The Linux Kernel Prepares To Be Further Locked Down When Under UEFI Secure Boot

Written by Michael Larabel in Linux Kernel on 1 March 2018 at 11:43 AM EST. 69 Comments
For more than a year we have reported on kernel work to further lock down the Linux kernel when booted with UEFI Secure Boot, and it now looks like that work may finally be close to being mainlined.

Among the further restrictions that would be placed on the Linux kernel when running with UEFI Secure Boot enabled are blocking access to kernel module parameters that configure hardware settings, blocking access to some areas of /dev that could be used to manipulate the kernel or hardware state, and so on.

This is an effort to prevent userspace from manipulating the kernel image, directly or indirectly, and from accessing crypto data stored in the kernel. The work is led by Red Hat and, again, would only affect Linux systems booting with UEFI Secure Boot enabled.
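Because the restrictions described above apply only when the firmware reports Secure Boot as enabled, the first thing an administrator auditing a fleet wants is a reliable way to read that state. The script below is an added example for this article, not code from the kernel lockdown series or from Phoronix. It assumes the standard efivarfs layout (a four-byte attribute header followed by the variable data) and the well-known EFI global variable GUID for SecureBoot; the list of raw-memory device nodes it reports on (/dev/mem, /dev/kmem, /dev/port) is an assumption about which "areas of /dev" the series targets.

```shell
#!/bin/sh
# Added example: report whether this host booted with UEFI Secure Boot and
# which raw-memory device nodes are present. Not part of the lockdown patches.

# efivarfs exposes each UEFI variable as a file: 4 bytes of attributes, then
# the data. For SecureBoot the data is a single byte (1 = enabled, 0 = disabled).
# The GUID is the EFI_GLOBAL_VARIABLE namespace (assumed standard path).
SECUREBOOT_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# secureboot_state [FILE]
# Prints "enabled", "disabled" or "unknown". FILE defaults to the efivar path;
# passing a constructed file lets the parser be exercised offline.
secureboot_state() {
    f="${1:-$SECUREBOOT_VAR}"
    # No efivarfs (legacy BIOS boot, or efivarfs not mounted): state is unknown.
    [ -r "$f" ] || { echo unknown; return 0; }
    # Skip the 4 attribute bytes and read exactly 1 data byte as an unsigned int.
    v=$(od -An -t u1 -j 4 -N 1 "$f" 2>/dev/null | tr -d ' \n')
    case "$v" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# raw_device_nodes
# Prints one line per raw-memory node that exists on this system. Presence of
# the node says nothing about whether the kernel allows opening it; under the
# lockdown series that decision is made in the kernel at open time.
raw_device_nodes() {
    for d in /dev/mem /dev/kmem /dev/port; do
        [ -e "$d" ] && echo "$d"
    done
    return 0
}

# lockdown_report
# Human-readable summary an auditor can paste into a ticket.
lockdown_report() {
    state=$(secureboot_state)
    echo "UEFI Secure Boot: $state"
    nodes=$(raw_device_nodes)
    if [ -n "$nodes" ]; then
        echo "Raw memory device nodes present:"
        echo "$nodes" | sed 's/^/  /'
    else
        echo "Raw memory device nodes present: none"
    fi
    return 0
}

# Run the report when executed directly (harmless when sourced for testing).
[ "${SECUREBOOT_AUDIT_NO_MAIN:-0}" = 1 ] || lockdown_report
```

The parser deliberately treats a missing or unreadable variable as "unknown" rather than "disabled": a host booted in legacy BIOS mode has no SecureBoot variable at all, and an auditor should not record that as a Secure Boot system with lockdown switched off.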

As a sign that this kernel lockdown series could be aiming for mainline in the next kernel release cycle or two, David Howells, who has been involved with this work, has called for it to be pulled into the linux-next branch for testing. We'll see how that testing goes and whether these KERNEL_LOCKDOWN patches then get queued for Linux 4.17~4.18 or so.
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.
