{
    "mode": "man",
    "parameter": "kernel_lockdown",
    "section": "7",
    "url": "https://www.chedong.com/phpMan.php/man/kernel_lockdown/7/json",
    "generated": "2026-06-15T22:17:33Z",
    "sections": {
        "NAME": {
            "content": "kernel_lockdown - kernel image access prevention feature\n",
            "subsections": []
        },
        "DESCRIPTION": {
            "content": "The Kernel Lockdown feature is designed to prevent both direct and indirect access to a running kernel image, attempting to protect against unauthorized modification of the kernel image and to prevent access to security and cryptographic data located in kernel memory, whilst still permitting driver modules to be loaded.\n\nIf a prohibited or restricted feature is accessed or used, the kernel will emit a message that looks like:\n\nLockdown: X: Y is restricted, see man kernel_lockdown.7\n\nwhere X indicates the process name and Y indicates what is restricted.\n\nOn an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled if the system boots in EFI Secure Boot mode.\n",
            "subsections": [
                {
                    "name": "Coverage",
                    "content": "When lockdown is in effect, a number of features are disabled or have their use restricted. This includes special device files and kernel services that allow direct access of the kernel image:\n\n/dev/mem\n/dev/kmem\n/dev/kcore\n/dev/ioports\nBPF\nkprobes\n\nand the ability to directly configure and control devices, so as to prevent the use of a device to access or modify a kernel image:\n\n• The use of module parameters that directly specify hardware parameters to drivers through the kernel command line or when loading a module.\n\n• The use of direct PCI BAR access.\n\n• The use of the ioperm and iopl instructions on x86.\n\n• The use of the KD*IO console ioctls.\n\n• The use of the TIOCSSERIAL serial ioctl.\n\n• The alteration of MSR registers on x86.\n\n• The replacement of the PCMCIA CIS.\n\n• The overriding of ACPI tables.\n\n• The use of ACPI error injection.\n\n• The specification of the ACPI RDSP address.\n\n• The use of ACPI custom methods.\n\nCertain facilities are restricted:\n\n• Only validly signed modules may be loaded (waived if the module file being loaded is vouched for by IMA appraisal).\n\n• Only validly signed binaries may be kexec'd (waived if the binary image file to be executed is vouched for by IMA appraisal).\n\n• Unencrypted hibernation/suspend to swap are disallowed as the kernel image is saved to a medium that can then be accessed.\n\n• Use of debugfs is not permitted as this allows a whole range of actions including direct configuration of, access to and driving of hardware.\n\n• IMA requires the addition of the \"secureboot\" rules to the policy, whether or not they are specified on the command line, for both the built-in and custom policies in secure boot lockdown mode.\n"
                }
            ]
        },
        "VERSIONS": {
            "content": "The Kernel Lockdown feature was added in Linux 5.4.\n",
            "subsections": []
        },
        "NOTES": {
            "content": "The Kernel Lockdown feature is enabled by CONFIG_SECURITY_LOCKDOWN_LSM. The lsm=lsm1,...,lsmN command line parameter controls the sequence of the initialization of Linux Security Modules. It must contain the string lockdown to enable the Kernel Lockdown feature. If the command line parameter is not specified, the initialization falls back to the value of the deprecated security= command line parameter and further to the value of CONFIG_LSM.\n",
            "subsections": []
        },
        "COLOPHON": {
            "content": "This page is part of release 5.10 of the Linux man-pages project. A description of the project, information about reporting bugs, and the latest version of this page, can be found at https://www.kernel.org/doc/man-pages/.\n\nLinux    2020-11-01    KERNEL_LOCKDOWN(7)",
            "subsections": []
        }
    },
    "summary": "kernel_lockdown - kernel image access prevention feature",
    "flags": [],
    "examples": [],
    "see_also": []
}