Uncategorized

Linux Kernel lockdown

David Howells of Red Hat has posted a 24-part patch to the Linux-(Kernel,EFI) lists, which hardens Linux from some firmware attacks.

These patches provide a facility by which a variety of avenues by which userspace can feasibly modify the running kernel image can be locked down. These include:
 (*) No unsigned modules and no modules for which can’t validate the signature.
 (*) No use of ioperm(), iopl() and no writing to /dev/port.
 (*) No writing to /dev/mem or /dev/kmem.
 (*) No hibernation.
 (*) Restrict PCI BAR access.
 (*) Restrict MSR access.
 (*) No kexec_load().
 (*) Certain ACPI restrictions.
 (*) Restrict debugfs interface to ASUS WMI.

The lock-down can be configured to be triggered by the EFI secure boot status, provided the shim isn’t insecure.  The lock-down can be lifted by typing SysRq+x on a keyboard attached to the system.[…]

See the full patch for more info:

http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=efi-lockdown
http://vger.kernel.org/majordomo-info.html

Standard

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s