linux-doc.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: KP Singh <kpsingh@kernel.org>
To: bboscaccy@linux.microsoft.com
Cc: James.Bottomley@hansenpartnership.com, bpf@vger.kernel.org,
	code@tyhicks.com, corbet@lwn.net, davem@davemloft.net,
	dhowells@redhat.com, gnoack@google.com,
	herbert@gondor.apana.org.au, jarkko@kernel.org,
	jmorris@namei.org, jstancek@redhat.com, justinstitt@google.com,
	keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
	linux-doc@vger.kernel.org, linux-kbuild@vger.kernel.org,
	linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
	linux-security-module@vger.kernel.org, llvm@lists.linux.dev,
	masahiroy@kernel.org, mic@digikod.net, morbo@google.com,
	nathan@kernel.org, neal@gompa.dev,
	nick.desaulniers+lkml@gmail.com, nicolas@fjasle.eu,
	nkapron@google.com, paul@paul-moore.com,
	roberto.sassu@huawei.com, serge@hallyn.com, shuah@kernel.org,
	teknoraver@meta.com, xiyou.wangcong@gmail.com,
	KP Singh <kpsingh@kernel.org>
Subject: Re: [PATCH v3 0/4] Introducing Hornet LSM
Date: Fri,  2 May 2025 23:00:34 +0200	[thread overview]
Message-ID: <20250502210034.284051-1-kpsingh@kernel.org> (raw)
In-Reply-To: <20250502184421.1424368-1-bboscaccy@linux.microsoft.com>

> This patch series introduces the Hornet LSM. The goal of Hornet is to provide
> a signature verification mechanism for eBPF programs.
>

[...]

>
> References: [1]
> https://lore.kernel.org/bpf/20220209054315.73833-1-alexei.starovoitov@gmail.com/
> [2]
> https://lore.kernel.org/bpf/CAADnVQ+wPK1KKZhCgb-Nnf0Xfjk8M1UpX5fnXC=cBzdEYbv_kg@mail.gmail.com/
>
> Change list: - v2 -> v3 - Remove any and all usage of proprietary bpf APIs

BPF APIs are not proprietary, but you cannot implement BPF program signing
for BPF users without aligning with the BPF maintainers and the community.
Signed programs are a UAPI and a key part of how developers experience BPF
and this is not how we would like signing to be experienced by BPF users.

Some more feedback (which should be pretty obvious) but explicitly:

* Hacks like if (current->pid == 1) return 0; also break your threat model
  about root being untrusted. This is all the more reason I think signing
  should be integrated into other LSMs, only a proper LSM policy can breathe
  life into the root / kernel boundary. 

* You also did not take the feedback into account:

   new = map->ops->map_lookup_elem(map, &key);

  This is not okay without having the BPF maintainers aligned, the same way as 

  https://patchwork.kernel.org/project/netdevbpf/patch/20240629084331.3807368-4-kpsingh@kernel.org/#25928981

  was not okay. Let's not have double standards.

* And you copy pasted tools/testing/selftests/hornet/frozen_skel.h which
  is what you expect users to do? Not acceptable either.

So for this approach, it's a:

Nacked-by: KP Singh <kpsingh@kernel.org>

Now if you really care about the use-case and want to work with the maintainers
and implement signing for the community, here's how we think it should be done:

* The core signing logic and the tooling stays in BPF, something that the users
  are already using. No new tooling.
* The policy decision on the effect of signing can be built into various
  existing LSMs. I don't think we need a new LSM for it.
* A simple UAPI (emphasis on UAPI!) change to union bpf_attr in uapi/bpf.h in
  the BPF_PROG_LOAD command:

__aligned_u64 signature; 
__u32 signature_size;


  parent reply	other threads:[~2025-05-02 21:00 UTC|newest]

Thread overview: 41+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-05-02 18:44 [PATCH v3 0/4] Introducing Hornet LSM Blaise Boscaccy
2025-05-02 18:44 ` [PATCH v3 1/4] security: " Blaise Boscaccy
2025-05-04 15:02   ` Paul Moore
2025-05-02 18:44 ` [PATCH v3 2/4] hornet: Introduce sign-ebpf Blaise Boscaccy
2025-05-02 18:44 ` [PATCH v3 3/4] hornet: Add a light skeleton data extractor script Blaise Boscaccy
2025-05-02 18:44 ` [PATCH v3 4/4] selftests/hornet: Add a selftest for the Hornet LSM Blaise Boscaccy
2025-05-02 21:00 ` KP Singh [this message]
2025-05-04 17:36   ` [PATCH v3 0/4] Introducing " Paul Moore
2025-05-04 23:25     ` KP Singh
2025-05-05 16:22       ` Paul Moore
2025-05-11  2:01       ` KP Singh
2025-05-14  3:06         ` Paul Moore
2025-05-14 18:48           ` KP Singh
2025-05-16 19:49             ` Paul Moore
2025-05-16 23:49               ` Alexei Starovoitov
2025-05-17 15:02                 ` Paul Moore
2025-05-17 16:13                   ` Alexei Starovoitov
2025-05-18  5:48                     ` Paul Moore
2025-05-18 15:52                       ` Alexei Starovoitov
2025-05-18 21:34                         ` Paul Moore
2025-05-19 22:20                           ` KP Singh
2025-05-19 22:58                             ` Paul Moore
2025-05-21 22:26                               ` Paul Moore
2025-05-19 23:00                             ` Zvi Effron
2025-05-19 23:42                               ` KP Singh
2025-05-14 15:39         ` James Bottomley
2025-05-14 17:17           ` KP Singh
2025-05-14 17:45             ` James Bottomley
2025-05-14 18:35               ` KP Singh
2025-05-14 18:35                 ` KP Singh
2025-05-14 20:31                 ` James Bottomley
2025-05-14 20:41                   ` KP Singh
2025-05-05  9:22     ` Daniel Borkmann
2025-05-05 17:30   ` Blaise Boscaccy
2025-05-05 20:41     ` KP Singh
2025-05-05 21:04       ` Paul Moore
2025-05-07 17:48       ` James Bottomley
2025-05-07 23:21         ` Paul Moore
2025-05-08 17:44           ` Alexei Starovoitov
2025-05-08 19:23             ` Paul Moore
2025-05-11  2:14               ` KP Singh

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250502210034.284051-1-kpsingh@kernel.org \
    --to=kpsingh@kernel.org \
    --cc=James.Bottomley@hansenpartnership.com \
    --cc=bboscaccy@linux.microsoft.com \
    --cc=bpf@vger.kernel.org \
    --cc=code@tyhicks.com \
    --cc=corbet@lwn.net \
    --cc=davem@davemloft.net \
    --cc=dhowells@redhat.com \
    --cc=gnoack@google.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=jarkko@kernel.org \
    --cc=jmorris@namei.org \
    --cc=jstancek@redhat.com \
    --cc=justinstitt@google.com \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kbuild@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-kselftest@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=llvm@lists.linux.dev \
    --cc=masahiroy@kernel.org \
    --cc=mic@digikod.net \
    --cc=morbo@google.com \
    --cc=nathan@kernel.org \
    --cc=neal@gompa.dev \
    --cc=nick.desaulniers+lkml@gmail.com \
    --cc=nicolas@fjasle.eu \
    --cc=nkapron@google.com \
    --cc=paul@paul-moore.com \
    --cc=roberto.sassu@huawei.com \
    --cc=serge@hallyn.com \
    --cc=shuah@kernel.org \
    --cc=teknoraver@meta.com \
    --cc=xiyou.wangcong@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).