User:JM01085758/lockdown
Since kernel version 5.4,[1] support has been added for integrity and confidentiality lockdown modes. Lockdown is a Linux Security Module (LSM); whereas LSMs traditionally take effect only once userspace is active, lockdown is enabled very early in the boot sequence, even before kmalloc() can request memory.[2] Integrity mode disables features that allow userspace to modify the running kernel. Confidentiality mode does the same but goes further, also preventing extraction of confidential information from the kernel.[3] Enabling either will prevent the loading of unsigned kernel modules as well as unencrypted hibernation or suspend to swap.[4] By default in Gentoo, neither mode is enabled, but on EFI x86 or arm64 with other distributions, lockdown may be automatically enabled when Secure Boot is enabled.[4]
Background
The motivation for implementing this feature was "to enforce a distinction between running as root and the ability to run code in kernel mode".[5] To quote Matthew Garrett, "if you can run arbitrary code in the kernel then you can use the kernel to boot anything you want",[6] defeating the point of UEFI Secure Boot. Work on the lockdown LSM began in the early 2010s.[7]
Kernel
Security options --->
[*] Basic module for enforcing kernel lockdown
[*] Enable lockdown LSM early in init
Kernel default lockdown mode (Integrity) --->
GRUB
Lockdown modes can also be enabled via the kernel command line in GRUB: GRUB_CMDLINE_LINUX="lockdown=integrity".[3]
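As an added example (not part of this page, nor from the kernel or Gentoo projects), the following POSIX shell script audits the three places the mode comes from: the kernel configuration, the lockdown= boot parameter, and the live state exported in /sys/kernel/security/lockdown. The CONFIG_* names are the Kconfig symbols behind the menuconfig entries listed above; the sample .config, command line and state string are constructed. It also applies one fact the page does not spell out: the kernel only ever tightens lockdown, so a lockdown= parameter can raise the compiled-in default but never lower it.

```shell
#!/bin/sh
# Added example, not part of the wiki page: audit where lockdown is set.
# The CONFIG_* symbols are the Kconfig names behind the menuconfig entries;
# every sample input below is constructed.

# Rank of a mode. The kernel's lock_kernel_down() refuses to lower the level,
# so when config and command line disagree the stricter one wins.
mode_rank() {
    case "$1" in
        none) printf '%s\n' 0 ;;
        integrity) printf '%s\n' 1 ;;
        confidentiality) printf '%s\n' 2 ;;
        *) printf '%s\n' -1 ;;
    esac
}

# Active mode, parsed from the contents of /sys/kernel/security/lockdown.
# The file lists every mode and marks the active one in square brackets,
# e.g. "none [integrity] confidentiality".
lockdown_state() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^\[\(.*\)\]$/\1/p'
}

# Value of the lockdown= parameter in a kernel command line (empty if absent;
# the last occurrence is reported).
cmdline_lockdown() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^lockdown=//p' | tail -n 1
}

# Compiled-in default from .config text: integrity, confidentiality, none,
# or "missing" when the lockdown LSM is not built at all.
config_lockdown() {
    if ! printf '%s\n' "$1" | grep -q '^CONFIG_SECURITY_LOCKDOWN_LSM=y$'; then
        printf '%s\n' missing
        return 0
    fi
    if printf '%s\n' "$1" | grep -q '^CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y$'; then
        printf '%s\n' confidentiality
    elif printf '%s\n' "$1" | grep -q '^CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y$'; then
        printf '%s\n' integrity
    else
        printf '%s\n' none
    fi
}

# Mode the kernel should end up in for a given .config and command line:
# the stricter of the two, because lockdown can only be raised at boot.
expected_mode() {
    cfg_mode=$(config_lockdown "$1")
    if [ "$cfg_mode" = missing ]; then
        printf '%s\n' missing
        return 0
    fi
    cl_mode=$(cmdline_lockdown "$2")
    if [ -z "$cl_mode" ]; then
        cl_mode=none
    fi
    if [ "$(mode_rank "$cl_mode")" -gt "$(mode_rank "$cfg_mode")" ]; then
        printf '%s\n' "$cl_mode"
    else
        printf '%s\n' "$cfg_mode"
    fi
}

# Report the running host; each source is skipped if it is not readable.
report_host() {
    if [ -r /sys/kernel/security/lockdown ]; then
        echo "runtime: $(lockdown_state "$(cat /sys/kernel/security/lockdown)")"
    else
        echo "runtime: /sys/kernel/security/lockdown not readable (LSM absent or securityfs not mounted)"
    fi
    if [ -r /proc/cmdline ]; then
        cl=$(cmdline_lockdown "$(cat /proc/cmdline)")
        echo "cmdline: ${cl:-not set}"
    fi
    if [ -r /proc/config.gz ] && command -v zcat >/dev/null 2>&1; then
        echo "config:  $(config_lockdown "$(zcat /proc/config.gz)")"
    fi
    return 0
}

# Constructed sample inputs for a stand-alone run.
SAMPLE_CONFIG='CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/example ro lockdown=confidentiality quiet'
SAMPLE_STATE='none integrity [confidentiality]'

echo "sample config default: $(config_lockdown "$SAMPLE_CONFIG")"
echo "sample cmdline:        $(cmdline_lockdown "$SAMPLE_CMDLINE")"
echo "sample expected mode:  $(expected_mode "$SAMPLE_CONFIG" "$SAMPLE_CMDLINE")"
echo "sample runtime state:  $(lockdown_state "$SAMPLE_STATE")"
report_host
```

On a host where the lockdown LSM is built in and securityfs is mounted, the runtime line is the authoritative answer; the config and command-line lines explain how it got there, and a mismatch (for example a runtime mode stricter than both) points at another source raising the level, such as Secure Boot on distributions that do so.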
Impact
Enabling either lockdown mode restricts the ability to modify and/or read the following:
- Model-specific registers (MSRs)
A more extensive list is given in the kernel_lockdown(7) manpage.[4]
Vulnerabilities
Kernels prior to 5.19 contain a trivial bypass bug, CVE-2022-21505.[9][10]
A separate lockdown vulnerability, CVE-2022-21499, was patched in May 2022.[11]
See also
- Kernel Modules — object files that contain code to extend the kernel of an operating system.
- Signed kernel module support — allows further hardening of the system by disallowing unsigned kernel modules, or kernel modules signed with the wrong key, to be loaded.
- Extended Verification Module — used to validate security-sensitive extended attributes before allowing operations on the files.
- Integrity Measurement Architecture — is responsible for calculating the hashes of files and programs before they are loaded.
External resources
References
- ↑ https://www.phoronix.com/news/Linux-5.4-Adds-Lockdown
- ↑ https://www.linux-magazine.com/Issues/2020/239/Lockdown-Mode
- ↑ 3.0 3.1 https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
- ↑ 4.0 4.1 4.2 https://man7.org/linux/man-pages/man7/kernel_lockdown.7.html
- ↑ https://lwn.net/Articles/751061/
- ↑ https://mjg59.dreamwidth.org/50577.html
- ↑ https://www.zdnet.com/article/linux-to-get-kernel-lockdown-feature/
- ↑ In the manpage, "/dev/ioports" is a typo.
- ↑ https://www.phoronix.com/news/Linux-Fix-CVE-2022-21505
- ↑ https://access.redhat.com/security/cve/CVE-2022-21505
- ↑ https://nvd.nist.gov/vuln/detail/CVE-2022-21499