David Howells of Red Hat has posted a 24-part patch series to the linux-kernel and linux-efi mailing lists that hardens Linux against attacks in which userspace modifies the running kernel and so bypasses UEFI Secure Boot. From the cover letter:
These patches provide a facility by which a variety of avenues by which userspace can feasibly modify the running kernel image can be locked down. These include:
(*) No unsigned modules and no modules for which the kernel can’t validate the signature.
(*) No use of ioperm(), iopl() and no writing to /dev/port.
(*) No writing to /dev/mem or /dev/kmem.
(*) No hibernation.
(*) Restrict PCI BAR access.
(*) Restrict MSR access.
(*) No kexec_load().
(*) Certain ACPI restrictions.
(*) Restrict debugfs interface to ASUS WMI.
The lock-down can be configured to be triggered by the EFI secure boot status, provided the shim isn’t insecure. The lock-down can be lifted by typing SysRq+x on a keyboard attached to the system.[…]
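A small probe, added here as an example and not part of the patchset or of this post, that tries the avenues from the list above which can be checked without side effects and reports whether the kernel refuses each one. The device paths and the reading of the errno values are assumptions about how the restrictions surface to userspace; the hibernation, PCI BAR, ACPI and ASUS WMI restrictions are left out because probing them would mean actually writing to hardware or sysfs. Run it as root: without CAP_SYS_RAWIO, CAP_SYS_MODULE and CAP_SYS_BOOT every probe reports EPERM or EACCES whether or not the kernel is locked down.

```c
/* Lockdown probe (added example, not from the patchset).  Each probe makes
 * a request that the lockdown code rejects with EPERM (EKEYREJECTED for
 * modules) but that is otherwise harmless: a device node is opened and
 * closed, a kexec_load() call is made that the kernel rejects with EINVAL
 * right after its permission checks, and init_module() is handed bytes
 * that are not an ELF object. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

#define NPROBES 8

struct probe_result {
    const char *name;
    int err;            /* 0 = request got past the permission checks, else errno */
};

/* Open a device node for writing and close it again; nothing is written.
 * /dev/port, /dev/mem and /dev/kmem refuse the open under lockdown. */
static int probe_open_write(const char *path)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

static int probe_ioperm(void)
{
#ifdef SYS_ioperm
    /* Ask for one byte of the POST diagnostic port; revoke it if granted. */
    if (syscall(SYS_ioperm, 0x80, 1, 1) < 0)
        return errno;
    syscall(SYS_ioperm, 0x80, 1, 0);
    return 0;
#else
    return ENOSYS;      /* no port I/O syscalls on this architecture */
#endif
}

static int probe_iopl(void)
{
#ifdef SYS_iopl
    if (syscall(SYS_iopl, 3) < 0)
        return errno;
    syscall(SYS_iopl, 0);
    return 0;
#else
    return ENOSYS;
#endif
}

/* The MSR driver checks lockdown before it validates the write size, so a
 * one-byte write is refused with EPERM under lockdown and with EINVAL
 * (nothing written) otherwise.  Assumption: /dev/cpu/0/msr exists, i.e.
 * the msr module is loaded; a kernel that permits the write may log a
 * warning about the unrecognised MSR. */
static int probe_msr_write(void)
{
    char byte = 0;      /* constructed input; never reaches a register */
    int fd = open("/dev/cpu/0/msr", O_WRONLY);
    int err = 0;
    if (fd < 0)
        return errno;
    if (write(fd, &byte, 1) < 0 && errno != EINVAL)
        err = errno;
    close(fd);
    return err;
}

/* kexec_load() checks CAP_SYS_BOOT and lockdown before argument sanity.
 * KEXEC_SEGMENT_MAX is 16 (linux/kexec.h), so 17 segments earns EINVAL from
 * a kernel that would otherwise have let us load an image; EPERM means the
 * capability or lockdown check fired first. */
static int probe_kexec_load(void)
{
    if (syscall(SYS_kexec_load, 0UL, 17UL, NULL, 0UL) < 0)
        return errno == EINVAL ? 0 : errno;
    return 0;
}

/* Module signature enforcement runs before the ELF header check, so junk
 * yields EKEYREJECTED or EPERM on a kernel that insists on signatures and
 * ENOEXEC on one that would have accepted an unsigned module. */
static int probe_init_module(void)
{
    static const char junk[] = "not an ELF object";   /* constructed input */
    if (syscall(SYS_init_module, junk, sizeof junk, "") < 0)
        return errno == ENOEXEC ? 0 : errno;
    return 0;
}

/* EACCES is ambiguous: it is also what a non-root user gets from the
 * device node permissions, hence the advice to run as root. */
static const char *classify(int err)
{
    switch (err) {
    case 0:            return "allowed";
    case EPERM:
    case EACCES:
    case EKEYREJECTED: return "blocked";
    case ENOENT:
    case ENODEV:
    case ENOSYS:       return "absent";
    default:           return "unknown";
    }
}

static int run_probes(struct probe_result *out, int max)
{
    const struct probe_result all[NPROBES] = {
        { "ioperm()",        probe_ioperm() },
        { "iopl()",          probe_iopl() },
        { "/dev/port write", probe_open_write("/dev/port") },
        { "/dev/mem write",  probe_open_write("/dev/mem") },
        { "/dev/kmem write", probe_open_write("/dev/kmem") },
        { "MSR write",       probe_msr_write() },
        { "kexec_load()",    probe_kexec_load() },
        { "unsigned module", probe_init_module() },
    };
    int n = NPROBES < max ? NPROBES : max;
    memcpy(out, all, (size_t)n * sizeof *out);
    return n;
}

int main(void)
{
    struct probe_result r[NPROBES];
    int n = run_probes(r, NPROBES), i;
    for (i = 0; i < n; i++)
        printf("%-18s %-8s (%s)\n", r[i].name, classify(r[i].err),
               r[i].err ? strerror(r[i].err) : "ok");
    return 0;
}
```

On a locked-down kernel every row should read "blocked" (or "absent" where the device or syscall does not exist); a row reading "allowed" as root is an avenue the running kernel still leaves open. The probes deliberately stop at the first permission check and never write to memory, ports or registers.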
See the full patch for more info: