Kernel Lockdown Feature Will Try To Land For Linux 5.4

Written by Michael Larabel in Linux Security on 13 September 2019 at 08:47 AM EDT.
After going through 40+ rounds of revisions and review, the Linux kernel "LOCKDOWN" feature might finally make it into the Linux 5.4 mainline kernel.

While not yet acted upon by Linus Torvalds with the Linux 5.4 merge window not opening until next week, James Morris has submitted a pull request introducing the kernel lockdown mode for Linux 5.4.

The kernel lockdown support was previously rejected from mainline, but since then it has been separated from the EFI Secure Boot code and reimplemented as a Linux security module (LSM) to address some of the earlier concerns over the code. There have also been other improvements to the design of this module.

The Linux Lockdown code is about restricting access to the underlying hardware and bits that could modify the running kernel image. When in the optional lockdown mode, there is restricted access to the CPU machine specific registers, hibernation is disabled, kernel module parameters touching hardware settings are blocked, writes to /dev/mem are not even allowed as root, and various other restrictions.

This optional mode really locks down the system hard, but it is strictly opt-in and intended to be paired with UEFI Secure Boot or used in other security-minded environments.
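Because lockdown is opt-in, the first thing a defender wants to know is whether it is actually enforcing and what it has blocked. The following script is an added example, not code from the article or from the kernel; it assumes the interface of the Lockdown LSM as later merged (a /sys/kernel/security/lockdown file showing the active mode in brackets, and a "Lockdown: <process>: <operation> is restricted" kernel notice), and the dmesg lines it parses are constructed samples.

```python
import re
from collections import Counter
from pathlib import Path

# Assumed formats (those of the Lockdown LSM as later merged, not from the article):
# /sys/kernel/security/lockdown shows the active mode in brackets,
#   e.g. "[none] integrity confidentiality";
# a blocked operation logs "Lockdown: <comm>: <what> is restricted; see man kernel_lockdown.7".
MODES = ("none", "integrity", "confidentiality")
DENIAL_RE = re.compile(r"Lockdown: (?P<comm>.+?): (?P<what>.+?) is restricted")


def parse_lockdown_mode(text):
    """Return the bracketed mode from the sysfs file's contents, or None if unparseable."""
    m = re.search(r"\[(\w+)\]", text)
    return m.group(1) if m and m.group(1) in MODES else None


def read_lockdown_mode(path="/sys/kernel/security/lockdown"):
    """Read the live mode; None when securityfs is absent or lockdown is not built in."""
    try:
        return parse_lockdown_mode(Path(path).read_text())
    except OSError:
        return None


def parse_denials(log_lines):
    """Extract (process, restricted operation) pairs from kernel log lines."""
    return [(m.group("comm"), m.group("what"))
            for m in map(DENIAL_RE.search, log_lines) if m]


def summarize(mode, denials):
    """Per-process counts of blocked operations, plus whether lockdown is enforcing at all."""
    by_process = {}
    for comm, what in denials:
        by_process.setdefault(comm, Counter())[what] += 1
    return {"mode": mode, "enforcing": mode in MODES[1:], "by_process": by_process}


# Constructed sample input (not real system output) so the script runs offline.
SAMPLE_SYSFS = "none [integrity] confidentiality\n"
SAMPLE_DMESG = [
    "[12.3456] Lockdown: msr-tool: x86 MSR access is restricted; see man kernel_lockdown.7",
    "[12.4000] Lockdown: dd: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7",
    "[12.5000] usb 1-1: new high-speed USB device number 2 using xhci_hcd",
    "[13.0000] Lockdown: dd: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7",
]

if __name__ == "__main__":
    # On a real host, use read_lockdown_mode() and feed it the output of dmesg instead.
    print(summarize(parse_lockdown_mode(SAMPLE_SYSFS), parse_denials(SAMPLE_DMESG)))
```

A mode of "none" means every restriction listed above is inactive, so a report with no denials says nothing about the host's exposure unless the mode check passes first.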

We'll see in the next few days whether the kernel lockdown code is accepted for Linux 5.4 mainline. Given the improvements made and the fact that most tier-one Linux distributions already carry "lockdown" support in some form, it stands a good chance of finally reaching the mainline tree.