In news that has been a long time in coming, chief Linux maintainer Linus Torvalds has finally approved a new security feature, the Linux Security Module (LSM, nicknamed “lockdown”) to be part of the 5.4 branch of the Linux kernel. Although the feature will be turned off by default — out of fear it might break existing systems — it does promise to bring additional security to one of the most widely-used and hardened kernels on the market.
How Does It Work?
The lockdown feature’s aim is to restrict various pieces of kernel functionality. What exactly does it restrict? First off, it will restrict access to kernel features that may allow arbitrary code execution by way of code supplied by any application or service outside of the kernel (aka “userland”). The new feature will also block processes from reading/writing to /dev/mem and /dev/kmem memory, as well as block access to opening /dev/port (as a means to prevent raw ioport access). Other features include:
- Enforcing kernel module signatures.
- Prevents even the root account from modifying the kernel code.
- Kexec reboot (in case secure boot being enabled does not keep the secure boot mode in new kernel).
- Lockdown of hardware that could potentially generate direct memory addressing (DMA).
- Lockdown of KDADDIO, KDDELIO, KDENABIO and KDDISABIO console ioctls.
- And much more
There are two modes available to the lockdown module: Integrity and Confidentiality. When in Integrity mode, kernel features which would allow userland code to modify the running kernel are disabled. When in Confidentiality mode, userland code to extract confidential information from the kernel will be disabled.
Why Did Lockdown Take So Long?
Work on kernel lockdown began around 2010 and was originally engineered by Google Security Engineer Mathew Garrett. Garrett’s idea was to create a new security mechanism that would prevent users with elevated privileges (such as those with sudo access or even the root account) from modifying the Linux kernel code.
Torvalds was originally against the idea, as he felt it was nothing more than a means of getting Linux to boot on what would be Windows-only hardware. A rather explicit exchange between Torvalds and Garrett ensued, regarding Microsoft signing keys. In a response to the back and forth, Greg Kroah-Hartman, maintainer of the Linux kernel’s stable branch and the Linux driver project, added his two cents with, “I’m not saying that they are not nice things to have, personally, I want some of these things for my own machines just to make things more secure, but again, these are ‘I want to have’, not ‘Someone else is saying Linux MUST have.'”
Eventually, a number of Linux distributions developed their own lockdown patches. For example, Ubuntu has shipped with a similar patch that ensures UEFI Secure Boot cannot be subverted. However, in 2018 an agreement was reached and development on the lockdown feature began in earnest. And with the lockdown patch in place, Torvalds noted it, “gets us much closer to not requiring external patches.”
Neutering the Root Account
The idea of effectively rendering the root account less capable of working with a system (on a kernel level), might be considered (to some) a disservice to Linux (and Linux administrators). However, in the realm of business, absolute security is a necessity — especially on machines that house sensitive business/customer data. When the root account is under a form of strict lockdown, malicious code would be significantly more challenging to run rampant on a system. This could lead to fewer data breaches. And because the kernel developers are making the lockdown feature “optional,” it is possible for enterprise admins to enable the feature on production machines that store such sensitive data. Conversely, on standard desktop machines (or developer machines) the feature can remain disabled.
Any administrator that has ever experienced a breach on a system will consider enabling lockdown as soon as it reaches the mainline kernel. Although the Linux kernel is one of the most secure on the market, by way of the root account a user could wreak havoc on a system. That root account is the primary means in which any Linux system is compromised. Once a bad actor claimed access to that account, there’s no limit to what they could do. That’s where the lockdown mode comes into play. When enabled, the root account would be prevented from making any change to kernel code, thereby neutering many attempts at hacking a system.
The lockdown mode should go a long way to adding a boost to kernel security, one that many businesses will welcome.