On Fri, 11 Oct 2019 23:46:20 +0200 Florian Weimer <fw@xxxxxxxxxxxxx> wrote: > * Steven Rostedt: > > > Once locked down is set, can it ever be undone without rebooting? > > I think this is the original intent with such patches, yes. But then > reality interferes and people add some escape hatch, so that it's > possible again to load arbitrary kernel modules. And for servers, you > can't have a meaningful physical presence check, so you end up with a > lot of complexity for something that offers absolutely zero gains in > security. > > The other practical issue is that general-purpose Linux distributions > cannot prevent kernel downgrades, so even if there's a > cryptographically signed chain from the firmware to the kernel, you > can boot last year's kernel, use a root-to-ring-0 exploit to disable > its particular implementation of lockdown, and then kexec the real > kernel with lockdown disabled. > > I'm sure that kernel lockdown has applications somewhere, but for > general-purpose distributions (who usually want to support third-party > kernel modules), it's an endless source of problems that wouldn't > exist without it. I just decided to keep the two separate. The tracing_disable is permanent (unless you actually do something that writes into kernel memory to change the variable). When set, there's nothing to clear it. Thus, I decided not to couple that with lockdown, and let the lockdown folks do whatever they damn well please ;-) -- Steve
