On 12/11/2019 02:51, Alexei Starovoitov wrote: > There > could be a 'root' bpf program (let's call it rootlet.o) that looks like: This looks a lot like what I had in mind... > We can introduce dynamic linking. The second part of 'BPF trampoline' patches > allows tracing programs to attach to other BPF programs. The idea of dynamic > linking is to replace a program or subprogram instead of attaching to it. ... as does this, particularly the "partial verification" / verify a subprog as a separate unit with its own contract. > The rootlet.o calls into firewall1.o directly. So no retpoline to worry about > and firewall1.o can use bpf_tail_call() if it wants so. That tail_call will > still return back to rootlet.o Yep, that's a really nice gain that comes out of partial verification. +1 to this whole proposal. -Ed
