{"id":2231788,"url":"http://patchwork.ozlabs.org/api/1.2/covers/2231788/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/cover/177763771233.374359.17873278509696979439@gollum.public/","project":{"id":15,"url":"http://patchwork.ozlabs.org/api/1.2/projects/15/?format=json","name":"Ubuntu Kernel","link_name":"ubuntu-kernel","list_id":"kernel-team.lists.ubuntu.com","list_email":"kernel-team@lists.ubuntu.com","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<177763771233.374359.17873278509696979439@gollum.public>","list_archive_url":null,"date":"2026-05-01T12:29:58","name":"[SRU,R:raspi/Q:raspi/N:raspi,0/3] CONFIG_BPF_LSM not enabled in linux-raspi arm64 kernel (LP: #2150798)","submitter":{"id":71819,"url":"http://patchwork.ozlabs.org/api/1.2/people/71819/?format=json","name":"Juerg Haefliger","email":"juerg.haefliger@canonical.com"},"mbox":"http://patchwork.ozlabs.org/project/ubuntu-kernel/cover/177763771233.374359.17873278509696979439@gollum.public/mbox/","series":[],"comments":"http://patchwork.ozlabs.org/api/covers/2231788/comments/","headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=FgunQM6+;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g6Vk46drWz1yHZ\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 01 May 2026 22:30:20 +1000 (AEST)","from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1wIn0S-0000aW-UD; Fri, 01 May 2026 12:30:08 +0000","from smtp-relay-internal-0.internal ([10.131.114.225]\n helo=smtp-relay-internal-0.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from <juerg.haefliger@canonical.com>)\n id 1wIn0R-0000aF-FI\n for kernel-team@lists.ubuntu.com; Fri, 01 May 2026 12:30:07 +0000","from mail-wr1-f72.google.com (mail-wr1-f72.google.com\n [209.85.221.72])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 49E173FEA3\n for <kernel-team@lists.ubuntu.com>; Fri,  1 May 2026 12:30:07 +0000 (UTC)","by mail-wr1-f72.google.com with SMTP id\n ffacd0b85a97d-43d103e46c3so1139232f8f.3\n for <kernel-team@lists.ubuntu.com>; Fri, 01 May 2026 05:30:07 -0700 (PDT)","from localhost ([81.221.210.150]) by smtp.gmail.com with ESMTPSA id\n ffacd0b85a97d-44a8ea7cf97sm5057850f8f.6.2026.05.01.05.30.05\n for <kernel-team@lists.ubuntu.com>\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Fri, 01 May 2026 05:30:05 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;\n s=20251003; t=1777638607;\n bh=Jm13lCe+tUpko1mj/TXGBgcWWT0IsliOaL4yDT8fbRg=;\n h=From:To:Subject:Date:Message-ID:MIME-Version;\n b=FgunQM6+gcOShuKIdyPMuD1ghngLPbP3C0O8bnb98/s8v7RnyZ4ppjEkjQR/42kG5\n Gt/SA7z5DuTi+LKarwdy7w/NWjQrMWtGABo68vw+gEdwmjshwcpoCq8HgeJiI/NAiY\n 7CI21EpRLiD9aP0iNFXSogjeWy+H6F8SIkLdnWPuS6H2JYy8f2gnAY75nqdgp0DCYE\n 2B9nKAt75aUuIdp6WJZyGHT+dmledrZJwHBZWREHDkSyG9LzLl1esCrUSrkIrd1+IH\n glF6AB96T5oYlOxsCkjwcvWln1SZsMghL+MwlFbe3+IDrXmodho3LLMlBcjTQODWCa\n p1dxu7GAjmS1QDi27BouYoFzv5A9c9kOz7004xoHZGxXtO/Avja8/lbsiqtTpa5Y49\n 8GqhttVa+2r2LlqvbBQtJ9hJ+Z03yGP5cgxpssKq1LizlRu20rXocoubsnXuHmiTCm\n 2fpwgzjI9w0fHQhe2iEi7iZGmM+j7qgvoOb1nyY1GVwcRuPpu4JbrVFzwPGbjbP/Qz\n O97R687LcdP0Vp08P985BBS9/RjivEkGl0mGDN63qKvtl5mU0bK9kLckRnXyVaP2+4\n GQS+dfGKklHQOIq90SMgdEgFSKgRHPua1P8ZIgbhpivKIlFSiAaFOD2q45+nEAOF6X\n zgPY5r5DiOYoLHk5kFNKEYHo=","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777638607; x=1778243407;\n h=content-transfer-encoding:mime-version:message-id:date:subject:to\n :from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id\n :reply-to;\n bh=Jm13lCe+tUpko1mj/TXGBgcWWT0IsliOaL4yDT8fbRg=;\n b=SYENP9su5Tf8khReTklE3Zrth7WN8XTavNeZ8keL6pDb19OAUBvRy+y9CTQO6cqbvR\n a8Kxjp5YzE0RqaETeRn7u96WTAnrLEV4eqU6cexn4gd7lVQ8DsrQkLGoy7D0sb59YiWk\n mUuG5GhHXghMUsSAWEaMGTFHzNCVE36sEkgcXsxuYXf7l6NyCvs9A6g2TI2oyxjU5044\n 2cIK0qZYRz1hl26mwwB1+hwxzGNIUZPmwZD2uM9hrEb/U/aK29ifI6iG00STq40pLc5K\n kmwt/YMkfRprLAwmZJCWE/uH1JBKHJpN9VVmM1/+8Qaky5e7zuE0dgiCkSNokvWzlboI\n 4jHA==","X-Gm-Message-State":"AOJu0YxNHkt9Y2QAIwD1g3Y7rX0A49EfitDT6lXw6d5RswXkBJiGfmuz\n cM4qugqptQeJVKl7rdtCZPacKCXMM/w5XQ7fCBLj8moYUaSZ18n7IzTJKWXT+z65+APKQSCMNG6\n z81oTdUPq55hRW7DaNDtQBuRRqhUCsJ8SlGhyuEs+M6H1oncSLQmQBBKSE7fO6+1oSlFMzvTJFk\n PNg88bLgmrEBRgN8KD","X-Gm-Gg":"AeBDietrN6MVeT6ApGT9AwbniuRffLha+zFQelH5UWycCy8YTJ7mSFYf4/LjFDSp1Hh\n ovBZe0rCeJTXwLaMPpDGsga6nOuHWeyfE2zmPwBHc6kkQ1Lyek22XEP7C6FXcwmnlfKyCBVVj7J\n 1xHdEbXSvfoosbh0RTz05Up3/l3yOLpYmZqALpgi4NBXUqAm6VWBfYhx+QKvxxpifQeryK/5Sva\n kvNMOWmbHYKabOoX+cYxAly5Kt/XGYweD8sQ8CIxwluodLb9jDkeOwCQfLeG51defNT7cBFLLzS\n CiGvoyT6JlltOk6zzanqu4VKFifjVCS0XwA0jjY/9EokpEGY6dT28RmmCfZQ9U/opDek32pyyJS\n e+cILB0gVaaTkWBJulGXcu9rNzTocgAn3SfvnjVS6w+3hwejjRhTrLsBIYoPG7h0yT8oJESB+yR\n M=","X-Received":["by 2002:a05:6000:2c11:b0:43d:775b:c9bd with SMTP id\n ffacd0b85a97d-4493cc3f4e1mr11263868f8f.10.1777638606727;\n Fri, 01 May 2026 05:30:06 -0700 (PDT)","by 2002:a05:6000:2c11:b0:43d:775b:c9bd with SMTP id\n ffacd0b85a97d-4493cc3f4e1mr11263816f8f.10.1777638606287;\n Fri, 01 May 2026 05:30:06 -0700 (PDT)"],"From":"Juerg Haefliger <juerg.haefliger@canonical.com>","To":"kernel-team@lists.ubuntu.com","Subject":"[SRU][R:raspi/Q:raspi/N:raspi][PATCH 0/3] CONFIG_BPF_LSM not enabled\n in linux-raspi arm64 kernel (LP: #2150798)","Date":"Fri,  1 May 2026 14:29:58 +0200","Message-ID":"<177763771233.374359.17873278509696979439@gollum.public>","X-Mailer":"git-send-email 2.53.0","MIME-Version":"1.0","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"},"content":"BugLink: https://bugs.launchpad.net/bugs/2150798\n\n[ Impact ]\n\nThe linux-raspi kernel flavor on Ubuntu 24.04 (Noble) arm64 does not have\nCONFIG_BPF_LSM enabled, while linux-image-generic arm64 does. This prevents\nRaspberry Pi users from using BPF LSM programs for security enforcement, even\nvia the lsm= boot parameter.\n\nThe raspi config annotations in Noble explicitly override the parent kernel's\nsetting:\n\n    CONFIG_BPF_LSM  policy<{'arm64': 'n'}>  note<'Different from master'>\n\nAdditionally, the 26.04 (Resolute) linux-raspi changelog for 7.0.0-1009 includes\n\"[Config] Enable CONFIG_BPF_LSM\", but debian.raspi/config/config.common.ubuntu\nstill contains \"# CONFIG_BPF_LSM is not set\". This appears to be an incomplete\nrollout of the intended change.\n\n\n[ Test Case ]\n\n$ grep CONFIG_BPF_LSM /boot/config-$(uname -r)\nCONFIG_BPF_LSM=y\n\n\n[ Where Problems Could Occur ]\n\nTurning this on doesn't do anything by itself but badly written hooks can bring down the system."}