Upstreamed to the Linux kernel back in 2019 was the Lockdown security module, which provides opt-in hardware/kernel security restrictions. Getting it into the mainline kernel was a difficult and contentious process, and shortly after it was merged the module was left without any formal maintainer. Now, to help renew this Linux security module, two developers have stepped up to take over maintainership of Lockdown.
Since Lockdown was mainlined six years ago, new attack vectors and bypass bugs have emerged for this security module, which is typically paired with UEFI Secure Boot to fend off unauthorized or unintended modifications to the running kernel image. Lockdown-protected environments restrict direct access to interfaces such as /dev/mem and to features like BPF. Lockdown also blocks various kernel module parameters that affect hardware behavior, prohibits direct PCI BAR access and modification of x86 MSRs, and more. Thankfully there are now two maintainers taking over the stewardship of Lockdown for those wishing to run in this locked-down Linux environment.
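As an added example, not from the article or from the kernel tree, the shell script below shows how an administrator can check which Lockdown mode a running system is in and which of the interface classes listed above are blocked in that mode. It reads the upstream securityfs file /sys/kernel/security/lockdown (which brackets the active mode, e.g. `none [integrity] confidentiality`) and /proc/cmdline; the mapping of interfaces to the weakest mode that blocks them goes slightly beyond the article by distinguishing the two Lockdown modes, integrity (blocks writes that could alter the kernel) and confidentiality (additionally blocks reads that could leak kernel memory). The interface names used as keys (`dev_mem`, `msr`, ...) are this example's own labels, not kernel identifiers.

```shell
#!/bin/sh
# Added example: inspect the Lockdown LSM state on a running Linux system.
# Assumes only the upstream paths /sys/kernel/security/lockdown and /proc/cmdline.

# The securityfs file lists every mode and brackets the active one, e.g.
#   none [integrity] confidentiality
# parse_lockdown_mode extracts the bracketed word from such a line.
parse_lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Map the interface classes the article mentions to the weakest Lockdown
# mode that blocks them (keys are this example's own labels).
#   integrity:       operations that could modify the running kernel image
#   confidentiality: additionally, operations that could read kernel memory
lockdown_level_for() {
    case "$1" in
        dev_mem|module_param|pci_bar|msr|unsigned_module|bpf_write_user) echo integrity ;;
        bpf_read_kernel|kcore|kprobes) echo confidentiality ;;
        *) echo unknown; return 1 ;;
    esac
}

# lockdown_blocks MODE IFACE: returns 0 if MODE blocks IFACE, 1 otherwise.
lockdown_blocks() {
    mode=$1
    iface=$2
    need=$(lockdown_level_for "$iface") || return 1
    case "$mode:$need" in
        integrity:integrity|confidentiality:integrity|confidentiality:confidentiality) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads the live state; fails cleanly when the LSM is not built in or
# securityfs is not mounted. LOCKDOWN_SYSFS can override the path for testing.
current_lockdown_mode() {
    f=${LOCKDOWN_SYSFS:-/sys/kernel/security/lockdown}
    if [ ! -r "$f" ]; then
        echo "lockdown LSM not available ($f missing or unreadable)" >&2
        return 1
    fi
    parse_lockdown_mode "$(cat "$f")"
}

# Human-readable report: active mode, the lockdown= boot parameter if any,
# and the blocked/allowed status of each interface class.
lockdown_report() {
    mode=$(current_lockdown_mode) || return 1
    echo "active lockdown mode: $mode"
    grep -o 'lockdown=[a-z]*' /proc/cmdline 2>/dev/null | sed 's/^/kernel cmdline: /'
    for iface in dev_mem module_param pci_bar msr bpf_write_user bpf_read_kernel kcore kprobes; do
        if lockdown_blocks "$mode" "$iface"; then
            echo "  $iface: blocked"
        else
            echo "  $iface: allowed"
        fi
    done
}

# Usage: sh lockdown-check.sh --report
if [ "${1:-}" = "--report" ]; then
    lockdown_report
fi
```

Running the script with `--report` on a Secure Boot system that booted with `lockdown=integrity` prints the active mode and shows /dev/mem, MSR and PCI BAR access as blocked while BPF kernel reads, /proc/kcore and kprobes remain allowed; only `lockdown=confidentiality` (or writing `confidentiality` to the securityfs file, which can raise but never lower the level) closes those read paths too.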
Xiu Jianfeng of Huawei and Nicolas Bouchinet of the government of France have stepped up to maintain Lockdown in the upstream kernel.
The Lockdown merge to Linux 6.17 explains:
“Add Nicolas Bouchinet and Xiu Jianfeng as Lockdown maintainers
The Lockdown LSM has been without a dedicated maintainer since its original acceptance upstream, and it has suffered as a result. Thankfully we have two new volunteers who together I believe have the background and desire to help ensure Lockdown is properly supported.”
Here’s to the continued success of Lockdown moving forward.