I'm not the original person, but ran into this issue #3323 as well on self-hosted Talos Linux nodes (version 1.8.1, Kubernetes version 1.31.2). Noticed a pattern that Falco ran on nodes without secureboot enabled, but on nodes with secureboot I was getting this error message. May be a separate issue, but here are debug logs from a good node and a bad node.
```
126: (bf) r1 = r10 ; R1_w=fp0 R10=fp0
127: (07) r1 += -8 ; R1_w=fp-8
128: (b7) r2 = 8 ; R2_w=8
129: (bf) r3 = r8 ; R3_w=trusted_ptr_pt_regs(off=40,imm=0) R8_w=trusted_ptr_pt_regs(off=40,imm=0)
130: (85) call bpf_probe_read#4
unknown func bpf_probe_read#4
processed 119 insns (limit 1000000) max_states_per_insn 1 total_states 11 peak_states 11 mark_read 5
-- END PROG LOAD LOG --
Wed Nov 27 03:33:16 2024: [libs]: libbpf: prog 'sys_enter': failed to load: -22
Wed Nov 27 03:33:16 2024: [libs]: libbpf: failed to load object 'bpf_probe'
Wed Nov 27 03:33:16 2024: [libs]: libbpf: failed to load BPF skeleton 'bpf_probe': -22
Wed Nov 27 03:33:16 2024: [libs]: libpman: failed to load BPF object (errno: 22 | message: Invalid argument)
Wed Nov 27 03:33:16 2024: An error occurred in an event source, forcing termination...
```
It seems like the node with secureboot enabled is preventing the usage of some eBPF helpers (bpf_probe_read). I am not sure we can do something for this :/ Probably there is something in the node configuration that is blocking it.
falco-logs-bad.log
falco-logs-good.log
Originally posted by @NachoxMacho in #3323 (comment)
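An added example, not part of the original thread and not Falco's own code: a small Python triage helper that pulls the rejected helper, the failing program and the error code out of a libbpf load log like the one quoted above, and reads the active kernel lockdown mode from the format used by `/sys/kernel/security/lockdown`. The function names are hypothetical, and checking lockdown is an assumption about what to look at on the node (confidentiality mode is one setting under which the kernel withholds `bpf_probe_read`), not a confirmed cause for this issue.

```python
import re
from pathlib import Path

# Sample lines copied from the load log quoted in this issue.
SAMPLE_LOG = """\
130: (85) call bpf_probe_read#4
unknown func bpf_probe_read#4
processed 119 insns (limit 1000000) max_states_per_insn 1 total_states 11 peak_states 11 mark_read 5
-- END PROG LOAD LOG --
Wed Nov 27 03:33:16 2024: [libs]: libbpf: prog 'sys_enter': failed to load: -22
Wed Nov 27 03:33:16 2024: [libs]: libpman: failed to load BPF object (errno: 22 | message: Invalid argument)
"""

# Verifier line emitted when the kernel offers no prototype for a helper.
UNKNOWN_FUNC = re.compile(r"^unknown func (\w+)#(\d+)", re.M)
# libbpf line naming the program that failed and the negative errno.
PROG_FAIL = re.compile(r"libbpf: prog '([^']+)': failed to load: (-?\d+)")


def triage_load_log(text):
    """Return rejected helpers and failed programs found in a libbpf load log."""
    helpers = sorted({(name, int(hid)) for name, hid in UNKNOWN_FUNC.findall(text)})
    progs = [(name, int(err)) for name, err in PROG_FAIL.findall(text)]
    return {"rejected_helpers": helpers, "failed_programs": progs}


def parse_lockdown(content):
    """Parse lockdown file content, e.g. 'none integrity [confidentiality]'."""
    m = re.search(r"\[(\w+)\]", content)  # the active mode is the bracketed one
    return m.group(1) if m else None


def current_lockdown(path="/sys/kernel/security/lockdown"):
    """Active lockdown mode on this host, or None if the file is absent or unreadable."""
    try:
        return parse_lockdown(Path(path).read_text())
    except OSError:
        return None


if __name__ == "__main__":
    print(triage_load_log(SAMPLE_LOG))
    print("lockdown:", current_lockdown())
```

Running it against the full `falco-logs-bad.log` and `falco-logs-good.log` on the respective nodes shows whether the rejected helper and the lockdown mode differ between the two.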