
Ensure kernel_lockdown is enabled and active

Open q3k opened this issue 3 years ago • 2 comments

man 7 kernel_lockdown

This is tangentially related to enabling Secure Boot, but we should do it as early as possible - even if we don't sign things and have module loading disabled.

q3k avatar Feb 22 '22 13:02 q3k

It looks like this feature is already enabled in an appropriate way:

```
fd16651a third_party/linux/linux-smalltown.config    (Lorenz Brun    2020-04-01 17:29:45 +0200 3503) CONFIG_SECURITY_LOCKDOWN_LSM=y
fd16651a third_party/linux/linux-smalltown.config    (Lorenz Brun    2020-04-01 17:29:45 +0200 3504) # CONFIG_SECURITY_LOCKDOWN_LSM_EARLY is not set
fd16651a third_party/linux/linux-smalltown.config    (Lorenz Brun    2020-04-01 17:29:45 +0200 3532) CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"
```

msgctl avatar Mar 29 '22 10:03 msgctl

Since we need module loading now, we have to also implement module signing

fionera avatar Jan 11 '24 11:01 fionera
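
The issue title asks for lockdown to be both enabled and active, which are separate checks: the build config shows whether the LSM is compiled in, while `/sys/kernel/security/lockdown` marks the mode currently in force with brackets. The script below is an added example, not code from this thread or from the Monogon repository; its function names are hypothetical, the sample config is the three lines quoted in the comment above, and the sample securityfs value is constructed.

```shell
#!/bin/sh
# Added example: distinguish "lockdown compiled in" from "lockdown active".

# Print the bracketed (active) mode from the securityfs file content,
# e.g. "[none] integrity confidentiality" -> "none".
lockdown_active_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Succeed if option $2 is set to y in kernel config text $1.
config_enabled() {
    printf '%s\n' "$1" | grep -qx "$2=y"
}

# Mode the kernel boots into according to config text $1 (Kconfig FORCE_* choice).
lockdown_build_default() {
    if config_enabled "$1" CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY; then
        echo confidentiality
    elif config_enabled "$1" CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY; then
        echo integrity
    else
        echo none
    fi
}

# Combine config text ($1) with securityfs content ($2) into one verdict.
lockdown_verdict() {
    config_enabled "$1" CONFIG_SECURITY_LOCKDOWN_LSM || { echo "not-built"; return; }
    mode=$(lockdown_active_mode "$2")
    case "$mode" in
        integrity|confidentiality) echo "active:$mode" ;;
        none) echo "built-but-inactive" ;;
        *) echo "unknown" ;;
    esac
}

# Sample inputs: config lines from the comment above; state value is constructed.
SAMPLE_CONFIG='CONFIG_SECURITY_LOCKDOWN_LSM=y
# CONFIG_SECURITY_LOCKDOWN_LSM_EARLY is not set
CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"'
SAMPLE_STATE='[none] integrity confidentiality'

echo "sample: $(lockdown_verdict "$SAMPLE_CONFIG" "$SAMPLE_STATE")"

# On a running system, report the live state if securityfs exposes it.
if [ -r /sys/kernel/security/lockdown ]; then
    echo "live: $(lockdown_active_mode "$(cat /sys/kernel/security/lockdown)")"
fi
```

A `built-but-inactive` result means a mode still has to be selected, either with the `lockdown=` kernel parameter or by writing to the securityfs file, both described in `man 7 kernel_lockdown`.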