[PATCH v3 0/9] bpf-lsm: Extend interoperability with IMA
Alexei Starovoitov
alexei.starovoitov at gmail.com
Thu Mar 3 22:39:35 UTC 2022
On Thu, Mar 3, 2022 at 11:13 AM Mimi Zohar <zohar at linux.ibm.com> wrote:
>
> On Thu, 2022-03-03 at 19:14 +0100, KP Singh wrote:
> >
> > Even Robert's use case is to implement IMA policies in BPF this is still
> > fundamentally different from IMA doing integrity measurement for BPF
> > and blocking this patch-set on the latter does not seem rational and
> > I don't see how implementing integrity for BPF would avoid your
> > concerns.
>
> eBPF modules are an entire class of files currently not being measured,
> audited, or appraised. This is an integrity gap that needs to be
> closed. The purpose would be to at least measure and verify the
> integrity of the eBPF module that is going to be used in lieu of
> traditional IMA.
Mimi,
. There is no such thing as "eBPF modules". There are BPF programs.
They cannot be signed the same way as kernel modules.
We've been working on providing a way to sign them for more
than a year now. That work is still ongoing.
. IMA cannot be used for integrity check of BPF programs for the same
reasons why kernel module like signing cannot be used.
. This patch set is orthogonal.
More information about the Linux-security-module-archive
mailing list