System Requirements
The base system requirements to operate Tawon are detailed below.
Supported/Tested Linux Distributions
The following distros have been tested and verified as working with Tawon:
- Ubuntu 20.04
- RHEL/CentOS 7.7 and later
- RHEL/CentOS 8
In theory, Tawon should work on any distro with a 4.19 or later kernel, but individual testing/validation may be necessary to ensure all BPF components are functioning correctly.
Kernel Headers
Install Linux kernel headers on the target machines. See the Kernel Headers page for details.
Kernel Lockdown
The concept of Lockdown has been in the works for over five years. Lockdown was formally added in the Linux 5.4 kernel; any distro that supported Lockdown before that did so with a one-off patch. The easiest way to tell whether a kernel has Lockdown, and what its current setting is, is to look for the file /sys/kernel/security/lockdown:
Lockdown exists in the kernel:
$ ls -l /sys/kernel/security/lockdown
-rw-r--r-- 1 root root 0 Mar 19 16:42 /sys/kernel/security/lockdown
Lockdown does not exist in the kernel:
$ ls /sys/kernel/security/lockdown
ls: cannot access '/sys/kernel/security/lockdown': No such file or directory
Lockdown has three possible states: NONE, INTEGRITY, and CONFIDENTIALITY (with the default being NONE). You can see the current state of Lockdown by looking at /sys/kernel/security/lockdown (the current setting is indicated in brackets):
$ cat /sys/kernel/security/lockdown
[none] integrity confidentiality
In the NONE state, Lockdown is completely disabled and for all intents and purposes does not exist. At the INTEGRITY level (the next step up), kernel capabilities that could let root compromise the kernel are prohibited (for example, loading an arbitrary kernel module or device driver). Finally, at the CONFIDENTIALITY level (the highest setting), kernel capabilities that could allow kernel memory to be read (and thus potentially compromise cryptographic keys) are disabled. In our review/testing, as long as Lockdown is set to NONE or INTEGRITY, Tawon is not affected in any way and is fully functional.
If Lockdown is set to CONFIDENTIALITY, Tawon cannot function, as all BPF is blocked at that level. Today, the only way for a kernel to reach the CONFIDENTIALITY level is for the root account to explicitly set it; nothing sets CONFIDENTIALITY automatically.
System BIOS and Secure Boot
If you boot in BIOS "Legacy" or "Compatibility" mode, a kernel with Lockdown support will default Lockdown to NONE. If you boot with UEFI but have Secure Boot disabled, the kernel will also default Lockdown to NONE. If you boot with UEFI and Secure Boot is enabled, the kernel will default Lockdown to INTEGRITY (and thus, Tawon will run just fine). Again, nothing will set Lockdown to CONFIDENTIALITY automatically, so the BIOS boot mode is immaterial at this time.
What is detailed above is the default kernel behavior. If a distro decides to patch/change the default for UEFI+Secure Boot to CONFIDENTIALITY (it would have to be a specific distro doing this, as it is unlikely to ever become the kernel's default), then the only option for Tawon to work is to disable Secure Boot. Please note carefully that we said "disable Secure Boot" and not "switch to Legacy/Compatibility". Switching boot modes will likely cause huge headaches, as a system is normally installed for one boot mode or the other, not both.
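The Lockdown and Secure Boot checks described above, collected into one pre-flight script. This is an added example, not Tawon's own tooling; it assumes the standard sysfs path for Lockdown named on this page and the standard efivarfs location for the SecureBoot variable, and the function names are ours.

```shell
# Added example, not Tawon's own code: pre-flight checks for what this page
# describes. Paths are standard sysfs/efivarfs locations; names are ours.
LOCKDOWN_FILE=/sys/kernel/security/lockdown
EFIVARS=/sys/firmware/efi/efivars

# Current state is the bracketed word in "[none] integrity confidentiality".
lockdown_state() {
    case "$1" in
        *"[none]"*)            echo none ;;
        *"[integrity]"*)       echo integrity ;;
        *"[confidentiality]"*) echo confidentiality ;;
        *)                     echo unknown ;;
    esac
}

# "absent" = kernel has no Lockdown at all, which the page treats like NONE.
read_lockdown() {
    [ -e "$LOCKDOWN_FILE" ] && lockdown_state "$(cat "$LOCKDOWN_FILE")" || echo absent
}

# Per the page: NONE/INTEGRITY (or no Lockdown) leaves BPF usable; CONFIDENTIALITY blocks it.
lockdown_allows_bpf() {
    case "$1" in none|integrity|absent) return 0 ;; *) return 1 ;; esac
}

# Boot context for the report. The SecureBoot EFI variable is 4 attribute
# bytes followed by one value byte (1 = enabled).
boot_mode() {
    if [ -d /sys/firmware/efi ]; then echo uefi; else echo legacy; fi
}
secure_boot() {
    f=$(ls "$EFIVARS"/SecureBoot-* 2>/dev/null | head -n 1)
    [ -n "$f" ] || { echo off; return; }
    [ "$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')" = 1 ] && echo on || echo off
}

# Exit status 0 means the Lockdown requirement for Tawon is met.
tawon_preflight() {
    state=$(read_lockdown)
    echo "boot: $(boot_mode)  secure boot: $(secure_boot)  lockdown: $state"
    if lockdown_allows_bpf "$state"; then
        echo "OK: Tawon can run"
    else
        echo "Lockdown is CONFIDENTIALITY: BPF is blocked, Tawon cannot run"
        return 1
    fi
}
```

Source the file and run `tawon_preflight` on the target host; on a UEFI host with Secure Boot enabled the report should show `lockdown: integrity`, which the page says is fine for Tawon.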