From 3af6d22bb3850ab2bac67287e3a3d3b0e32868e5 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 15 Apr 2024 21:41:07 +0200 Subject: Merging upstream version 6.7. Signed-off-by: Daniel Baumann --- man7/kernel_lockdown.7 | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'man7/kernel_lockdown.7') diff --git a/man7/kernel_lockdown.7 b/man7/kernel_lockdown.7 index aac19aa..cb8aa7c 100644 --- a/man7/kernel_lockdown.7 +++ b/man7/kernel_lockdown.7 @@ -4,7 +4,7 @@ .\" .\" SPDX-License-Identifier: GPL-2.0-or-later .\" -.TH kernel_lockdown 7 2023-02-05 "Linux man-pages 6.05.01" +.TH kernel_lockdown 7 2023-10-31 "Linux man-pages 6.7" .SH NAME kernel_lockdown \- kernel image access prevention feature .SH DESCRIPTION @@ -13,18 +13,18 @@ access to a running kernel image, attempting to protect against unauthorized modification of the kernel image and to prevent access to security and cryptographic data located in kernel memory, whilst still permitting driver modules to be loaded. -.PP +.P If a prohibited or restricted feature is accessed or used, the kernel will emit a message that looks like: -.PP +.P .in +4n .EX Lockdown: X: Y is restricted, see man kernel_lockdown.7 .EE .in -.PP +.P where X indicates the process name and Y indicates what is restricted. -.PP +.P On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled if the system boots in EFI Secure Boot mode. .\" @@ -33,7 +33,7 @@ When lockdown is in effect, a number of features are disabled or have their use restricted. This includes special device files and kernel services that allow direct access of the kernel image: -.PP +.P .RS /dev/mem .br @@ -47,7 +47,7 @@ BPF .br kprobes .RE -.PP +.P and the ability to directly configure and control devices, so as to prevent the use of a device to access or modify a kernel image: .IP \[bu] 3 @@ -73,7 +73,7 @@ The use of ACPI error injection. The specification of the ACPI RDSP address. .IP \[bu] The use of ACPI custom methods. -.PP +.P Certain facilities are restricted: .IP \[bu] 3 Only validly signed modules may be loaded (waived if the module file being -- cgit v1.2.3