Re: [PATCH bpf-next 0/3] bpf: add signature

BPF List
 help / color / mirror / Atom feed

From: Luca Boccassi <bluca@debian.org>
To: John Fastabend <john.fastabend@gmail.com>,
	Alexei Starovoitov <alexei.starovoitov@gmail.com>,
	Matteo Croce <mcroce@linux.microsoft.com>
Cc: bpf <bpf@vger.kernel.org>, LKML <linux-kernel@vger.kernel.org>,
	Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Andrii Nakryiko <andrii@kernel.org>,
	Arnaldo Carvalho de Melo <acme@kernel.org>,
	Martin KaFai Lau <kafai@fb.com>, Song Liu <songliubraving@fb.com>,
	Yonghong Song <yhs@fb.com>, KP Singh <kpsingh@kernel.org>,
	Jakub Kicinski <kuba@kernel.org>,
	Jesper Dangaard Brouer <hawk@kernel.org>,
	keyrings@vger.kernel.org,
	Linux Crypto Mailing List <linux-crypto@vger.kernel.org>,
	Lorenzo Bianconi <lorenzo@kernel.org>
Subject: Re: [PATCH bpf-next 0/3] bpf: add signature
Date: Thu, 09 Dec 2021 13:40:14 +0000	[thread overview]
Message-ID: <5b1e655e96e976f985c8cc9990a590b9c85d7010.camel@debian.org> (raw)
In-Reply-To: <61b112daa1b84_94d5c208c7@john.notmuch>

[-- Attachment #1: Type: text/plain, Size: 4144 bytes --]

On Wed, 2021-12-08 at 12:17 -0800, John Fastabend wrote:
> [...]
> 
> > > > > Hope this makes sense. Thanks!
> > > > 
> > > > I think I understand your use case. When done as BPF helper you
> > > > can get the behavior you want with a one line BPF program
> > > > loaded at boot.
> > > > 
> > > > int verify_all(struct bpf_prog **prog) {
> > > >         return verify_signature(prog->insn,
> > > >                                 prog->len * sizeof(struct bpf_insn),
> > > >                                 signature, KEYRING, BPF_SIGTYPE);
> > > > }
> > > > 
> > > > And I can write some more specific things as,
> > > > 
> > > > int verify_blobs(void data) {
> > > >   int reject = verify_signature(data, data_len, sig, KEYRING, TYPE);
> > > >   struct policy_key *key = map_get_key();
> > > > 
> > > >   return policy(key, reject);  
> > > > }
> > > > 
> > > > map_get_key() looks into some datastor with the policy likely using
> > > > 'current' to dig something up. It doesn't just apply to BPF progs
> > > > we can use it on other executables more generally. And I get more
> > > > interesting use cases like, allowing 'tc' programs unsigned, but
> > > > requiring kernel memory reads to require signatures or any N
> > > > other policies that may have value. Or only allowing my dbg user
> > > > to run read-only programs, because the dbg maybe shouldn't ever
> > > > be writing into packets, etc. Driving least privilege use cases
> > > > in fine detail.
> > > > 
> > > > By making it a BPF program we side step the debate where the kernel
> > > > tries to get the 'right' policy for you, me, everyone now and in
> > > > the future. The only way I can see to do this without getting N
> > > > policies baked into the kernel and at M different hook points is via
> > > > a BPF helper.
> > > > 
> > > > Thanks,
> > > > John
> > > 
> > > Now this sounds like something that could work - we can prove that this
> > > could be loaded before any writable fs comes up anywhere, so in
> > > principle I think it would be acceptable and free of races. Matteo, we
> > > should talk about this tomorrow.
> > > And this requires some infrastructure work right? Is there a WIP git
> > > tree somewhere that we can test out?
> > > 
> > > Thank you!
> > 
> 
> I don't have a WIP tree, but I believe it should be fairly easy.
> First I would add a wrapper BPF helper for verify_signature() so
> we can call it from fentry/freturn context. That can be done on
> its own IMO as its a generally useful operation.
> 
> Then I would stub a hook point into the BPF load path. The exact
> place to put this is going to have some debate I think, but I
> would place it immediately after the check_bpf call.
> 
> With above two you have enough to do sig verification iiuc.
> 
> Early boot loading I would have to check its current status. But I know
> folks have been working on it. Maybe its done?
> 
> > One question more question: with the signature + kconfig approach,
> > nothing can disable the signature check. But if the signature checker
> > is itself a bpf program, is there/can there be anything stopping root
> > from unloading it?
> 
> Interesting. Not that I'm aware of. Currently something with sufficient
> privileges could unload the program. Maybe we should have a flag so
> early boot programs can signal they shouldn't be unloaded ever. I would
> be OK with this and also seems generally useful. I have a case where
> I want to always set the socket cookie and we leave it running all the
> time. It would be nice if it came up and was pinned at boot.
> 
> Maybe slightly better than a flag would be to have a new CAP support
> that only early boot has like CAP_BPF_EARLY. From my point of view
> this both seems doable with just some smallish changes on BPF side.
> 
> Thanks,
> John

Thanks - again the means of enforcing this are not too important for
our use case, as long as there is something that works reliably and can
be attested.

-- 
Kind regards,
Luca Boccassi

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

     prev parent reply	other threads:[~2021-12-09 13:40 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-12-03 19:18 [PATCH bpf-next 0/3] bpf: add signature Matteo Croce
2021-12-03 19:18 ` [PATCH bpf-next 1/3] bpf: add signature to eBPF instructions Matteo Croce
2021-12-03 21:46   ` kernel test robot
2021-12-03 19:18 ` [PATCH bpf-next 2/3] bpf: add option to require BPF signature Matteo Croce
2021-12-03 19:18 ` [PATCH bpf-next 3/3] bpftool: add signature in skeleton Matteo Croce
2021-12-03 19:22 ` [PATCH bpf-next 0/3] bpf: add signature Alexei Starovoitov
2021-12-03 19:35   ` Matteo Croce
2021-12-03 19:37     ` Alexei Starovoitov
2021-12-03 22:06       ` Luca Boccassi
2021-12-03 22:20         ` Alexei Starovoitov
2021-12-04  0:42           ` Matteo Croce
2021-12-04  2:02             ` Alexei Starovoitov
2021-12-04  3:39               ` John Fastabend
2021-12-04 12:37                 ` Luca Boccassi
2021-12-06 20:40                   ` John Fastabend
2021-12-06 21:11                     ` Arnaldo Carvalho de Melo
2021-12-06 22:59                     ` Luca Boccassi
2021-12-08 16:25                       ` Luca Boccassi
2021-12-08 20:17                         ` John Fastabend
2021-12-09 13:40                           ` Luca Boccassi [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5b1e655e96e976f985c8cc9990a590b9c85d7010.camel@debian.org \
    --to=bluca@debian.org \
    --cc=acme@kernel.org \
    --cc=alexei.starovoitov@gmail.com \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=hawk@kernel.org \
    --cc=john.fastabend@gmail.com \
    --cc=kafai@fb.com \
    --cc=keyrings@vger.kernel.org \
    --cc=kpsingh@kernel.org \
    --cc=kuba@kernel.org \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lorenzo@kernel.org \
    --cc=mcroce@linux.microsoft.com \
    --cc=songliubraving@fb.com \
    --cc=yhs@fb.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox