The Linux 5.4 kernel will receive patches restricting root access to kernel internals

Linus Torvalds has accepted into the upcoming Linux 5.4 kernel release a set of "lockdown" patches, prepared by David Howells (Red Hat) and Matthew Garrett (Google), that restrict the root user's access to the kernel. The lockdown functionality is implemented as an optionally loaded LSM (Linux Security Module) that places a barrier between UID 0 and the kernel, prohibiting certain low-level operations.

If an attacker achieves code execution with root privileges, they can go on to execute code at the kernel level, for example by replacing the kernel via kexec or by reading and writing kernel memory through /dev/kmem. The most obvious consequences of such activity are bypassing UEFI Secure Boot and retrieving sensitive data held at the kernel level.

Initially, the root restriction functionality was developed in the context of strengthening verified boot, and distributions have for some time shipped third-party patches to block UEFI Secure Boot bypasses. At the same time, these restrictions were not merged into the mainline kernel because of disagreements over their implementation and fears of breaking existing systems. The "lockdown" module absorbs the patches already used by distributions, reworked into a separate subsystem that is not tied to UEFI Secure Boot.

Lockdown mode restricts access to /dev/mem, /dev/kmem, /dev/port, /proc/kcore, debugfs, the kprobes debug mode, mmiotrace, tracefs, BPF, PCMCIA CIS (Card Information Structure), some ACPI interfaces and CPU MSR registers; the kexec_file and kexec_load calls are blocked, sleep mode is prohibited, the use of DMA for PCI devices is limited, importing ACPI code from EFI variables is prohibited, and manipulation of I/O ports is not allowed, including changing the interrupt number and I/O port of the serial port.

By default the lockdown module is inactive. It is built when the SECURITY_LOCKDOWN_LSM option is set in kconfig and is activated through the kernel parameter "lockdown=", the control file "/sys/kernel/security/lockdown" or the build options LOCK_DOWN_KERNEL_FORCE_*, which can take the values "integrity" and "confidentiality". In the first case, features that would allow the running kernel to be modified from user space are blocked; in the second, functionality that could be used to extract sensitive data from the kernel is disabled as well.
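As an added illustration (not code from the article or from the kernel project), the following Python helper reads the active mode from the /sys/kernel/security/lockdown control file and the "lockdown=" boot parameter described above and checks it against a required level; the sample file contents used as offline fallbacks are constructed.

```python
"""Audit helper for the Linux kernel lockdown LSM state (constructed example).

The sysfs file lists the modes with the active one in brackets, e.g.
'none [integrity] confidentiality'; the boot parameter is 'lockdown=<mode>'.
"""
import re
import shlex
from typing import Optional

LOCKDOWN_SYSFS = "/sys/kernel/security/lockdown"
CMDLINE = "/proc/cmdline"

# Ordered from weakest to strictest; each level implies the previous ones.
LEVELS = ("none", "integrity", "confidentiality")


def parse_sysfs_mode(text: str) -> str:
    """Return the bracketed (active) mode from the sysfs file content."""
    m = re.search(r"\[([a-z]+)\]", text)
    if not m or m.group(1) not in LEVELS:
        raise ValueError(f"unrecognised lockdown state: {text!r}")
    return m.group(1)


def parse_cmdline_mode(cmdline: str) -> Optional[str]:
    """Return the mode requested via the lockdown= boot parameter, if valid."""
    for arg in shlex.split(cmdline):
        if arg.startswith("lockdown="):
            value = arg.split("=", 1)[1]
            return value if value in LEVELS else None
    return None


def meets_requirement(active: str, required: str) -> bool:
    """True if the active mode is at least as strict as the required one."""
    return LEVELS.index(active) >= LEVELS.index(required)


def read_text(path: str, fallback: str) -> str:
    """Read a file, falling back to constructed sample text if it is absent."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return fallback


def audit(required: str = "integrity") -> dict:
    sysfs = read_text(LOCKDOWN_SYSFS, "none [integrity] confidentiality\n")
    cmdline = read_text(CMDLINE, "BOOT_IMAGE=/vmlinuz lockdown=integrity quiet\n")
    active = parse_sysfs_mode(sysfs)
    return {"active": active, "requested": parse_cmdline_mode(cmdline),
            "compliant": meets_requirement(active, required)}


if __name__ == "__main__":
    print(audit())
```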

It is important to note that lockdown only restricts regular access to the kernel; it does not protect against modifications made by exploiting vulnerabilities. To block changes to the running kernel made through exploits, the Openwall project is developing a separate module, LKRG (Linux Kernel Runtime Guard).

Source: opennet.ru