[$] Lockdown as a security module

Technologies like UEFI secure boot are intended to guarantee that a
locked-down system is running the software intended by its owner (for a
definition of 'owner' as 'whoever holds the signing key recognized by the
firmware'). That guarantee is hard to uphold, though, if a program run on
the system in question is able to modify the running kernel somehow. Thus,
proponents of secure-boot technologies have been trying for years to
provide the ability to lock
down many types of kernel functionality on secure systems. The latest
attempt posted by Matthew Garrett, at an eyebrow-raising version 34,
tries to address previous concerns by putting lockdown under the control of
a Linux security module (LSM).