1.1.10 Security

The following notable security features are implemented in Unbreakable Enterprise Kernel Release 5:

  • Secure boot improvements.  Secure boot is designed to protect a system against malicious code being loaded and executed early in the boot process. Secured platforms load only software binaries, such as option ROM drivers, boot loaders, and operating system loaders, that are unmodified and trusted by the platform. Once the operating system is loaded, further measures prevent malicious code from being injected into subsequent boots. Although this feature was available in previous releases of UEK, the implementation differed significantly from the approach taken in UEK R5. The new design avoids any relation to the securelevel security mechanism used in BSD kernels. These changes bring the approach taken in UEK R5, and therefore Oracle Linux, in line with other mainstream distributions.

    Some of the secure boot features that are applied to the kernel when it is locked down are described briefly in the following list:

    • Facilitates using keys in the UEFI database when in secure boot mode

    • Enforces module signatures

    • Disallows access to /dev/mem, /dev/kmem and /proc/kcore

    • Disallows do_kexec_load, which is used to allocate structs and load the initramfs

    • Copies the secure_boot flag in the boot parameters across kexec reboots

    • Disallows loading images into a trusted kernel through kexec_file unless their signature is verified

    • Disables hibernate and user space software suspend (uswsusp)

    • Locks down PCIe Base Address Register access

    • Locks down IO port access

    • Restricts CPU Model Specific Register access

    • Restricts the debugfs interface in the ASUS WMI driver

    • Restricts access to custom ACPI methods

    • Ignores the acpi_rsdp kernel parameter

    • Disables ACPI table override

    • Disables ACPI Platform Error Interface (APEI) error injection

    • Disables the EATA SCSI driver

    • Prohibits PCMCIA CIS storage

    • Prohibits using TIOCSSERIAL to change device addresses, IRQs and DMA channels

    • Prevents using module parameters that specify hardware options (such as ioport)

    • Disables the testmmiotrace module

    • Disables debugfs

    • Disables kprobes for debugging

    • Disables Berkeley Packet Filter functions

    • Disables DTrace

    Several new kernel configuration options have been added to cater for secure boot:

    • LOCK_DOWN_KERNEL: Allows the kernel to be locked down under certain circumstances, such as when UEFI secure boot is enabled.

    • LOCK_DOWN_IN_EFI_SECURE_BOOT: Allows kernel lockdown to be triggered when EFI Secure Boot is indicated by an EFI variable provided by the system firmware, even if it is not indicated by a boot parameter.

    • LOAD_UEFI_KEYS: Allows a kernel in secure boot mode to load modules signed with UEFI-stored keys and to reject modules signed with keys that match the blacklist.

  • User space updates to enable FIPS.  The dracut package for Oracle Linux 7 has been updated to dracut-033-535.0.2. This update enables FIPS support and compatibility with UEK R5. You must install this version or higher of the dracut package if you intend to enable FIPS mode on a system running UEK R5. See Oracle® Linux 7: Security Guide for more information.
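    The following POSIX shell script is an added example, not part of the UEK release notes, that checks from user space several of the states described in the secure boot and FIPS items above: whether the firmware reports Secure Boot as enabled, whether module signature enforcement is active, whether the kernel logged that it was locked down, and whether the installed dracut meets the minimum version given for FIPS mode. It assumes the efivarfs path for the UEFI SecureBoot variable (the GUID is the EFI specification's global variable GUID), the sig_enforce parameter exposed under /sys/module/module/parameters on kernels built with module signing, that the lockdown patches log a "locked down" message at boot (an assumption about the exact wording), and that rpm is available to query the dracut package.

```shell
#!/bin/sh
# Added example (not part of the UEK release notes): user-space checks for the
# states described in section 1.1.10. Assumptions are marked in comments.

# UEFI SecureBoot variable on efivarfs (EFI global variable GUID).
SB_VAR_DEFAULT=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
# Exposed by kernels built with module signing; "Y" means unsigned modules are refused.
SIG_ENFORCE_DEFAULT=/sys/module/module/parameters/sig_enforce
# Minimum dracut version-release for FIPS mode on UEK R5, taken from the release notes.
DRACUT_MIN="033-535.0.2"

# secure_boot_state [FILE]
# An efivarfs file starts with 4 bytes of attributes; the SecureBoot data is one byte,
# 1 = enabled, 0 = disabled. Prints enabled / disabled / unknown; non-zero on unknown.
secure_boot_state() {
    f=${1:-$SB_VAR_DEFAULT}
    [ -r "$f" ] || { echo unknown; return 1; }
    val=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' ')
    case "$val" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown; return 1 ;;
    esac
}

# module_sig_enforce [FILE]
# Prints Y or N as read from the sig_enforce parameter, or unknown if unreadable.
module_sig_enforce() {
    f=${1:-$SIG_ENFORCE_DEFAULT}
    [ -r "$f" ] || { echo unknown; return 1; }
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in
        Y|N) echo "$v" ;;
        *) echo unknown; return 1 ;;
    esac
}

# version_ge MIN HAVE
# True when HAVE is at least MIN under natural version ordering (GNU sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# lockdown_reported
# Assumption: the lockdown patches log "Kernel is locked down ..." at boot.
lockdown_reported() {
    dmesg 2>/dev/null | grep -qi 'locked down'
}

# report: one line per check against the live system.
report() {
    echo "Secure Boot:        $(secure_boot_state)"
    echo "Module sig_enforce: $(module_sig_enforce)"
    if lockdown_reported; then
        echo "Lockdown in dmesg:  yes"
    else
        echo "Lockdown in dmesg:  no"
    fi
    have=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' dracut 2>/dev/null | head -n1)
    if [ -z "$have" ]; then
        echo "dracut:             not installed or rpm unavailable"
    elif version_ge "$DRACUT_MIN" "$have"; then
        echo "dracut $have: meets FIPS minimum ($DRACUT_MIN)"
    else
        echo "dracut $have: below FIPS minimum ($DRACUT_MIN)"
    fi
}

# Run the full report only when invoked as: sh uek5-security-check.sh report
case "${1:-}" in report) report ;; esac
```

    The functions accept an optional file path so that the parsing logic can be exercised against constructed data without firmware access; a system that reports Secure Boot enabled but no lockdown message in dmesg, or sig_enforce set to N, is worth investigating rather than assuming the kernel is locked down.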