git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/commit
UBUNTU: SAUCE: UEFI: bpf: disable bpf when module security is enabled
author Tim Gardner <tim.gardner@canonical.com>
Thu, 17 Nov 2016 19:18:05 +0000 (12:18 -0700)
committer Tim Gardner <tim.gardner@canonical.com>
Mon, 20 Feb 2017 03:57:58 +0000 (20:57 -0700)
commit 4724e62b30026296f90477d73439bf47f2f602ba
tree 262156b598d4d9a8793898c10cf6925caf6d302b
parent 31d2c15ba3eba8a76e12a04685e6845574924661
UBUNTU: SAUCE: UEFI: bpf: disable bpf when module security is enabled

BPF carnage - Hi,

It looks like CONFIG_BPF_EVENTS needs to be disabled in secure boot
environments since you can read kernel memory (and hence, the hibernation
image signing key) by attaching an eBPF program to a tracepoint through a
perf_event_open() fd which uses bpf_probe_read() and either
bpf_trace_printk() or bpf_probe_write_user(). (Or, rather, kernel memory
_reads_ need to be added to the threat model if a private key is held in
kernel memory.)

-Kees

--
Kees Cook
Nexus Security

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Conflicts:
kernel/bpf/syscall.c
kernel/bpf/syscall.c
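The message above says the fix is to refuse BPF entirely when module security (Secure Boot lockdown) is enabled, because a tracepoint-attached eBPF program can read arbitrary kernel memory through bpf_probe_read(). The following userspace probe is an added example, not code from this commit or from the Ubuntu kernel tree: it asks the running kernel to load the smallest possible BPF_PROG_TYPE_TRACEPOINT program ("r0 = 0; exit") and reports whether the bpf() syscall accepts it, so an operator can verify on a booted machine that tracepoint programs are actually refused. Assumptions: the struct layouts are a hand-copied mirror of the 4.x uapi bpf ABI (so the file builds without kernel headers), the fallback syscall number 321 is the x86_64 value, and the patched kernel signals refusal through an error return from bpf() whose exact errno is not stated on this page, so the probe reports errno instead of testing for a fixed value. The program never reads kernel memory and loads no helper calls.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

#ifndef __NR_bpf
#define __NR_bpf 321 /* assumption: x86_64 value, used only if headers lack it */
#endif

/* Minimal mirror of uapi/linux/bpf.h (4.x era), assumed here so the example
 * builds without kernel headers.  Only the BPF_PROG_LOAD member of union
 * bpf_attr is modelled; the kernel accepts a shorter attr size. */
#define BPF_PROG_LOAD            5
#define BPF_PROG_TYPE_TRACEPOINT 5
#define OP_ALU64_MOV_IMM 0xb7 /* BPF_ALU64 | BPF_MOV | BPF_K : dst = imm */
#define OP_EXIT          0x95 /* BPF_JMP | BPF_EXIT */

struct bpf_insn_compat {
    uint8_t code;
    uint8_t dst_reg:4;
    uint8_t src_reg:4;
    int16_t off;
    int32_t imm;
};

struct bpf_prog_load_attr {
    uint32_t prog_type;
    uint32_t insn_cnt;
    uint64_t insns;        /* user pointer to struct bpf_insn[] */
    uint64_t license;      /* user pointer to NUL-terminated string */
    uint32_t log_level;
    uint32_t log_size;
    uint64_t log_buf;
    uint32_t kern_version; /* only checked for kprobe programs */
} __attribute__((aligned(8)));

enum bpf_probe_result {
    BPF_LOAD_ALLOWED,        /* kernel handed back a program fd */
    BPF_LOAD_REFUSED,        /* bpf() failed; errno says why (EPERM etc.) */
    BPF_SYSCALL_UNAVAILABLE  /* ENOSYS: no bpf() syscall at all */
};

/* Build the two-instruction program "r0 = 0; exit".  Returns insn count. */
uint32_t build_trivial_prog(struct bpf_insn_compat out[2])
{
    memset(out, 0, 2 * sizeof out[0]);
    out[0].code = OP_ALU64_MOV_IMM; /* r0 = 0 (dst_reg 0, imm 0) */
    out[1].code = OP_EXIT;          /* return r0 */
    return 2;
}

/* Attempt to load the trivial program as a tracepoint program.  On success
 * the fd is closed immediately; nothing is ever attached to a tracepoint. */
enum bpf_probe_result probe_tracepoint_bpf_load(int *err_out)
{
    struct bpf_insn_compat prog[2];
    struct bpf_prog_load_attr attr;

    memset(&attr, 0, sizeof attr);
    attr.prog_type = BPF_PROG_TYPE_TRACEPOINT;
    attr.insn_cnt  = build_trivial_prog(prog);
    attr.insns     = (uint64_t)(uintptr_t)prog;
    attr.license   = (uint64_t)(uintptr_t)"GPL";

    long fd = syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof attr);
    if (fd >= 0) {
        close((int)fd);
        if (err_out) *err_out = 0;
        return BPF_LOAD_ALLOWED;
    }
    if (err_out) *err_out = errno;
    return errno == ENOSYS ? BPF_SYSCALL_UNAVAILABLE : BPF_LOAD_REFUSED;
}

int main(void)
{
    int err = 0;
    switch (probe_tracepoint_bpf_load(&err)) {
    case BPF_LOAD_ALLOWED:
        puts("bpf(BPF_PROG_LOAD) for a tracepoint program SUCCEEDED: "
             "kernel-memory reads via bpf_probe_read() are reachable");
        return 1;
    case BPF_SYSCALL_UNAVAILABLE:
        puts("bpf() syscall not available on this kernel");
        return 0;
    default:
        printf("bpf(BPF_PROG_LOAD) refused: %s (errno %d)\n",
               strerror(err), err);
        return 0;
    }
}
```

Run it as root on the booted kernel: a refusal on a Secure Boot machine is the expected result of this patch, while a successful load (exit status 1) means tracepoint eBPF is still reachable. An unprivileged run is not a useful test, since the 4.x kernels of this era already require CAP_SYS_ADMIN for tracepoint program loads and will return EPERM regardless of the patch.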