Vulnerability in the Linux kernel that allows bypassing Lockdown mode restrictions

A vulnerability (CVE-2022-21505) has been identified in the Linux kernel that makes it possible to bypass the Lockdown protection mechanism, which limits user access to the kernel and blocks UEFI Secure Boot bypass paths. The proposed bypass uses the IMA (Integrity Measurement Architecture) kernel subsystem, which is designed to verify the integrity of operating system components using digital signatures and hashes.

Lockdown mode restricts access to /dev/mem, /dev/kmem, /dev/port, /proc/kcore, debugfs, kprobes debug mode, mmiotrace, tracefs, BPF, PCMCIA CIS (Card Information Structure), some ACPI interfaces and CPU MSR registers. The kexec_file and kexec_load calls are blocked, hibernation is prohibited, DMA use for PCI devices is restricted, importing ACPI code from EFI variables is not allowed, and manipulation of I/O ports is not allowed, including changing the interrupt number and I/O port of the serial port.

The essence of the vulnerability is that when the boot parameter "ima_appraise=log" is used, kexec can be called to load a new copy of the kernel if Secure Boot mode is not active on the system and Lockdown mode is used separately from it. IMA does not allow the "ima_appraise" mode to be enabled when Secure Boot is active, but it does not take into account that Lockdown can be used separately from Secure Boot.
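A defender-side check for the combination described above, as an added example that is not part of the original article: it reports when `ima_appraise=log` is on the kernel command line while Lockdown is active and Secure Boot is off. The function names and the sample command line are constructed for illustration; the `/proc`, securityfs and efivarfs paths are the standard kernel interfaces.

```shell
#!/bin/sh
# Added example: flag hosts where Lockdown is on, Secure Boot is off and
# ima_appraise=log is on the kernel command line (the CVE-2022-21505 setup).

# Active mode from /sys/kernel/security/lockdown text,
# e.g. "none [integrity] confidentiality" -> integrity.
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p'
}

# Value of ima_appraise= on a kernel command line
# (last occurrence if repeated; empty if absent).
ima_appraise_value() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^ima_appraise=//p' | tail -n 1
}

# Args: cmdline, lockdown file text, Secure Boot state (1 = enabled, else off).
# Returns 0 when the combination described in the article is present.
lockdown_bypass_exposed() {
    [ "$(ima_appraise_value "$1")" = "log" ] || return 1
    mode=$(lockdown_mode "$2")
    [ -n "$mode" ] && [ "$mode" != "none" ] || return 1
    [ "$3" != "1" ]
}

# Read the three inputs from the running system and report.
check_live() {
    sb=0
    var=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
    # efivarfs files start with 4 attribute bytes; byte 5 is the SecureBoot value.
    [ -r "$var" ] && sb=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')
    if lockdown_bypass_exposed "$(cat /proc/cmdline)" \
        "$(cat /sys/kernel/security/lockdown 2>/dev/null)" "$sb"; then
        echo "EXPOSED: Lockdown active without Secure Boot and ima_appraise=log set"
    else
        echo "OK: risky combination not present"
    fi
}

# Constructed sample (not from a real host) so the script runs anywhere.
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro lockdown=integrity ima_appraise=log'
if [ "${1:-}" = "--live" ]; then
    check_live
elif lockdown_bypass_exposed "$SAMPLE_CMDLINE" 'none [integrity] confidentiality' 0; then
    echo "sample: EXPOSED"
fi
```

Run it with `--live` on a host to evaluate the real command line, Lockdown state and Secure Boot variable instead of the constructed sample.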

Source: opennet.ru
