[tenebrisalietum]

- `/dev/mem` should only be accessible by root or whoever you set the permissions to (don't `chmod 777 /dev/mem`).

- root can install device drivers which have full executable run of the system anyway and do anything you can do with this device; this is also true on Windows.

- read about CONFIG_STRICT_DEVMEM - https://man7.org/linux/man-pages/man4/mem.4.html#:~:text=Sin....

- wait until you hear about `/dev/kmem`.

- it's possible to build a Linux kernel without `/dev/mem` support and also without loadable module support (I think), so if your threat model indicates this needs to be addressed it is possible.

[amarshall]

`CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y` or similar may also be of interest, see `man kernel_lockdown`.

[no_time]

>root can install device drivers which have full executable run of the system anyway and do anything you can do with this device; this is also true on Windows.

Oddly enough, no. Or atleast last time I tried on Ubuntu I had to disable secure boot. Seemed like an easier way than to sign the build files

[pritambaral]

Secure Boot can be configured to also trust user keys. Ubuntu's installer does it automatically if you choose to install it with third-party drivers (like Nvidia). Those user keys are then available to root to sign any DKMS kernel modules.

[colechristensen]

It would be a fun exercise/YouTube video/class… you are an unprivileged user, /dev/mem is 777, go forth and prosper.