[PATCH 10/12] libbpf: Embed and verify the metadata hash in the loader
James Bottomley
James.Bottomley at HansenPartnership.com
Tue Jun 10 21:24:11 UTC 2025
On Tue, 2025-06-10 at 21:47 +0200, KP Singh wrote:
> It's been repeatedly mentioned that trusted loaders (whether kernel
> or BPF programs) are the only way because a large number of BPF
> use-cases dynamically generate BPF programs.
You keep asserting this, but it isn't supported by patches already
proposed. Specifically, there already exists a patch set:
https://lore.kernel.org/all/20250528215037.2081066-1-bboscaccy@linux.microsoft.com/
that supports both signed trusted loaders and exact hash chain
verification of loaders plus program maps. The core kernel code that
does it is only about 10 lines and looks to me like it could easily be
added to your current patch set. This means BPF signing could support
both dynamically generated and end-to-end integrity use cases with the
signer being in the position of deciding what they want and no loss of
generality for either use case.
> So whatever we build needs to work for everyone and not just your
> specific use-case or your affinity to an implementation.
The linked patch supports both your trusted loader use case and the
exact hash chain verification one the security people want. Your
current patch only seems to support your use case, which seems a little
bit counter to the quote above. However, it also seems that
reconciling both patch sets to give everyone what they want is easily
within reach, so I think that's what we should all work towards.
Regards,
James