Not adding kernel logs but changing to 'Confirmed'.

** Changed in: linux (Ubuntu)
       Status: Incomplete => Confirmed

You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.

  Disabling bpf() syscall on kernel lockdown break apps when secure boot
  is on

Status in linux package in Ubuntu:

Bug description:
  In disco and eoan, lockdown is automatically enforced when secure boot
  is on [0]. Because lockdown was not in the mailine kernel at the time,
  some disto-specific patches were added to the kernel, including one
  that drastically restricts BPF usage by completely disabling the use
  of the `bpf()` system call when lockdown is on [1].

  A consequence of that decision is that no application relying on eBPF
  can run on 19.04/19.10, unless secure boot / lockdown is disabled. For
  example, Cilium ( strongly relies on BPF programs to
  implement its datapath and securing network connectivity between
  containers. Other applications like Suricata or Sysdig also rely on
  BPF to some extent. None of which will work by default on a EFI
  machine with secure boot activated.

  If I understand correctly, kernel 5.4 (to be used in focal) will have
  a different, lighter restricton (comming from mainline Linux kernel)
  [2], so `bpf()` for networking use cases should mostly work on 20.04.
  Is my understanding correct? If so, could this patch be backported to
  19.10 (and 19.04, if still supported) instead of completely disabling
  the syscall on lockdown?


To manage notifications about this bug go to:

Mailing list:
Post to     :
Unsubscribe :
More help   :

Reply via email to