On Thu, Mar 3, 2022 at 11:13 AM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote: > > On Thu, 2022-03-03 at 19:14 +0100, KP Singh wrote: > > > > Even Robert's use case is to implement IMA policies in BPF this is still > > fundamentally different from IMA doing integrity measurement for BPF > > and blocking this patch-set on the latter does not seem rational and > > I don't see how implementing integrity for BPF would avoid your > > concerns. > > eBPF modules are an entire class of files currently not being measured, > audited, or appraised. This is an integrity gap that needs to be > closed. The purpose would be to at least measure and verify the > integrity of the eBPF module that is going to be used in lieu of > traditional IMA. Mimi, . There is no such thing as "eBPF modules". There are BPF programs. They cannot be signed the same way as kernel modules. We've been working on providing a way to sign them for more than a year now. That work is still ongoing. . IMA cannot be used for integrity check of BPF programs for the same reasons why kernel module like signing cannot be used. . This patch set is orthogonal.
