DevHeads.net

Kernel lockdown patch & IPAddressAllow/IPAddressDeny systemd feature with Secure Boot

Booting Fedora with Secure Boot enabled will result in Lockdown being enabled at boot time. This will completly disable the BPF system call for all users [1][2].

Unfortunately, this breaks the IPAddressAllow & IPAddressDeny systemd feature [3][4][5].

I don't have a solution for this, but as far as I understand, this will also prevent other BPF use-cases (for example: Cilium on Fedora CoreOS).

[1] <a href="https://src.fedoraproject.org/rpms/kernel/blob/master/f/efi-lockdown.patch#_1525" title="https://src.fedoraproject.org/rpms/kernel/blob/master/f/efi-lockdown.patch#_1525">https://src.fedoraproject.org/rpms/kernel/blob/master/f/efi-lockdown.pat...</a>
[2] <a href="https://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git/commit/?h=lockdown&amp;id=0eb0d0851747787f7182b3e9d0d38edb5925a678" title="https://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git/commit/?h=lockdown&amp;id=0eb0d0851747787f7182b3e9d0d38edb5925a678">https://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git/commit...</a>
[3] <a href="https://github.com/systemd/systemd/blob/master/src/core/bpf-firewall.c" title="https://github.com/systemd/systemd/blob/master/src/core/bpf-firewall.c">https://github.com/systemd/systemd/blob/master/src/core/bpf-firewall.c</a>
[4] <a href="https://github.com/systemd/systemd/blob/master/NEWS#L1192" title="https://github.com/systemd/systemd/blob/master/NEWS#L1192">https://github.com/systemd/systemd/blob/master/NEWS#L1192</a>
[5] <a href="https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#IPAddressAllow=ADDRESS%5B/PREFIXLENGTH%5D%E2%80%A6" title="https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#IPAddressAllow=ADDRESS%5B/PREFIXLENGTH%5D%E2%80%A6">https://www.freedesktop.org/software/systemd/man/systemd.resource-contro...</a>

Comments

Re: Kernel lockdown patch & IPAddressAllow/IPAddressDeny systemd

By Peter Robinson at 08/08/2018 - 03:29

Probably a good idea to cc: this to the kernel list :-)

I suspect it's intentional but with the planned changes for iptables
etc to be backed by bpf in the upstream kernel sometime in the future
it's likely going to need to be reviewed.

Peter

On Tue, Aug 7, 2018 at 10:25 PM, Timothée Ravier < ... at siosm dot fr> wrote: