summaryrefslogtreecommitdiffstats
path: root/man7/kernel_lockdown.7
diff options
context:
space:
mode:
Diffstat (limited to 'man7/kernel_lockdown.7')
-rw-r--r--man7/kernel_lockdown.7109
1 files changed, 0 insertions, 109 deletions
diff --git a/man7/kernel_lockdown.7 b/man7/kernel_lockdown.7
deleted file mode 100644
index cb8aa7c..0000000
--- a/man7/kernel_lockdown.7
+++ /dev/null
@@ -1,109 +0,0 @@
-.\"
-.\" Copyright (C) 2017 Red Hat, Inc. All Rights Reserved.
-.\" Written by David Howells (dhowells@redhat.com)
-.\"
-.\" SPDX-License-Identifier: GPL-2.0-or-later
-.\"
-.TH kernel_lockdown 7 2023-10-31 "Linux man-pages 6.7"
-.SH NAME
-kernel_lockdown \- kernel image access prevention feature
-.SH DESCRIPTION
-The Kernel Lockdown feature is designed to prevent both direct and indirect
-access to a running kernel image, attempting to protect against unauthorized
-modification of the kernel image and to prevent access to security and
-cryptographic data located in kernel memory, whilst still permitting driver
-modules to be loaded.
-.P
-If a prohibited or restricted feature is accessed or used, the kernel will emit
-a message that looks like:
-.P
-.in +4n
-.EX
-Lockdown: X: Y is restricted, see man kernel_lockdown.7
-.EE
-.in
-.P
-where X indicates the process name and Y indicates what is restricted.
-.P
-On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled
-if the system boots in EFI Secure Boot mode.
-.\"
-.SS Coverage
-When lockdown is in effect, a number of features are disabled or have their
-use restricted.
-This includes special device files and kernel services that allow
-direct access of the kernel image:
-.P
-.RS
-/dev/mem
-.br
-/dev/kmem
-.br
-/dev/kcore
-.br
-/dev/ioports
-.br
-BPF
-.br
-kprobes
-.RE
-.P
-and the ability to directly configure and control devices, so as to prevent
-the use of a device to access or modify a kernel image:
-.IP \[bu] 3
-The use of module parameters that directly specify hardware parameters to
-drivers through the kernel command line or when loading a module.
-.IP \[bu]
-The use of direct PCI BAR access.
-.IP \[bu]
-The use of the ioperm and iopl instructions on x86.
-.IP \[bu]
-The use of the KD*IO console ioctls.
-.IP \[bu]
-The use of the TIOCSSERIAL serial ioctl.
-.IP \[bu]
-The alteration of MSR registers on x86.
-.IP \[bu]
-The replacement of the PCMCIA CIS.
-.IP \[bu]
-The overriding of ACPI tables.
-.IP \[bu]
-The use of ACPI error injection.
-.IP \[bu]
-The specification of the ACPI RDSP address.
-.IP \[bu]
-The use of ACPI custom methods.
-.P
-Certain facilities are restricted:
-.IP \[bu] 3
-Only validly signed modules may be loaded (waived if the module file being
-loaded is vouched for by IMA appraisal).
-.IP \[bu]
-Only validly signed binaries may be kexec'd (waived if the binary image file
-to be executed is vouched for by IMA appraisal).
-.IP \[bu]
-Unencrypted hibernation/suspend to swap are disallowed as the kernel image is
-saved to a medium that can then be accessed.
-.IP \[bu]
-Use of debugfs is not permitted as this allows a whole range of actions
-including direct configuration of, access to and driving of hardware.
-.IP \[bu]
-IMA requires the addition of the "secure_boot" rules to the policy,
-whether or not they are specified on the command line,
-for both the built-in and custom policies in secure boot lockdown mode.
-.SH VERSIONS
-The Kernel Lockdown feature was added in Linux 5.4.
-.SH NOTES
-The Kernel Lockdown feature is enabled by CONFIG_SECURITY_LOCKDOWN_LSM.
-The
-.I lsm=lsm1,...,lsmN
-command line parameter controls the sequence of the initialization of
-Linux Security Modules.
-It must contain the string
-.I lockdown
-to enable the Kernel Lockdown feature.
-If the command line parameter is not specified,
-the initialization falls back to the value of the deprecated
-.I security=
-command line parameter and further to the value of CONFIG_LSM.
-.\" commit 000d388ed3bbed745f366ce71b2bb7c2ee70f449