
Thread: What Do You Guys Think Of This New Kernel Lockdown Feature?

  1. #1

    What Do You Guys Think Of This New Kernel Lockdown Feature?

    There's a new feature that will be coming out on future versions of the Linux Kernel. What do you guys think of it?

  2. #2

    Re: What Do You Guys Think Of This New Kernel Lockdown Feature?

    The new feature will ship as an LSM (Linux Security Module) in the soon-to-be-released Linux kernel 5.4 branch, where it will be turned off by default; usage is optional due to the risk of breaking existing systems.
    As I understand it, the new feature's primary function will be to strengthen the divide between userland processes and kernel code by preventing even the root account from interacting with kernel code -- something that it has been able to do, by design, until now.
    As with all new kernel mods, I watch with curiosity. https://www.phoronix.com/scan.php?pa...el-Lockdown-PR
    Good read: https://lwn.net/ml/linux-kernel/2019...tt@google.com/
    Last edited by 1fallen; 2 Weeks Ago at 05:17 PM.
    With realization of one's own potential and self-confidence in one's ability, one can build a better world.
    Dalai Lama>>

  3. #3

    Re: What Do You Guys Think Of This New Kernel Lockdown Feature?

    Phoronix gave a really good summary of what it could do. Would something like this help, for example, to prevent those incredible banking cracks that get millions of people's account information stolen? Or what kind of threat exactly is the lockdown feature designed for?

    The one thing I'm glad about is that it is off by default. I don't know that I would be able to configure my hardware to run properly if Linux prevented stuff from accessing the hardware to do stuff... if that lockdown was on by default...

    As you can see, I am not a very technical end user, but at least I can see a potential for trouble for non-technical guys like me to build my own PCs and install my own operating systems if things that are beyond my technical abilities were locked down...

  4. #4

    Re: What Do You Guys Think Of This New Kernel Lockdown Feature?

    In my short tests, the goal of the lockdown mode is to prevent someone who has UID=0 ("root") in the kernel from being able to modify or tamper with it (ring0 / CPL0 access). This can be done through /dev/mem, kexec, or even by asking a PCI card or FireWire device to DMA into physical system memory. Basically, there are a lot of hooks to tamper with the kernel, and "lockdown" mode turns them off. (In a nutshell)
    With realization of one's own potential and self-confidence in one's ability, one can build a better world.
    Dalai Lama>>

  5. #5

    Re: What Do You Guys Think Of This New Kernel Lockdown Feature?

    This sounds like a feature geared more towards production machines. As just a home user I wonder if the extra security will be useful.

  6. #6

    Re: What Do You Guys Think Of This New Kernel Lockdown Feature?

    Why in the world wouldn't it be useful?
    And, production, hobbyist, home user: added security is always welcome. (At least here it is.)
    Do you access banks?
    Take what I say with a grain of salt; I monitor networks, and see things that would raise the hair on the back of your neck.
    And an old saying that goes like: "Failing to Plan is Planning to Fail"
    I think I understand your concerns, but it will be a configurable change:
    "none" results in no behavioural change, "integrity" enables features that prevent untrusted code from being run in ring 0, and "confidentiality" is a superset of "integrity" that also disables features that may be used to extract secret information from the kernel at runtime.
    Last edited by 1fallen; 2 Weeks Ago at 07:47 PM. Reason: added to
    With realization of one's own potential and self-confidence in one's ability, one can build a better world.
    Dalai Lama>>
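    A small POSIX shell helper, added here as an example and not from any poster or from the kernel project, for checking which of the three modes described above is active. It assumes a 5.4+ kernel that exposes the state through securityfs at /sys/kernel/security/lockdown (the file lists all modes and marks the active one in brackets) and that the mode can be chosen at boot with the lockdown= kernel parameter; the parsing functions take their input as arguments so they can be tried on constructed strings without a lockdown-capable kernel.

```shell
#!/bin/sh
# Added example: interpret the kernel lockdown state the 5.4+ LSM exposes via
# securityfs. Assumed file format: "none [integrity] confidentiality", with the
# active mode in brackets.

LOCKDOWN_FILE=/sys/kernel/security/lockdown

# Extract the bracketed (active) mode from the file's content.
# $1: content such as "[none] integrity confidentiality"
parse_lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Map a mode to what it implies, per the LSM description quoted in the thread.
# Returns 1 for a mode the LSM does not define.
describe_lockdown_mode() {
    case "$1" in
        none)            echo "no restriction: root keeps ring 0 reach via /dev/mem, kexec, DMA-capable devices" ;;
        integrity)       echo "untrusted code cannot be run in ring 0" ;;
        confidentiality) echo "integrity, plus interfaces that could extract kernel secrets are disabled" ;;
        *)               echo "unknown mode: '$1'"; return 1 ;;
    esac
}

# Read the live state. Fails when the kernel lacks the LSM or securityfs is
# not mounted, so callers can tell "none" apart from "not available".
current_lockdown_mode() {
    [ -r "$LOCKDOWN_FILE" ] || return 1
    parse_lockdown_mode "$(cat "$LOCKDOWN_FILE")"
}

# Mode requested at boot via the lockdown= kernel parameter (last one wins).
# $1: kernel command line text, e.g. the content of /proc/cmdline
cmdline_lockdown_mode() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^lockdown=//p' | tail -n 1
}

if mode=$(current_lockdown_mode); then
    echo "lockdown mode: $mode"
    describe_lockdown_mode "$mode" || true
else
    echo "lockdown state unavailable (no lockdown LSM, or securityfs not mounted)"
fi
```

    Writing a stricter mode name into the file raises the level for the running kernel only; it cannot be lowered again without a reboot, which is why the boot parameter is the normal way to pick a mode.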

  7. #7

    Re: What Do You Guys Think Of This New Kernel Lockdown Feature?

    Quote Originally Posted by cruzer001 View Post
    This sounds like a feature geared more towards production machines. As just a home user I wonder if the extra security will be useful.
    it depends if you are interesting as a target. you might be, some day, if not already. as i am building production tools, i am, at least a bit.
    YouTube/Google still does not put their ads between songs like radio stations do, so, I am boycotting their advertisers.

  8. #8

    Re: What Do You Guys Think Of This New Kernel Lockdown Feature?

    Quote Originally Posted by 1fallen View Post
    Do you access banks?
    no!
    YouTube/Google still does not put their ads between songs like radio stations do, so, I am boycotting their advertisers.

  9. #9

    Re: What Do You Guys Think Of This New Kernel Lockdown Feature?

    Quote Originally Posted by 1fallen View Post
    "none" results in no behavioural change, "integrity" enables features that prevent untrusted code from being run in ring 0, and "confidentiality" is a superset of "integrity" that also disables features that may be used to extract secret information from the kernel at runtime.
    Ok, that got my attention

    Guess we will see this in 20.04

  10. #10

    Re: What Do You Guys Think Of This New Kernel Lockdown Feature?

    Quote Originally Posted by cruzer001 View Post
    Ok, that got my attention
    what mode will you set your kernel to?

    Quote Originally Posted by cruzer001 View Post
    Guess we will see this in 20.04
    i'm looking forward to shaking out more poorly designed hacks of softwarez.
    YouTube/Google still does not put their ads between songs like radio stations do, so, I am boycotting their advertisers.
