Securing the Linux kernel with lockdown mode
Using Lockdown Mode
To use lockdown mode, you need to call the lsm
and lockdown
parameters in the Linux kernel command line. The kernel command line (the command that actually starts the Linux kernel) is executed during the boot process – see your Linux distribution's documentation for more on adding Linux boot parameters. The lsm
parameter activates the LSM subsystem and expects the lsm=lockdown,yama
arguments for lockdown. If LSM is already activated for other modules, you just need to append lockdown
and yama
, separated by a comma, to the existing parameters. The lockdown
parameter can have two arguments: integrity
and confidentiality
. I'll tell you more about lockdown's integrity
and confidentiality
modes later in this article.
In principle, lockdown mode can still be activated at run time by calling echo confidentiality
or echo integrity
with a redirect to the /sys/kernel/security/lockdown
file. Of course, lockdown mode cannot be disabled at run time in either of these two scenarios. Enabling at run time is not quite as secure as enabling from the command line, because full protection does not kick in right from the first second (Figure 2).
![](/var/linux_magazin/storage/images/issues/2020/239/lockdown-mode/figure-2/773471-1-eng-US/Figure-2_large.png)
Integrity and Confidentiality
The developers offer two modes of the lockdown implementation. Integrity mode ensures that root cannot modify the currently running kernel. It implements what the developers originally wanted to achieve with the entire lockdown patch: that ability to establish the chain of trust between the running kernel and the originally started kernel.
In the meantime, however, lockdown mode has evolved. In addition to protecting the running system, the developers also focused on protecting any content that may currently be present in RAM. Root can access RAM and read it at will. This is precisely what confidentiality mode prevents. If confidentiality mode is active, the attempt to read memory will fail. Keeping users from reading memory significantly reduces the risk of passwords or other confidential data falling into the hands of attackers.
If you take a look at the Linux source code (Figure 3), you will see the concrete functions that the two lockdown modes trigger in the background. If the kernel is running in integrity mode, loading unsigned modules is prohibited. You can also no longer use kexec
to make the system boot directly into a new kernel.
![](/var/linux_magazin/storage/images/issues/2020/239/lockdown-mode/figure-3/773474-1-eng-US/Figure-3_large.png)
Several modules in the Linux kernel offer functions that are explicitly marked as "insecure." In integrity mode, the kernel prevents root from using parameters that load such modules. If a user of the root account tries to use a parameter that loads an insecure module, the user will immediately see a Permission Denied response from the kernel. MMIO operations that are identified as insecure are also prevented by the kernel, as are certain ways of using perf
. Another important fact: It is basically possible to modify the running kernel using a system's ACPI tables and thus compromise the kernel. This explains why integrity mode also deactivates these operations across the board. Also interesting for mobile systems: Lockdown mode deactivates the hibernation feature.
Confidentiality mode adds several additional constraints. Access to /dev/mem
, /dev/kmem
, and /dev/port
is prevented by the kernel. Traffic on serial ports cannot be read by root. Access to debugfs
for debugging purposes is disabled, as is access to /proc/kcore
. Even with the Berkeley Packet Filter (BPF), you can no longer read kernel RAM directly.
Compatibility Problems
Lockdown mode disables various features that are used by userspace software. Many of the functions that lockdown mode disables are explicitly intended for debugging only but have existed for years or even decades. The fact that various userspace software tools have come to rely on these functions means that some applications might not work after you enable lockdown mode.
The kernel developers therefore view lockdown as an optional feature that is not enabled by default. If you want to use lockdown, plan some time and investigate whether your software works in the usual way after locking down. This is especially true for confidentiality mode. If confidentiality mode isn't right for your systems, you might still be able to use integrity mode, which prevents attackers from systematically opening up security holes.
« Previous 1 2 3 4 Next »
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
![Learn More](https://www.linux-magazine.com/var/linux_magazin/storage/images/media/linux-magazine-eng-us/images/misc/learn-more/834592-1-eng-US/Learn-More_medium.png)
News
-
NVIDIA Released Driver for Upcoming NVIDIA 560 GPU for Linux
Not only has NVIDIA released the driver for its upcoming CPU series, it's the first release that defaults to using open-source GPU kernel modules.
-
OpenMandriva Lx 24.07 Released
If you’re into rolling release Linux distributions, OpenMandriva ROME has a new snapshot with a new kernel.
-
Kernel 6.10 Available for General Usage
Linus Torvalds has released the 6.10 kernel and it includes significant performance increases for Intel Core hybrid systems and more.
-
TUXEDO Computers Releases InfinityBook Pro 14 Gen9 Laptop
Sporting either AMD or Intel CPUs, the TUXEDO InfinityBook Pro 14 is an extremely compact, lightweight, sturdy powerhouse.
-
Google Extends Support for Linux Kernels Used for Android
Because the LTS Linux kernel releases are so important to Android, Google has decided to extend the support period beyond that offered by the kernel development team.
-
Linux Mint 22 Stable Delayed
If you're anxious about getting your hands on the stable release of Linux Mint 22, it looks as if you're going to have to wait a bit longer.
-
Nitrux 3.5.1 Available for Install
The latest version of the immutable, systemd-free distribution includes an updated kernel and NVIDIA driver.
-
Debian 12.6 Released with Plenty of Bug Fixes and Updates
The sixth update to Debian "Bookworm" is all about security mitigations and making adjustments for some "serious problems."
-
Canonical Offers 12-Year LTS for Open Source Docker Images
Canonical is expanding its LTS offering to reach beyond the DEB packages with a new distro-less Docker image.
-
Plasma Desktop 6.1 Released with Several Enhancements
If you're a fan of Plasma Desktop, you should be excited about this new point release.