My experience with kernel lockdown and eBPF

I’m running Ubuntu Linux on a Dell Latitude 7390 and was extremely baffled when suddenly I couldn’t run any of the eBPF tools. Even running as root I received this:

Error creating map: '@curfreq': Operation not permitted
Error creating map: '@process_mhz': Operation not permitted
Error creating map: '@system_mhz': Operation not permitted
Error creating printf map: Operation not permitted
Creation of the required BPF maps has failed.
Make sure you have all the required permissions and are not confined (e.g. like
snapcraft does). `dmesg` will likely have useful output for further troubleshooting

Quick googling pointed me to the root cause: kernel lockdown, the mode which is activated by Secure Boot. In the past it was still possible to disable lockdown from the command line:

echo 1 > /proc/sys/kernel/sysrq
echo x > /proc/sysrq-trigger

But now this option has been disabled and it’s no longer possible to turn lockdown off through sysrq-trigger. If you try these two commands today, nothing changes except for the following message in dmesg:

[Sun Mar 15 14:07:19 2020] This sysrq operation is disabled from userspace.

As far as I know there are three options left:
1. Disable secure boot in UEFI
2. Use Alt+SysRq every time after a reboot
3. sudo mokutil --disable-validation

As a dirty hack I’ve used the Alt+SysRq option so far. Btw, to initiate Alt+SysRq on the Dell 7390 I had to:
1. Press Fn+Esc to enable function keys
2. Press Alt+PrtScr+x to disable lockdown

Check dmesg to confirm it worked:

[Sun Mar 15 14:11:28 2020] sysrq: Disabling Secure Boot restrictions
[Sun Mar 15 14:11:28 2020] Lifting lockdown
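
A small check for the kernel messages quoted above, added here as an example and not part of the original post. It assumes a kernel with the mainline lockdown LSM, which exposes /sys/kernel/security/lockdown; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Kernel log lines quoted in the post, in chronological order.
SAMPLE_LOG='[Sun Mar 15 14:07:19 2020] This sysrq operation is disabled from userspace.
[Sun Mar 15 14:11:28 2020] sysrq: Disabling Secure Boot restrictions
[Sun Mar 15 14:11:28 2020] Lifting lockdown'

# Extract the active mode from lockdown file content; the kernel marks it
# with brackets, e.g. "none [integrity] confidentiality" -> "integrity".
# Prints nothing if no bracketed mode is present.
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p'
}

# Read kernel log lines on stdin and print the most recent lockdown event:
#   lifted        - lockdown was lifted (Alt+SysRq+x at the keyboard)
#   sysrq-blocked - a lift was attempted via /proc/sysrq-trigger and refused
#   no-event      - neither message seen
lockdown_log_state() {
    state="no-event"
    while IFS= read -r line; do
        case "$line" in
            *"Lifting lockdown"*) state="lifted" ;;
            *"This sysrq operation is disabled from userspace"*) state="sysrq-blocked" ;;
        esac
    done
    printf '%s\n' "$state"
}

printf 'sample log state: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | lockdown_log_state)"

# Assumption: mainline lockdown LSM, which exposes this securityfs file.
LOCKDOWN_FILE=/sys/kernel/security/lockdown
if [ -r "$LOCKDOWN_FILE" ]; then
    printf 'live lockdown mode: %s\n' "$(lockdown_mode "$(cat "$LOCKDOWN_FILE")")"
else
    printf 'live lockdown mode: %s not readable on this kernel\n' "$LOCKDOWN_FILE"
fi
```

To check a real machine, pipe `dmesg` into `lockdown_log_state`; a `lifted` result on a Secure Boot system is worth alerting on, since it means the restrictions were switched off from the keyboard.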

Finally, I’d highly recommend reading Brendan Gregg’s comment regarding lockdown and its impact.

Stay cool and stay unlocked!

Posted on March 15, 2020 at 2:09 pm by sergeyt
In: BPF, Linux