[PATCH bpf-next v2 0/3] BPF signature hash chains
Paul Moore
paul at paul-moore.com
Fri Oct 17 18:39:06 UTC 2025
On Fri, Oct 17, 2025 at 2:03 PM Alexei Starovoitov
<alexei.starovoitov at gmail.com> wrote:
> On Thu, Oct 16, 2025 at 6:36 PM Paul Moore <paul at paul-moore.com> wrote:
> > On Thu, Oct 16, 2025 at 6:01 PM Alexei Starovoitov
> > <alexei.starovoitov at gmail.com> wrote:
> > > On Thu, Oct 16, 2025 at 1:51 PM Paul Moore <paul at paul-moore.com> wrote:
> > > > On Sun, Oct 12, 2025 at 10:12 PM Paul Moore <paul at paul-moore.com> wrote:
> > > > > On Sat, Oct 11, 2025 at 1:09 PM James Bottomley
> > > > > <James.Bottomley at hansenpartnership.com> wrote:
> > > > > > On Sat, 2025-10-11 at 09:31 -0700, Alexei Starovoitov wrote:
> > > > > > > On Sat, Oct 11, 2025 at 7:52 AM James Bottomley
> > > > > > > <James.Bottomley at hansenpartnership.com> wrote:
> > > > > > > >
> > > > > > > > It doesn't need to, once we check both the loader and the map, the
> > > > > > > > integrity is verified and the loader can be trusted to run and
> > > > > > > > relocate the map into the bpf program
> > > > > > >
> > > > > > > You should read KP's cover letter again and then research trusted
> > > > > > > hash chains. Here is a quote from the first googled link:
> > > > > > >
> > > > > > > "A trusted hash chain is a cryptographic process used to verify the
> > > > > > > integrity and authenticity of data by creating a sequence of hash
> > > > > > > values, where each hash is linked to the next".
> > > > > > >
> > > > > > > In addition KP's algorithm was vetted by various security teams.
> > > > > > > There is nothing novel here. It's a classic algorithm used
> > > > > > > to verify integrity and that's what was implemented.
> > > > > >
> > > > > > Both KP and Blaise's patch sets are implementations of trusted hash
> > > > > > chains. The security argument isn't about whether the hash chain
> > > > > > algorithm works, it's about where, in relation to the LSM hook, the
> > > > > > hash chain verification completes.
> > >
> > > Not true. Blaise's patch is a trusted hash chain denial.
> >
> > It would be helpful if you could clarify what you mean by "trusted
> > hash chain denial" and how that differs from a "trusted hash chain".
>
> Paul,
> This is getting ridiculous. You're arguing about the code that you
> don't understand.

Alexei,

Asking for clarification on a phrase which is not commonly used is far
from ridiculous, it's part of a reasonable discussion. We've talked a
lot about "trusted hash chains", with KP's patchset providing a rather
thorough explanation, but I don't recall a "trusted hash chain denial"
definition and it isn't a term I recall hearing in an algorithm
context, at least not outside of "verification of the trusted hash
chain failed resulting in the operation being denied", which doesn't
match with the context used in your comment.

> Stop this broken phone and let Blaise defend his code.

He has, in this thread and others.
James has defended the code, in this thread and others.
I've defended the code, in this thread and others.

Support, or criticism, of an idea shouldn't be limited to the original
author. In fact I would say as contributors, and definitely
maintainers, we have a responsibility to review and provide feedback
on proposed changes; that's how this whole thing works.

--
paul-moore.com