The Linux 5.4 kernel merge window is set to close this weekend and, as of writing, Linus Torvalds has still not decided whether to accept the kernel "lockdown" functionality for this release.
The Linux Lockdown functionality is about restricting access to the underlying hardware, and to kernel features, that could be used to modify the running kernel image. Aimed particularly at security-conscious users and at deployments such as UEFI SecureBoot, this lockdown functionality is opt-in and really limits the bits of the running kernel that can be touched. Among the limitations enforced in this lock-down mode are preventing hibernation support, blocking kernel module parameters that manipulate hardware settings, restricting access to CPU MSRs, blocking writes to /dev/mem even when root, and a variety of other safeguards.
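As an added example (not part of the article, and not code from the lockdown patch series itself), here is a small POSIX shell check that reports which lockdown mode a running kernel is in. It assumes the securityfs interface that the lockdown LSM exposes at /sys/kernel/security/lockdown, which prints the available modes with the active one in square brackets (for example "[none] integrity confidentiality"); the sample status line in the script is constructed.

```shell
#!/bin/sh
# Added example: report the kernel lockdown mode so an administrator can
# confirm whether /dev/mem writes, MSR access, hibernation and similar
# paths are actually restricted on this machine.
#
# Assumption: the lockdown LSM exposes its state via securityfs at
# /sys/kernel/security/lockdown as a line such as
#   "[none] integrity confidentiality"
# where the bracketed token is the active mode.

DEFAULT_LOCKDOWN_FILE=/sys/kernel/security/lockdown

# parse_lockdown_mode STATUS_LINE
# Prints the bracketed (active) mode from a status line, or "unknown"
# (with a non-zero exit status) if no bracketed token is present.
parse_lockdown_mode() {
    line="$1"
    for tok in $line; do
        case "$tok" in
            \[*\])
                tok="${tok#?}"   # strip the leading '['
                tok="${tok%?}"   # strip the trailing ']'
                printf '%s\n' "$tok"
                return 0
                ;;
        esac
    done
    printf 'unknown\n'
    return 1
}

# lockdown_status [FILE]
# Reads the live securityfs file (or FILE, if given) and prints the active
# mode; prints "unsupported" when the interface is not present, which is
# what you see on kernels built without the lockdown LSM.
lockdown_status() {
    file="${1:-$DEFAULT_LOCKDOWN_FILE}"
    if [ -r "$file" ]; then
        parse_lockdown_mode "$(cat "$file")"
    else
        printf 'unsupported\n'
    fi
}

# Constructed sample of the file's contents on a kernel booted in
# integrity mode; used only for illustration and self-testing.
SAMPLE_STATUS='none [integrity] confidentiality'

main() {
    mode=$(lockdown_status)
    printf 'kernel lockdown mode: %s\n' "$mode"
    case "$mode" in
        none)
            printf 'note: lockdown is not active; root can still write /dev/mem and access MSRs\n'
            ;;
        unsupported)
            printf 'note: this kernel does not expose the lockdown securityfs interface\n'
            ;;
    esac
    printf 'constructed sample "%s" parses as: %s\n' \
        "$SAMPLE_STATUS" "$(parse_lockdown_mode "$SAMPLE_STATUS")"
}

main "$@"
```

Run it as root (securityfs is normally mounted at /sys/kernel/security and may not be readable by unprivileged users). In "integrity" mode the kernel blocks the paths that could alter the running kernel image; "confidentiality" additionally blocks paths that could read kernel memory, so a reported mode of "none" or "unsupported" means the safeguards described above are not in force.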
The patches have gone through 40 rounds of review and previously didn’t make it to the mainline kernel though some distribution vendor kernels do carry patches in various forms.
At the onset of the Linux 5.4 merge window, the latest lockdown pull request was sent in. Since then it has been silent, until today, when Torvalds finally provided some clarification.
In response to longtime kernel developer Jiri Kosina of SUSE asking whether it would be merged or dropped for good, Torvalds provided some clarification: he intends to look through the work patch by patch, but he hasn't yet had the time to do so.
We’ll see if he has the time this weekend to decide on accepting lockdown or if it’s something that he either is going to reject or defer until a later kernel.