We’re currently inside of the two week merge window where code is being pulled in to form the Linux 4.7 kernel. One of the GIT pull requests came from Linux kernel developer James Morris and includes at least one really interesting new security feature, by way of a new Linux Security Module (LSM).
A new LSM, “LoadPin”, from Kees Cook is added, which allows forcing of modules and firmware to be loaded from a specific device (this is from ChromeOS, where the device as a whole is verified cryptographically via dm-verity). This is disabled by default but can be configured to be enabled by default (don’t do this if you don’t know what you’re doing).
That’s particularly interesting as it extends a chain of trust in a way that is kinda/sort similar (yet different) to secure computing forms of attestation for hardware integrity. No this isn’t a Secure Boot redux, though the net effect is the same – Linux will only boot on known hardware.
Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist