Lockdown is typically enabled during boot and may be terminated, if configured, by typing a special key combination on a directly attached physical keyboard.
If a prohibited or restricted feature is accessed or used, the kernel will emit a message that looks like:
where X indicates the process name and Y indicates what is restricted.
On an EFI-enabled x86 or arm64 machine, lockdown will be automatically enabled if the system boots in EFI Secure Boot mode.
and the ability to directly configure and control devices, so as to prevent the use of a device to access or modify a kernel image:
The use of direct PCI BAR access.
The use of the ioperm and iopl instructions on x86.
The use of the KD*IO console ioctls.
The use of the TIOCSSERIAL serial ioctl.
The alteration of MSR registers on x86.
The replacement of the PCMCIA CIS.
The overriding of ACPI tables.
The use of ACPI error injection.
The specification of the ACPI RDSP address.
The use of ACPI custom methods.
Certain facilities are restricted:
Only validly signed binaries may be kexec'd (waived if the binary image file to be executed is vouched for by IMA appraisal).
Unencrypted hibernation/suspend to swap are disallowed as the kernel image is saved to a medium that can then be accessed.
Use of debugfs is not permitted as this allows a whole range of actions including direct configuration of, access to and driving of hardware.
IMA requires the addition of the "secure_boot" rules to the policy, whether or not they are specified on the command line, for both the builtin and custom policies in secure boot lockdown mode.