-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kernel lockdown impact on bpf #2565
Comments
Hi @yonghong-song , thank you very much for the information, this will help us to fix possible problems and to do plans for the next version. |
Posted same thing in bpftrace/bpftrace#925, but I think we may need to escalate this given my fresh 19.10 install with |
Hi @dailyherold , In all my tests with the future eBPF collectors, I did not have any problem. Lockdown is present since 5.2, but I did not have any missing chart or performance in the collectors I am working right now. Best regards! |
@thiagoftsm any logs I can pull for you if I re-enable lockdown and run? I definitely want to help validate if it will be a problem for anyone trying to compile on a fresh 19.10 system. I do realize desktop ubuntu installs aren't the primary use case for bcc, but do imagine that a lot of people picking up the BPF book (like me!) may be on newer installs and wanting to mess around on their own system when not at work. |
Hi @dailyherold , As I said before, I am not having problems with lockdown, all the eBPF collectors are running perfect in my environment, and it will be available for everybody in few weeks. Best regards! |
Many distros are enabling lockdown, breaking BPF. This is the worst OS change I've ever seen.
The disable method using sysrq keys is being removed. On Ubuntu, the only way to disable it going forward will be to run It's only a small consolation that it doesn't currently affect virtual machine users, such as on AWS EC2. How long until those support secure boot, and therefore lockdown, and now BPF is disabled on them as well? See https://lwn.net/Articles/784674/ for background on this controversial patch, which includes quotes like:
And yes, we need to object really strongly. Everyone needs to contact their distro vendors and ask them to disable lockdown by default, or find another way to allow BPF by default. I'm 100% serious. A gist I get from that article is that they were trying to create a mode ("tristate") to not break BPF, but the description doesn't seem to make sense. If the "integrity" state was the compromise state to allow BPF, then it should allow BPF programs to run, not the opposite. Whoever has the cycles: please study what's going on in detail to list what our options are, other than avoiding distros that do this. PS. The second-worst OS change I've seen is compiling everything (including libc) without frame pointers by default. That still hurts us at Netflix on a daily basis. |
@brendangregg The patch in SLES/openSUSE should not break BPF. We enable integrity lockdown mode when booting in EFI Secure Mode. Without Secure Boot, the lockdown mode is none. We never enable confidentionality. And anyway, we ship Cilium and BCC as parts of our distro and products, so if anything breaks BPF, we are going to fix that. |
@mrostecki Yay, thank you! :) |
What is the best way to reach out to distro providers (for example, Fedora) to voice concern? The thing I understand least is: If their goal is to protect cryptographic keys, why blacklist bpf_probe_read and bpf_probe_read_str entirely instead of just modifying those functions to not permit access to a dedicated memory region to keep the keys in? |
Agreed w/ Thomas. The current "solution" will significantly (negatively) impact other security applications (host intrusion detection). Thomas' solution seems far better! |
AFAIK distros provided lockdown out-of-tree patch for years and in those versions bpf was disabled completely not only bpf_probe_read() and bpf_probe_read_str() like in upstream version. |
FWIW, after talking with Matthew Garrett (one of the lockdown patch authors) he was kind enough to talk to the Redhat folks that had auto-booted into confidentiality mode in recent Fedora versions and convince them that confidentiality mode has a specific use-case that is not satisfied there. Fedora 30 and 31 will now boot into integrity mode instead of confidentiality mode. This still makes "naked" kprobes impossible, but at least still allows "regular" reading of kernel memory from eBPF. Relevant Redhat bugzilla entry https://bugzilla.redhat.com/show_bug.cgi?id=1815571. |
For the record, Ubuntu also switched to integrity mode by default (launchpad bug / fix for Focal). |
LOCKDOWN_CONFIDENTIALITY_MAX restricts a lot of useful features, even security ones (like monitoring via BPF), while not adding that much value for common use cases. Set the default level to LOCKDOWN_INTEGRITY_MAX as Ubuntu, RedHat and SUSE did recently. iovisor/bcc#2565 (comment) https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1868626 https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/commit/?id=ef7c6600bb3e https://bugzilla.redhat.com/show_bug.cgi?id=1815571 Closes: #956197
posted a question here bpftrace/bpftrace#853 (comment) also relevant to this repository - we shouldn't have to ask users to disable boot protection in order to use a userspace program. if there was a way to get authority trust for our userspsace program that uses BPF, that would allow us to distribute userspace programs that are able to take advantage of BPF but are also trusted without additional configuration |
Starting from kernel 5.4, lockdown is actually merged in the kernel.
This issue is created to track its impact on bcc and tracing. We can add to proper documentation once 5.4 is released.
The bcc/tracing will be impacted when lockdown confidentiality mode is turned on.
The following is kernel source code for different lockdown subcategories for confidentiality mode:
https://github.com/torvalds/linux/blob/master/include/linux/security.h#L104-L126
The following three modes will have impact on bcc:
kprobe will be disabled, debugfs most part will be disabled unless it is unprivileged. bpf_probe_read() and bpf_probe_read_str() will be disabled. perf_event_open() cannot open an event to get kernel data (others are fine).
Things could change as the 5.4 still has some way to go.
The text was updated successfully, but these errors were encountered: