Linux kernel 5.4 to get lockdown functionality

Linux Kernel 5.4 stable should get released in late November or early December.

After years of review and deliberation, Linux creator and principal developer Linus Torvalds approved a new security feature for the Linux kernel, referred to as ‘lockdown.’

Torvalds said:

“When enabled, various pieces of kernel functionality are restricted. This includes restricting access to kernel features that may allow arbitrary code execution via code supplied by user-land processes; blocking processes from writing or reading /dev/mem and /dev/kmem memory; blocking access to opening /dev/port to prevent raw port access; enforcing kernel module signatures; and many others.”

This functionality is expected to land in the soon-to-be-released Linux kernel 5.4 branch and ships as an LSM (Linux Security Module). Usage is optional, as there is a risk that the new feature could break existing systems.

Lockdown strengthens the divide between user-land processes and kernel code. It does this by preventing all accounts, including the root account, from interacting with kernel code. That is something never done before, at least by design, until now.

This latest functionality is welcome news for security-conscious users and provides much-requested additional protection for setups like UEFI Secure Boot. The feature is opt-in and limits which parts of the kernel user space can touch.

Lockdown places no restrictions by default; it is activated with the lockdown= kernel parameter. Setting lockdown=integrity blocks kernel features that allow user space to modify the running kernel, while lockdown=confidentiality additionally blocks user space from extracting “confidential information” from the running kernel. The Kconfig option SECURITY_LOCKDOWN_LSM enables the security module, and SECURITY_LOCKDOWN_LSM_EARLY provides the ability to force the integrity/confidentiality lockdown modes permanently.

Restrictions enforced by the newly approved feature include blocking kernel module parameters that manipulate hardware settings, preventing hibernation support, blocking writes to /dev/mem (even as root), restricting access to CPU MSRs, and a host of other safeguards.
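As an added example (not part of the original article), the following POSIX shell script shows how an administrator can verify which lockdown mode is actually in effect on a booted system. It assumes two interfaces the article does not mention: the lockdown LSM registers a securityfs file, /sys/kernel/security/lockdown, that lists the modes with the active one in square brackets (for example "none [integrity] confidentiality"), and the boot parameters are readable from /proc/cmdline. The sample strings at the bottom are constructed so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Added example: report the active kernel lockdown mode.
# Assumption (not from the article): the lockdown LSM exposes its state in
# /sys/kernel/security/lockdown as e.g. "none [integrity] confidentiality",
# where the bracketed word is the mode currently in effect.

# parse_lockdown_mode "<securityfs file contents>" -> prints the bracketed mode
parse_lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# cmdline_lockdown "<kernel command line>" -> prints the lockdown= value,
# or "none" when the parameter is absent (the kernel's default).
cmdline_lockdown() {
    for tok in $1; do
        case "$tok" in
            lockdown=*) printf '%s\n' "${tok#lockdown=}"; return 0 ;;
        esac
    done
    printf 'none\n'
}

# check_running_system: read the real interfaces when they are present.
# A mismatch between the two values (e.g. cmdline says integrity but the
# securityfs file says none) suggests the LSM is not built in or not enabled.
check_running_system() {
    if [ -r /sys/kernel/security/lockdown ]; then
        printf 'securityfs lockdown mode: %s\n' \
            "$(parse_lockdown_mode "$(cat /sys/kernel/security/lockdown)")"
    else
        printf 'lockdown LSM not available (no /sys/kernel/security/lockdown)\n'
    fi
    if [ -r /proc/cmdline ]; then
        printf 'lockdown= on kernel command line: %s\n' \
            "$(cmdline_lockdown "$(cat /proc/cmdline)")"
    fi
}

# Constructed sample inputs (not captured from a real machine):
SAMPLE_SYSFS='none [integrity] confidentiality'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz-5.4.0 root=/dev/sda2 ro lockdown=confidentiality quiet'

printf 'sample securityfs mode: %s\n' "$(parse_lockdown_mode "$SAMPLE_SYSFS")"
printf 'sample cmdline mode:    %s\n' "$(cmdline_lockdown "$SAMPLE_CMDLINE")"
check_running_system
```

To make a mode persistent on a GRUB-based system, add lockdown=integrity (or lockdown=confidentiality) to GRUB_CMDLINE_LINUX in /etc/default/grub and regenerate the GRUB configuration; the script above then confirms after reboot that the kernel honoured it. Because the confidentiality mode also blocks some legitimate diagnostic interfaces, test it on a staging machine before rolling it out.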

Other significant features for the Linux 5.4 branch include:

  • DM-Clone as a new means of remotely replicating block devices
  • Initial Microsoft exFAT file-system support
  • Case-insensitive F2FS support
  • Support for several new AMD Radeon GPU targets
  • Kernel fixes around UMIP to help various Windows applications in Wine
  • A host of other new hardware support

Expect the official release of the Linux 5.4 kernel as stable in late November or early December.

Travis Rose
Hi, I'm M Travis Rose, a contributor to FOSS Linux. I have over thirty years of experience in the IT arena, at least fifteen of which has been working with Linux. I enjoy converting existing Windows users to the wonderful world of Linux. I guess you could call me a Linux-evangelist. Long live Linux!
