[thirdparty/man-pages.git] / man7 / kernel_lockdown.7

.\"
.\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
.\" Written by David Howells (dhowells@redhat.com)
.\"
.\" SPDX-License-Identifier: GPL-2.0-or-later
.\"
.TH KERNEL_LOCKDOWN 7 (date) "Linux man-pages (unreleased)"
.SH NAME
kernel_lockdown \- kernel image access prevention feature
.SH DESCRIPTION
The Kernel Lockdown feature is designed to prevent both direct and indirect
access to a running kernel image, attempting to protect against unauthorized
modification of the kernel image and to prevent access to security and
cryptographic data located in kernel memory, whilst still permitting driver
modules to be loaded.
.PP
If a prohibited or restricted feature is accessed or used, the kernel will emit
a message that looks like:
.PP
.in +4n
.EX
Lockdown: X: Y is restricted, see man kernel_lockdown.7
.EE
.in
.PP
where X indicates the process name and Y indicates what is restricted.
.PP
On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled
if the system boots in EFI Secure Boot mode.
.\"
.SS Coverage
When lockdown is in effect, a number of features are disabled or have their
use restricted.
This includes special device files and kernel services that allow
direct access of the kernel image:
.PP
.RS
/dev/mem
.br
/dev/kmem
.br
/dev/kcore
.br
/dev/ioports
.br
BPF
.br
kprobes
.RE
.PP
and the ability to directly configure and control devices, so as to prevent
the use of a device to access or modify a kernel image:
.IP \(bu 2
The use of module parameters that directly specify hardware parameters to
drivers through the kernel command line or when loading a module.
.IP \(bu
The use of direct PCI BAR access.
.IP \(bu
The use of the ioperm and iopl instructions on x86.
.IP \(bu
The use of the KD*IO console ioctls.
.IP \(bu
The use of the TIOCSSERIAL serial ioctl.
.IP \(bu
The alteration of MSR registers on x86.
.IP \(bu
The replacement of the PCMCIA CIS.
.IP \(bu
The overriding of ACPI tables.
.IP \(bu
The use of ACPI error injection.
.IP \(bu
The specification of the ACPI RDSP address.
.IP \(bu
The use of ACPI custom methods.
.PP
Certain facilities are restricted:
.IP \(bu 2
Only validly signed modules may be loaded (waived if the module file being
loaded is vouched for by IMA appraisal).
.IP \(bu
Only validly signed binaries may be kexec'd (waived if the binary image file
to be executed is vouched for by IMA appraisal).
.IP \(bu
Unencrypted hibernation/suspend to swap are disallowed as the kernel image is
saved to a medium that can then be accessed.
.IP \(bu
Use of debugfs is not permitted as this allows a whole range of actions
including direct configuration of, access to and driving of hardware.
.IP \(bu
IMA requires the addition of the "secure_boot" rules to the policy,
whether or not they are specified on the command line,
for both the built-in and custom policies in secure boot lockdown mode.
.SH VERSIONS
The Kernel Lockdown feature was added in Linux 5.4.
.SH NOTES
The Kernel Lockdown feature is enabled by CONFIG_SECURITY_LOCKDOWN_LSM.
The
.I lsm=lsm1,...,lsmN
command line parameter controls the sequence of the initialization of
Linux Security Modules.
It must contain the string
.I lockdown
to enable the Kernel Lockdown feature.
If the command line parameter is not specified,
the initialization falls back to the value of the deprecated
.I security=
command line parameter and further to the value of CONFIG_LSM.
.\" commit 000d388ed3bbed745f366ce71b2bb7c2ee70f449
Commit	Line	Data
bb509e6f HS	1	.\"
	2	.\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
	3	.\" Written by David Howells (dhowells@redhat.com)
	4	.\"
e4a74ca8	5	.\" SPDX-License-Identifier: GPL-2.0-or-later
bb509e6f	6	.\"
ab47278f	7	.TH KERNEL_LOCKDOWN 7 (date) "Linux man-pages (unreleased)"
bb509e6f	8	.SH NAME
ae53794d	9	kernel_lockdown \- kernel image access prevention feature
bb509e6f HS	10	.SH DESCRIPTION
bb509e6f HS	11	The Kernel Lockdown feature is designed to prevent both direct and indirect
ae53794d	12	access to a running kernel image, attempting to protect against unauthorized
bb509e6f HS	13	modification of the kernel image and to prevent access to security and
	14	cryptographic data located in kernel memory, whilst still permitting driver
	15	modules to be loaded.
ae53794d	16	.PP
bb509e6f HS	17	If a prohibited or restricted feature is accessed or used, the kernel will emit
bb509e6f HS	18	a message that looks like:
ae53794d	19	.PP
1ae6b2c7 AC	20	.in +4n
	21	.EX
	22	Lockdown: X: Y is restricted, see man kernel_lockdown.7
	23	.EE
	24	.in
ae53794d	25	.PP
bb509e6f	26	where X indicates the process name and Y indicates what is restricted.
ae53794d	27	.PP
bb509e6f HS	28	On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled
bb509e6f HS	29	if the system boots in EFI Secure Boot mode.
ae53794d MK	30	.\"
	31	.SS Coverage
	32	When lockdown is in effect, a number of features are disabled or have their
	33	use restricted.
	34	This includes special device files and kernel services that allow
bb509e6f	35	direct access of the kernel image:
ae53794d	36	.PP
bb509e6f HS	37	.RS
	38	/dev/mem
	39	.br
	40	/dev/kmem
	41	.br
	42	/dev/kcore
	43	.br
	44	/dev/ioports
	45	.br
	46	BPF
	47	.br
	48	kprobes
	49	.RE
ae53794d MK	50	.PP
	51	and the ability to directly configure and control devices, so as to prevent
	52	the use of a device to access or modify a kernel image:
	53	.IP \(bu 2
bb509e6f HS	54	The use of module parameters that directly specify hardware parameters to
bb509e6f HS	55	drivers through the kernel command line or when loading a module.
ae53794d	56	.IP \(bu
bb509e6f	57	The use of direct PCI BAR access.
ae53794d	58	.IP \(bu
bb509e6f	59	The use of the ioperm and iopl instructions on x86.
ae53794d	60	.IP \(bu
bb509e6f	61	The use of the KD*IO console ioctls.
ae53794d	62	.IP \(bu
bb509e6f	63	The use of the TIOCSSERIAL serial ioctl.
ae53794d	64	.IP \(bu
bb509e6f	65	The alteration of MSR registers on x86.
ae53794d	66	.IP \(bu
bb509e6f	67	The replacement of the PCMCIA CIS.
ae53794d	68	.IP \(bu
bb509e6f	69	The overriding of ACPI tables.
ae53794d	70	.IP \(bu
bb509e6f	71	The use of ACPI error injection.
ae53794d	72	.IP \(bu
bb509e6f	73	The specification of the ACPI RDSP address.
ae53794d	74	.IP \(bu
bb509e6f	75	The use of ACPI custom methods.
ae53794d	76	.PP
bb509e6f	77	Certain facilities are restricted:
ae53794d	78	.IP \(bu 2
bb509e6f HS	79	Only validly signed modules may be loaded (waived if the module file being
bb509e6f HS	80	loaded is vouched for by IMA appraisal).
ae53794d MK	81	.IP \(bu
	82	Only validly signed binaries may be kexec'd (waived if the binary image file
	83	to be executed is vouched for by IMA appraisal).
	84	.IP \(bu
bb509e6f HS	85	Unencrypted hibernation/suspend to swap are disallowed as the kernel image is
bb509e6f HS	86	saved to a medium that can then be accessed.
ae53794d	87	.IP \(bu
bb509e6f HS	88	Use of debugfs is not permitted as this allows a whole range of actions
bb509e6f HS	89	including direct configuration of, access to and driving of hardware.
ae53794d MK	90	.IP \(bu
	91	IMA requires the addition of the "secure_boot" rules to the policy,
	92	whether or not they are specified on the command line,
	93	for both the built-in and custom policies in secure boot lockdown mode.
d2bbc4b7 MK	94	.SH VERSIONS
d2bbc4b7 MK	95	The Kernel Lockdown feature was added in Linux 5.4.
7a737de2 HS	96	.SH NOTES
	97	The Kernel Lockdown feature is enabled by CONFIG_SECURITY_LOCKDOWN_LSM.
	98	The
	99	.I lsm=lsm1,...,lsmN
	100	command line parameter controls the sequence of the initialization of
	101	Linux Security Modules.
	102	It must contain the string
	103	.I lockdown
	104	to enable the Kernel Lockdown feature.
	105	If the command line parameter is not specified,
	106	the initialization falls back to the value of the deprecated
	107	.I security=
	108	command line parameter and further to the value of CONFIG_LSM.
d2bbc4b7	109	.\" commit 000d388ed3bbed745f366ce71b2bb7c2ee70f449