diff options
| author | Alejandro Colomar <alx.manpages@gmail.com> | 2022-09-09 14:15:08 +0200 |
|---|---|---|
| committer | Alejandro Colomar <alx.manpages@gmail.com> | 2022-09-09 14:15:08 +0200 |
| commit | 96e72ec1fbadd13cbcbc2b263540e4f5e9e09d7c (patch) | |
| tree | 70686b943e33a6e939ad265acb7ddfef70b91f32 /man/man7/kernel_lockdown.7 | |
| parent | 8f4ed6463206e8ede815c72085c7305dafc2e4fc (diff) | |
| download | man-pages-96e72ec1fbadd13cbcbc2b263540e4f5e9e09d7c.tar.gz | |
Revert "src.mk, All pages: Move man* to man/"
This reverts commit 70ac1c4785fc1e158ab2349a962dba2526bf4fbc.
Link: <https://lore.kernel.org/linux-man/YxcV4h+Xn7cd6+q2@pevik/T/>
Reported-by: Petr Vorel <pvorel@suse.cz>
Reported-by: Jakub Wilk <jwilk@jwilk.net>
Cc: Stefan Puiu <stefan.puiu@gmail.com>
Signed-off-by: Alex Colomar <alx.manpages@gmail.com>
Diffstat (limited to 'man/man7/kernel_lockdown.7')
| -rw-r--r-- | man/man7/kernel_lockdown.7 | 109 |
1 files changed, 0 insertions, 109 deletions
diff --git a/man/man7/kernel_lockdown.7 b/man/man7/kernel_lockdown.7 deleted file mode 100644 index 8176ea6eaf..0000000000 --- a/man/man7/kernel_lockdown.7 +++ /dev/null @@ -1,109 +0,0 @@ -.\" -.\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved. -.\" Written by David Howells (dhowells@redhat.com) -.\" -.\" SPDX-License-Identifier: GPL-2.0-or-later -.\" -.TH KERNEL_LOCKDOWN 7 2021-06-20 "Linux man-pages (unreleased)" -.SH NAME -kernel_lockdown \- kernel image access prevention feature -.SH DESCRIPTION -The Kernel Lockdown feature is designed to prevent both direct and indirect -access to a running kernel image, attempting to protect against unauthorized -modification of the kernel image and to prevent access to security and -cryptographic data located in kernel memory, whilst still permitting driver -modules to be loaded. -.PP -If a prohibited or restricted feature is accessed or used, the kernel will emit -a message that looks like: -.PP -.in +4n -.EX -Lockdown: X: Y is restricted, see man kernel_lockdown.7 -.EE -.in -.PP -where X indicates the process name and Y indicates what is restricted. -.PP -On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled -if the system boots in EFI Secure Boot mode. -.\" -.SS Coverage -When lockdown is in effect, a number of features are disabled or have their -use restricted. -This includes special device files and kernel services that allow -direct access of the kernel image: -.PP -.RS -/dev/mem -.br -/dev/kmem -.br -/dev/kcore -.br -/dev/ioports -.br -BPF -.br -kprobes -.RE -.PP -and the ability to directly configure and control devices, so as to prevent -the use of a device to access or modify a kernel image: -.IP \(bu 2 -The use of module parameters that directly specify hardware parameters to -drivers through the kernel command line or when loading a module. -.IP \(bu -The use of direct PCI BAR access. -.IP \(bu -The use of the ioperm and iopl instructions on x86. -.IP \(bu -The use of the KD*IO console ioctls. -.IP \(bu -The use of the TIOCSSERIAL serial ioctl. -.IP \(bu -The alteration of MSR registers on x86. -.IP \(bu -The replacement of the PCMCIA CIS. -.IP \(bu -The overriding of ACPI tables. -.IP \(bu -The use of ACPI error injection. -.IP \(bu -The specification of the ACPI RDSP address. -.IP \(bu -The use of ACPI custom methods. -.PP -Certain facilities are restricted: -.IP \(bu 2 -Only validly signed modules may be loaded (waived if the module file being -loaded is vouched for by IMA appraisal). -.IP \(bu -Only validly signed binaries may be kexec'd (waived if the binary image file -to be executed is vouched for by IMA appraisal). -.IP \(bu -Unencrypted hibernation/suspend to swap are disallowed as the kernel image is -saved to a medium that can then be accessed. -.IP \(bu -Use of debugfs is not permitted as this allows a whole range of actions -including direct configuration of, access to and driving of hardware. -.IP \(bu -IMA requires the addition of the "secure_boot" rules to the policy, -whether or not they are specified on the command line, -for both the built-in and custom policies in secure boot lockdown mode. -.SH VERSIONS -The Kernel Lockdown feature was added in Linux 5.4. -.SH NOTES -The Kernel Lockdown feature is enabled by CONFIG_SECURITY_LOCKDOWN_LSM. -The -.I lsm=lsm1,...,lsmN -command line parameter controls the sequence of the initialization of -Linux Security Modules. -It must contain the string -.I lockdown -to enable the Kernel Lockdown feature. -If the command line parameter is not specified, -the initialization falls back to the value of the deprecated -.I security= -command line parameter and further to the value of CONFIG_LSM. -.\" commit 000d388ed3bbed745f366ce71b2bb7c2ee70f449 |