After years of evaluation, discussion, and rewriting, Linus Torvalds has approved the kernel lockdown feature. The new LSM (Linux Security Module) will be available to users with Linux kernel 5.4. It restricts user-space access to and modification of the running kernel, and imposes additional restrictions on what even root can change in the kernel at runtime, so that a compromised root account cannot jeopardize the rest of the system. Because it may break existing systems, the LSM will initially be turned off by default, and users can choose to enable it.
Windows Vista: Let’s lock down the kernel
Linux 3.x: lul root is kernel brah
Windows 10: Kernel arbitrary writes from Admin are not bugs, there’s a party in ring0 and the bouncer is off duty
Linux 5.x: hey, let’s lock down the kernel https://t.co/ex8p8tCLmR
— Alex Ionescu (@aionescu) September 29, 2019
Downstream distros like Ubuntu have shipped a previous version of this for a while now (to try and ensure UEFI Secure Boot cannot be subverted), so it is great to see this finally upstream.
— Alex Murray (@alex_murray) September 30, 2019
Other changes in kernel 5.4 include: 52-bit addressing on the ARM64 architecture; removal of Intel's MPX functionality; removal of support for the SGI SN2 architecture; the "haltpoll" CPU idle governor; support for the Lenovo ThinkPad "PrivacyGuard" feature; and more.