From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: KP Singh <kpsingh@kernel.org>
Cc: Blaise Boscaccy <bboscaccy@linux.microsoft.com>,
bpf@vger.kernel.org, linux-security-module@vger.kernel.org,
paul@paul-moore.com, kys@microsoft.com, ast@kernel.org,
daniel@iogearbox.net, andrii@kernel.org
Subject: Re: [PATCH 10/12] libbpf: Embed and verify the metadata hash in the loader
Date: Wed, 11 Jun 2025 10:43:43 -0400 [thread overview]
Message-ID: <3088dc5f59ab3bc8b0ed2a9a2800589bc1435b66.camel@HansenPartnership.com> (raw)
In-Reply-To: <CACYkzJ4JYDXEkYpN=XBn4bOmv6Fg7bSgV-YAKHfEL2NxJiMh0A@mail.gmail.com>
On Wed, 2025-06-11 at 15:41 +0200, KP Singh wrote:
> On Wed, Jun 11, 2025 at 3:18 PM James Bottomley
> <James.Bottomley@hansenpartnership.com> wrote:
> >
> > On Wed, 2025-06-11 at 14:33 +0200, KP Singh wrote:
> > > [...]
> > > I have read and understood the code, there is no technical
> > > misalignment.
> > >
> > > I am talking about a trusted user space loader. You seem to
> > > confuse the trusted BPF loader program as userspace, no this is
> > > not userspace, it runs in the kernel context.
> >
> > So your criticism isn't that it doesn't cover your use case from
> > the signature point of view but that it didn't include a loader for
> > it?
> >
> > The linked patch was a sketch of how to verify signatures not a
> > full
>
> It was a non functional sketch that did not address much of the
> feedback that was given, that's not how collaboration works.
It was somewhat functional for the security use case but could be
extended for yours and provably allowed both was the point of the
sketch. The feedback it addressed was your desire for a signed trusted
loader.
> > implementation. The pieces like what the loader looks like and
> > which keyring gets used are implementation details which can be
> > filled in later by combining the patch series with review and
> > discussion. It's not a requirement that one person codes
> > everyone's use case before they get theirs in, it's usually a
> > collaborative effort ... I mean, why
>
> Yeah, it's surely a collaborative effort, but the collaboration has
> been aggressive and tied to a specific implementation (at least from
> some folks). Rather than working with the feedback received it has
> been accusational of mandating and forcing.
I don't see how that squares with producing a sketch that supports your
use case ... clearly feedback has been incorporated.
> If the intent is to really collaborate, let's land this base
> implementation and discuss further. I am not willing to add
> additional stuff into this base implementation.
Just so I'm clear: your definition of collaboration means Blaise takes
feedback from you at all times but you don't take it from him until
you've got your use case upstream? This might be OK if the two use
cases were thousands of lines apart, but, as I've said before, it seems
to be less than a hundred lines which doesn't seem to be a huge
integration burden given the size of the patch set you're trying to
land. I'm sure Blaise would be willing to produce the patch set that
adds the incremental over what you've published here to demonstrate its
smallness.
> > would you want Microsoft coding up the loader? If they don't have
> > a use case for it they don't have much incentive to test it
> > thoroughly whereas you do.
>
> It seems that your incentives are purely aligned with Microsoft and
> not that of the BPF community at large (this is also visible from the
> patches and the engagement).
No, as has been stated many times before there are other companies than
Microsoft who want supply chain integrity for BPF code which the data
block hash chaining you proposed but didn't implement does perfectly.
I shouldn't have to remind people that open source is about scratching
your own itch and thus you can determine a company's investments in
open source by its goals. I've even given a few talks about this:
https://archive.fosdem.org/2020/schedule/event/selfish_contributor/
As a Linux community we're usually good at creaming off additional
things around the edges, such as integrating the two approaches, which
I'm sure Microsoft will be happy to invest Blaise's time on, but I'm
equally sure they won't invest huge amounts in testing the trusted
loader until they have a use case for it.
> FWIW, There is no urgency for my employer to have signed BPF
> programs, yet I am working on this purely to help you and the
> community.
From what I heard Google is using signed BPF internally but has no
urgency to get it upstream. However, in my experience Google always
has a lack of upstream urgency until they run into a backporting
problem, so I'm sure they'll give you credit for avoiding potential
future backport issues.
Regards,
James
next prev parent reply other threads:[~2025-06-11 14:43 UTC|newest]
Thread overview: 79+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-06 23:29 [PATCH 00/12] Signed BPF programs KP Singh
2025-06-06 23:29 ` [PATCH 01/12] bpf: Implement an internal helper for SHA256 hashing KP Singh
2025-06-09 9:31 ` kernel test robot
2025-06-09 16:56 ` Alexei Starovoitov
2025-06-12 19:07 ` Eric Biggers
2025-06-16 23:40 ` KP Singh
2025-06-16 23:48 ` Eric Biggers
2025-06-17 0:04 ` KP Singh
2025-06-06 23:29 ` [PATCH 02/12] bpf: Update the bpf_prog_calc_tag to use SHA256 KP Singh
2025-06-09 17:46 ` Alexei Starovoitov
2025-06-06 23:29 ` [PATCH 03/12] bpf: Implement exclusive map creation KP Singh
2025-06-09 20:58 ` Alexei Starovoitov
2025-06-11 21:44 ` KP Singh
2025-06-11 22:55 ` Alexei Starovoitov
2025-06-11 23:05 ` KP Singh
2025-06-06 23:29 ` [PATCH 04/12] libbpf: Implement SHA256 internal helper KP Singh
2025-06-12 22:55 ` Andrii Nakryiko
2025-06-06 23:29 ` [PATCH 05/12] libbpf: Support exclusive map creation KP Singh
2025-06-07 9:16 ` kernel test robot
2025-06-12 22:55 ` Andrii Nakryiko
2025-06-12 23:41 ` KP Singh
2025-06-13 16:51 ` Andrii Nakryiko
2025-07-12 0:50 ` KP Singh
2025-07-12 0:53 ` KP Singh
2025-07-14 20:56 ` Andrii Nakryiko
2025-07-14 12:29 ` KP Singh
2025-07-14 12:55 ` KP Singh
2025-07-14 21:05 ` Andrii Nakryiko
2025-06-06 23:29 ` [PATCH 06/12] selftests/bpf: Add tests for exclusive maps KP Singh
2025-06-06 23:29 ` [PATCH 07/12] bpf: Return hashes of maps in BPF_OBJ_GET_INFO_BY_FD KP Singh
2025-06-07 9:26 ` kernel test robot
2025-06-08 13:11 ` kernel test robot
2025-06-09 21:30 ` Alexei Starovoitov
2025-06-11 14:27 ` KP Singh
2025-06-11 15:04 ` Alexei Starovoitov
2025-06-11 16:05 ` KP Singh
2025-06-06 23:29 ` [PATCH 08/12] bpf: Implement signature verification for BPF programs KP Singh
2025-06-09 21:39 ` Alexei Starovoitov
2025-06-10 16:37 ` Blaise Boscaccy
2025-06-06 23:29 ` [PATCH 09/12] libbpf: Update light skeleton for signing KP Singh
2025-06-09 21:41 ` Alexei Starovoitov
2025-06-06 23:29 ` [PATCH 10/12] libbpf: Embed and verify the metadata hash in the loader KP Singh
2025-06-10 0:08 ` Alexei Starovoitov
2025-06-10 16:51 ` Blaise Boscaccy
2025-06-10 17:43 ` KP Singh
2025-06-10 18:15 ` Blaise Boscaccy
2025-06-10 19:47 ` KP Singh
2025-06-10 21:24 ` James Bottomley
2025-06-10 22:31 ` Paul Moore
2025-06-10 22:35 ` KP Singh
2025-06-11 11:59 ` James Bottomley
2025-06-11 12:33 ` KP Singh
2025-06-11 13:12 ` James Bottomley
2025-06-11 13:24 ` KP Singh
2025-06-11 13:18 ` James Bottomley
2025-06-11 13:41 ` KP Singh
2025-06-11 14:43 ` James Bottomley [this message]
2025-06-11 14:45 ` KP Singh
2025-06-10 20:56 ` KP Singh
2025-06-12 22:56 ` Andrii Nakryiko
2025-06-06 23:29 ` [PATCH 11/12] bpftool: Add support for signing BPF programs KP Singh
2025-06-08 14:03 ` James Bottomley
2025-06-10 8:50 ` KP Singh
2025-06-10 15:56 ` James Bottomley
2025-06-10 16:41 ` KP Singh
2025-06-10 16:34 ` Blaise Boscaccy
2025-06-06 23:29 ` [PATCH 12/12] selftests/bpf: Enable signature verification for all lskel tests KP Singh
2025-06-10 0:45 ` Alexei Starovoitov
2025-06-10 16:39 ` Blaise Boscaccy
2025-06-10 16:42 ` KP Singh
2025-06-09 8:20 ` [PATCH 00/12] Signed BPF programs Toke Høiland-Jørgensen
2025-06-09 11:40 ` KP Singh
2025-06-10 9:45 ` Toke Høiland-Jørgensen
2025-06-10 11:18 ` KP Singh
2025-06-10 11:58 ` Toke Høiland-Jørgensen
2025-06-10 12:26 ` KP Singh
2025-06-10 14:25 ` Toke Høiland-Jørgensen
2025-07-08 15:15 ` Blaise Boscaccy
2025-07-10 14:49 ` KP Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3088dc5f59ab3bc8b0ed2a9a2800589bc1435b66.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bboscaccy@linux.microsoft.com \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=kpsingh@kernel.org \
--cc=kys@microsoft.com \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).