* Re: [PATCH bpf-next v2 1/5] bpf: Verify signed loader metadata at load time
From: KP Singh @ 2026-06-26 22:01 UTC (permalink / raw)
To: Alexei Starovoitov
Cc: Paul Moore, Daniel Borkmann, ast, James.Bottomley, bboscaccy,
memxor, torvalds, bpf, linux-security-module
In-Reply-To: <DJIL18C2F40B.39U9WHD43SDBR@gmail.com>
On Fri, Jun 26, 2026 at 3:16 AM Alexei Starovoitov
<alexei.starovoitov@gmail.com> wrote:
>
> On Thu Jun 25, 2026 at 5:59 PM PDT, Paul Moore wrote:
> >
> > For all the reasons I gave previously, I can't support moving the
> > existing security_bpf_prog_load() hook at this point in time.
>
> Paul,
> it's not up to you to approve or deny where security_bpf_prog_load()
> is called within the bpf subsystem as long as it doesn't affect behavior.
> Daniel's patch doesn't change observable state from the LSMs' POV.
> It merely moves the call from syscall.c to verifier.c.
> So we're going to proceed.
>
> > I'm guessing you still haven't looked at Blaise's patchset from last
> > September.
>
> Blaise's approach was NACKed because you guys ignored the TOCTOU issue.
> I pointed it out a year ago before AI was a thing. Then sashiko
> pointed it out again and the bot explained it in detail. It was again
> ignored.
>
Agreed with Alexei: I like Daniel's solution because it avoids the
complexity of machine-independent BTF for loader programs and still
addresses the signing goal, without the TOCTOU. I am okay with the
current implementation as well. I think having kfuncs in loader
programs would be useful, but we don't need to rush it or tie it to
the signing effort.
- KP
> Daniel's v1 sadly had the same issue and sashiko spotted it too.
> Hence v2 is moving the location of security_bpf_prog_load().
>
> > on-list. As you can see from the lore archives, he has vehemently
> > opposed the approach you are proposing for quite a while.
>
> Exactly, because you kept ignoring the TOCTOU issue.
> Claiming support for signed bpf that can be easily defeated
> is a shameless security scam.
>