board configs: disable unprivelaged BPF

neheb · neheb · commit 4575c6a02676 · 2026-01-07T19:06:52.000-08:00
Fixes wrong CPU vulnerability output:

/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation:Vulnerable:
Unprivileged eBPF enabled

It's enabled but CONFIG_BPF_UNPRIV_DEFAULT_OFF being unset causes the
warning.

This warning happens on ARM32 and ARM64 devices.

Edited with:
find -name "*.config" -exec sed -i 's/# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set/CONFIG_BPF_UNPRIV_DEFAULT_OFF=y/g' '{}' \;

Signed-off-by: Rosen Penev &lt;rosenp@gmail.com&gt;
diff --git a/lib/functions/compilation/armbian-kernel.sh b/lib/functions/compilation/armbian-kernel.sh
@@ -120,6 +120,7 @@ function armbian_kernel_config__600_enable_ebpf_and_btf_info() {
 		opts_n+=("DEBUG_INFO_NONE") # Make sure the "none" option is disabled
 		opts_y+=(
 			"BPF_JIT" "BPF_JIT_DEFAULT_ON" "FTRACE_SYSCALLS" "PROBE_EVENTS_BTF_ARGS" "BPF_KPROBE_OVERRIDE" # eBPF == on
+			"BPF_UNPRIV_DEFAULT_OFF"
 			"DEBUG_INFO" "DEBUG_INFO_DWARF5" "DEBUG_INFO_BTF" "DEBUG_INFO_BTF_MODULES"                     # BTF & CO-RE == off
 		)
 	fi

Original file line number	Diff line number	Diff line change
`@@ -120,6 +120,7 @@ function armbian_kernel_config__600_enable_ebpf_and_btf_info() {`
`120`	`120`	`opts_n+=("DEBUG_INFO_NONE") # Make sure the "none" option is disabled`
`121`	`121`	`opts_y+=(`
`122`	`122`	`"BPF_JIT" "BPF_JIT_DEFAULT_ON" "FTRACE_SYSCALLS" "PROBE_EVENTS_BTF_ARGS" "BPF_KPROBE_OVERRIDE" # eBPF == on`
	`123`	`+ "BPF_UNPRIV_DEFAULT_OFF"`
`123`	`124`	`"DEBUG_INFO" "DEBUG_INFO_DWARF5" "DEBUG_INFO_BTF" "DEBUG_INFO_BTF_MODULES" # BTF & CO-RE == off`
`124`	`125`	`)`
`125`	`126`	`fi`