1 files changed, 109 insertions, 0 deletions
diff --git a/man/man7/kernel_lockdown.7 b/man/man7/kernel_lockdown.7
new file mode 100644
index 0000000000..8176ea6eaf
--- /dev/null
+++ b/man/man7/kernel_lockdown.7
@@ -0,0 +1,109 @@
+.\"
+.\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" SPDX-License-Identifier: GPL-2.0-or-later
+.\"
+.TH KERNEL_LOCKDOWN 7 2021-06-20 "Linux man-pages (unreleased)"
+.SH NAME
+kernel_lockdown \- kernel image access prevention feature
+.SH DESCRIPTION
+The Kernel Lockdown feature is designed to prevent both direct and indirect
+access to a running kernel image, attempting to protect against unauthorized
+modification of the kernel image and to prevent access to security and
+cryptographic data located in kernel memory, whilst still permitting driver
+modules to be loaded.
+.PP
+If a prohibited or restricted feature is accessed or used, the kernel will emit
+a message that looks like:
+.PP
+.in +4n
+.EX
+Lockdown: X: Y is restricted, see man kernel_lockdown.7
+.EE
+.in
+.PP
+where X indicates the process name and Y indicates what is restricted.
+.PP
+On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled
+if the system boots in EFI Secure Boot mode.
+.\"
+.SS Coverage
+When lockdown is in effect, a number of features are disabled or have their
+use restricted.
+This includes special device files and kernel services that allow
+direct access of the kernel image:
+.PP
+.RS
+/dev/mem
+.br
+/dev/kmem
+.br
+/dev/kcore
+.br
+/dev/ioports
+.br
+BPF
+.br
+kprobes
+.RE
+.PP
+and the ability to directly configure and control devices, so as to prevent
+the use of a device to access or modify a kernel image:
+.IP \(bu 2
+The use of module parameters that directly specify hardware parameters to
+drivers through the kernel command line or when loading a module.
+.IP \(bu
+The use of direct PCI BAR access.
+.IP \(bu
+The use of the ioperm and iopl instructions on x86.
+.IP \(bu
+The use of the KD*IO console ioctls.
+.IP \(bu
+The use of the TIOCSSERIAL serial ioctl.
+.IP \(bu
+The alteration of MSR registers on x86.
+.IP \(bu
+The replacement of the PCMCIA CIS.
+.IP \(bu
+The overriding of ACPI tables.
+.IP \(bu
+The use of ACPI error injection.
+.IP \(bu
+The specification of the ACPI RDSP address.
+.IP \(bu
+The use of ACPI custom methods.
+.PP
+Certain facilities are restricted:
+.IP \(bu 2
+Only validly signed modules may be loaded (waived if the module file being
+loaded is vouched for by IMA appraisal).
+.IP \(bu
+Only validly signed binaries may be kexec'd (waived if the binary image file
+to be executed is vouched for by IMA appraisal).
+.IP \(bu
+Unencrypted hibernation/suspend to swap are disallowed as the kernel image is
+saved to a medium that can then be accessed.
+.IP \(bu
+Use of debugfs is not permitted as this allows a whole range of actions
+including direct configuration of, access to and driving of hardware.
+.IP \(bu
+IMA requires the addition of the "secure_boot" rules to the policy,
+whether or not they are specified on the command line,
+for both the built-in and custom policies in secure boot lockdown mode.
+.SH VERSIONS
+The Kernel Lockdown feature was added in Linux 5.4.
+.SH NOTES
+The Kernel Lockdown feature is enabled by CONFIG_SECURITY_LOCKDOWN_LSM.
+The
+.I lsm=lsm1,...,lsmN
+command line parameter controls the sequence of the initialization of
+Linux Security Modules.
+It must contain the string
+.I lockdown
+to enable the Kernel Lockdown feature.
+If the command line parameter is not specified,
+the initialization falls back to the value of the deprecated
+.I security=
+command line parameter and further to the value of CONFIG_LSM.
+.\" commit 000d388ed3bbed745f366ce71b2bb7c2ee70f449