Matthew Garrett has posted an overview of the kernel lockdown capability merged in 5.4. "If you verify your boot chain but allow root to modify that kernel, the benefits of the verified boot chain are significantly reduced. Even if root can't modify the on-disk kernel, root can just hot-patch the kernel and then make this persistent by dropping a binary that repeats the process on system boot.
Lockdown is intended as a mechanism to avoid that, by providing an optional policy that closes off interfaces that allow root to modify the kernel."
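As an added example (not part of Garrett's post or the kernel tree), here is a small POSIX shell check of whether the policy he describes is actually being enforced on a running system. Since 5.4 the kernel exposes the active mode through securityfs as a line of the form `none [integrity] confidentiality`, with the bracketed word being the enforced mode; the path and the parsing of that format are the only assumptions, and the fallback sample line is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: report the lockdown mode the running kernel enforces.
# The securityfs file (assumed path, as exposed by 5.4+) reads like:
#   none [integrity] confidentiality
# where the bracketed word is the active policy.

LOCKDOWN_FILE=/sys/kernel/security/lockdown

# parse_lockdown_mode LINE -> prints the bracketed mode, or "unknown"
# if the line carries no bracketed word.
parse_lockdown_mode() {
    mode=$(printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p')
    if [ -n "$mode" ]; then
        printf '%s\n' "$mode"
    else
        printf 'unknown\n'
    fi
}

# lockdown_active MODE -> succeeds when the policy closes the interfaces
# root could otherwise use to patch the running kernel.
lockdown_active() {
    case "$1" in
        integrity|confidentiality) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample so the script runs on a machine without securityfs;
# on a real 5.4+ kernel the file above is read instead.
SAMPLE='none [integrity] confidentiality'

if [ -r "$LOCKDOWN_FILE" ]; then
    line=$(cat "$LOCKDOWN_FILE")
else
    line=$SAMPLE
fi

mode=$(parse_lockdown_mode "$line")
if lockdown_active "$mode"; then
    echo "lockdown: $mode (root is blocked from hot-patching the running kernel)"
else
    echo "lockdown: $mode (root can still modify the kernel; the verified boot chain buys little)"
fi
```

Run it as any user; the file is world-readable. A result of `none` on a system that verifies its boot chain is exactly the gap the quoted text describes, since the persistence trick (hot-patch the kernel, re-do it from a boot-time binary) remains open to root.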
More like this:
Matthew Garrett recently posted a patch set enabling hibernation on systems that are running in the UEFI secure-boot lockdown mode. This blog entry gets into the details of how it all works. "When we encrypt material with the TPM, we can ask it to record the PCR state. This is given back to us as metadata accompanying the encrypted secret. Along with the metadata...
For those who are into the details: here is a step-by-step guide through the process of decompressing an Arm kernel and getting ready to boot from Linus Walleij. "Next the decompression code sets up a page table, if it is possible to fit one over the whole uncompressed+compressed kernel image. The page table is not for virtual memory, but for enabling cache, which is...
The idea behind kernel address-space layout randomization (KASLR) is to make it harder for attackers to find code and data of interest to use in their attacks by loading the kernel at a random location. But a single random offset is used for the placement of the kernel text, which presents a weakness: if the offset can be determined for anything within the kernel,...