From: Jarkko Sakkinen <jarkko@kernel.org>
To: Blaise Boscaccy <bboscaccy@linux.microsoft.com>
Cc: Paul Moore <paul@paul-moore.com>,
zeffron@riotgames.com, xiyou.wangcong@gmail.com,
kysrinivasan@gmail.com, code@tyhicks.com,
linux-security-module@vger.kernel.org, roberto.sassu@huawei.com,
James.Bottomley@hansenpartnership.com,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
John Fastabend <john.fastabend@gmail.com>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <martin.lau@linux.dev>,
Eduard Zingerman <eddyz87@gmail.com>, Song Liu <song@kernel.org>,
Yonghong Song <yonghong.song@linux.dev>,
KP Singh <kpsingh@kernel.org>,
Stanislav Fomichev <sdf@fomichev.me>, Hao Luo <haoluo@google.com>,
Jiri Olsa <jolsa@kernel.org>, David Howells <dhowells@redhat.com>,
Lukas Wunner <lukas@wunner.de>,
Ignat Korchagin <ignat@cloudflare.com>,
Quentin Monnet <qmo@kernel.org>,
Jason Xing <kerneljasonxing@gmail.com>,
Willem de Bruijn <willemb@google.com>,
Anton Protopopov <aspsk@isovalent.com>,
Jordan Rome <linux@jordanrome.com>,
Martin Kelly <martin.kelly@crowdstrike.com>,
Alan Maguire <alan.maguire@oracle.com>,
Matteo Croce <teknoraver@meta.com>,
bpf@vger.kernel.org, linux-kernel@vger.kernel.org,
keyrings@vger.kernel.org, linux-crypto@vger.kernel.org
Subject: Re: [PATCH 0/3] BPF signature verification
Date: Wed, 4 Jun 2025 19:22:04 +0300 [thread overview]
Message-ID: <aEByrCJ1R_OYDYxH@kernel.org> (raw)
In-Reply-To: <20250528215037.2081066-1-bboscaccy@linux.microsoft.com>
On Wed, May 28, 2025 at 02:49:02PM -0700, Blaise Boscaccy wrote:
> As suggested or mandated by KP Singh
> https://lore.kernel.org/linux-security-module/CACYkzJ6VQUExfyt0=-FmXz46GHJh3d=FXh5j4KfexcEFbHV-vg@mail.gmail.com/,
> this patchset proposes and implements an alternative hash-chain
> algorithm for signature verification of BPF programs.
>
> This design diverges in two key ways:
>
> 1. Signature Strategy
>
> Two different signature strategies are
> implemented. One verifies only the signature of the loader program in
> the kernel, as described in the link above. The other verifies the
Describe "the one" briefly, despite having the link. Label them A and
B, and also, why there are two strategies. Then you can use those labels
as references later on in this description.
> program’s maps in-kernel via a hash chain. The original design
> required loader programs to be “self-aborting” and embedded the
> terminal hash verification logic as metaprogramming code generation
> routines inside libbpf. While this patchset supports that scheme, it
> is considered undesirable in certain environments due to the potential
> for supply-chain attack vectors and the lack of visibility for the LSM
> subsystem. Additionally, it is impossible to verify the code
> performing the signature verification, as it is uniquely regenerated
> for every program.
>
> 2. Timing of Signature Check
>
> This patchset moves the signature check to a point before
> security_bpf_prog_load is invoked, due to an unresolved discussion
> here:
> https://lore.kernel.org/linux-security-module/CAHC9VhTj3=ZXgrYMNA+G64zsOyZO+78uDs1g=kh91=GR5KypYg@mail.gmail.com/
> This change allows the LSM subsystem to be informed of the signature
> verification result—if it occurred—and the method used, all without
> introducing a new hook. It improves visibility and auditability,
> reducing the “trust me, friend” aspect of the original design.
>
>
> Blaise Boscaccy (3):
> bpf: Add bpf_check_signature
> bpf: Support light-skeleton signatures in autogenerated code
> bpftool: Allow signing of light-skeleton programs
>
> include/linux/bpf.h | 2 +
> include/linux/verification.h | 1 +
> include/uapi/linux/bpf.h | 4 +
> kernel/bpf/arraymap.c | 11 +-
> kernel/bpf/syscall.c | 123 +++++++++++++++++++-
> tools/bpf/bpftool/Makefile | 4 +-
> tools/bpf/bpftool/common.c | 204 +++++++++++++++++++++++++++++++++
> tools/bpf/bpftool/gen.c | 66 ++++++++++-
> tools/bpf/bpftool/main.c | 24 +++-
> tools/bpf/bpftool/main.h | 23 ++++
> tools/include/uapi/linux/bpf.h | 4 +
> tools/lib/bpf/libbpf.h | 4 +
> tools/lib/bpf/skel_internal.h | 28 ++++-
> 13 files changed, 491 insertions(+), 7 deletions(-)
>
> --
> 2.48.1
>
BR, Jarkko
prev parent reply other threads:[~2025-06-04 16:22 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-28 21:49 [PATCH 0/3] BPF signature verification Blaise Boscaccy
2025-05-28 21:49 ` [PATCH 1/3] bpf: Add bpf_check_signature Blaise Boscaccy
2025-05-29 7:39 ` kernel test robot
2025-05-29 10:11 ` Lukas Wunner
2025-05-29 15:32 ` Blaise Boscaccy
2025-05-29 19:31 ` Lukas Wunner
2025-05-29 19:36 ` James Bottomley
2025-06-02 22:40 ` Paul Moore
2025-06-04 16:25 ` Jarkko Sakkinen
2025-05-28 21:49 ` [PATCH 2/3] bpf: Support light-skeleton signatures in autogenerated code Blaise Boscaccy
2025-05-28 21:49 ` [PATCH 3/3] bpftool: Allow signing of light-skeleton programs Blaise Boscaccy
2025-05-30 16:42 ` [PATCH 0/3] BPF signature verification KP Singh
2025-05-30 20:14 ` Paul Moore
2025-05-30 20:44 ` KP Singh
2025-05-30 21:19 ` Blaise Boscaccy
2025-05-30 21:32 ` KP Singh
2025-05-30 21:33 ` KP Singh
2025-05-30 22:15 ` Blaise Boscaccy
2025-05-30 22:14 ` Blaise Boscaccy
2025-05-30 22:19 ` KP Singh
2025-05-30 22:27 ` Blaise Boscaccy
2025-05-30 22:47 ` KP Singh
2025-05-30 23:25 ` Blaise Boscaccy
2025-05-30 23:32 ` KP Singh
2025-06-02 15:01 ` Blaise Boscaccy
2025-06-04 16:22 ` Jarkko Sakkinen [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aEByrCJ1R_OYDYxH@kernel.org \
--to=jarkko@kernel.org \
--cc=James.Bottomley@hansenpartnership.com \
--cc=alan.maguire@oracle.com \
--cc=andrii@kernel.org \
--cc=aspsk@isovalent.com \
--cc=ast@kernel.org \
--cc=bboscaccy@linux.microsoft.com \
--cc=bpf@vger.kernel.org \
--cc=code@tyhicks.com \
--cc=daniel@iogearbox.net \
--cc=dhowells@redhat.com \
--cc=eddyz87@gmail.com \
--cc=haoluo@google.com \
--cc=ignat@cloudflare.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kerneljasonxing@gmail.com \
--cc=keyrings@vger.kernel.org \
--cc=kpsingh@kernel.org \
--cc=kysrinivasan@gmail.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux@jordanrome.com \
--cc=lukas@wunner.de \
--cc=martin.kelly@crowdstrike.com \
--cc=martin.lau@linux.dev \
--cc=paul@paul-moore.com \
--cc=qmo@kernel.org \
--cc=roberto.sassu@huawei.com \
--cc=sdf@fomichev.me \
--cc=song@kernel.org \
--cc=teknoraver@meta.com \
--cc=willemb@google.com \
--cc=xiyou.wangcong@gmail.com \
--cc=yonghong.song@linux.dev \
--cc=zeffron@riotgames.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.