From 03e909e52fb8186beb6e98bc0d942186b58a02d2 Mon Sep 17 00:00:00 2001
From: Robert Kolchmeyer
Date: Thu, 30 Apr 2026 10:07:35 -0700
Subject: [PATCH] Daemonset for setting initcall_blacklist=algif_aead_init
---
 .../cos-disable-algif-aead.yaml | 104 ++++++++++++++++++
 1 file changed, 104 insertions(+)
 create mode 100644 disable-algif-aead/cos-disable-algif-aead.yaml
diff --git a/disable-algif-aead/cos-disable-algif-aead.yaml b/disable-algif-aead/cos-disable-algif-aead.yaml
new file mode 100644
index 0000000..e0a358b
--- /dev/null
+++ b/disable-algif-aead/cos-disable-algif-aead.yaml
@@ -0,0 +1,104 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Deploy this DaemonSet to disable usage of AEAD in AF_ALG sockets.
+#
+# WARNING: This requires node reboot. Therefore, in order to
+# avoid disrupting your workloads, it is recommended to create a new node pool
+# with the "cloud.google.com/gke-algif-aead-disabled=true" label in your
+# cluster, deploy the DaemonSet to apply settings in that node pool, and then
+# migrate your workloads to the new node pool.
+
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: disable-algif-aead
+spec:
+ selector:
+ matchLabels:
+ name: disable-algif-aead
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ name: disable-algif-aead
+ spec:
+ volumes:
+ - name: host
+ hostPath:
+ path: /
+ initContainers:
+ - name: disable-algif-aead
+ image: marketplace.gcr.io/google/ubuntu2404
+ securityContext:
+ privileged: true
+ resources:
+ requests:
+ memory: 5Mi
+ cpu: 5m
+ volumeMounts:
+ - name: host
+ mountPath: /host
+ command:
+ - /bin/bash
+ - -c
+ - |
+ set -o errexit
+ set -o pipefail
+ set -o nounset
+
+ function check_not_secure_boot() {
+ if [[ ! -d "/sys/firmware/efi" ]]; then
+ return
+ fi
+ efi="$(mktemp -d)"
+ mount -t efivarfs none "${efi}"
+ secure_boot="$(cat "${efi}"/SecureBoot-* | chroot /host python -c 'import sys; print(sys.stdin.buffer.read() == b"\x06\x00\x00\x00\x01")')"
+ umount "${efi}"
+ rmdir "${efi}"
+ if [[ "${secure_boot}" == "True" ]]; then
+ echo "Secure Boot is enabled. Boot options cannot be changed."
+ exit 1
+ fi
+ }
+
+ function main() {
+ if grep " initcall_blacklist=algif_aead_init " /proc/cmdline > /dev/null; then
+ echo "'initcall_blacklist=algif_aead_init' already present on the kernel command line. Nothing to do."
+ return
+ fi
+ echo "Attempting to set 'initcall_blacklist=algif_aead_init' on the kernel command line."
+ if [[ "${EUID}" -ne 0 ]]; then
+ echo "This script must be run as root."
+ return 1
+ fi
+ check_not_secure_boot
+
+ dir="$(mktemp -d)"
+ mount /host/dev/disk/by-partlabel/EFI-SYSTEM "${dir}"
+ sed -i -e "s|cros_efi|cros_efi initcall_blacklist=algif_aead_init|g" "${dir}/efi/boot/grub.cfg"
+ umount "${dir}"
+ rmdir "${dir}"
+ echo "Rebooting."
+ chroot /host reboot
+ }
+
+ main
+ containers:
+ - image: gke.gcr.io/pause:3.7
+ name: pause
+ nodeSelector:
+ "cloud.google.com/gke-algif-aead-disabled": "true"
+ "cloud.google.com/gke-os-distribution": "cos"