Kernel Lockdown Patches Published (LOCK_DOWN_KERNEL)

  • Kernel Lockdown Patches Published (LOCK_DOWN_KERNEL)

    Phoronix: Kernel Lockdown Patches Published (LOCK_DOWN_KERNEL)

    Red Hat developer David Howells has wrangled up a set of patches by him and other developers to provide a "Kernel Lockdown" mode to prevent the user-space from the possibility of modifying the running kernel image...

  • #2
    Seems targeted at hosting services to improve physical (virtual) security of the servers. Makes sense; in the long run it may decrease paranoid security requirements for datacentres.

    • #3
      Ensuring only signed modules load would be a great thing on desktops as well; however, no system hibernation makes it less useful in that area.

      • #4
        Why not just compile the kernel without all these features? Much, much more secure. And if it's unlockable, there is possibly an exploit there.

        • #5
          Originally posted by bitman
          Ensuring only signed modules load would be a great thing on desktops as well; however, no system hibernation makes it less useful in that area.
          Well, there is still suspend. And hibernation is indeed a bigger security risk than suspend. Well, the kernel could try to verify the written RAM image on the disc, but I doubt this is doable at all.

          • #6
            Originally posted by bitman
            Ensuring only signed modules load would be a great thing on desktops as well; however, no system hibernation makes it less useful in that area.
            Never really saw the point of hibernation. My laptop takes ~10 seconds to boot anyways, and suspend doesn't take much more energy.

            • #7
              Originally posted by SaucyJack
              Never really saw the point of hibernation. My laptop takes ~10 seconds to boot anyways, and suspend doesn't take much more energy.
              If you don't have an SSD, it makes a difference, and boot time isn't everything. There is also the disc cache if you have enough RAM (>=6GB). If you want to measure a real-world scenario, then measure the time until you have loaded a web page with a normal browser.

              • #8
                Originally posted by cj.wijtmans
                Why not just compile the kernel without all these features? Much, much more secure. And if it's unlockable, there is possibly an exploit there.
                You mean without loadable modules? Are you serious?

                • #9
                  Originally posted by bitman
                  Ensuring only signed modules load would be a great thing on desktops as well; however, no system hibernation makes it less useful in that area.
                  There is already a feature like that implemented; check out CONFIG_MODULE_SIG_FORCE.

                  • #10
                    Seems really useful for embedded devices, IoT, the cloud, and virtual machines.
