From: Blaise Boscaccy <bboscaccy@linux.microsoft.com>
To: Cong Wang <xiyou.wangcong@gmail.com>
Cc: bpf@vger.kernel.org, nkapron@google.com, teknoraver@meta.com,
roberto.sassu@huawei.com, gregkh@linuxfoundation.org,
paul@paul-moore.com, code@tyhicks.com,
flaniel@linux.microsoft.com, alexei.starovoitov@gmail.com,
daniel@iogearbox.net, john.fastabend@gmail.com
Subject: Re: [POC][RFC][PATCH] bpf: in-kernel bpf relocations on raw elf files
Date: Thu, 30 Jan 2025 11:22:24 -0800 [thread overview]
Message-ID: <874j1gf6of.fsf@microsoft.com> (raw)
In-Reply-To: <Z5rSIaXf4Fm5jeRf@pop-os.localdomain>
Cong Wang <xiyou.wangcong@gmail.com> writes:
> Hello Blaise,
>
Hi!
> On Thu, Jan 09, 2025 at 01:43:42PM -0800, Blaise Boscaccy wrote:
>>
>> This is a proof-of-concept, based off of bpf-next-6.13. The
>> implementation will need additional work. The goal of this prototype was
>> to be able load raw elf object files directly into the kernel and have
>> the kernel perform all the necessary instruction rewriting and
>> relocation calculations. Having a file descriptor tied to a bpf program
>> allowed us to have tighter integration with the existing LSM
>> infrastructure. Additionally, it opens the door for signature and provenance
>> checking, along with loading programs without a functioning userspace.
>>
>> The main goal of this RFC is to get some feedback on the overall
>> approach and feasibility of this design.
>>
>> A new subcommand BPF_LOAD_FD is introduced. This subcommand takes a file
>> descriptor to an elf object file, along with an array of map fds, and a
>> sysfs entry to associate programs and metadata with. The kernel then
>> performs all the relocation calculations and instruction rewriting
>> inside the kernel. Later BPF_PROG_LOAD can reference this sysfs entry
>> and load/attach previously loaded programs by name. Userspace is
>> responsible for generating and populating maps.
>>
>> CO-RE relocation support already existed in the kernel. Support for
>> everything else, maps, externs, etc., was added. In the same vein as
>> 29db4bea1d10 ("bpf: Prepare relo_core.c for kernel duty.")
>> this prototype directly uses code from libbpf.
>>
>> One of the challenges encountered was having different elf and btf
>> abstractions utilized in the kernel vs libpf. Missing btf functionality
>> was ported over to the kernel while trying to minimize the number of
>> changes required to the libpf code. As a result, there is some code
>> duplication and obvious refactoring opportunities. Additionally, being
>> able to directly share code between userspace and kernelspace in a
>> similar fashion to relo_core.c would be a TODO.
>
> I recently became aware of this patchset through Alexei's reference
> in another thread, and I apologize for my delayed involvement.
>
> Upon reviewing your proposed changes, I have concerns about the scope
> of the kernel modifications. This implementation appears to introduce
> substantial code changes to the kernel (estimated at approximately
> 1,000+ lines, though a git diff stat wasn't provided).
>
Yes, it ended up way bigger than I anticipated. The ultimate goal of
that was to be able to conditionally compile parts of libbpf directly
into the kernel and unify the btf and elf libraries. That refactoring
work was way out of scope for a PoC.
> If the primary objective is eBPF program signing, I would like to
> propose an alternative approach: a two-phase signing mechanism that
> eliminates the need for kernel modifications. My solution leverages
> the existing eBPF infrastructure, particularly the BPF LSM framework.
> So the fundamental architectural difference between these two approaches
> is pretty much kernel-based versus userspace implementation, which has
> been extensively discussed and debated within the kernel community.
>
Code signing, secure system design and supply-chain attack mitigations
are some active research areas that we are exploring. BPF programs have
some interesting ramifications on those topics. Attacks that were
previously demonstrated in CVE-2021-3444 are an area of interest as
well.
> I have also developed a proof-of-concept implementation, which is
> available for review at: https://github.com/congwang/ebpf-2-phase-signing
>
Sweet, I'll take a look. It sounds super interesting! At a quick
glance, it looks like your approach would probably benefit from John's
suggestions for early-boot un-unloadable bpf programs.
What are your use cases for signature verification if you don't mind me
asking?
> I welcome your thoughts and feedback on this alternative approach.
>
> Thanks!
-blaise
next prev parent reply other threads:[~2025-01-30 19:22 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-09 21:43 [POC][RFC][PATCH] bpf: in-kernel bpf relocations on raw elf files Blaise Boscaccy
2025-01-09 21:43 ` [PATCH 01/14] bpf: Port prerequiste BTF handling functions from userspace Blaise Boscaccy
2025-01-09 21:43 ` [PATCH 02/14] bpf: Add data structures for managing in-kernel eBPF relocations Blaise Boscaccy
2025-01-09 21:43 ` [PATCH 03/14] bpf: Port .btf.ext parsing functions from userspace Blaise Boscaccy
2025-01-09 21:43 ` [PATCH 04/14] bpf: Port elf and btf utility helper " Blaise Boscaccy
2025-01-09 21:43 ` [PATCH 05/14] fs/kernel_read_file: Add an eBPF specifier to kernel_read_file Blaise Boscaccy
2025-01-09 21:43 ` [PATCH 06/14] bpf: Add BPF_LOAD_FD subcommand Blaise Boscaccy
2025-01-09 21:43 ` [PATCH 07/14] bpf: Implement BPF_LOAD_FD subcommand handler Blaise Boscaccy
2025-01-10 6:05 ` Greg KH
2025-01-10 22:41 ` Blaise Boscaccy
2025-01-11 0:41 ` kernel test robot
2025-01-09 21:43 ` [PATCH 08/14] bpf: Add elf parsing support to the BPF_LOAD_FD subcommand Blaise Boscaccy
2025-01-09 21:43 ` [PATCH 09/14] bpf: Collect extern relocations Blaise Boscaccy
2025-01-11 1:35 ` kernel test robot
2025-01-09 21:43 ` [PATCH 10/14] bpf: Implement BTF fixup functionality Blaise Boscaccy
2025-01-11 3:19 ` kernel test robot
2025-01-09 21:43 ` [PATCH 11/14] bpf: Implement relocation collection Blaise Boscaccy
2025-01-09 21:43 ` [PATCH 12/14] bpf: Resolve external relocations Blaise Boscaccy
2025-01-09 21:43 ` [PATCH 13/14] bpf: Apply in-kernel bpf instruction relocations Blaise Boscaccy
2025-01-09 21:43 ` [PATCH 14/14] bpf: Augment BPF_PROG_LOAD to use in-kernel relocations Blaise Boscaccy
2025-01-10 18:40 ` [POC][RFC][PATCH] bpf: in-kernel bpf relocations on raw elf files Alexei Starovoitov
2025-01-10 23:27 ` Blaise Boscaccy
2025-01-13 17:54 ` Alexei Starovoitov
2025-01-14 18:24 ` Blaise Boscaccy
2025-01-24 5:08 ` bpf signing. " Alexei Starovoitov
2025-01-24 7:05 ` John Fastabend
2025-01-28 22:32 ` Blaise Boscaccy
2025-01-30 1:13 ` Cong Wang
2025-01-30 19:22 ` Blaise Boscaccy [this message]
2025-02-01 22:24 ` Cong Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=874j1gf6of.fsf@microsoft.com \
--to=bboscaccy@linux.microsoft.com \
--cc=alexei.starovoitov@gmail.com \
--cc=bpf@vger.kernel.org \
--cc=code@tyhicks.com \
--cc=daniel@iogearbox.net \
--cc=flaniel@linux.microsoft.com \
--cc=gregkh@linuxfoundation.org \
--cc=john.fastabend@gmail.com \
--cc=nkapron@google.com \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=teknoraver@meta.com \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).