
Kernel lockdown locked out — for now

Posted Apr 8, 2018 11:48 UTC (Sun) by niner (subscriber, #26151)
Parent article: Kernel lockdown locked out — for now

I wonder if virtualization has come up in the discussion. I can imagine lockdown being a good tool to further harden virtual machines. We use the one VM per service model to make it harder for an attacker to spread in case of a breach in one service. Lockdown sounds like something that would make it harder to attack the hypervisor even if the attacker gained root privileges in a VM. No need for secure boot to gain some advantage in that case (assuming the hypervisor is properly protected from the network).



Kernel lockdown locked out — for now

Posted Apr 8, 2018 13:17 UTC (Sun) by epa (subscriber, #39769) [Link] (4 responses)

Isn’t the whole point of a VM that you can run whatever OS and kernel you want? If that choice is removed you might as well offer users a container-based setup where they can have ‘root’ but are really just another user on a large system.

Kernel lockdown locked out — for now

Posted Apr 8, 2018 15:07 UTC (Sun) by niner (subscriber, #26151) [Link] (2 responses)

Running multiple operating systems on the same hardware is one use case for VMs. Ours is increased security through compartmentalization. We do not rent out our hardware to other people. We run our own applications consisting of a plethora of inter-operating services and simply assume that none of these services is 100% proof against intruders. Thus we put them into different VMs with narrow and clearly defined interfaces, so when an intruder finds a hole in one service, it would still be hard to get into the rest of the system. And that's where lockdown could help even without secure boot provided by the firmware.

Kernel lockdown locked out — for now

Posted Apr 10, 2018 3:51 UTC (Tue) by pabs (subscriber, #43278) [Link] (1 responses)

Are you using Kata Containers (formerly Intel Clear Containers) or your own custom mechanism for this?

https://katacontainers.io/

Kernel lockdown locked out — for now

Posted Apr 10, 2018 6:32 UTC (Tue) by niner (subscriber, #26151) [Link]

We do it the old-fashioned way with heavyweight KVM machines and Puppet. Kata is certainly very tempting, but you know how it is. The system is running quite well as it is and there's always stuff to keep you busy, like the EU GDPR. So I guess Kata Containers will have some more time to mature till we give it a try :)

Kernel lockdown locked out — for now

Posted Apr 8, 2018 15:13 UTC (Sun) by Paf (subscriber, #91811) [Link]

I think the suggestion is that it could further harden an existing VM. So you can still put whatever you want in there and then lock it down. You seem to be imagining a world where the hypervisor comes prelocked or something, but I don’t think that’s what niner is suggesting.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds