bpf.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: KP Singh <kpsingh@kernel.org>,
	Blaise Boscaccy <bboscaccy@linux.microsoft.com>
Cc: bpf@vger.kernel.org, linux-security-module@vger.kernel.org,
	 paul@paul-moore.com, kys@microsoft.com, ast@kernel.org,
	daniel@iogearbox.net,  andrii@kernel.org
Subject: Re: [PATCH 10/12] libbpf: Embed and verify the metadata hash in the loader
Date: Tue, 10 Jun 2025 17:24:11 -0400	[thread overview]
Message-ID: <8cf2c1cc15e0c5e4b87a91a2cb42e04f38ac1094.camel@HansenPartnership.com> (raw)
In-Reply-To: <CACYkzJ74MJkwejki7kFNR4RWh+EnJ++0Vop8eRkSwY6pJepMEQ@mail.gmail.com>

On Tue, 2025-06-10 at 21:47 +0200, KP Singh wrote:
> It's been repeatedly mentioned that trusted loaders (whether kernel
> or BPF programs) are the only way because a large number of BPF
> use-cases dynamically generate BPF programs.

You keep asserting this, but it isn't supported by patches already
proposed.  Specifically, there already exists a patch set:

https://lore.kernel.org/all/20250528215037.2081066-1-bboscaccy@linux.microsoft.com/

that supports both signed trusted loaders and exact hash chain
verification of loaders plus program maps.  The core kernel code that
does it is only about 10 lines and looks to me like it could easily be
added to your current patch set.  This means BPF signing could support
both dynamically generated and end to end integrity use cases with the
signer being in the position of deciding what they want and no loss of
generality for either use case.

>  So whatever we build needs to work for everyone and not just your
> specific use-case or your affinity to an implementation. 

The linked patch supports both your trusted loader use case and the
exact hash chain verification one the security people want.  Your
current patch only seems to support your use case, which seems a little
bit counter to the quote above.  However, it also seems that
reconciling both patch sets to give everyone what they want is easily
within reach so I think that's what we should all work towards.

Regards,

James


  reply	other threads:[~2025-06-10 21:24 UTC|newest]

Thread overview: 79+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-06-06 23:29 [PATCH 00/12] Signed BPF programs KP Singh
2025-06-06 23:29 ` [PATCH 01/12] bpf: Implement an internal helper for SHA256 hashing KP Singh
2025-06-09  9:31   ` kernel test robot
2025-06-09 16:56   ` Alexei Starovoitov
2025-06-12 19:07   ` Eric Biggers
2025-06-16 23:40     ` KP Singh
2025-06-16 23:48       ` Eric Biggers
2025-06-17  0:04         ` KP Singh
2025-06-06 23:29 ` [PATCH 02/12] bpf: Update the bpf_prog_calc_tag to use SHA256 KP Singh
2025-06-09 17:46   ` Alexei Starovoitov
2025-06-06 23:29 ` [PATCH 03/12] bpf: Implement exclusive map creation KP Singh
2025-06-09 20:58   ` Alexei Starovoitov
2025-06-11 21:44     ` KP Singh
2025-06-11 22:55       ` Alexei Starovoitov
2025-06-11 23:05         ` KP Singh
2025-06-06 23:29 ` [PATCH 04/12] libbpf: Implement SHA256 internal helper KP Singh
2025-06-12 22:55   ` Andrii Nakryiko
2025-06-06 23:29 ` [PATCH 05/12] libbpf: Support exclusive map creation KP Singh
2025-06-07  9:16   ` kernel test robot
2025-06-12 22:55   ` Andrii Nakryiko
2025-06-12 23:41     ` KP Singh
2025-06-13 16:51       ` Andrii Nakryiko
2025-07-12  0:50         ` KP Singh
2025-07-12  0:53     ` KP Singh
2025-07-14 20:56       ` Andrii Nakryiko
2025-07-14 12:29     ` KP Singh
2025-07-14 12:55       ` KP Singh
2025-07-14 21:05         ` Andrii Nakryiko
2025-06-06 23:29 ` [PATCH 06/12] selftests/bpf: Add tests for exclusive maps KP Singh
2025-06-06 23:29 ` [PATCH 07/12] bpf: Return hashes of maps in BPF_OBJ_GET_INFO_BY_FD KP Singh
2025-06-07  9:26   ` kernel test robot
2025-06-08 13:11   ` kernel test robot
2025-06-09 21:30   ` Alexei Starovoitov
2025-06-11 14:27     ` KP Singh
2025-06-11 15:04       ` Alexei Starovoitov
2025-06-11 16:05         ` KP Singh
2025-06-06 23:29 ` [PATCH 08/12] bpf: Implement signature verification for BPF programs KP Singh
2025-06-09 21:39   ` Alexei Starovoitov
2025-06-10 16:37   ` Blaise Boscaccy
2025-06-06 23:29 ` [PATCH 09/12] libbpf: Update light skeleton for signing KP Singh
2025-06-09 21:41   ` Alexei Starovoitov
2025-06-06 23:29 ` [PATCH 10/12] libbpf: Embed and verify the metadata hash in the loader KP Singh
2025-06-10  0:08   ` Alexei Starovoitov
2025-06-10 16:51   ` Blaise Boscaccy
2025-06-10 17:43     ` KP Singh
2025-06-10 18:15       ` Blaise Boscaccy
2025-06-10 19:47         ` KP Singh
2025-06-10 21:24           ` James Bottomley [this message]
2025-06-10 22:31             ` Paul Moore
2025-06-10 22:35             ` KP Singh
2025-06-11 11:59               ` James Bottomley
2025-06-11 12:33                 ` KP Singh
2025-06-11 13:12                   ` James Bottomley
2025-06-11 13:24                     ` KP Singh
2025-06-11 13:18                   ` James Bottomley
2025-06-11 13:41                     ` KP Singh
2025-06-11 14:43                       ` James Bottomley
2025-06-11 14:45                         ` KP Singh
2025-06-10 20:56         ` KP Singh
2025-06-12 22:56   ` Andrii Nakryiko
2025-06-06 23:29 ` [PATCH 11/12] bpftool: Add support for signing BPF programs KP Singh
2025-06-08 14:03   ` James Bottomley
2025-06-10  8:50     ` KP Singh
2025-06-10 15:56       ` James Bottomley
2025-06-10 16:41         ` KP Singh
2025-06-10 16:34       ` Blaise Boscaccy
2025-06-06 23:29 ` [PATCH 12/12] selftests/bpf: Enable signature verification for all lskel tests KP Singh
2025-06-10  0:45   ` Alexei Starovoitov
2025-06-10 16:39   ` Blaise Boscaccy
2025-06-10 16:42     ` KP Singh
2025-06-09  8:20 ` [PATCH 00/12] Signed BPF programs Toke Høiland-Jørgensen
2025-06-09 11:40   ` KP Singh
2025-06-10  9:45     ` Toke Høiland-Jørgensen
2025-06-10 11:18       ` KP Singh
2025-06-10 11:58         ` Toke Høiland-Jørgensen
2025-06-10 12:26           ` KP Singh
2025-06-10 14:25             ` Toke Høiland-Jørgensen
2025-07-08 15:15 ` Blaise Boscaccy
2025-07-10 14:49   ` KP Singh

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=8cf2c1cc15e0c5e4b87a91a2cb42e04f38ac1094.camel@HansenPartnership.com \
    --to=james.bottomley@hansenpartnership.com \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bboscaccy@linux.microsoft.com \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=kpsingh@kernel.org \
    --cc=kys@microsoft.com \
    --cc=linux-security-module@vger.kernel.org \
    --cc=paul@paul-moore.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).