袙 褟写褉械 Linux 胁褘褟胁谢械薪邪 褍褟蟹胁懈屑芯褋褌褜 (CVE-2022-21505), 锌芯蟹胁芯谢褟褞褖邪褟 谢械谐泻芯 芯斜芯泄褌懈 屑械褏邪薪懈蟹屑 蟹邪褖懈褌褘 Lockdown, 泻芯褌芯褉褘泄 芯谐褉邪薪懈褔懈胁邪械褌 写芯褋褌褍锌 锌芯谢褜蟹芯胁邪褌械谢褟 root 泻 褟写褉褍 懈 斜谢芯泻懈褉褍械褌 锌褍褌懈 芯斜褏芯写邪 UEFI Secure Boot. 袛谢褟 芯斜褏芯写邪 锌褉械写谢邪谐邪械褌褋褟 懈褋锌芯谢褜蟹芯胁邪褌褜 锌芯写褋懈褋褌械屑褍 褟写褉邪 IMA (Integrity Measurement Architecture), 锌褉械写薪邪蟹薪邪褔械薪薪褍褞 写谢褟 锌褉芯胁械褉泻懈 褑械谢芯褋褌薪芯褋褌懈 泻芯屑锌芯薪械薪褌芯胁 芯锌械褉邪褑懈芯薪薪芯泄 褋懈褋褌械屑褘 锌芯 褑懈褎褉芯胁褘屑 锌芯写锌懈褋褟屑 懈 褏褝褕邪屑.
袙 褉械卸懈屑械 lockdown 芯谐褉邪薪懈褔懈胁邪械褌褋褟 写芯褋褌褍锌 泻 /dev/mem, /dev/kmem, /dev/port, /proc/kcore, debugfs, 芯褌谢邪写芯褔薪芯屑褍 褉械卸懈屑褍 kprobes, mmiotrace, tracefs, BPF, PCMCIA CIS (Card Information Structure), 薪械泻芯褌芯褉褘屑 懈薪褌械褉褎械泄褋邪屑 ACPI 懈 MSR-褉械谐懈褋褌褉邪屑 CPU, 斜谢芯泻懈褉褍褞褌褋褟 胁褘蟹芯胁褘 kexec_file 懈 kexec_load, 蟹邪锌褉械褖邪械褌褋褟 锌械褉械褏芯写 胁 褋锌褟褖懈泄 褉械卸懈屑, 谢懈屑懈褌懈褉褍械褌褋褟 懈褋锌芯谢褜蟹芯胁邪薪懈械 DMA 写谢褟 PCI-褍褋褌褉芯泄褋褌胁, 蟹邪锌褉械褖邪械褌褋褟 懈屑锌芯褉褌 泻芯写邪 ACPI 懈蟹 锌械褉械屑械薪薪褘褏 EFI, 薪械 写芯锌褍褋泻邪褞褌褋褟 屑邪薪懈锌褍谢褟褑懈懈 褋 锌芯褉褌邪屑懈 胁胁芯写邪/胁褘胁芯写邪, 胁 褌芯屑 褔懈褋谢械 懈蟹屑械薪械薪懈械 薪芯屑械褉邪 锌褉械褉褘胁邪薪懈褟 懈 锌芯褉褌邪 胁胁芯写邪/胁褘胁芯写邪 写谢褟 锌芯褋谢械写芯胁邪褌械谢褜薪芯谐芯 锌芯褉褌邪.
小褍褌褜 褍褟蟹胁懈屑芯褋褌懈 胁 褌芯屑, 褔褌芯 锌褉懈 懈褋锌芯谢褜蟹芯胁邪薪懈懈 蟹邪谐褉褍蟹芯褔薪芯谐芯 锌邪褉邪屑械褌褉邪 芦ima_appraise=log禄, 写芯锌褍褋泻邪械褌褋褟 胁褘蟹芯胁 kexec 写谢褟 蟹邪谐褉褍蟹泻懈 薪芯胁芯泄 泻芯锌懈懈 褟写褉邪, 械褋谢懈 胁 褋懈褋褌械屑械 薪械 邪泻褌懈胁械薪 褉械卸懈屑 Secure Boot 懈 褉械卸懈屑 Lockdown 懈褋锌芯谢褜蟹褍械褌褋褟 芯斜芯褋芯斜谢械薪薪芯 芯褌 薪械谐芯. IMA 薪械写芯锌褍褋泻邪械褌 胁泻谢褞褔械薪懈械 褉械卸懈屑邪 芦ima_appraise禄 锌褉懈 邪泻褌懈胁薪芯屑 Secure Boot, 薪芯 薪械 褍褔懈褌褘胁邪械褌 胁芯蟹屑芯卸薪芯褋褌褜 懈褋锌芯谢褜蟹芯胁邪薪懈褟 Lockdown 芯褌写械谢褜薪芯 芯褌 Secure Boot.
诪拽讜专: opennet.ru