Linux kernel 5.4 to get lockdown functionality

Linux Kernel 5.4 stable should get released in late November or early December.

After years of review and deliberation, Linux creator and principal developer Linus Torvalds approved a new security feature for the Linux kernel, referred to as ‘lockdown.’

Torvalds said:

“When enabled, various pieces of kernel functionality are restricted. This includes restricting access to kernel features that may allow arbitrary code execution via code supplied by user-land processes; blocking processes from writing or reading /dev/mem and /dev/kmem memory; blocking access to /dev/port to prevent raw port access; enforcing kernel module signatures; and many others.”

This functionality is included in the soon-to-be-released Linux kernel 5.4 and ships as an LSM (Linux Security Module). Enabling it is optional, because the restrictions can break existing systems that rely on root being able to poke at kernel memory, hardware registers or unsigned modules.

Lockdown strengthens the divide between user-land processes and kernel code by denying every process, including those running as root, the interfaces that let user space modify (and, in the stricter mode, read) the running kernel. Mainline Linux never had such a mode by design before now; distributions such as Fedora and Ubuntu had carried out-of-tree lockdown patches for years, chiefly to back UEFI Secure Boot.

This is welcome news for security-conscious users and provides the much-requested kernel-side counterpart to UEFI Secure Boot: Secure Boot verifies the kernel image that is loaded, and lockdown keeps a root user from replacing or altering that kernel once it is running. The feature is opt-in and limits what user space, root included, can do to the kernel.

Lockdown places no restrictions by default. It is activated with the lockdown= kernel parameter. Setting lockdown=integrity blocks kernel features that allow user space to modify the running kernel; setting lockdown=confidentiality additionally blocks user space from extracting confidential information from the running kernel (confidentiality implies integrity). The Kconfig option SECURITY_LOCKDOWN_LSM builds the security module; SECURITY_LOCKDOWN_LSM_EARLY initializes it early in boot so the restrictions apply before other subsystems come up; and the LOCK_DOWN_KERNEL_FORCE_NONE / LOCK_DOWN_KERNEL_FORCE_INTEGRITY / LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY choice compiles a fixed mode into the kernel. At runtime the active mode is reported through securityfs at /sys/kernel/security/lockdown, where it can be raised, but never lowered, by writing the new mode name.

In integrity mode the new feature blocks, among other things: loading kernel modules that are not signed with a trusted key; writes to /dev/mem, /dev/kmem and /dev/port (even as root); writes to CPU model-specific registers (MSRs); module parameters that set hardware I/O addresses; kexec of unverified images; ACPI table overrides; and hibernation, since a resume image is kernel memory loaded back from disk. Confidentiality mode additionally blocks reads of kernel memory through /proc/kcore, BPF, perf, kprobes, tracefs and similar interfaces.
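To see the restrictions described above on a running system, the following probe is an added example (not from the article or the kernel tree). It reads the active mode from /sys/kernel/security/lockdown and then tries to open three interfaces that lockdown gates in 5.4: /dev/mem and /dev/port, whose open is refused under integrity, and /proc/kcore, which is refused only under confidentiality. It relies on the fact that the lockdown hooks fail with EPERM, while an ordinary permission failure for an unprivileged user is EACCES, so the EPERM/EACCES distinction is only meaningful when run as root (the raw-I/O devices also demand CAP_SYS_RAWIO). Nothing is written to any device; the probe only opens and closes.

```c
/* lockdown_probe.c: added example, not part of the article or of the kernel.
 * Build: cc -Wall -o lockdown_probe lockdown_probe.c
 * Run as root so that an EPERM can be attributed to lockdown rather than
 * to a missing capability. Assumes the 5.4 securityfs file format
 * "none [integrity] confidentiality". */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum probe_result {
    PROBE_ALLOWED,      /* open(2) succeeded */
    PROBE_LOCKED_DOWN,  /* EPERM: what the lockdown hooks return */
    PROBE_DENIED_OTHER, /* EACCES or any other error */
    PROBE_MISSING       /* interface not present on this kernel */
};

/* securityfs marks the active mode with brackets, e.g. "none [integrity] confidentiality".
 * Copies the bracketed word into out; returns 0 on success, -1 if no bracketed mode. */
int parse_lockdown_mode(const char *status, char *out, size_t outlen)
{
    const char *open_br = strchr(status, '[');
    const char *close_br = open_br ? strchr(open_br, ']') : NULL;
    size_t len;

    if (!open_br || !close_br)
        return -1;
    len = (size_t)(close_br - open_br - 1);
    if (len == 0 || len >= outlen)
        return -1;
    memcpy(out, open_br + 1, len);
    out[len] = '\0';
    return 0;
}

/* Map an open(2) outcome to a probe result. security_locked_down() returns
 * -EPERM; a plain DAC failure for an unprivileged user is EACCES; ENOENT or
 * ENXIO mean the device node or file simply is not there. */
enum probe_result classify_open(int fd, int err)
{
    if (fd >= 0)
        return PROBE_ALLOWED;
    if (err == EPERM)
        return PROBE_LOCKED_DOWN;
    if (err == ENOENT || err == ENXIO)
        return PROBE_MISSING;
    return PROBE_DENIED_OTHER;
}

/* Read the active mode from securityfs; returns -1 if the file is absent
 * (securityfs not mounted, or the lockdown LSM not built/enabled). */
int read_lockdown_mode(char *out, size_t outlen)
{
    char buf[128];
    ssize_t n;
    int fd = open("/sys/kernel/security/lockdown", O_RDONLY);

    if (fd < 0)
        return -1;
    n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n <= 0)
        return -1;
    buf[n] = '\0';
    return parse_lockdown_mode(buf, out, outlen);
}

static const char *result_name(enum probe_result r)
{
    switch (r) {
    case PROBE_ALLOWED:      return "allowed";
    case PROBE_LOCKED_DOWN:  return "EPERM (lockdown or missing CAP_SYS_RAWIO)";
    case PROBE_DENIED_OTHER: return "denied (not lockdown)";
    default:                 return "not present";
    }
}

static void probe(const char *path, int flags, const char *what)
{
    int fd = open(path, flags);
    int err = errno;
    enum probe_result r = classify_open(fd, err);

    if (fd >= 0)
        close(fd);
    printf("%-28s %-14s %s\n", what, path, result_name(r));
}

int main(void)
{
    char mode[32];

    if (read_lockdown_mode(mode, sizeof mode) == 0)
        printf("lockdown mode: %s\n", mode);
    else
        printf("lockdown mode: unknown (no /sys/kernel/security/lockdown)\n");

    /* Refused from integrity mode upward (LOCKDOWN_DEV_MEM in open_port()). */
    probe("/dev/mem", O_WRONLY, "write /dev/mem");
    probe("/dev/port", O_RDWR, "raw I/O port access");
    /* Refused only in confidentiality mode (LOCKDOWN_KCORE). */
    probe("/proc/kcore", O_RDONLY, "read kernel memory via kcore");
    return 0;
}
```

On a kernel booted with lockdown=integrity and run as root, the first two probes report EPERM while /proc/kcore still opens; with lockdown=confidentiality all three are refused. MSR writes are gated inside write(2) rather than open(2), so they are deliberately not probed here: a successful write on an unlocked kernel would really modify a register.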

Other significant features for the Linux 5.4 branch include:

  • DM-Clone, a new means of remotely replicating block devices
  • Initial Microsoft exFAT file-system support
  • Case-insensitive F2FS support
  • Support for several new AMD Radeon GPU targets
  • Kernel fixes around UMIP (User-Mode Instruction Prevention) to help various Windows applications running under Wine
  • A host of other new hardware support

Expect the official release of the Linux 5.4 kernel as stable in late November or early December.


Travis Rose
Hi, I'm M Travis Rose, a contributor to FOSS Linux. I have over thirty years of experience in the IT arena, at least fifteen of which has been working with Linux. I enjoy converting existing Windows users to the wonderful world of Linux. I guess you could call me a Linux-evangelist. Long live Linux!
