Re: [PATCH v3 0/9] bpf-lsm: Extend interoperability with IMA

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Mar 3, 2022 at 11:13 AM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
>
> On Thu, 2022-03-03 at 19:14 +0100, KP Singh wrote:
> >
> > Even Robert's use case is to implement IMA policies in BPF this is still
> > fundamentally different from IMA doing integrity measurement for BPF
> > and blocking this patch-set on the latter does not seem rational and
> > I don't see how implementing integrity for BPF would avoid your
> > concerns.
>
> eBPF modules are an entire class of files currently not being measured,
> audited, or appraised.  This is an integrity gap that needs to be
> closed.  The purpose would be to at least measure and verify the
> integrity of the eBPF module that is going to be used in lieu of
> traditional IMA.

Mimi,

. There is no such thing as "eBPF modules". There are BPF programs.
They cannot be signed the same way as kernel modules.
We've been working on providing a way to sign them for more
than a year now. That work is still ongoing.

. IMA cannot be used for integrity check of BPF programs for the same
reasons why kernel module like signing cannot be used.

. This patch set is orthogonal.



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux