[PATCH 10/12] libbpf: Embed and verify the metadata hash in the loader

Paul Moore paul at paul-moore.com
Tue Jun 10 22:31:49 UTC 2025


On Tue, Jun 10, 2025 at 5:24 PM James Bottomley
<James.Bottomley at hansenpartnership.com> wrote:
> On Tue, 2025-06-10 at 21:47 +0200, KP Singh wrote:
> > It's been repeatedly mentioned that trusted loaders (whether kernel
> > or BPF programs) are the only way because a large number of BPF
> > use-cases dynamically generate BPF programs.
>
> You keep asserting this, but it isn't supported by patches already
> proposed.  Specifically, there already exists a patch set:
>
> https://lore.kernel.org/all/20250528215037.2081066-1-bboscaccy@linux.microsoft.com/
>
> that supports both signed trusted loaders and exact hash chain
> verification of loaders plus program maps.  The core kernel code that
> does it is only about 10 lines and looks to me like it could easily be
> added to your current patch set.  This means BPF signing could support
> both dynamically generated and end to end integrity use cases with the
> signer being in the position of deciding what they want and no loss of
> generality for either use case.
>
> >  So whatever we build needs to work for everyone and not just your
> > specific use-case or your affinity to an implementation.
>
> The linked patch supports both your trusted loader use case and the
> exact hash chain verification one the security people want.  Your
> current patch only seems to support your use case, which seems a little
> bit counter to the quote above.  However, it also seems that
> reconciling both patch sets to give everyone what they want is easily
> within reach, so I think that's what we should all work towards.

I agree with James, I see no reason why the two schemes could not
coexist in the kernel; support both and let the user/admin/distro
decide which is appropriate for their needs through policy.

I'm sure Blaise would be willing to build on top of KP's patchset if
that really is a sticking point.

Finally, I just wanted to bring some attention to my last comment on
Blaise's latest patchset as the needs mentioned there seem to have
been ignored in this patchset.

https://lore.kernel.org/linux-security-module/CAHC9VhQT=ymqssa9ymXtvssHTdVH_64T8Mpb0Mh8oxRD0Guo_Q@mail.gmail.com/

-- 
paul-moore.com
