Linux Kernel Lockdown for eBPF Applications
Issue Description
eBPF applications may fail to load or run properly when the Linux kernel lockdown feature is enabled. This guide will help you diagnose and resolve issues related to kernel lockdown, particularly for Qpoint eBPF applications.
Symptoms
eBPF programs fail to load with errors mentioning "invalid argument" or "unknown func".
Qpoint Tap fails to start with a panic message similar to:
Diagnosis Steps
Check current lockdown status:
The output will show the current mode in square brackets, e.g., none [integrity] confidentiality.
Verify GRUB configuration:
Look for the GRUB_CMDLINE_LINUX line and check if lockdown=none is present.
If lockdown is not set to "none" or the GRUB configuration doesn't match the current status, proceed to the fix.
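The two diagnosis checks above combined into one read-only script. This is an added example, not Qpoint's own code. It assumes the standard locations /sys/kernel/security/lockdown and /etc/default/grub, which this page does not name, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: read-only lockdown diagnosis. File paths are arguments so the
# functions can be exercised against sample files as well as the live system.

# Print the active mode: the word inside [brackets] in the lockdown file.
active_lockdown_mode() {
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1"
}

# Print the lockdown= value on the GRUB_CMDLINE_LINUX line, or "unset".
grub_lockdown_param() {
    local line value
    # Commented lines and GRUB_CMDLINE_LINUX_DEFAULT do not match; the last
    # assignment wins, as it does when the file is sourced.
    line=$(sed -n 's/^[[:space:]]*GRUB_CMDLINE_LINUX=//p' "$1" | tail -n 1)
    value=$(printf '%s\n' "$line" | tr -d "\"'" | tr ' ' '\n' |
            sed -n 's/^lockdown=//p' | tail -n 1)
    printf '%s\n' "${value:-unset}"
}

# Apply the guide's decision rule to the running mode and the GRUB setting.
lockdown_verdict() {
    local active grub
    active=$(active_lockdown_mode "$1")
    grub=$(grub_lockdown_param "$2")
    if [ "$active" = none ] && [ "$grub" = none ]; then
        echo "ok: lockdown is none and GRUB agrees"
    elif [ "$grub" = none ]; then
        echo "mismatch: GRUB has lockdown=none but kernel runs [$active]"
    else
        echo "fix: kernel runs [$active], GRUB lockdown=$grub"
    fi
}

if [ -r /sys/kernel/security/lockdown ] && [ -r /etc/default/grub ]; then
    # Assumed standard paths on the live system.
    lockdown_verdict /sys/kernel/security/lockdown /etc/default/grub
else
    # Constructed sample input, used when the live files are not readable.
    tmp=$(mktemp -d)
    echo 'none [integrity] confidentiality' > "$tmp/lockdown"
    echo 'GRUB_CMDLINE_LINUX="quiet lockdown=none"' > "$tmp/grub"
    lockdown_verdict "$tmp/lockdown" "$tmp/grub"
    rm -rf "$tmp"
fi
```

A "mismatch" verdict means the GRUB file already carries the setting but the running kernel has not picked it up, which points at the Update GRUB and Reboot steps rather than at the edit itself.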
Fix
Edit the GRUB configuration:
Modify the GRUB_CMDLINE_LINUX line to include lockdown=none:
Ensure there's a space between parameters.
Save the file and exit the editor.
Update GRUB:
Reboot the system:
After reboot, verify the lockdown status again:
It should now show [none] integrity confidentiality.
Additional Troubleshooting
If the issue persists after following these steps:
Check kernel version:
Ensure you're running a kernel version that supports the eBPF features you're using.
Verify eBPF system requirements:
If this returns 1, unprivileged eBPF is disabled and may need to be enabled.
Check for any security modules (e.g., SELinux, AppArmor) that might be interfering:
Review system logs for any related errors:
Further Assistance
If you continue to experience issues after following this guide, please contact Qpoint support with the following information:
Output of the diagnosis steps
Complete error message from Qpoint Tap
Kernel version (uname -r)
Any relevant entries from system logs