"Lockdown: X: Y is restricted, see man kernel_lockdown.7" messages in the kernel log

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
  • EFI-enabled x86 or arm64 machine running a kernel that includes the lockdown LSM (upstream Linux 5.4 onwards)

Issue

  • The following kernel messages are logged in /var/log/messages and dmesg:

    Lockdown: rhsmcertd-worke: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
    Lockdown: fwupd: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
    Lockdown: sosreport: debugfs access is restricted; see man kernel_lockdown.7
    Lockdown: subscription-ma: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
    
  • The following message appears while loading an unsigned kernel module:

    Lockdown: falcon-sensor: Loading of untrusted modules is restricted; see man kernel_lockdown.7
    

Resolution

Contact the hardware vendor to disable Secure Boot in the server BIOS. There is no other way to disable the feature.

Root Cause

  • The kernel lockdown feature is enabled automatically when the system boots in EFI Secure Boot mode. It disables, or prohibits the use of, special device files and kernel services that allow direct access to the kernel image, including:

    /dev/mem
    /dev/kmem
    /dev/kcore
    /dev/ioports
    BPF
    kprobes
    
  • Secure Boot enforces that all code is signed by a trusted key before it is executed, while the kernel lockdown feature is designed to disable those kernel features that allow modification of the running kernel or extraction of confidential information from userspace.

  • As man kernel_lockdown.7 states, it prevents the use of a device to access or modify the kernel image:

    • The use of module parameters that directly specify hardware
      parameters to drivers through the kernel command line or when
      loading a module.
    • The use of direct PCI BAR access.
    • The use of the ioperm and iopl instructions on x86.
    • The use of the KD*IO console ioctls.
    • The use of the TIOCSSERIAL serial ioctl.
    • The alteration of MSR registers on x86.
    • The replacement of the PCMCIA CIS.
    • The overriding of ACPI tables.
    • The use of ACPI error injection.
    • The specification of the ACPI RDSP address.
    • The use of ACPI custom methods.
    
    Certain facilities are restricted:
    • Only validly signed modules may be loaded (waived if the module
      file being loaded is vouched for by IMA appraisal).
    • Only validly signed binaries may be kexec'd (waived if the
      binary image file to be executed is vouched for by IMA
      appraisal).
    • Unencrypted hibernation/suspend to swap are disallowed as the
      kernel image is saved to a medium that can then be accessed.
    • Use of debugfs is not permitted as this allows a whole range of
      actions including direct configuration of, access to and
      driving of hardware.
    • IMA requires the addition of the "secure_boot" rules to the
      policy, whether or not they are specified on the command line,
      for both the built-in and custom policies in secure boot
      lockdown mode.
    

Diagnostic Steps

  • When the system boots in Secure Boot mode, the kernel reports at boot that lockdown is enabled:

    kernel/dmesg:[    0.000000] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
    
  • Once the kernel has booted in lockdown mode, lockdown cannot be disabled; this is by design, to prevent malicious activity. As the code below shows, only raising the lockdown level is allowed:

    /*
     * Put the kernel into lock-down mode.
     */
    static int lock_kernel_down(const char *where, enum lockdown_reason level)
    {
        if (kernel_locked_down >= level)
            return -EPERM;
    
        kernel_locked_down = level;
        pr_notice("Kernel is locked down from %s; see man kernel_lockdown.7\n",
              where);
        return 0;
    }
    
  • The message in question comes from the function below, which reports that the attempted action (here, access to /dev/mem, /dev/kmem or /dev/port) is not allowed:

    /**
     * lockdown_is_locked_down - Find out if the kernel is locked down
     * @what: Tag to use in notice generated if lockdown is in effect
     */
    static int lockdown_is_locked_down(enum lockdown_reason what)
    {
        if (WARN(what >= LOCKDOWN_CONFIDENTIALITY_MAX,
             "Invalid lockdown reason"))
            return -EPERM;
    
        if (kernel_locked_down >= what) {
            if (lockdown_reasons[what])
                pr_notice("Lockdown: %s: %s is restricted; see man kernel_lockdown.7\n",
                      current->comm, lockdown_reasons[what]);
            return -EPERM;
        }
    
        return 0;
    }
    
    /*
     * These are descriptions of the reasons that can be passed to the
     * security_locked_down() LSM hook. Placing this array here allows
     * all security modules to use the same descriptions for auditing
     * purposes.
     */
    const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
        [LOCKDOWN_NONE] = "none",
        [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading",
        [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port",
        [LOCKDOWN_EFI_TEST] = "/dev/efi_test access",
        [LOCKDOWN_KEXEC] = "kexec of unsigned images",
        [LOCKDOWN_HIBERNATION] = "hibernation",
        [LOCKDOWN_PCI_ACCESS] = "direct PCI access",
        [LOCKDOWN_IOPORT] = "raw io port access",
        [LOCKDOWN_MSR] = "raw MSR access",
        [LOCKDOWN_ACPI_TABLES] = "modifying ACPI tables",
        [LOCKDOWN_PCMCIA_CIS] = "direct PCMCIA CIS storage",
        [LOCKDOWN_TIOCSSERIAL] = "reconfiguration of serial port IO",
    ...
    
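    As an added example (not part of this Red Hat solution or of the kernel sources), the following Python triage script parses the Lockdown notices from dmesg or journal output, using the reason strings from the lockdown_reasons[] table above and the message variants shown in the Issue section, and groups the affected processes by restriction. Mapping the "Loading of untrusted modules" wording to LOCKDOWN_MODULE_SIGNATURE is an assumption; the log lines are constructed from the messages quoted on this page.

```python
import re
from collections import defaultdict

# Reason strings from the kernel's lockdown_reasons[] table shown above, mapped
# back to their LOCKDOWN_* enumerators. The "Loading of untrusted modules"
# wording from the Issue section is assumed to be the module-signature case.
REASON_TO_ENUM = {
    "unsigned module loading": "LOCKDOWN_MODULE_SIGNATURE",
    "Loading of untrusted modules": "LOCKDOWN_MODULE_SIGNATURE",  # assumption
    "/dev/mem,kmem,port": "LOCKDOWN_DEV_MEM",
    "/dev/efi_test access": "LOCKDOWN_EFI_TEST",
    "kexec of unsigned images": "LOCKDOWN_KEXEC",
    "hibernation": "LOCKDOWN_HIBERNATION",
    "direct PCI access": "LOCKDOWN_PCI_ACCESS",
    "raw io port access": "LOCKDOWN_IOPORT",
    "raw MSR access": "LOCKDOWN_MSR",
    "modifying ACPI tables": "LOCKDOWN_ACPI_TABLES",
    "direct PCMCIA CIS storage": "LOCKDOWN_PCMCIA_CIS",
    "reconfiguration of serial port IO": "LOCKDOWN_TIOCSSERIAL",
}

# The pr_notice() format from lockdown_is_locked_down(); any dmesg/journal
# prefix (timestamp, "kernel:") before "Lockdown:" is tolerated. Note that
# current->comm is truncated by the kernel to 15 characters, which is why
# names such as "subscription-ma" appear abbreviated.
NOTICE_RE = re.compile(
    r"Lockdown: (?P<comm>[^:]+): (?P<reason>.+?) is restricted; see man kernel_lockdown\.7")
BOOT_RE = re.compile(
    r"Kernel is locked down from (?P<where>.+?); see man kernel_lockdown\.7")

# Constructed sample input, built from the messages quoted on this page.
SAMPLE_LOG = [
    "[    0.000000] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7",
    "kernel: Lockdown: rhsmcertd-worke: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7",
    "kernel: Lockdown: fwupd: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7",
    "kernel: Lockdown: sosreport: debugfs access is restricted; see man kernel_lockdown.7",
    "kernel: Lockdown: falcon-sensor: Loading of untrusted modules is restricted; see man kernel_lockdown.7",
]

def parse_lockdown_log(lines):
    """Return (boot_source, events); events are (comm, reason, enum_or_None) tuples."""
    boot_source, events = None, []
    for line in lines:
        m = BOOT_RE.search(line)
        if m:
            boot_source = m.group("where")
            continue
        m = NOTICE_RE.search(line)
        if m:
            reason = m.group("reason")
            events.append((m.group("comm"), reason, REASON_TO_ENUM.get(reason)))
    return boot_source, events

def summarize(events):
    """Group hits by enumerator; reasons beyond the (truncated) table above are
    reported as UNKNOWN rather than silently dropped."""
    groups = defaultdict(set)
    for comm, _reason, enum in events:
        groups[enum or "UNKNOWN"].add(comm)
    return {k: sorted(v) for k, v in groups.items()}
```

    The UNKNOWN bucket is expected for reasons that appear after the "..." in the table (the sosreport debugfs line, for instance), and is the signal to extend the mapping from the full lockdown_reasons[] array of the running kernel.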

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.