After a long discussion, review and code rewriting, Linus Torvalds has finally agreed to add the kernel “lockdown” security feature to Linux kernel 5.4. The feature is optional and will be available as a Linux security module in the upcoming 5.4 release. It brings a major change in how user space is allowed to interact with the Linux kernel.
What is the kernel lockdown feature in Linux? It was proposed by Google engineer Matthew Garrett in 2010. The main idea is to “allow the kernel to lock itself down in the early stages of the boot process”. The primary goal is to prevent the root account from tampering with kernel code, thereby drawing a clear boundary between user-mode processes and kernel code.
By default, the kernel lockdown feature is disabled. When it is enabled, however, even the root account cannot access certain kernel features, which protects the operating system from a compromised or malicious root account.
Some of the restrictions imposed by the “lockdown” feature include preventing the system from entering certain sleep states, preventing writes to /dev/mem (even for the root account), blocking access to CPU MSRs, and so on.
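Administrators who enable this feature usually want to verify that it is actually active. The following added example (not from the article) reports the running kernel's lockdown mode; it assumes the lockdown LSM exposes the file /sys/kernel/security/lockdown, whose contents look like “[none] integrity confidentiality” with the active mode in brackets.

```shell
# Added example, not part of the original article.
# Assumption: the lockdown LSM exposes /sys/kernel/security/lockdown (Linux 5.4+)
# with contents such as "[none] integrity confidentiality"; the bracketed word is
# the mode currently enforced.
LOCKDOWN_FILE="/sys/kernel/security/lockdown"

# Extract the bracketed (active) mode from the text of the lockdown file.
parse_lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Order the modes so they can be compared: none < integrity < confidentiality.
# Anything else (including "unsupported") gets -1.
lockdown_rank() {
    case "$1" in
        none) echo 0 ;;
        integrity) echo 1 ;;
        confidentiality) echo 2 ;;
        *) echo -1 ;;
    esac
}

# Succeed when mode $1 is at least as strict as the required mode $2.
lockdown_satisfies() {
    have_rank="$(lockdown_rank "$1")"
    want_rank="$(lockdown_rank "$2")"
    [ "$want_rank" -ge 0 ] && [ "$have_rank" -ge "$want_rank" ]
}

# Read the live file if present; report "unsupported" on kernels without the LSM.
lockdown_mode() {
    if [ -r "$LOCKDOWN_FILE" ]; then
        parse_lockdown_mode "$(cat "$LOCKDOWN_FILE")"
    else
        echo unsupported
    fi
}

# Usage: check_lockdown integrity  -> exit 0 if the kernel enforces at least "integrity"
check_lockdown() {
    mode="$(lockdown_mode)"
    echo "kernel lockdown mode: $mode"
    lockdown_satisfies "$mode" "$1"
}
```

Run `check_lockdown integrity` from a boot or compliance script to fail when the restrictions described above are not in effect.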
It is worth mentioning that when Matthew Garrett first proposed this feature, Linus Torvalds was one of its critics. Matthew Garrett subsequently led many rounds of discussion, review and code rewriting to ensure that the feature does not adversely affect the kernel.