Ubuntu 20.04 Boot – Failed to Enable BPF LSM

20.04bootbpfiltergrub2

I want to enable the BPF LSM, I have added

lsm=lockdown,capability,yama,apparmor,bpf

to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub, and run update-grub. After rebooting, it still displays lockdown,capability,yama,apparmor for cat /sys/kernel/security/lsm.

The cat /proc/cmdline displays

BOOT_IMAGE=/boot/vmlinuz-5.8.0-48-generic root=UUID=a94e991b-4a4b-42ae-9729-ef5199478c48 ro debian-installer/custom-installation=/custom find_preseed=/preseed.cfg auto preseed/file=/floppy/preseed.cfg automatic-ubiquity noprompt priority=critical locale=en_US console-setup/modelcode=evdev lsm=lockdown,capability,yama,apparmor,bpf

My kernel version is 5.8.0-48-generic from uname -r.

Best Answer

Ubuntu 20.04
Adding bpf to CONFIG_LSM, then rebooting worked for me.

Related Solutions

Ubuntu – Kernel error messages when booting Ubuntu 20.04

The error is issued from the Kernel's Trusted Platform Module Command Response Buffer Interface driver (see drivers/char/tpm/tpm_crb.c in the Linux source), function crb_fixup_cmd_size(). This states in a comment:

"Work around broken BIOSs that return inconsistent values from the ACPI region vs the registers. Trust the ACPI region. Such broken systems probably cannot send large TPM commands since the buffer will be truncated."

Basically the ACPI AML contains I/O resource information that informs the kernel where a I/O region exists but this information looks dubious and the kernel attempts to work around this.

Normally the DSTD or SSDT contain AML that describes the I/O region (base address and length). I suspect one of the _CRS ACPI objects with the TPM 2.0 _CID "MSFT0101" is incorrect. You can find these using:

sudo fwts crsdump -

On my laptop I have the following:

\_SB_.TPM_._CRS (32-Bit Fixed Memory Range Descriptor):
  0x0000: Tag Type                      : 0x01
  0x0000: Tag Item ID                   : 0x06
  0x0001: Length                        : 0x0009
  0x0003: Write Status                  : 0x00 (non-writeable, read-only)
  0x0004: Range Base Address            : 0xfed40000
  0x0008: Range Length                  : 0x00005000

Or disassemble the AML using:

sudo fwts --dis

usually in one of the SSDT tables you have the relevant object described in AML something like:

Scope (\_SB)
{
    Device (TPM)
    {
        Name (_HID, "STM7304")  // _HID: Hardware ID
        Noop
        Name (_CID, "MSFT0101" /* TPM 2.0 Security Device */)  // _CID: Compatible ID
        Name (_STR, Unicode ("TPM 2.0 Device"))  // _STR: Description String
        Name (_CRS, ResourceTemplate ()  // _CRS: Current Resource Settings
        {
            Memory32Fixed (ReadOnly,
                0xFED40000,         // Address Base
                0x00005000,         // Address Length
                )
        })
 ...etc

I suspect the address length field on your machine is broken. Never mind, because the kernel spotted this and tried to fix it up.

Boot – Fix Initramfs Unpacking Failed Error in Ubuntu 20.04

From the comments...

set back compress=lz4 in /etc/initramfs-tools/initramfs.conf
rebuild your ramdisk with sudo update-initramfs -c -k $(uname -r)
reboot

Note: Use the sudo update-initramfs -c example, not sudo update-initramfs -u variation.

Best Answer

Related Solutions

Ubuntu – Kernel error messages when booting Ubuntu 20.04

Boot – Fix Initramfs Unpacking Failed Error in Ubuntu 20.04

Related Question