Linus Torvalds
If an attacker gains code execution with root privileges, they can run their own code at the kernel level, for example by replacing the running kernel using kexec or by reading/writing memory via /dev/kmem. The most obvious result of such activity could be
Initially, the root restriction functions were developed in the context of strengthening verified boot protection, and distributions have long used third-party patches to block bypasses of UEFI Secure Boot. At the same time, such restrictions were not included in the main kernel because of
Lockdown mode restricts access to /dev/mem, /dev/kmem, /dev/port, /proc/kcore, debugfs, kprobes debug mode, mmiotrace, tracefs, BPF, PCMCIA CIS (Card Information Structure), some ACPI interfaces and CPU MSR registers; the kexec_file and kexec_load calls are blocked, sleep mode is not allowed, the use of DMA for PCI devices is restricted, importing ACPI code from EFI variables is not allowed, and manipulation of I/O ports is not allowed, including changing the interrupt number and the I/O port of the serial port.
By default, the lockdown module is not active. It is built when the SECURITY_LOCKDOWN_LSM option is specified in kconfig and is enabled through the kernel parameter “lockdown=”, the control file “/sys/kernel/security/lockdown” or build options.
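A way to audit the two runtime controls named above, as an added example that is not part of the original article: it parses the text of the control file and the "lockdown=" boot parameter and checks that the active mode meets a minimum. The mode names (none, integrity, confidentiality) and the bracketed active-mode format are the kernel lockdown LSM's own and do not appear in the article; the function names and sample strings are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit the kernel lockdown state (not from the original article).

# Rank the modes; the lockdown level can be raised but never lowered.
lockdown_rank() {
    case "$1" in
        none) echo 0 ;;
        integrity) echo 1 ;;
        confidentiality) echo 2 ;;
        *) echo -1 ;;   # unknown or empty value
    esac
}

# Print the active mode from the text of /sys/kernel/security/lockdown.
# The kernel lists every mode and puts brackets around the active one.
lockdown_active_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Print the strongest valid lockdown= value on a kernel command line (empty if none).
# Runs in a subshell so that disabling globbing does not leak to the caller.
lockdown_cmdline_mode() (
    set -f
    best=""
    for arg in $1; do
        case "$arg" in
            lockdown=*)
                val=${arg#lockdown=}
                if [ "$(lockdown_rank "$val")" -gt "$(lockdown_rank "$best")" ]; then
                    best=$val
                fi ;;
        esac
    done
    printf '%s\n' "$best"
)

# Succeed if the active mode in $1 (control file text) is at least mode $2.
lockdown_meets() {
    want=$(lockdown_rank "$2")
    [ "$want" -ge 0 ] || return 2
    have=$(lockdown_rank "$(lockdown_active_mode "$1")")
    [ "$have" -ge "$want" ]
}

# Check the running system when the control file is readable.
f=/sys/kernel/security/lockdown
if [ -r "$f" ]; then
    state=$(cat "$f")
    echo "active: $(lockdown_active_mode "$state")"
    echo "boot:   $(lockdown_cmdline_mode "$(cat /proc/cmdline)")"
    if lockdown_meets "$state" integrity; then echo "OK"; else echo "WARN: below integrity"; fi
else
    echo "lockdown control file not readable: LSM not built or securityfs not mounted"
fi
```

A boot value that is empty while the active mode is not "none" means lockdown was enabled at runtime or by a build option rather than on the command line.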
It is important to note that lockdown only limits standard access to the kernel; it does not protect against modifications made by exploiting vulnerabilities. To block changes to the running kernel when exploits are used, the Openwall project
Source: opennet.ru