From 65d823f3432500974f828a8955c6cf781f682649 Mon Sep 17 00:00:00 2001
From: Rosen Penev
Date: Sun, 8 Feb 2026 11:33:35 -0800
Subject: [PATCH] board configs: disable unprivileged BPF (#9082)

Fixes wrong CPU vulnerability output:

/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation:Vulnerable: Unprivileged eBPF enabled

It's enabled but CONFIG_BPF_UNPRIV_DEFAULT_OFF being unset causes the warning. This warning happens on ARM32 and ARM64 devices.

Edited with:

find -name "*.config" -exec sed -i 's/# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set/CONFIG_BPF_UNPRIV_DEFAULT_OFF=y/g' '{}' ;

CONFIG_BPF_UNPRIV_DEFAULT_OFF is a Linux kernel build-time hardening option that disables unprivileged use of the bpf() syscall (and thus unprivileged eBPF loading) by default by setting kernel.unprivileged_bpf_disabled=2 at boot. With this default, only privileged processes (e.g., with CAP_SYS_ADMIN / CAP_BPF, depending on kernel) can load eBPF unless an administrator explicitly relaxes it. [1], [2]

Operational behavior you should know

kernel.unprivileged_bpf_disabled semantics (as documented in the kernel sysctl docs/patch):

0: unprivileged bpf() allowed
1: unprivileged bpf() blocked and cannot be re-enabled until reboot (no transition back to 0 while running)
2: unprivileged bpf() blocked but admin can later switch to 0 or 1 if needed

If CONFIG_BPF_UNPRIV_DEFAULT_OFF=y, the default becomes 2 instead of 0. [2]

Signed-off-by: Rosen Penev
---
 lib/functions/compilation/armbian-kernel.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/functions/compilation/armbian-kernel.sh b/lib/functions/compilation/armbian-kernel.sh
index 5d0073b0ce..0f927806d8 100644
--- a/lib/functions/compilation/armbian-kernel.sh
+++ b/lib/functions/compilation/armbian-kernel.sh
@@ -120,6 +120,7 @@ function armbian_kernel_config__600_enable_ebpf_and_btf_info() { opts_n+=("DEBUG_INFO_NONE") # Make sure the "none" option is disabled opts_y+=( "BPF_JIT" "BPF_JIT_DEFAULT_ON" "FTRACE_SYSCALLS" "PROBE_EVENTS_BTF_ARGS" "BPF_KPROBE_OVERRIDE" # eBPF == on + "BPF_UNPRIV_DEFAULT_OFF" "DEBUG_INFO" "DEBUG_INFO_DWARF5" "DEBUG_INFO_BTF" "DEBUG_INFO_BTF_MODULES" # BTF & CO-RE == off )
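Review bot: the commit message does not match this diff. The subject says "board configs" and the "Edited with:" paragraph describes a find/sed pass over every *.config, but the only change here is one line in lib/functions/compilation/armbian-kernel.sh (1 file changed, 1 insertion); either the edited .config files are missing from the patch, or the subject and that paragraph should describe the opts_y change instead. The added `"BPF_UNPRIV_DEFAULT_OFF"` also sits between the `# eBPF == on` group and the `# BTF & CO-RE == off` group with no comment of its own; since it restricts rather than enables, and lives in a function named armbian_kernel_config__600_enable_ebpf_and_btf_info, a trailing comment such as `# default kernel.unprivileged_bpf_disabled=2; sysctl can still relax it` would record the intent for the next reader.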
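The sysctl semantics in the commit message (values 0/1/2 and the one-way nature of 1) can be turned into a small audit for a running board. The following is an added example, not code from the Armbian patch or project; the function names are my own, the sysctl and sysfs paths are the standard kernel interfaces, and the sample strings in the comments are constructed.

```shell
#!/bin/sh
# Added example (not part of the Armbian patch): audit helpers for the
# kernel.unprivileged_bpf_disabled sysctl. Function names are hypothetical;
# the /proc and /sys paths are the standard kernel interfaces.

# Map a sysctl value (0/1/2) to the semantics listed in the commit message.
# Prints the description; returns 1 for an unknown value.
describe_unpriv_bpf() {
    case "$1" in
        0) echo "unprivileged bpf() allowed" ;;
        1) echo "unprivileged bpf() blocked; locked until reboot" ;;
        2) echo "unprivileged bpf() blocked; admin may still change it" ;;
        *) echo "unknown value: $1"; return 1 ;;
    esac
}

# Return 0 when switching the sysctl from $1 to $2 is permitted at runtime:
# value 1 is one-way (only re-writing 1 is accepted until reboot), while
# 0 and 2 may move to any of the three values. Rejects values outside 0..2.
transition_allowed() {
    cur="$1"; new="$2"
    case "$new" in 0|1|2) ;; *) return 1 ;; esac
    [ "$cur" = "1" ] && [ "$new" != "1" ] && return 1
    return 0
}

# Return 0 when a spectre_v2 sysfs line carries the warning from the commit
# message, e.g. (constructed) "Mitigation: CSV2, BHB; Vulnerable: Unprivileged eBPF enabled".
spectre_v2_flags_ebpf() {
    case "$1" in
        *"Unprivileged eBPF enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live audit of the running kernel: read the real sysctl and sysfs files and
# report whether unprivileged eBPF is still reachable. Returns 1 if it is.
audit_unpriv_bpf() {
    sysctl_file=/proc/sys/kernel/unprivileged_bpf_disabled
    vuln_file=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    [ -r "$sysctl_file" ] || { echo "no bpf sysctl (CONFIG_BPF_SYSCALL off?)"; return 2; }
    val=$(cat "$sysctl_file")
    echo "kernel.unprivileged_bpf_disabled=$val: $(describe_unpriv_bpf "$val")"
    if [ -r "$vuln_file" ] && spectre_v2_flags_ebpf "$(cat "$vuln_file")"; then
        echo "spectre_v2 reports unprivileged eBPF enabled; set the sysctl to 2 or build with CONFIG_BPF_UNPRIV_DEFAULT_OFF=y"
        return 1
    fi
    return 0
}

# Run the live audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--live" ]; then audit_unpriv_bpf; fi
```

Run it with `sh bpf_audit.sh --live` on the board; a non-zero exit means the sysctl still allows unprivileged bpf() or the spectre_v2 file still shows the warning.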