Re: [PATCH 1/1] kernel_lockdown.7: new file

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello Heinrich,

On 10/16/20 1:28 PM, Heinrich Schuchardt wrote:
> Provide a man-page for kernel_lockdown. The content is taken from a patch
> for the Fedora 34 man-pages available at
> 
> https://kojipkgs.fedoraproject.org//packages/man-pages/5.08/1.fc34/src/man-pages-5.08-1.fc34.src.rpm
> 
> Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
> Signed-off-by: Heinrich Schuchardt <xypron.glpk@xxxxxx>

Thanks. I've applied this, done a few light edits, and pushed.

Cheers,

Michael

> ---
>  man7/kernel_lockdown.7 | 107 +++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 107 insertions(+)
>  create mode 100644 man7/kernel_lockdown.7
> 
> diff --git a/man7/kernel_lockdown.7 b/man7/kernel_lockdown.7
> new file mode 100644
> index 000000000..5ec4289be
> --- /dev/null
> +++ b/man7/kernel_lockdown.7
> @@ -0,0 +1,107 @@
> +.\"
> +.\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
> +.\" Written by David Howells (dhowells@xxxxxxxxxx)
> +.\"
> +.\" %%%LICENSE_START(GPLv2+_SW_ONEPARA)
> +.\" This program is free software; you can redistribute it and/or
> +.\" modify it under the terms of the GNU General Public License
> +.\" as published by the Free Software Foundation; either version
> +.\" 2 of the License, or (at your option) any later version.
> +.\" %%%LICENSE_END
> +.\"
> +.TH "KERNEL LOCKDOWN" 7 2017-10-05 Linux "Linux Programmer's Manual"
> +.SH NAME
> +Kernel Lockdown \- Kernel image access prevention feature
> +.SH DESCRIPTION
> +The Kernel Lockdown feature is designed to prevent both direct and indirect
> +access to a running kernel image, attempting to protect against unauthorised
> +modification of the kernel image and to prevent access to security and
> +cryptographic data located in kernel memory, whilst still permitting driver
> +modules to be loaded.
> +.P
> +Lockdown is typically enabled during boot and may be terminated, if configured,
> +by typing a special key combination on a directly attached physical keyboard.
> +.P
> +If a prohibited or restricted feature is accessed or used, the kernel will emit
> +a message that looks like:
> +.P
> +.RS
> + Lockdown: X: Y is restricted, see man kernel_lockdown.7
> +.RE
> +.P
> +where X indicates the process name and Y indicates what is restricted.
> +.P
> +On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled
> +if the system boots in EFI Secure Boot mode.
> +.P
> +If the kernel is appropriately configured, lockdown may be lifted by typing the
> +appropriate sequence on a directly attached physical keyboard.  For x86
> +machines, this is
> +.IR SysRq+x .
> +.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
> +.SH COVERAGE
> +When lockdown is in effect, a number of features are disabled or have their use
> +restricted.  This includes special device files and kernel services that allow
> +direct access of the kernel image:
> +.P
> +.RS
> +/dev/mem
> +.br
> +/dev/kmem
> +.br
> +/dev/kcore
> +.br
> +/dev/ioports
> +.br
> +BPF
> +.br
> +kprobes
> +.RE
> +.P
> +and the ability to directly configure and control devices, so as to prevent the
> +use of a device to access or modify a kernel image:
> +.P
> +.RS
> +The use of module parameters that directly specify hardware parameters to
> +drivers through the kernel command line or when loading a module.
> +.P
> +The use of direct PCI BAR access.
> +.P
> +The use of the ioperm and iopl instructions on x86.
> +.P
> +The use of the KD*IO console ioctls.
> +.P
> +The use of the TIOCSSERIAL serial ioctl.
> +.P
> +The alteration of MSR registers on x86.
> +.P
> +The replacement of the PCMCIA CIS.
> +.P
> +The overriding of ACPI tables.
> +.P
> +The use of ACPI error injection.
> +.P
> +The specification of the ACPI RDSP address.
> +.P
> +The use of ACPI custom methods.
> +.RE
> +.P
> +Certain facilities are restricted:
> +.P
> +.RS
> +Only validly signed modules may be loaded (waived if the module file being
> +loaded is vouched for by IMA appraisal).
> +.P
> +Only validly signed binaries may be kexec'd (waived if the binary image file to
> +be executed is vouched for by IMA appraisal).
> +.P
> +Unencrypted hibernation/suspend to swap are disallowed as the kernel image is
> +saved to a medium that can then be accessed.
> +.P
> +Use of debugfs is not permitted as this allows a whole range of actions
> +including direct configuration of, access to and driving of hardware.
> +.P
> +IMA requires the addition of the "secure_boot" rules to the policy, whether or
> +not they are specified on the command line, for both the builtin and custom
> +policies in secure boot lockdown mode.
> +.RE
> --
> 2.28.0
> 
> .
> 


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/



[Index of Archives]     [Kernel Documentation]     [Netdev]     [Linux Ethernet Bridging]     [Linux Wireless]     [Kernel Newbies]     [Security]     [Linux for Hams]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux Admin]     [Samba]

  Powered by Linux