Provided by: manpages_5.10-1ubuntu1_all bug


       kernel_lockdown - kernel image access prevention feature


       The  Kernel  Lockdown  feature is designed to prevent both direct and indirect access to a
       running kernel image, attempting to  protect  against  unauthorized  modification  of  the
       kernel  image  and  to prevent access to security and cryptographic data located in kernel
       memory, whilst still permitting driver modules to be loaded.

       If a prohibited or restricted feature is accessed or used, the kernel will emit a  message
       that looks like:

               Lockdown: X: Y is restricted, see man kernel_lockdown.7

       where X indicates the process name and Y indicates what is restricted.

       On  an  EFI-enabled  x86  or  arm64 machine, lockdown will be automatically enabled if the
       system boots in EFI Secure Boot mode.

       When lockdown is in  effect,  a  number  of  features  are  disabled  or  have  their  use
       restricted.   This  includes  special  device  files and kernel services that allow direct
       access of the kernel image:


       and the ability to directly configure and control devices, so as to prevent the use  of  a
       device to access or modify a kernel image:

       • The  use  of  module  parameters  that  directly  specify hardware parameters to drivers
         through the kernel command line or when loading a module.

       • The use of direct PCI BAR access.

       • The use of the ioperm and iopl instructions on x86.

       • The use of the KD*IO console ioctls.

       • The use of the TIOCSSERIAL serial ioctl.

       • The alteration of MSR registers on x86.

       • The replacement of the PCMCIA CIS.

       • The overriding of ACPI tables.

       • The use of ACPI error injection.

       • The specification of the ACPI RDSP address.

       • The use of ACPI custom methods.

       Certain facilities are restricted:

       • Only validly signed modules may be loaded (waived if the module  file  being  loaded  is
         vouched for by IMA appraisal).

       • Only  validly  signed  binaries  may  be  kexec'd (waived if the binary image file to be
         executed is vouched for by IMA appraisal).

       • Unencrypted hibernation/suspend to swap are disallowed as the kernel image is saved to a
         medium that can then be accessed.

       • Use of debugfs is not permitted as this allows a whole range of actions including direct
         configuration of, access to and driving of hardware.

       • IMA requires the addition of the "secure_boot" rules to the policy, whether or not  they
         are  specified  on the command line, for both the built-in and custom policies in secure
         boot lockdown mode.


       The Kernel Lockdown feature was added in Linux 5.4.


       The  Kernel  Lockdown   feature   is   enabled   by   CONFIG_SECURITY_LOCKDOWN_LSM.    The
       lsm=lsm1,...,lsmN  command  line  parameter controls the sequence of the initialization of
       Linux Security Modules.  It must contain the string lockdown to enable the Kernel Lockdown
       feature.  If the command line parameter is not specified, the initialization falls back to
       the value of the deprecated security= command line parameter and further to the  value  of


       This  page  is  part of release 5.10 of the Linux man-pages project.  A description of the
       project, information about reporting bugs, and the latest version of  this  page,  can  be
       found at