[PATCH 10/12] libbpf: Embed and verify the metadata hash in the loader
KP Singh
kpsingh at kernel.org
Wed Jun 11 13:41:30 UTC 2025
On Wed, Jun 11, 2025 at 3:18 PM James Bottomley
<James.Bottomley at hansenpartnership.com> wrote:
>
> On Wed, 2025-06-11 at 14:33 +0200, KP Singh wrote:
> > [...]
> > I have read and understood the code, there is no technical
> > misalignment.
> >
> > I am talking about a trusted user space loader. You seem to confuse
> > the trusted BPF loader program as userspace, no this is not
> > userspace, it runs in the kernel context.
>
> So your criticism isn't that it doesn't cover your use case from the
> signature point of view but that it didn't include a loader for it?
>
> The linked patch was a sketch of how to verify signatures not a full

It was a non-functional sketch that did not address much of the
feedback that was given, that's not how collaboration works.

> implementation. The pieces like what the loader looks like and which
> keyring gets used are implementation details which can be filled in
> later by combining the patch series with review and discussion. It's
> not a requirement that one person codes everyone's use case before they
> get theirs in, it's usually a collaborative effort ... I mean, why

Yeah, it's surely a collaborative effort, but the collaboration has
been aggressive and tied to a specific implementation (at least from
some folks). Rather than working with the feedback received it has
been accusational of mandating and forcing. If the intent is to really
collaborate, let's land this base implementation and discuss further.
I am not willing to add additional stuff into this base
implementation.

> would you want Microsoft coding up the loader? If they don't have a
> use case for it they don't have much incentive to test it thoroughly
> whereas you do.

It seems that your incentives are purely aligned with Microsoft and
not that of the BPF community at large (this is also visible from the
patches and the engagement). FWIW, there is no urgency for my employer
to have signed BPF programs, yet I am working on this purely to help
you and the community.

- KP

>
> Regards,
>
> James
>