From: Greg KH <gregkh@linuxfoundation.org>
To: Maxwell Bland <mbland@motorola.com>
Cc: "bpf@vger.kernel.org" <bpf@vger.kernel.org>
Subject: Re: FW: BPF-NX+CFI is a good upstreaming candidate
Date: Wed, 3 Jan 2024 17:27:41 +0100	[thread overview]
Message-ID: <2024010317-undercoat-widow-e087@gregkh> (raw)
In-Reply-To: <SEZPR03MB6786598744F4D5DE29C46651B4602@SEZPR03MB6786.apcprd03.prod.outlook.com>

On Wed, Jan 03, 2024 at 04:06:32PM +0000, Maxwell Bland wrote:
> Forwarding to BPF mailing list as plaintext to match the mail server restrictions.
> 
> From what I understand, Linux security team is reactive rather than
> proactive, so maybe the below is a moot point, but I'd love to see
> BPF-NX+CFI if possible.

security@kernel.org is reactive, as that is its requirement, but there
are many other groups that work on proactive security, see the
linux-hardening project for lots of work happening there that is adding
loads of good stuff to the kernel.

> 
> Originally sent to di_jin@brown.edu; v.atlidakis@gmail.com; vpk@cs.brown.edu; dborkman@kernel.org; lsf-pc@lists.linux-foundation.org; bpf@vger.kernel.org; Andrew Wheeler <awheeler@motorola.com>; Sammy BS2 Que | 阙斌生 <quebs2@motorola.com>
> 
> Dear Jin et al., Daniel Borkmann, and LSF/BPF mailing lists,
> 
> Although a few months late, Jin et al.’s USENIX ATC’23 EPF publication here (https://cs.brown.edu/~vpk/papers/epf.atc23.pdf) is great. It was a relief to see the efforts in https://gitlab.com/brown-ssl/epf/-/blob/master/linux-5.10/patches/0003-Adding-BPF-NX.patch?ref_type=heads and related files.
> 
> BPF-NX+CFI would/could/should be a great upstreaming candidate. I am not sure how well BPF-NX+CFI generalizes to the full kernel ecosystem given the approach requires a dedicated vmalloc memory region, but the idea that PXN is no longer enforced at PMD-level granularity because of eBPF is unfortunate.
> 
> BPF-ISR is likely overkill performance-wise as a mechanism and can be handled/refined via kprobes rather than direct patches.
> 
> Jin et al., do you happen to have performance numbers for just NX+CFI, or knowledge of how well this may apply to 6.*+ kernels? With your blessing, and if the mailing list peers are supportive, we should discuss your work and BPF security at https://events.linuxfoundation.org/lsfmmbpf/program/cfp/.

Are there working patches somewhere?  5.10.y is very old and obsolete.

thanks,

greg k-h


Thread overview: 7+ messages
2024-01-03 16:06 FW: BPF-NX+CFI is a good upstreaming candidate Maxwell Bland
2024-01-03 16:27 ` Greg KH [this message]
2024-01-03 18:56   ` Maxwell Bland
2024-01-03 19:16     ` [PATCH 1/2] Adding BPF NX Maxwell Bland
2024-01-03 19:17       ` [PATCH 2/2] Adding BPF CFI Maxwell Bland
2024-01-03 20:47       ` [PATCH 1/2] Adding BPF NX Alexei Starovoitov
2024-01-03 22:36         ` [External] " Maxwell Bland
