Garrett: Linux kernel lockdown, integrity, and confidentiality
([Kernel] Apr 21, 2020 22:02 UTC (Tue) (corbet))
- Reference: 0000818277
- News link: https://lwn.net/Articles/818277/
Matthew Garrett has posted an overview [1] of the kernel lockdown capability merged in 5.4. "If you verify your boot chain but allow root to modify that kernel, the benefits of the verified boot chain are significantly reduced. Even if root can't modify the on-disk kernel, root can just hot-patch the kernel and then make this persistent by dropping a binary that repeats the process on system boot. Lockdown is intended as a mechanism to avoid that, by providing an optional policy that closes off interfaces that allow root to modify the kernel."
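As an added example (not part of the LWN item or Garrett's post), the following POSIX shell script checks whether lockdown is actually in effect on a running system. It reads the securityfs status file, which a 5.4+ kernel with lockdown support exposes at /sys/kernel/security/lockdown; that mount point and the one-line status format (all modes listed, the active one in square brackets) are assumptions about the running kernel, and the sample status lines in the comments are constructed.

```shell
#!/bin/sh
# Added example, not code from the LWN item or Matthew Garrett's post.
# Reports the kernel lockdown mode by reading securityfs.
# Assumption: securityfs is mounted at /sys/kernel/security.
LOCKDOWN_FILE="/sys/kernel/security/lockdown"

# lockdown_mode STATUS_LINE
# The status file lists every mode with the active one bracketed, e.g.
#   none [integrity] confidentiality      (constructed sample)
# Prints the bracketed mode name.
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p'
}

# lockdown_active STATUS_LINE
# Returns 0 when the policy closes off the kernel-modifying interfaces
# the post describes (integrity or confidentiality), 1 when it is "none".
lockdown_active() {
    case "$(lockdown_mode "$1")" in
        integrity|confidentiality) return 0 ;;
        *) return 1 ;;
    esac
}

# read_lockdown_mode
# Reads the live status; prints "unsupported" when the file is absent,
# i.e. the kernel predates lockdown or securityfs is not mounted.
read_lockdown_mode() {
    if [ -r "$LOCKDOWN_FILE" ]; then
        lockdown_mode "$(cat "$LOCKDOWN_FILE")"
    else
        echo "unsupported"
    fi
}

# Top-level report; never fails, so the script is safe to run in checks.
mode=$(read_lockdown_mode)
echo "kernel lockdown mode: $mode"
case "$mode" in
    integrity|confidentiality) echo "lockdown policy is enforced" ;;
    none) echo "lockdown built in but not enabled (root can still modify the kernel)" ;;
    *) echo "lockdown not available on this kernel" ;;
esac
```

A status of `[none]` means the kernel has the feature compiled in but no policy is applied, so the verified boot chain gains nothing from it; `integrity` is the mode that blocks the hot-patching path quoted above, and `confidentiality` additionally restricts reads of kernel memory.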
[1] https://mjg59.dreamwidth.org/55105.html