Secure boot restrictions

Restrictions apply when running Linux® with secure boot enabled. A Linux kernel that was started in secure boot mode runs in lockdown mode (integrity level), which prevents user space, including root, from modifying the running kernel.

Signed kernel modules

In a kernel prepared for secure boot, all kernel modules must be signed either:
  • By the distributor.
  • By a person who signs modules and code with a private key whose associated public key was uploaded to the HMC and assigned to the LPAR.
A module that is not signed, or whose signature cannot be verified against one of these keys, is refused at load time.

Restricted kernel interfaces

Access to certain kernel interfaces is restricted. For example, the hyptop command is affected because it reads hypervisor data through debugfs, which lockdown restricts.

Verifying Linux kernel lockdown mode

To check whether Linux is running in lockdown mode, check the sysfs attribute lockdown. The attribute lists every supported mode and marks the active one in square brackets:
$ cat /sys/kernel/security/lockdown
none [integrity]
The above result indicates that lockdown is in effect. The following example indicates that lockdown is off:
$ cat /sys/kernel/security/lockdown
[none] integrity
Alternatively, search the Linux kernel boot messages for a message containing the text kernel_lockdown:
$ dmesg -t | grep kernel_lockdown
Kernel is locked down from Secure IPL mode; see man kernel_lockdown.7
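The following shell script is an added example and is not part of the original page or of any IBM tool. It ties the two checks above together: it parses the lockdown attribute the way the examples show it (the bracketed word is the active mode) and, for the signed-module requirement, inspects the signature fields that modinfo prints for a signed module (sig_id, signer, sig_key, sig_hashalgo) before an operator tries to load it on a locked-down kernel. The helper names, the "unknown" fallback, and the zfcp module in the usage comment are choices made for this example.

```sh
#!/bin/sh
# Added example (not from the original page): inspect the kernel lockdown state
# and verify that a kernel module carries a signature before trying to load it.
#
# /sys/kernel/security/lockdown lists every supported mode and marks the active
# one in square brackets, e.g. "none [integrity]" or "[none] integrity".

# lockdown_mode STRING
#   Parse one line read from the lockdown attribute and print the bracketed
#   (active) mode. Prints nothing if no mode is marked.
lockdown_mode() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^\[\(.*\)\]$/\1/p'
}

# is_locked_down STRING
#   Succeed (exit 0) when the active mode restricts user space, i.e. anything
#   other than "none". "integrity" is what a Secure IPL boot selects.
is_locked_down() {
    mode=$(lockdown_mode "$1")
    [ -n "$mode" ] && [ "$mode" != none ]
}

# current_lockdown_mode
#   Read the live attribute; print "unknown" when the kernel does not expose it
#   (securityfs not mounted, or the lockdown LSM not built in). "unknown" is a
#   label chosen for this example, not a kernel-defined mode.
current_lockdown_mode() {
    if [ -r /sys/kernel/security/lockdown ]; then
        lockdown_mode "$(cat /sys/kernel/security/lockdown)"
    else
        echo unknown
    fi
}

# modinfo_is_signed MODINFO_OUTPUT
#   Given the text printed by "modinfo <module>", succeed when the module has a
#   signature attached. Signed modules report sig_id, signer, sig_key,
#   sig_hashalgo and signature fields; unsigned modules have none of them.
modinfo_is_signed() {
    printf '%s\n' "$1" | grep -q '^sig_id:'
}

# module_signer MODINFO_OUTPUT
#   Print the "signer:" field so the operator can see whose key was used
#   (the distributor's, or the one whose public key was uploaded to the HMC).
module_signer() {
    printf '%s\n' "$1" | sed -n 's/^signer:[[:space:]]*//p'
}

# check_module MODULE
#   Live check: report early with a clear message instead of letting modprobe
#   fail at load time on a locked-down kernel.
check_module() {
    info=$(modinfo "$1" 2>/dev/null) || { echo "$1: module not found" >&2; return 2; }
    if modinfo_is_signed "$info"; then
        echo "$1: signed by $(module_signer "$info")"
    else
        echo "$1: NOT signed; it will not load while lockdown is '$(current_lockdown_mode)'" >&2
        return 1
    fi
}

echo "kernel lockdown mode: $(current_lockdown_mode)"
# Usage, for example for the zfcp driver:  check_module zfcp
```

Note that a signature from a key the kernel does not trust still fails at load time: modinfo only shows that a signature is present and who applied it, so the signer name should be compared with the distributor key or the key uploaded to the HMC for this LPAR.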