BPF folks,

Quick question: Has anyone considered using signing of BPF programs as a compromise between completely denying non-root from loading eBPF programs and permitting non-root to load any eBPF programs?

Problem statement:

A large set of security issues have arisen because of permitting non-root to verify and load eBPF programs into the kernel. These range from Spectre-style speculative load side channel attacks to verification failures. The desire exists to permit programs that use eBPF to run as non-root in an effort to run with least privilege, but this conflicts with the desire to limit eBPF program loading to root only.

Proposal:

Enable signing enforcement of eBPF programs (https://lwn.net/Articles/853489/) and permit root to set a policy that permits non-root to only load eBPF programs signed by root. This would allow root to delegate permission to load specific eBPF programs to a non-root entity while continuing to block loading of arbitrary eBPF programs. Root could then verify the provenance of eBPF programs and sign them only if they are from a safe source and have been compiled with appropriate speculative load hardening. This approach would appear to give the benefits of least privilege while also controlling what is loaded into the kernel address space.

Background:

The eBPF for Windows (https://github.com/microsoft/ebpf-for-windows) team is exploring security hardening options, and one of the options on the table is to use signing to restrict loading of eBPF programs to those designated as trusted. The desire exists to maintain a similar security model on all platforms on which eBPF is supported, hence reaching out to you folks.

Thoughts or feedback?

Regards,
Alan Jowett
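The three policies the message contrasts (deny non-root entirely, allow non-root anything, or allow non-root only root-signed programs) come down to one gate at load time. The following Go program is an added illustration of that gate and is not code from the message, from the kernel, or from the ebpf-for-windows project. It assumes Ed25519 detached signatures over the raw bytecode purely to keep the example self-contained; the kernel signing proposal linked above is built on the kernel keyring and its own signature format, and a real design must also decide which bytes the signature covers (the instruction stream alone, or the object as it looks after the user-space loader has applied relocations). The 16-byte sample program (`mov r0, 0; exit`) is constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// LoadPolicy models the three options discussed in the message.
type LoadPolicy int

const (
	PolicyRootOnly   LoadPolicy = iota // non-root may load nothing
	PolicySignedOnly                   // non-root may load only programs signed by root
	PolicyAnyone                       // non-root may load any program
)

// SignedProgram carries eBPF bytecode plus a detached signature over it
// (nil when the program was never signed).
type SignedProgram struct {
	Bytecode  []byte
	Signature []byte
}

var (
	ErrPolicyDenied = errors.New("policy denies unprivileged BPF program load")
	ErrBadSignature = errors.New("program is unsigned or its signature does not verify under root's key")
)

// NewRootKey creates root's signing key pair. Only the public half would be
// handed to the loader (in the kernel case, installed in a trusted keyring).
// Ed25519 is an assumption of this example, not the kernel's format.
func NewRootKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignProgram is root's step: after checking provenance and that the program
// was compiled with the desired hardening, root signs the exact bytes to be loaded.
func SignProgram(priv ed25519.PrivateKey, bytecode []byte) SignedProgram {
	return SignedProgram{Bytecode: bytecode, Signature: ed25519.Sign(priv, bytecode)}
}

// AuthorizeLoad is the loader-side gate. Root keeps its existing privilege
// under every policy; the policy only decides what a non-root caller may load.
func AuthorizeLoad(policy LoadPolicy, isRoot bool, rootPub ed25519.PublicKey, p SignedProgram) error {
	if isRoot {
		return nil
	}
	switch policy {
	case PolicyAnyone:
		return nil
	case PolicySignedOnly:
		// Verify returns false for a wrong-length or tampered signature; the
		// length check just makes the unsigned case explicit.
		if len(p.Signature) != ed25519.SignatureSize ||
			!ed25519.Verify(rootPub, p.Bytecode, p.Signature) {
			return ErrBadSignature
		}
		return nil
	default: // PolicyRootOnly and anything unrecognised fail closed
		return ErrPolicyDenied
	}
}

// SampleProgram is a constructed two-instruction eBPF program: mov r0, 0; exit.
func SampleProgram() []byte {
	return []byte{
		0xb7, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // BPF_MOV64_IMM(r0, 0)
		0x95, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // BPF_EXIT_INSN
	}
}

func main() {
	pub, priv, err := NewRootKey()
	if err != nil {
		panic(err)
	}
	prog := SampleProgram()
	signed := SignProgram(priv, prog)
	unsigned := SignedProgram{Bytecode: prog}

	tampered := SignProgram(priv, prog)
	tampered.Bytecode = append([]byte(nil), prog...)
	tampered.Bytecode[0] ^= 0x01 // flip a bit after signing

	fmt.Println("non-root, signed-only, root-signed:", AuthorizeLoad(PolicySignedOnly, false, pub, signed))
	fmt.Println("non-root, signed-only, unsigned:   ", AuthorizeLoad(PolicySignedOnly, false, pub, unsigned))
	fmt.Println("non-root, signed-only, tampered:   ", AuthorizeLoad(PolicySignedOnly, false, pub, tampered))
	fmt.Println("non-root, root-only, root-signed:  ", AuthorizeLoad(PolicyRootOnly, false, pub, signed))
	fmt.Println("root, root-only, unsigned:         ", AuthorizeLoad(PolicyRootOnly, true, pub, unsigned))
}
```

The point of the signed-only branch is that the loader never has to trust the caller: it trusts only root's public key, so a non-root process can be handed a signed program and nothing else, and any bit it changes (or any program signed by some other key) is rejected before the verifier ever sees it.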