> -----Original Message-----
> From: Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx>
> Sent: Thursday, January 11, 2024 8:17 PM
> To: Maxwell Bland <mbland@xxxxxxxxxxxx>
> Cc: Jin, Di <di_jin@xxxxxxxxx>; bpf@xxxxxxxxxxxxxxx; v.atlidakis@xxxxxxxxx;
> vpk@xxxxxxxxxxxx; Andrew Wheeler <awheeler@xxxxxxxxxxxx>; Sammy
> BS2 Que | 阙斌生 <quebs2@xxxxxxxxxxxx>
> Subject: Re: [External] Fwd: BPF-NX+CFI is a good upstreaming candidate
>
> On Fri, Jan 5, 2024 at 8:58 AM Maxwell Bland <mbland@xxxxxxxxxxxx> wrote:
> >
> > With the inclusion of Peter's CFI patches and the adaption of these to ARM,
> > there's already strong progress towards security for BPF's JIT. If the mixing
> > executable code with data issue gets fixed too, then it will soon become
> > possible to treat BPF JIT programs like any other part of the .text section,
> > which seems like a huge win, since BPF then gets all or many of the fruits of
> > standard .text section security.
>
> FYI kCFI + BPF fixes for x86 have landed in Linus's tree today.
> Somebody needs to do the work for arm64 JIT.
> Since bpf core pieces are ready it will be a bit easier.

Thanks! I am that somebody (maybe)---I am working toward this patch.

Also hopefully someone beats me to it: I forwarded this to kernel security teams at MTK/QCOM (Sampath Ponnathpura <sampathp@xxxxxxxxxxxxxxxx> and Chinwen Chang <chinwen.chang@xxxxxxxxxxxx>) so they are also aware.