On 16.10.20 13:28, Heinrich Schuchardt wrote: > Provide a man-page for kernel_lockdown. The content is taken from a patch > for the Fedora 34 man-pages available at > > https://kojipkgs.fedoraproject.org//packages/man-pages/5.08/1.fc34/src/man-pages-5.08-1.fc34.src.rpm > > Signed-off-by: David Howells <dhowells@xxxxxxxxxx> > Signed-off-by: Heinrich Schuchardt <xypron.glpk@xxxxxx> > --- > man7/kernel_lockdown.7 | 107 +++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 107 insertions(+) > create mode 100644 man7/kernel_lockdown.7 > > diff --git a/man7/kernel_lockdown.7 b/man7/kernel_lockdown.7 > new file mode 100644 > index 000000000..5ec4289be > --- /dev/null > +++ b/man7/kernel_lockdown.7 
> @@ -0,0 +1,107 @@ > +.\" > +.\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved. > +.\" Written by David Howells (dhowells@xxxxxxxxxx) > +.\" > +.\" %%%LICENSE_START(GPLv2+_SW_ONEPARA) > +.\" This program is free software; you can redistribute it and/or > +.\" modify it under the terms of the GNU General Public License > +.\" as published by the Free Software Foundation; either version > +.\" 2 of the License, or (at your option) any later version. > +.\" %%%LICENSE_END > +.\" > +.TH "KERNEL LOCKDOWN" 7 2017-10-05 Linux "Linux Programmer's Manual" > +.SH NAME > +Kernel Lockdown \- Kernel image access prevention feature > +.SH DESCRIPTION > +The Kernel Lockdown feature is designed to prevent both direct and indirect > +access to a running kernel image, attempting to protect against unauthorised > +modification of the kernel image and to prevent access to security and > +cryptographic data located in kernel memory, whilst still permitting driver > +modules to be loaded. > +.P > +Lockdown is typically enabled during boot and may be terminated, if configured, > +by typing a special key combination on a directly attached physical keyboard. > +.P > +If a prohibited or restricted feature is accessed or used, the kernel will emit > +a message that looks like: > +.P > +.RS > + Lockdown: X: Y is restricted, see man kernel_lockdown.7 > +.RE > +.P > +where X indicates the process name and Y indicates what is restricted. > +.P > +On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled > +if the system boots in EFI Secure Boot mode. > +.P > +If the kernel is appropriately configured, lockdown may be lifted by typing the > +appropriate sequence on a directly attached physical keyboard. For x86 > +machines, this is > +.IR SysRq+x . > +.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" > +.SH COVERAGE > +When lockdown is in effect, a number of features are disabled or have their use > +restricted. 
This includes special device files and kernel services that allow > +direct access of the kernel image: > +.P > +.RS > +/dev/mem > +.br > +/dev/kmem > +.br > +/dev/kcore > +.br > +/dev/ioports > +.br > +BPF > +.br > +kprobes > +.RE > +.P > +and the ability to directly configure and control devices, so as to prevent the > +use of a device to access or modify a kernel image: > +.P > +.RS > +The use of module parameters that directly specify hardware parameters to > +drivers through the kernel command line or when loading a module. > +.P > +The use of direct PCI BAR access. > +.P > +The use of the ioperm and iopl instructions on x86. > +.P > +The use of the KD*IO console ioctls. > +.P > +The use of the TIOCSSERIAL serial ioctl. > +.P > +The alteration of MSR registers on x86. > +.P > +The replacement of the PCMCIA CIS. > +.P > +The overriding of ACPI tables. > +.P > +The use of ACPI error injection. > +.P > +The specification of the ACPI RDSP address. > +.P > +The use of ACPI custom methods. > +.RE > +.P > +Certain facilities are restricted: > +.P > +.RS > +Only validly signed modules may be loaded (waived if the module file being > +loaded is vouched for by IMA appraisal). > +.P > +Only validly signed binaries may be kexec'd (waived if the binary image file to > +be executed is vouched for by IMA appraisal). > +.P > +Unencrypted hibernation/suspend to swap are disallowed as the kernel image is > +saved to a medium that can then be accessed. > +.P > +Use of debugfs is not permitted as this allows a whole range of actions > +including direct configuration of, access to and driving of hardware. > +.P > +IMA requires the addition of the "secure_boot" rules to the policy, whether or > +not they are specified on the command line, for both the builtin and custom > +policies in secure boot lockdown mode. 
> +.RE > -- > 2.28.0 >

We should explain in this context:

* string "lockdown" in CONFIG_LSM
* CONFIG_SECURITY_LOCKDOWN_LSM
* CONFIG_SECURITY_LOCKDOWN_LSM_EARLY
* CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE
* CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY
* CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY

The relationship between CONFIG_LSM and CONFIG_SECURITY_LOCKDOWN_LSM is not obvious in the Kconfig menu as CONFIG_LSM does not mention which modules are available and CONFIG_SECURITY_LOCKDOWN_LSM does not mention that it depends on CONFIG_LSM.

Best regards

Heinrich
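Review bot: the page never says that lockdown has two modes, integrity and confidentiality, and never names the interface that selects them, so a reader cannot map the COVERAGE list onto what a given kernel actually enforces; the DESCRIPTION should document the `lockdown=integrity|confidentiality` kernel command-line parameter and the `/sys/kernel/security/lockdown` securityfs file (the build-time defaults behind them are the CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY and CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY options named in the reply), and each item under COVERAGE should state which mode it belongs to. Two smaller points: the header `.TH "KERNEL LOCKDOWN" 7 2017-10-05` should carry the page's real name, e.g. `.TH KERNEL_LOCKDOWN 7`, so it matches the file man7/kernel_lockdown.7 and the `see man kernel_lockdown.7` message quoted in the text, and the 2017 date predates the lockdown LSM that mainline merged; and the paragraphs on automatic enablement under EFI Secure Boot and on lifting lockdown with SysRq+x describe behaviour carried in distribution patches rather than by the mainline CONFIG_SECURITY_LOCKDOWN_LSM, so they should be qualified as such or dropped.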