Why protect the Linux kernel from the root user?
If an attacker gets root, don't they pretty much own the machine even without kernel access, by doing things like modifying binaries?
Maybe, maybe not. With SELinux, you can restrict access to block devices, even for the root user. So, if your root partition is read-only (and the system is running with OverlayFS to provide for non-persistent modifications), then protecting the kernel from root can guarantee a consistent state on reboot, even if the machine has been compromised at the root level.
Whereas if the kernel is not protected from the root user, you can't have such guarantees.
Without a verified boot, along with verified modules and kexec
you will give to the kernel a better chance to defend itself against attack in the face of a privilege escalation. By default the two features are disabled:
kexec_load_disabled:
A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl.
modules_disabled:
A toggle value indicating if modules are allowed to be loaded in an otherwise modular kernel. This toggle defaults to off (0), but can be set true (1). Once true, modules can be neither loaded nor unloaded, and the toggle cannot be set back to false. Generally used with the "kexec_load_disabled" toggle.