Andrey Konovalov from Google
Lockdown restricts root's access to the kernel and blocks paths for bypassing UEFI Secure Boot. For example, lockdown mode restricts access to /dev/mem, /dev/kmem, /dev/port, /proc/kcore, debugfs, the kprobes debug mode, mmiotrace, tracefs, BPF, PCMCIA CIS (Card Information Structure), some ACPI interfaces and CPU MSR registers; blocks the kexec_file and kexec_load calls; prohibits sleep mode; limits the use of DMA for PCI devices; prohibits importing ACPI code from EFI variables; and does not allow manipulation of I/O ports, including changing the interrupt number and the I/O port of the serial port.
The Lockdown mechanism was recently added to the mainline Linux kernel.
In Ubuntu and Fedora, the key combination Alt+SysRq+X is provided to disable Lockdown. The assumption is that Alt+SysRq+X can only be used with physical access to the device, so that after a remote compromise that yields root access, the attacker cannot disable Lockdown and, for example, load an unsigned module containing a rootkit into the kernel.
Andrey Konovalov showed that keyboard-based methods of confirming the user's physical presence are ineffective. The easiest way to disable Lockdown would be programmatically
The first method involves using the "sysrq-trigger" interface: to simulate the key press, it is enough to enable this interface by writing "1" to /proc/sys/kernel/sysrq, and then write "x" to /proc/sysrq-trigger. Specified loophole
The second method is related to keyboard emulation through
Source: opennet.ru
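
A defender-side check of the two settings the first method relies on, the lockdown state and the kernel.sysrq value, added here as an example that is not part of the original article. It assumes the mainline securityfs file /sys/kernel/security/lockdown, which marks the active mode in brackets; the function names and verdict strings are hypothetical, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the article): report lockdown and SysRq state together.
# Assumption: /sys/kernel/security/lockdown holds e.g. "none [integrity] confidentiality",
# with the active mode in brackets. Distribution kernels may expose this differently.

# Print the active lockdown mode from the file content, or "unknown".
lockdown_mode() {
    mode=$(printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p')
    printf '%s\n' "${mode:-unknown}"
}

# Classify a kernel.sysrq value: 0 = off, 1 = all functions, other number = bitmask.
sysrq_state() {
    case "$1" in
        0) echo disabled ;;
        1) echo all ;;
        ''|*[!0-9]*) echo unknown ;;
        *) echo bitmask ;;
    esac
}

# Combine both readings into one verdict line.
# $1 = content of the lockdown file, $2 = content of /proc/sys/kernel/sysrq
assess() {
    lm=$(lockdown_mode "$1"); sq=$(sysrq_state "$2")
    case "$lm:$sq" in
        unknown:*)  echo "REVIEW lockdown state not readable" ;;
        none:*)     echo "INFO lockdown not active" ;;
        *:disabled) echo "OK lockdown=$lm sysrq=disabled" ;;
        *:unknown)  echo "REVIEW lockdown=$lm sysrq value not readable" ;;
        *)          echo "WARN lockdown=$lm sysrq=$sq (compare with baseline)" ;;
    esac
}

# Live check; an unreadable file yields an empty string and a REVIEW verdict.
audit_host() {
    assess "$(cat /sys/kernel/security/lockdown 2>/dev/null)" \
           "$(cat /proc/sys/kernel/sysrq 2>/dev/null)"
}

# Constructed sample inputs, so the logic can be exercised offline.
assess "none [integrity] confidentiality" 1
assess "none [integrity] confidentiality" 0
assess "[none] integrity confidentiality" 176
```

Because root can change kernel.sysrq at any time, the verdict describes the state at the moment of the check; run `audit_host` periodically and treat a change from the recorded baseline as the signal.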