24-28 August 2020
US/Pacific timezone

eBPF in kernel lockdown mode

26 Aug 2020, 09:45
Networking and BPF Summit/Virtual-Room (LPC 2020)

Networking and BPF Summit/Virtual-Room

LPC 2020

Networking & BPF Summit Networking and BPF Summit


Mr Arnaldo Melo (Red Hat Inc.)


Linux has a new 'lockdown' security mode where changes to the running kernel
requires verification with a cryptographic signature and restrictions to
accesses to kernel memory that may leak to userspace.

Lockdown's 'integrity' mode requires just the signature, while in
'confidentiality' mode in addition to requiring a signature the system can't
leak confidential information to userspace.

Work needs to be done to add cryptographic signatures for eBPF bytecode. The
signature be then passed to the kernel via sys_bpf() reusing the kernel module
signing infrastructure.

The main eBPF loader, libbpf, may perform relocations on the received bytecode
for things like CO-RE (Compile Once, Run Everywhere), thus tampering with the
signature made with the original bytecode.

It is thus needed to move such modifications to the signed bytecode from libbpf
to the kernel, so that it may be done after the signature is verified.

This presentation is intended to provide a problem statement, some ideas being
discussed, provide a reading list, and to foster awareness about this security
feature so that BPF can be used in environments where 'lockdown' mode is

I agree to abide by the anti-harassment policy I agree

Primary author

Mr Arnaldo Melo (Red Hat Inc.)

Presentation Materials