diff options
| author | Alejandro Colomar <alx@kernel.org> | 2024-04-26 15:06:49 +0200 |
|---|---|---|
| committer | Alejandro Colomar <alx@kernel.org> | 2024-05-02 01:24:19 +0200 |
| commit | dcde2f70372b49ec43efc5db864c9ff585d0a2dd (patch) | |
| tree | 78b9b7425130e4a5858e4c01a524d802423879ed /man/man7/kernel_lockdown.7 | |
| parent | 12aca537ce78a41bbcdaf485209691e10f8002d7 (diff) | |
| download | man-pages-dcde2f70372b49ec43efc5db864c9ff585d0a2dd.tar.gz | |
man/, share/mk/: Move man*/ to man/
This is a scripted change:
$ mkdir man/;
$ mv man* man/;
$ ln -st . man/man*;
$ find share/mk/ -type f \
| xargs grep -l '^MANDIR *:=' \
| xargs sed -i '/^MANDIR *:=/s,$,/man,';
$ find share/mk/dist/ -type f \
| xargs grep -l man \
| xargs sed -i 's,man%,man/%,g';
Link: <https://lore.kernel.org/linux-man/YxcV4h+Xn7cd6+q2@pevik/T/>
Cc: Petr Vorel <pvorel@suse.cz>
Cc: Jakub Wilk <jwilk@jwilk.net>
Cc: Stefan Puiu <stefan.puiu@gmail.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Diffstat (limited to 'man/man7/kernel_lockdown.7')
| -rw-r--r-- | man/man7/kernel_lockdown.7 | 109 |
1 files changed, 109 insertions, 0 deletions
diff --git a/man/man7/kernel_lockdown.7 b/man/man7/kernel_lockdown.7 new file mode 100644 index 0000000000..1dcb583d4d --- /dev/null +++ b/man/man7/kernel_lockdown.7 @@ -0,0 +1,109 @@ +.\" +.\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved. +.\" Written by David Howells (dhowells@redhat.com) +.\" +.\" SPDX-License-Identifier: GPL-2.0-or-later +.\" +.TH kernel_lockdown 7 (date) "Linux man-pages (unreleased)" +.SH NAME +kernel_lockdown \- kernel image access prevention feature +.SH DESCRIPTION +The Kernel Lockdown feature is designed to prevent both direct and indirect +access to a running kernel image, attempting to protect against unauthorized +modification of the kernel image and to prevent access to security and +cryptographic data located in kernel memory, whilst still permitting driver +modules to be loaded. +.P +If a prohibited or restricted feature is accessed or used, the kernel will emit +a message that looks like: +.P +.in +4n +.EX +Lockdown: X: Y is restricted, see man kernel_lockdown.7 +.EE +.in +.P +where X indicates the process name and Y indicates what is restricted. +.P +On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled +if the system boots in EFI Secure Boot mode. +.\" +.SS Coverage +When lockdown is in effect, a number of features are disabled or have their +use restricted. +This includes special device files and kernel services that allow +direct access of the kernel image: +.P +.RS +/dev/mem +.br +/dev/kmem +.br +/dev/kcore +.br +/dev/ioports +.br +BPF +.br +kprobes +.RE +.P +and the ability to directly configure and control devices, so as to prevent +the use of a device to access or modify a kernel image: +.IP \[bu] 3 +The use of module parameters that directly specify hardware parameters to +drivers through the kernel command line or when loading a module. +.IP \[bu] +The use of direct PCI BAR access. +.IP \[bu] +The use of the ioperm and iopl instructions on x86. +.IP \[bu] +The use of the KD*IO console ioctls. +.IP \[bu] +The use of the TIOCSSERIAL serial ioctl. +.IP \[bu] +The alteration of MSR registers on x86. +.IP \[bu] +The replacement of the PCMCIA CIS. +.IP \[bu] +The overriding of ACPI tables. +.IP \[bu] +The use of ACPI error injection. +.IP \[bu] +The specification of the ACPI RDSP address. +.IP \[bu] +The use of ACPI custom methods. +.P +Certain facilities are restricted: +.IP \[bu] 3 +Only validly signed modules may be loaded (waived if the module file being +loaded is vouched for by IMA appraisal). +.IP \[bu] +Only validly signed binaries may be kexec'd (waived if the binary image file +to be executed is vouched for by IMA appraisal). +.IP \[bu] +Unencrypted hibernation/suspend to swap are disallowed as the kernel image is +saved to a medium that can then be accessed. +.IP \[bu] +Use of debugfs is not permitted as this allows a whole range of actions +including direct configuration of, access to and driving of hardware. +.IP \[bu] +IMA requires the addition of the "secure_boot" rules to the policy, +whether or not they are specified on the command line, +for both the built-in and custom policies in secure boot lockdown mode. +.SH VERSIONS +The Kernel Lockdown feature was added in Linux 5.4. +.SH NOTES +The Kernel Lockdown feature is enabled by CONFIG_SECURITY_LOCKDOWN_LSM. +The +.I lsm=lsm1,...,lsmN +command line parameter controls the sequence of the initialization of +Linux Security Modules. +It must contain the string +.I lockdown +to enable the Kernel Lockdown feature. +If the command line parameter is not specified, +the initialization falls back to the value of the deprecated +.I security= +command line parameter and further to the value of CONFIG_LSM. +.\" commit 000d388ed3bbed745f366ce71b2bb7c2ee70f449 |