On Fri, Dec 3, 2021 at 11:20 PM Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx> wrote: > > On Fri, Dec 3, 2021 at 2:06 PM Luca Boccassi <bluca@xxxxxxxxxx> wrote: > > > > On Fri, 2021-12-03 at 11:37 -0800, Alexei Starovoitov wrote: > > > On Fri, Dec 3, 2021 at 11:36 AM Matteo Croce > > > <mcroce@xxxxxxxxxxxxxxxxxxx> wrote: > > > > > > > > On Fri, Dec 3, 2021 at 8:22 PM Alexei Starovoitov > > > > <alexei.starovoitov@xxxxxxxxx> wrote: > > > > > > > > > > On Fri, Dec 3, 2021 at 11:18 AM Matteo Croce > > > > > <mcroce@xxxxxxxxxxxxxxxxxxx> wrote: > > > > > > > > > > > > From: Matteo Croce <mcroce@xxxxxxxxxxxxx> > > > > > > > > > > > > This series add signature verification for BPF files. > > > > > > The first patch implements the signature validation in the > > > > > > kernel, > > > > > > the second patch optionally makes the signature mandatory, > > > > > > the third adds signature generation to bpftool. > > > > > > > > > > Matteo, > > > > > > > > > > I think I already mentioned that it's no-go as-is. > > > > > We've agreed to go with John's suggestion. > > > > > > > > Hi, > > > > > > > > my previous attempt was loading a whole ELF file and parsing it in > > > > kernel. > > > > In this series I just validate the instructions against a > > > > signature, > > > > as with kernel CO-RE libbpf doesn't need to mangle it. > > > > > > > > Which suggestion? I think I missed this one.. > > > > > > This talk and discussion: > > > https://linuxplumbersconf.org/event/11/contributions/947/ > > > > Thanks for the link - but for those of us who don't have ~5 hours to > > watch a video recording, would you mind sharing a one line summary, > > please? Is there an alternative patch series implementing BPF signing > > that you can link us so that we can look at it? Just a link or > > googlable reference would be more than enough. > > It's not 5 hours and you have to read slides and watch > John's presentation to follow the conversation. So, If I have understood correctly, the proposal is to validate the tools which loads the BPF (e.g. perf, ip) with fs-verity, and only allow BPF loading from those validated binaries? That's nice, but I think that this could be complementary to the instructions signature. Imagine a validated binary being exploited somehow at runtime, that could be vector of malicious BPF program load. Can't we have both available, and use one or other, or even both together depending on the use case? Regards, -- per aspera ad upstream