From: KP Singh <kpsingh@kernel.org>
To: James Bottomley <James.Bottomley@hansenpartnership.com>
Cc: Blaise Boscaccy <bboscaccy@linux.microsoft.com>,
bpf@vger.kernel.org, linux-security-module@vger.kernel.org,
paul@paul-moore.com, kys@microsoft.com, ast@kernel.org,
daniel@iogearbox.net, andrii@kernel.org
Subject: Re: [PATCH 10/12] libbpf: Embed and verify the metadata hash in the loader
Date: Wed, 11 Jun 2025 16:45:17 +0200 [thread overview]
Message-ID: <CACYkzJ5GXqdcFx0za0aWpezLj5n5x61fuug5T+5dXmd2f9BEKw@mail.gmail.com> (raw)
In-Reply-To: <3088dc5f59ab3bc8b0ed2a9a2800589bc1435b66.camel@HansenPartnership.com>
On Wed, Jun 11, 2025 at 4:43 PM James Bottomley
<James.Bottomley@hansenpartnership.com> wrote:
>
> On Wed, 2025-06-11 at 15:41 +0200, KP Singh wrote:
> > On Wed, Jun 11, 2025 at 3:18 PM James Bottomley
> > <James.Bottomley@hansenpartnership.com> wrote:
> > >
> > > On Wed, 2025-06-11 at 14:33 +0200, KP Singh wrote:
> > > > [...]
> > > > I have read and understood the code, there is no technical
> > > > misalignment.
> > > >
> > > > I am talking about a trusted user space loader. You seem to
> > > > confuse the trusted BPF loader program as userspace, no this is
> > > > not userspace, it runs in the kernel context.
> > >
> > > So your criticism isn't that it doesn't cover your use case from
> > > the signature point of view but that it didn't include a loader for
> > > it?
> > >
> > > The linked patch was a sketch of how to verify signatures not a
> > > full
> >
> > It was a non functional sketch that did not address much of the
> > feedback that was given, that's not how collaboration works.
>
> It was somewhat functional for the security use case but could be
> extended for yours and provably allowed both was the point of the
> sketch. The feedback it addressed was your desire for a signed trusted
> loader.
>
> > > implementation. The pieces like what the loader looks like and
> > > which keyring gets used are implementation details which can be
> > > filled in later by combining the patch series with review and
> > > discussion. It's not a requirement that one person codes
> > > everyone's use case before they get theirs in, it's usually a
> > > collaborative effort ... I mean, why
> >
> > Yeah, it's surely a collaborative effort, but the collaboration has
> > been aggressive and tied to a specific implementation (at least from
> > some folks). Rather than working with the feedback received it has
> > been accusational of mandating and forcing.
>
> I don't see how that squares with producing a sketch that supports your
> use case ... clearly feedback has been incorporated.
>
> > If the intent is to really collaborate, let's land this base
> > implementation and discuss further. I am not willing to add
> > additional stuff into this base implementation.
>
> Just so I'm clear: your definition of collaboration means Blaise takes
> feedback from you at all times but you don't take it from him until
> you've got your use case upstream? This might be OK if the two use
> cases were thousands of lines apart, but, as I've said before, it seems
> to be less than a hundred lines which doesn't seem to be a huge
> integration burden given the size of the patch set you're trying to
> land. I'm sure Blaise would be willing to produce the patch set that
> adds the incremental over what you've published here to demonstrate its
> smallness.
>
> > > would you want Microsoft coding up the loader? If they don't have
> > > a use case for it they don't have much incentive to test it
> > > thoroughly whereas you do.
> >
> > It seems that your incentives are purely aligned with Microsoft and
> > not that of the BPF community at large (this is also visible from the
> > patches and the engagement).
>
> No, as has been stated many times before there are other companies than
> Microsoft who want supply chain integrity for BPF code which the data
> block hash chaining you proposed but didn't implement does perfectly.
> I shouldn't have to remind people that open source is about scratching
> your own itch and thus you can determine a company's investments in
> open source by its goals. I've even given a few talks about this:
>
> https://archive.fosdem.org/2020/schedule/event/selfish_contributor/
>
> As a Linux community we're usually good at creaming off additional
> things around the edges, such as integrating the two approaches, which
> I'm sure Microsoft will be happy to invest Blaise's time on, but I'm
> equally sure they won't invest huge amounts in testing the trusted
> loader until they have a use case for it.
>
> > FWIW, There is no urgency for my employer to have signed BPF
> > programs, yet I am working on this purely to help you and the
> > community.
>
> From what I heard Google is using signed BPF internally but has no
> urgency to get it upstream. However, in my experience Google always
This is incorrect.
> has a lack of upstream urgency until they run into a backporting
> problem, so I'm sure they'll give you credit for avoiding potential
Also not correct, please stop assuming things.
> future backport issues.
>
> Regards,
>
> James
>
next prev parent reply other threads:[~2025-06-11 14:45 UTC|newest]
Thread overview: 79+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-06 23:29 [PATCH 00/12] Signed BPF programs KP Singh
2025-06-06 23:29 ` [PATCH 01/12] bpf: Implement an internal helper for SHA256 hashing KP Singh
2025-06-09 9:31 ` kernel test robot
2025-06-09 16:56 ` Alexei Starovoitov
2025-06-12 19:07 ` Eric Biggers
2025-06-16 23:40 ` KP Singh
2025-06-16 23:48 ` Eric Biggers
2025-06-17 0:04 ` KP Singh
2025-06-06 23:29 ` [PATCH 02/12] bpf: Update the bpf_prog_calc_tag to use SHA256 KP Singh
2025-06-09 17:46 ` Alexei Starovoitov
2025-06-06 23:29 ` [PATCH 03/12] bpf: Implement exclusive map creation KP Singh
2025-06-09 20:58 ` Alexei Starovoitov
2025-06-11 21:44 ` KP Singh
2025-06-11 22:55 ` Alexei Starovoitov
2025-06-11 23:05 ` KP Singh
2025-06-06 23:29 ` [PATCH 04/12] libbpf: Implement SHA256 internal helper KP Singh
2025-06-12 22:55 ` Andrii Nakryiko
2025-06-06 23:29 ` [PATCH 05/12] libbpf: Support exclusive map creation KP Singh
2025-06-07 9:16 ` kernel test robot
2025-06-12 22:55 ` Andrii Nakryiko
2025-06-12 23:41 ` KP Singh
2025-06-13 16:51 ` Andrii Nakryiko
2025-07-12 0:50 ` KP Singh
2025-07-12 0:53 ` KP Singh
2025-07-14 20:56 ` Andrii Nakryiko
2025-07-14 12:29 ` KP Singh
2025-07-14 12:55 ` KP Singh
2025-07-14 21:05 ` Andrii Nakryiko
2025-06-06 23:29 ` [PATCH 06/12] selftests/bpf: Add tests for exclusive maps KP Singh
2025-06-06 23:29 ` [PATCH 07/12] bpf: Return hashes of maps in BPF_OBJ_GET_INFO_BY_FD KP Singh
2025-06-07 9:26 ` kernel test robot
2025-06-08 13:11 ` kernel test robot
2025-06-09 21:30 ` Alexei Starovoitov
2025-06-11 14:27 ` KP Singh
2025-06-11 15:04 ` Alexei Starovoitov
2025-06-11 16:05 ` KP Singh
2025-06-06 23:29 ` [PATCH 08/12] bpf: Implement signature verification for BPF programs KP Singh
2025-06-09 21:39 ` Alexei Starovoitov
2025-06-10 16:37 ` Blaise Boscaccy
2025-06-06 23:29 ` [PATCH 09/12] libbpf: Update light skeleton for signing KP Singh
2025-06-09 21:41 ` Alexei Starovoitov
2025-06-06 23:29 ` [PATCH 10/12] libbpf: Embed and verify the metadata hash in the loader KP Singh
2025-06-10 0:08 ` Alexei Starovoitov
2025-06-10 16:51 ` Blaise Boscaccy
2025-06-10 17:43 ` KP Singh
2025-06-10 18:15 ` Blaise Boscaccy
2025-06-10 19:47 ` KP Singh
2025-06-10 21:24 ` James Bottomley
2025-06-10 22:31 ` Paul Moore
2025-06-10 22:35 ` KP Singh
2025-06-11 11:59 ` James Bottomley
2025-06-11 12:33 ` KP Singh
2025-06-11 13:12 ` James Bottomley
2025-06-11 13:24 ` KP Singh
2025-06-11 13:18 ` James Bottomley
2025-06-11 13:41 ` KP Singh
2025-06-11 14:43 ` James Bottomley
2025-06-11 14:45 ` KP Singh [this message]
2025-06-10 20:56 ` KP Singh
2025-06-12 22:56 ` Andrii Nakryiko
2025-06-06 23:29 ` [PATCH 11/12] bpftool: Add support for signing BPF programs KP Singh
2025-06-08 14:03 ` James Bottomley
2025-06-10 8:50 ` KP Singh
2025-06-10 15:56 ` James Bottomley
2025-06-10 16:41 ` KP Singh
2025-06-10 16:34 ` Blaise Boscaccy
2025-06-06 23:29 ` [PATCH 12/12] selftests/bpf: Enable signature verification for all lskel tests KP Singh
2025-06-10 0:45 ` Alexei Starovoitov
2025-06-10 16:39 ` Blaise Boscaccy
2025-06-10 16:42 ` KP Singh
2025-06-09 8:20 ` [PATCH 00/12] Signed BPF programs Toke Høiland-Jørgensen
2025-06-09 11:40 ` KP Singh
2025-06-10 9:45 ` Toke Høiland-Jørgensen
2025-06-10 11:18 ` KP Singh
2025-06-10 11:58 ` Toke Høiland-Jørgensen
2025-06-10 12:26 ` KP Singh
2025-06-10 14:25 ` Toke Høiland-Jørgensen
2025-07-08 15:15 ` Blaise Boscaccy
2025-07-10 14:49 ` KP Singh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CACYkzJ5GXqdcFx0za0aWpezLj5n5x61fuug5T+5dXmd2f9BEKw@mail.gmail.com \
--to=kpsingh@kernel.org \
--cc=James.Bottomley@hansenpartnership.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bboscaccy@linux.microsoft.com \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=kys@microsoft.com \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).