
How to Use Linux's New Kernel Kill Switch to Mitigate Vulnerabilities

Posted by u/Lolpro Lab · 2026-05-11 17:12:01

Introduction

Linux kernel co-maintainer and NVIDIA engineer Sasha Levin has proposed a new security mechanism called killswitch. This feature allows system administrators to immediately disable a vulnerable kernel function on a running system, without waiting for a full kernel update. By forcing a function to return a predefined value and skip its execution, killswitch can block privilege escalation exploits like Copy Fail and Dirty Frag until an official patch is deployed. In this guide, we'll walk through the steps to use killswitch effectively, along with important precautions.

How to Use Linux's New Kernel Kill Switch to Mitigate Vulnerabilities
Source: itsfoss.com

What You Need

  • A Linux system running a kernel with the killswitch patch applied (proposed for inclusion in mainline).
  • Root privileges – All killswitch operations require superuser access.
  • Knowledge of the vulnerable kernel function name (e.g., af_alg_sendmsg, ksmbd_ioctl).
  • Access to the /sys/kernel/security/killswitch/ sysfs interface or the ability to modify kernel boot parameters.

Step-by-Step Instructions

Step 1: Identify the Vulnerable Kernel Function

Before engaging the kill switch, you must determine which kernel function contains the vulnerability. Candidates mentioned in the patch include af_alg_sendmsg and code in the ksmbd, nftables, vsock, and ax25 subsystems. Review security advisories or grep the kernel logs to find the exact symbol name; the kill switch needs the function symbol, not the subsystem name. For example, if a CVE mentions a flaw in the AF_ALG socket family, the function may be af_alg_sendmsg.

Step 2: Engage the Kill Switch at Runtime

Once you have the function name, open a terminal with root access and execute:

echo "engage af_alg_sendmsg -1" > /sys/kernel/security/killswitch/control

Replace af_alg_sendmsg with your target function and -1 with the desired return value (usually an error code like -1 or -EPERM). This command immediately stops the function from executing across all CPU cores. Any process calling that function will receive the specified return value as if an error occurred.

Step 3: Verify the Kill Switch Is Active

Check the status by reading the control file:

cat /sys/kernel/security/killswitch/control

You should see the engaged function and its return value. Additionally, the kernel is now tainted: a new taint flag, H (bit 20), is set. You can confirm the taint status via cat /proc/sys/kernel/tainted. The H flag indicates that a kill switch has been used.

Step 4: Disengage the Kill Switch (When Safe)

To re-enable the function (e.g., after applying a proper patch), run:

echo "disengage" > /sys/kernel/security/killswitch/control

This restores normal execution. Note that the taint flag persists until the next reboot, even after disengagement. If you need a completely clean kernel, reboot the system.


Step 5: Using the Boot Parameter Version (For Fleet Management)

For applying mitigations across multiple machines before boot, add the killswitch parameter to the kernel command line. For example, in GRUB edit the linux line to include:

killswitch=af_alg_sendmsg=-1,ksmbd_ioctl=-EPERM

You can specify multiple function-value pairs separated by commas. This method activates the kill switch during early boot, preventing exploits from the start.
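As an added example (not from the post or from the kernel patch), here is a small POSIX shell helper that wraps Steps 1 to 5 with the checks an operator would want: it validates the symbol name and looks it up in /proc/kallsyms before engaging, refuses when the control file is not writable (no root, or no patch), decodes the H taint bit from /proc/sys/kernel/tainted, and builds the Step 5 boot parameter. The sysfs path and command syntax are taken exactly as the post states them; using /proc/kallsyms for the lookup and the overridable paths are my assumptions.

```shell
#!/bin/sh
# Added helper (not from the post or the kernel patch): wraps the runtime
# interface as the post describes it. Paths are overridable for dry runs.
KS_CONTROL="${KS_CONTROL:-/sys/kernel/security/killswitch/control}"
KS_TAINTED="${KS_TAINTED:-/proc/sys/kernel/tainted}"
KS_KALLSYMS="${KS_KALLSYMS:-/proc/kallsyms}"   # assumed lookup source for Step 1
# Accept only a plausible C identifier so nothing odd reaches the control file.
ks_valid_symbol() {
    case "$1" in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Step 1 check: does the running kernel know this symbol? (kallsyms: "addr type name")
ks_symbol_present() {
    ks_valid_symbol "$1" && grep -qE "[[:space:]]$1([[:space:]]|\$)" "$KS_KALLSYMS"
}

# Taint bit 20 is the H flag the post says a kill switch sets (persists until reboot).
ks_taint_has_h() {
    [ $(( ($1 >> 20) & 1 )) -eq 1 ]
}

# Step 5: turn func=value pairs into the killswitch= boot parameter.
ks_build_cmdline() {
    out=""
    for pair in "$@"; do
        ks_valid_symbol "${pair%%=*}" || return 1
        out="${out:+$out,}$pair"
    done
    printf 'killswitch=%s\n' "$out"
}

# Step 2: engage, refusing if the interface is absent or the symbol is unknown.
ks_engage() {
    func="$1"; ret="${2:--1}"
    [ -w "$KS_CONTROL" ] || { echo "no writable $KS_CONTROL (root? patch applied?)" >&2; return 2; }
    ks_symbol_present "$func" || { echo "symbol not in kallsyms: $func" >&2; return 3; }
    printf 'engage %s %s\n' "$func" "$ret" > "$KS_CONTROL"
}
# Step 4: disengage (the H taint flag stays set until reboot).
ks_disengage() { printf 'disengage\n' > "$KS_CONTROL"; }
# Step 3: show the control file and whether the taint flag confirms use.
ks_status() {
    cat "$KS_CONTROL"
    if ks_taint_has_h "$(cat "$KS_TAINTED")"; then echo "taint: H set (kill switch used since boot)"; fi
}
```

Source the file as root and call ks_engage af_alg_sendmsg -1, ks_status, and ks_disengage; ks_build_cmdline af_alg_sendmsg=-1 ksmbd_ioctl=-EPERM prints the line to append to the GRUB linux entry.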

Tips and Important Considerations

  • Choose the Right Function. The patch includes a warning to carefully select the function. Disabling a widely used function (e.g., networking core) can break essential services. Test in a non-production environment first.
  • Kill Switch Is Not a Fix. It only blocks the vulnerable code path. The underlying bug remains unpatched. Plan to apply the official kernel update as soon as it's available.
  • Service Impact. Anything relying on the disabled function will fail. For instance, disabling af_alg_sendmsg will break userspace access to kernel cryptography through AF_ALG sockets for all users. Weigh the risk of running a vulnerable kernel against the loss of functionality.
  • Taint Persistence. The kernel taint flag H is permanent until reboot, even after disengaging. This signals to maintainers that the system ran a modified (tainted) kernel. Use with caution in environments where kernel integrity is audited.
  • Root Only. Only root can engage or disengage the kill switch. This prevents unprivileged attackers from toggling it.
  • Reboot Resets. All runtime kill switches are lost on reboot. Boot parameter kills persist across reboots until removed from the bootloader configuration.
  • Check for Alternatives. Evaluate other mitigation methods such as SELinux policies, kernel lockdown, or live patching (e.g., Ksplice) which may have different trade-offs.

By following these steps, you can temporarily block high-risk kernel vulnerabilities using the kill switch while you prepare a permanent fix. Always monitor for side effects and revert as soon as possible.