 106 | `the initialization falls back to the value of the deprecated` |
| | 107 | `.I security=` |
| | 108 | `command line parameter and further to the value of CONFIG_LSM.` |
| d2bbc4b7 | 109 | `.\" commit 000d388ed3bbed745f366ce71b2bb7c2ee70f449` |
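Two parts of the page above lend themselves to a small detection and configuration check: the `Lockdown: X: Y is restricted, see man kernel_lockdown.7` message format (lines 17-26 of the source) and the rule that the `lsm=` command line parameter must list `lockdown` for the feature to be enabled (lines 96-108). The following Python is an added example written for this page; it is not part of the man page or of the Linux man-pages project. The sample dmesg lines and kernel command lines are constructed for the demonstration, and the `Y` strings in them are illustrative rather than quoted from the kernel. Everything else (the regular expression, the `lsm=` parsing, the assumption that the last `lsm=` on the line wins) is the example's own.

```python
"""Detection helpers for Kernel Lockdown messages (added example, not from kernel_lockdown(7))."""
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Optional


class LockdownEvent(NamedTuple):
    process: str      # X in "Lockdown: X: Y is restricted, ..."
    restriction: str  # Y in the same message


# Format documented in kernel_lockdown(7):
#   Lockdown: X: Y is restricted, see man kernel_lockdown.7
# The pattern is searched, not anchored, so dmesg/journal prefixes
# ("[   12.345678] ", "kernel: ") in front of the message are tolerated.
_LOCKDOWN_RE = re.compile(
    r"Lockdown: (?P<process>[^:]+): (?P<restriction>.+) is restricted, "
    r"see man kernel_lockdown\.7"
)


def parse_lockdown_events(lines: Iterable[str]) -> List[LockdownEvent]:
    """Return one LockdownEvent per input line that carries a lockdown denial."""
    events: List[LockdownEvent] = []
    for line in lines:
        match = _LOCKDOWN_RE.search(line)
        if match:
            events.append(
                LockdownEvent(match.group("process").strip(),
                              match.group("restriction").strip())
            )
    return events


def summarize_restrictions(events: Iterable[LockdownEvent]) -> Dict[str, int]:
    """Count denials per restricted feature (Y); useful for a quick triage view."""
    return dict(Counter(event.restriction for event in events))


def lsm_enables_lockdown(cmdline: str) -> Optional[bool]:
    """Check whether an lsm= parameter on a kernel command line lists "lockdown".

    Returns True/False when lsm= is present.  Returns None when it is absent:
    the page says initialization then falls back to security= and CONFIG_LSM,
    which cannot be evaluated from the command line alone.
    Assumption (example's own): if lsm= appears several times, the last one wins.
    """
    value: Optional[str] = None
    for token in cmdline.split():
        if token.startswith("lsm="):
            value = token[len("lsm="):]
    if value is None:
        return None
    return "lockdown" in value.split(",")


# Constructed sample log lines (not captured from a real system).
SAMPLE_DMESG = """\
[    3.141592] Lockdown: systemd-hibernate: hibernation is restricted, see man kernel_lockdown.7
[   42.000000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
[   99.500000] Lockdown: dd: /dev/mem,kmem,port is restricted, see man kernel_lockdown.7
[  120.250000] Lockdown: bpftrace: use of kprobes is restricted, see man kernel_lockdown.7
[  121.000000] Lockdown: dd: /dev/mem,kmem,port is restricted, see man kernel_lockdown.7
"""

# Constructed sample command lines (not from a real /proc/cmdline).
SAMPLE_CMDLINE_WITH_LOCKDOWN = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 lsm=lockdown,yama,apparmor quiet"
SAMPLE_CMDLINE_WITHOUT_LOCKDOWN = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 lsm=yama,apparmor quiet"
SAMPLE_CMDLINE_NO_LSM = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 security=apparmor quiet"


if __name__ == "__main__":
    found = parse_lockdown_events(SAMPLE_DMESG.splitlines())
    for event in found:
        print(f"{event.process!r} was denied: {event.restriction}")
    print("per-restriction counts:", summarize_restrictions(found))
    for cmdline in (SAMPLE_CMDLINE_WITH_LOCKDOWN,
                    SAMPLE_CMDLINE_WITHOUT_LOCKDOWN,
                    SAMPLE_CMDLINE_NO_LSM):
        print(f"lsm= enables lockdown: {lsm_enables_lockdown(cmdline)}  <- {cmdline}")
```

On a live system the same functions can be fed `dmesg` output (or the kernel transport of `journalctl -k`) and the contents of `/proc/cmdline`; the `None` result for a missing `lsm=` is deliberate, because the page states that the deprecated `security=` parameter and then `CONFIG_LSM` decide the LSM order in that case, and neither is visible from the command line by itself.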