From: Daniel Borkmann <daniel@iogearbox.net>
To: Andy Lutomirski <luto@amacapital.net>
Cc: "David S. Miller" <davem@davemloft.net>,
Alexei Starovoitov <alexei.starovoitov@gmail.com>,
Andrew Lutomirski <luto@kernel.org>,
Network Development <netdev@vger.kernel.org>
Subject: Re: [PATCH net] bpf: rework prog_digest into prog_tag
Date: Sat, 14 Jan 2017 00:59:19 +0100
Message-ID: <587969D7.5010806@iogearbox.net>
In-Reply-To: <CALCETrWD7FuRLH0dC46bMf85mXosC3r54=TAXdar5EsZvbvyzg@mail.gmail.com>

On 01/14/2017 12:49 AM, Andy Lutomirski wrote:
> On Fri, Jan 13, 2017 at 3:41 PM, Daniel Borkmann <daniel@iogearbox.net> wrote:
>> On 01/14/2017 12:16 AM, Andy Lutomirski wrote:
>>> On Fri, Jan 13, 2017 at 2:38 PM, Daniel Borkmann <daniel@iogearbox.net>
>>> wrote:
>>>>
>>>> Commit 7bd509e311f4 ("bpf: add prog_digest and expose it via
>>>> fdinfo/netlink") was recently discussed, partially due to
>>>> admittedly suboptimal name of "prog_digest" in combination
>>>> with sha1 hash usage, thus inevitably and rightfully concerns
>>>> about its security in terms of collision resistance were
>>>> raised with regards to use-cases.
>>>
>>> Seems reasonable. My only question is whether you'd still want to
>>> switch to SHA-256 just from a code cleanliness perspective. With
>>> SHA-256 you can use the easy streaming API I wrote, but with SHA-1
>>> you're still stuck with the crappy API in lib/, and I'm not
>>> volunteering to fix up the SHA-1 API.
>>
>> We'd need to truncate that in kernel anyway to not get a too long
>> tag, so given that I'm actually fine with it as-is. I was planning
>> to submit the code for testing to bpf selftests for net-next once
>> it's merged back, too.
>
> Unless you want to kill off that vmalloc()+vfree() pair...

That is really just in slow-path, and should that become a bottleneck
compared to the rest of the verification steps or allocs we do there,
then we can always clean it up in net-next.

Thanks,
Daniel