In disco and eoan, lockdown is automatically enforced when secure boot is on [0]. Because lockdown was not in the mainline kernel at the time, some distro-specific patches were added to the kernel, including one that drastically restricts BPF usage by completely disabling the use of the `bpf()` system call when lockdown is on [1].
A consequence of that decision is that no application relying on eBPF can run on 19.04/19.10, unless secure boot / lockdown is disabled. For example, Cilium (cilium.io) strongly relies on BPF programs to implement its datapath and to secure network connectivity between containers. Other applications like Suricata or Sysdig also rely on BPF to some extent. None of these will work by default on an EFI machine with secure boot activated.
If I understand correctly, kernel 5.4 (to be used in focal) will have a different, lighter restriction (coming from the mainline Linux kernel) [2], so `bpf()` for networking use cases should mostly work on 20.04. Is my understanding correct? If so, could this patch be backported to 19.10 (and 19.04, if still supported) instead of completely disabling the syscall on lockdown?
[0] https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/disco/commit/?id=d0db99473fc3bb8a5d03f99ed454ac7ca5e7d517
[1] https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/disco/commit/?id=2a68c65abae66d28e2acb3245cb156ae2ea6eb1d
[2] https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/commit/?id=9d1f8be5cf42b497a3bddf1d523f2bb142e9318c
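As an added check, not part of the bug report above, the following C probe issues the smallest possible `bpf()` call (a `BPF_MAP_CREATE` of a one-entry array map) and prints the resulting errno next to the kernel's lockdown state, so an operator can tell whether a Cilium or Suricata failure is the lockdown restriction discussed here rather than a packaging problem. The errno-to-diagnosis mapping and the `/sys/kernel/security/lockdown` path (mainline 5.4 lockdown) are assumptions; the Ubuntu patch's exact error code is not stated in the report.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Minimal subset of uapi/linux/bpf.h so the probe builds without kernel headers. */
#define PROBE_BPF_MAP_CREATE 0     /* cmd BPF_MAP_CREATE */
#define PROBE_BPF_MAP_TYPE_ARRAY 2 /* BPF_MAP_TYPE_ARRAY */

/* Leading fields of union bpf_attr for BPF_MAP_CREATE; the kernel accepts a
 * shorter attr than sizeof(union bpf_attr) and treats the missing tail as zero. */
struct probe_map_attr { unsigned int map_type, key_size, value_size, max_entries; };

/* Returns 0 if a trivial 1-entry array map can be created, else the errno bpf() set. */
int probe_bpf_map_create(void) {
#ifdef __NR_bpf
    struct probe_map_attr attr = { PROBE_BPF_MAP_TYPE_ARRAY, 4, 4, 1 };
    long fd = syscall(__NR_bpf, PROBE_BPF_MAP_CREATE, &attr, sizeof(attr));
    if (fd < 0) return errno;
    close((int)fd); /* map is discarded immediately; we only wanted the verdict */
    return 0;
#else
    return ENOSYS; /* no bpf() syscall number on this platform */
#endif
}

/* Reads the mainline lockdown state file (assumed path); returns 0 on success. */
int read_lockdown_state(char *buf, size_t len) {
    FILE *f = fopen("/sys/kernel/security/lockdown", "r");
    if (!f || !fgets(buf, (int)len, f)) { if (f) fclose(f); return -1; }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* Maps the probe's errno to an operator-facing diagnosis (assumed mapping). */
const char *bpf_diagnosis(int err) {
    switch (err) {
    case 0:      return "bpf() usable";
    case EPERM:  return "refused: kernel lockdown policy or unprivileged caller";
    case ENOSYS: return "bpf() not available on this kernel";
    default:     return "failed for another reason";
    }
}

int main(void) {
    char state[64];
    int err = probe_bpf_map_create();
    if (read_lockdown_state(state, sizeof state) == 0) printf("lockdown: %s\n", state);
    printf("bpf(BPF_MAP_CREATE): %s (errno %d)\n", bpf_diagnosis(err), err);
    return err != 0;
}
```

Run it as root on the affected machine: an `EPERM` with secure boot on, but success after disabling secure boot, is the signature of the lockdown restriction.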