Activating Lockdown

phabricator-migrator · February 19, 2024, 5:43pm

Information

ID: 670
PHID: PHID-TASK-l4gmuy3cuov3icsa3hqv
Author: HulaHoop
Status at Migration Time: open
Priority at Migration Time: Normal

Description

Consider activating “Lockdown” a mainlined patch that does some hardening measures that including some grsec formerly did. Package currently available only in Sid.

What it does:

disables loading/removing kernel modules after boot
disables live kernel patching (kexec)
disables Berkeley packet filter (BPF)

(*) No unsigned modules and no modules for which can’t validate the signature.

(*) No use of ioperm(), iopl() and no writing to /dev/port.

(*) No writing to /dev/mem or /dev/kmem.

(*) No hibernation.

(*) Restrict PCI BAR access.

(*) Restrict MSR access.

(*) No kexec_load().

(*) Certain ACPI restrictions.

(*) Restrict debugfs interface to ASUS WMI.

While idsabling modules might interfere with non buil-in devices, they can be whitelisted on demand or an extended timeout specified so the needed components are loaded during boot.

https://lwn.net/Articles/719035/

https://packages.debian.org/sid/lockdown

Comments

HulaHoop

2019-03-29 03:39:21 UTC

Patrick

2019-04-04 18:14:57 UTC

marmarek

2019-04-04 18:51:48 UTC

HulaHoop

2019-05-03 16:14:01 UTC

Patrick

2019-05-05 21:28:00 UTC

Patrick

2019-07-03 06:45:35 UTC

madaidan

2019-07-03 14:58:56 UTC

madaidan

2019-10-04 18:37:46 UTC

It turns out, what I said only applies to the Debian package. The kernel patch and the package are actually two different things.

Many of the things in the kernel patch are already enabled by default or are enabled in security-misc. There’s very little advantage.

Also, Daniel Micay has interesting things to say about lockdown.

https://twitter.com/DanielMicay/status/1180072339112898562

Almost entirely security theater with no real impact. Not relevant in any way to solving these kinds of problems or mitigating kernel vulnerabilities. It’s based around providing a bogus, incomplete form of secure boot not actually providing any real security value to end users.

It’s a marketing-focused, incomplete and useless approach to secure boot. The total value of it is negligible and it’s very unfortunate that it’s all grouped together as part of something that’s almost completely nonsense with no real threat model or use case thought out for it.