[$] Lockdown as a security module
Technologies like UEFI secure boot are intended to guarantee that alocked-down system is running the software intended by its owner (for adefinition of "owner" as "whoever holds the signing key recognized by thefirmware"). That guarantee is hard to uphold, though, if a program run onthe system in question is able to modify the running kernel somehow. Thus,proponents of secure-boot technologies have been trying for years toprovide the ability to lockdown many types of kernel functionality on secure systems. The latestattempt posted by Matthew Garrett, at an eyebrow-raising version 34,tries to address previous concerns by putting lockdown under the control ofa Linux security module (LSM).