+.. describe:: CONFIG_SECURITY_LOCKDOWN_LSM=y
+ CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
+ CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
+
+ Basically, the *lockdown* LSM tries to strengthen the boundary between the
+ superuser and the kernel. The *integrity* mode thus restricts access to
+ features that would allow userland to modify the running kernel, and the
+ *confidentiality* mode extends these restrictions to features that would
+ allow userland to extract confidential information held inside the kernel.
+ Note that a significant portion of such features is already disabled in the
+ CLIP OS kernel due to our custom configuration. The *lockdown* functionality
+ is important for CLIP OS as we want to prevent an attacker, be he highly
+ privileged, from persisting on a compromised machine.
+