[Ksummit-discuss] [TECH TOPIC] Kernel lockdown and secure boot

Jani Nikula jani.nikula at intel.com
Thu Sep 6 10:00:36 UTC 2018


On Wed, 05 Sep 2018, Andy Lutomirski <luto at kernel.org> wrote:
> 2. What exactly does lockdown do?
>
> #2 is a bigger deal.  At least one version that shipped in a Fedora
> kernel actually broke systemd, and that's not cool.  And I really
> think we need to make lockdown non-binary to get this right.  I've
> proposed LOCKDOWN_PROTECT_INTEGRITY (i.e. try to prevent root from
> modifying the running kernel) and LOCKDOWN_PROTECT_SECRECY (try to
> prevent root from reading kernel memory), and no one seems to have
> actually objected.

Clueless bystander comment: I spent a while debugging a bug reporter's
-EPERM issue on direct PCI BAR access. Took me a while to realize this
was caused by kernel lockdown on the user's distro. I expect more issues
like this to pop up as the use of lockdown proliferates, and I don't
think it's necessarily obvious when lockdown changes behaviour.

I guess I'm asking, have you considered an audit log for lockdown
blocked access, and if you've rejected the idea, why?

BR,
Jani.

-- 
Jani Nikula, Intel Open Source Graphics Center

