DevHeads.net

Kernel lockdown patch & IPAddressAllow/IPAddressDeny systemd feature with Secure Boot

Booting Fedora with Secure Boot enabled will result in Lockdown being enabled at boot time. This will completely disable the BPF system call for all users [1][2].

Unfortunately, this breaks the IPAddressAllow & IPAddressDeny systemd feature [3][4][5].

I don't have a solution for this, but as far as I understand, this will also prevent other BPF use-cases (for example: Cilium on Fedora CoreOS).

[1] https://src.fedoraproject.org/rpms/kernel/blob/master/f/efi-lockdown.patch#_1525
[2] https://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git/commit/?h=lockdown&id=0eb0d0851747787f7182b3e9d0d38edb5925a678
[3] https://github.com/systemd/systemd/blob/master/src/core/bpf-firewall.c
[4] https://github.com/systemd/systemd/blob/master/NEWS#L1192
[5] https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#IPAddressAllow=ADDRESS%5B/PREFIXLENGTH%5D%E2%80%A6
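A small check script for the situation described in this post, added here as an example; it is not code from the post, from systemd or from Fedora. It reads the active mode from /sys/kernel/security/lockdown, prints the IPAddressAllow/IPAddressDeny drop-in that exercises the cgroup BPF firewall, and, when run with a "--probe" argument on a live system, starts a transient unit with those settings via systemd-run and looks for the corresponding warning in the journal. The securityfs line format (active mode in brackets) and the assumption that systemd's warning text mentions "BPF firewall" are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post, systemd or Fedora.
# Assumes the securityfs format "none [integrity] confidentiality", with the
# active lockdown mode in brackets, and that systemd logs a message containing
# "BPF firewall" when it cannot install the cgroup filter (assumption).

LOCKDOWN_FILE="${LOCKDOWN_FILE:-/sys/kernel/security/lockdown}"

# Print the active lockdown mode ("none", "integrity" or "confidentiality"),
# or "unknown" if the file is absent (no lockdown support) or unreadable.
lockdown_mode() {
    file="${1:-$LOCKDOWN_FILE}"
    mode=""
    [ -r "$file" ] && mode=$(sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$file" | head -n 1)
    [ -n "$mode" ] && echo "$mode" || echo unknown
}

# Emit a drop-in that confines a service to loopback traffic. systemd enforces
# these directives with a cgroup BPF program (src/core/bpf-firewall.c), so the
# bpf() syscall must be usable by PID 1 for the policy to take effect.
ip_acl_dropin() {
    cat <<'EOF'
[Service]
IPAddressDeny=any
IPAddressAllow=localhost
EOF
}

# Live probe (run as root): start a transient unit with the ACL and try an
# outbound connection from inside it. With a working filter the connection
# to a non-loopback address is dropped; otherwise the journal says why.
probe_ip_acl() {
    echo "lockdown mode: $(lockdown_mode)"
    systemd-run --quiet --wait --unit=ip-acl-probe \
        --property=IPAddressDeny=any --property=IPAddressAllow=localhost \
        sh -c 'if curl -s -m 3 http://example.com >/dev/null; then
                   echo "NOT filtered: outbound connection succeeded"
               else
                   echo "filtered: outbound connection blocked"
               fi'
    journalctl -b -u ip-acl-probe 2>/dev/null | grep -i 'bpf firewall' \
        || echo "no BPF firewall warning found in journal for ip-acl-probe"
}

if [ "${1:-}" = "--probe" ]; then
    probe_ip_acl
fi
```

Running it without arguments only defines the helpers; "sh check.sh --probe" needs root and network access and is not exercised here. On the described Fedora Secure Boot configuration the expected result is a lockdown mode other than "none", an unfiltered outbound connection from the transient unit, and a warning from systemd about the BPF firewall.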