910adacdbc
- resolves: #1797591
114 lines
3.6 KiB
Diff
114 lines
3.6 KiB
Diff
diff --git a/man7/kernel_lockdown.7 b/man7/kernel_lockdown.7
|
|
new file mode 100644
|
|
index 0000000..5ec4289
|
|
--- /dev/null
|
|
+++ b/man7/kernel_lockdown.7
|
|
@@ -0,0 +1,107 @@
|
|
+.\"
|
|
+.\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
|
|
+.\" Written by David Howells (dhowells@redhat.com)
|
|
+.\"
|
|
+.\" %%%LICENSE_START(GPLv2+_SW_ONEPARA)
|
|
+.\" This program is free software; you can redistribute it and/or
|
|
+.\" modify it under the terms of the GNU General Public License
|
|
+.\" as published by the Free Software Foundation; either version
|
|
+.\" 2 of the License, or (at your option) any later version.
|
|
+.\" %%%LICENSE_END
|
|
+.\"
|
|
+.TH "KERNEL LOCKDOWN" 7 2017-10-05 Linux "Linux Programmer's Manual"
|
|
+.SH NAME
|
|
+Kernel Lockdown \- Kernel image access prevention feature
|
|
+.SH DESCRIPTION
|
|
+The Kernel Lockdown feature is designed to prevent both direct and indirect
|
|
+access to a running kernel image, attempting to protect against unauthorised
|
|
+modification of the kernel image and to prevent access to security and
|
|
+cryptographic data located in kernel memory, whilst still permitting driver
|
|
+modules to be loaded.
|
|
+.P
|
|
+Lockdown is typically enabled during boot and may be terminated, if configured,
|
|
+by typing a special key combination on a directly attached physical keyboard.
|
|
+.P
|
|
+If a prohibited or restricted feature is accessed or used, the kernel will emit
|
|
+a message that looks like:
|
|
+.P
|
|
+.RS
|
|
+ Lockdown: X: Y is restricted, see man kernel_lockdown.7
|
|
+.RE
|
|
+.P
|
|
+where X indicates the process name and Y indicates what is restricted.
|
|
+.P
|
|
+On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled
|
|
+if the system boots in EFI Secure Boot mode.
|
|
+.P
|
|
+If the kernel is appropriately configured, lockdown may be lifted by typing the
|
|
+appropriate sequence on a directly attached physical keyboard. For x86
|
|
+machines, this is
|
|
+.IR SysRq+x .
|
|
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
|
|
+.SH COVERAGE
|
|
+When lockdown is in effect, a number of features are disabled or have their use
|
|
+restricted. This includes special device files and kernel services that allow
|
|
+direct access of the kernel image:
|
|
+.P
|
|
+.RS
|
|
+/dev/mem
|
|
+.br
|
|
+/dev/kmem
|
|
+.br
|
|
+/dev/kcore
|
|
+.br
|
|
+/dev/ioports
|
|
+.br
|
|
+BPF
|
|
+.br
|
|
+kprobes
|
|
+.RE
|
|
+.P
|
|
+and the ability to directly configure and control devices, so as to prevent the
|
|
+use of a device to access or modify a kernel image:
|
|
+.P
|
|
+.RS
|
|
+The use of module parameters that directly specify hardware parameters to
|
|
+drivers through the kernel command line or when loading a module.
|
|
+.P
|
|
+The use of direct PCI BAR access.
|
|
+.P
|
|
+The use of the ioperm and iopl instructions on x86.
|
|
+.P
|
|
+The use of the KD*IO console ioctls.
|
|
+.P
|
|
+The use of the TIOCSSERIAL serial ioctl.
|
|
+.P
|
|
+The alteration of MSR registers on x86.
|
|
+.P
|
|
+The replacement of the PCMCIA CIS.
|
|
+.P
|
|
+The overriding of ACPI tables.
|
|
+.P
|
|
+The use of ACPI error injection.
|
|
+.P
|
|
+The specification of the ACPI RDSP address.
|
|
+.P
|
|
+The use of ACPI custom methods.
|
|
+.RE
|
|
+.P
|
|
+Certain facilities are restricted:
|
|
+.P
|
|
+.RS
|
|
+Only validly signed modules may be loaded (waived if the module file being
|
|
+loaded is vouched for by IMA appraisal).
|
|
+.P
|
|
+Only validly signed binaries may be kexec'd (waived if the binary image file to
|
|
+be executed is vouched for by IMA appraisal).
|
|
+.P
|
|
+Unencrypted hibernation/suspend to swap are disallowed as the kernel image is
|
|
+saved to a medium that can then be accessed.
|
|
+.P
|
|
+Use of debugfs is not permitted as this allows a whole range of actions
|
|
+including direct configuration of, access to and driving of hardware.
|
|
+.P
|
|
+IMA requires the addition of the "secure_boot" rules to the policy, whether or
|
|
+not they are specified on the command line, for both the builtin and custom
|
|
+policies in secure boot lockdown mode.
|
|
+.RE
|