LINUX: Kernel lockdown proposed for inclusion in the main branch

After years of work, the patches for the so-called kernel lockdown have been proposed for inclusion in the main branch of Linux. Now it is up to chief developer Torvalds to implement this for the upcoming version.

LINUX News - Kernel lockdown proposed for inclusion in the main branch

Maintainer James Morris, who is responsible for the security kernel of the Linux kernel, has proposed the kernel lockdown code for inclusion in the main branch. The feature could thus be part of the upcoming Linux version 5.4, which should appear in mid-November. Previously, the patches had already been entered into a testing branch.

Whether the code is actually recorded, depends only on chief developer Linus Torvalds, who is responsible for the main branch. This may well be a matter of form, since the Linux developer community has been discussing about such a technique for about seven years, according to the developer Matthew Garrett points, who was last responsible for the patches.

The goal of the patches is that the current kernel can not be permanently changed by an attacker by simply preventing access to certain kernel interfaces. This even goes so far as to partially separate the root user (UID-0) from the running kernel with its system privileges (Ring-0). Such a separation does not exist so far. Many distributors already rely on similar, own implementations. But with the lockdown patches in the main branch, the technique can be unified.

About a year and a half ago, a revision of the patches caused even clear criticism from some developers. Main point of criticism at that time was the linking of the function with UEFI Secure Boot. Garrett had taken over the work on the patches, among other things, to respond to the then expressed criticism. In the meantime, kernel lockdown has been reworked independently of UEFI Secure Boot and, moreover, as a so-called Linux Security Module (LSM).