[LSF/MM/BPF TOPIC] Two-Phase eBPF Program Signing

The naive approach to signing eBPF programs faces a critical
limitation: programs undergo mandatory modifications by libbpf before
kernel loading, which invalidates conventional signatures. We present
Two-Phase Signing, a solution that implements sequential verification
aligned with the eBPF program lifecycle.

Our approach establishes a baseline signature during initial
compilation, followed by a secondary signature that encompasses both
the modified program and initial signature. This creates a verifiable
chain of trust while accommodating essential libbpf modifications such
as relocations and map file descriptor updates. This approach enables
precise failure diagnosis by distinguishing between compromised
original programs and unauthorized post-compilation modifications.

The Two-Phase Signing method balances security with practicality,
allowing necessary binary modifications while maintaining integrity
verification throughout the program's lifecycle. This approach
provides granular audit capabilities and clear identification of
potential security breaches in the signing chain.
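The two-phase chain described above, as an added example rather than code from this proposal or from libbpf: HMAC-SHA256 under two constructed role keys stands in for the real build-time and load-time signatures, and the libbpf relocation step is a constructed placeholder-for-map-fd replacement, so the only thing demonstrated is how the nested signatures let a verifier tell a compromised original from a post-compilation modification.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumption: HMAC-SHA256 under constructed keys stands in for the asymmetric
# signatures a build signer (phase 1) and a loader signer (phase 2) would produce.
BUILD_KEY = b"constructed build-signer key"
LOADER_KEY = b"constructed loader-signer key"
# Constructed placeholder that libbpf-style patching rewrites to the real map fd.
FD_PLACEHOLDER = b"\xff\xff\xff\xff"

def sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

@dataclass(frozen=True)
class SignedProgram:
    original: bytes   # program bytes as emitted by the compiler
    sig1: bytes       # phase 1: signature over `original`
    modified: bytes   # bytes after libbpf-style relocation / fd patching
    sig2: bytes       # phase 2: signature over `modified || sig1`

def phase1_sign(original: bytes) -> bytes:
    """Build time: baseline signature over the unmodified program."""
    return sign(BUILD_KEY, original)

def apply_libbpf_like_patches(original: bytes, map_fd: int) -> bytes:
    """Constructed stand-in for libbpf's load-time rewriting of map fds."""
    return original.replace(FD_PLACEHOLDER, map_fd.to_bytes(4, "little"))

def phase2_sign(modified: bytes, sig1: bytes) -> bytes:
    """Load time: second signature binds the patched bytes to the first signature."""
    return sign(LOADER_KEY, modified + sig1)

def build_and_load(original: bytes, map_fd: int) -> SignedProgram:
    """Full lifecycle: compile-time signature, libbpf-style patching, load-time signature."""
    sig1 = phase1_sign(original)
    modified = apply_libbpf_like_patches(original, map_fd)
    return SignedProgram(original, sig1, modified, phase2_sign(modified, sig1))

def verify(sp: SignedProgram) -> str:
    """Check inner-to-outer so the phase that fails names the cause."""
    if not hmac.compare_digest(phase1_sign(sp.original), sp.sig1):
        return "ORIGINAL_COMPROMISED"        # compiler output is not what was signed
    if not hmac.compare_digest(phase2_sign(sp.modified, sp.sig1), sp.sig2):
        return "UNAUTHORIZED_MODIFICATION"   # bytes changed after the loader signed them
    return "OK"

# Constructed sample "program": a load-imm insn with a map-fd placeholder, then exit.
SAMPLE_PROGRAM = b"\x18\x01\x00\x00" + FD_PLACEHOLDER + b"\x95\x00\x00\x00\x00\x00\x00\x00"
```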

We invite discussion on the implications, trade-offs, and potential
improvements of this approach for securing eBPF programs in production
environments, particularly focusing on practical impact and
integration challenges with existing eBPF frameworks.

Thanks!
