Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 771DAC433EF for ; Sat, 4 Dec 2021 02:02:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1384042AbhLDCGT (ORCPT ); Fri, 3 Dec 2021 21:06:19 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40986 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231452AbhLDCGT (ORCPT ); Fri, 3 Dec 2021 21:06:19 -0500 Received: from mail-pl1-x633.google.com (mail-pl1-x633.google.com [IPv6:2607:f8b0:4864:20::633]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A7C92C061751; Fri, 3 Dec 2021 18:02:54 -0800 (PST) Received: by mail-pl1-x633.google.com with SMTP id o14so3295689plg.5; Fri, 03 Dec 2021 18:02:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=2dt/HhZYeQD2DFLA4IdY175U1ND++ujFbnP+5vOBlAA=; b=oMU49gcdvOygLCTTI6gpAwDkcix9DcSHa68rySpeANCNScTY4LuMUSOdjzMKSqXJMm /VU+XwE/YeYT7nuQf1SZWvINlgPBwndCcFAXjZMEFOxqnewOsRikwvecRqe20vTjOFTd PzDRL8Si8W6avEeiybuWxUYrIsVtIi6Ynm2k9Cl2JNzjluyM8GqXN1YH6qBi6TVxVsvy Okq3AmRWScnAxc8xIqAOd5I9cRnPcrsyhOg3GCrd1G7lmz/2+sk0H/DxKwSHUuNgXozY ERkBGO36yDMwj+4HQqvyH3UKvBnfvtfVsPBqz+rKAJfXWqVYBPZk5xbX4PPemzQ+627i 1ywg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2dt/HhZYeQD2DFLA4IdY175U1ND++ujFbnP+5vOBlAA=; b=3K71RtZ7Y8HZCOQcgFDpRp1xnFQezey3jCbbdWyzextXJNHO4BWjwrasvjEfno0dEu 8zmt1f0QuzVsWaCqakUL8Q6+kb32M8h5Ukkf2SRS2/ZSTdsJKJo7i7N1RtYmVXLPRJ9n kmxdOunV3IM6kEe1fYAjLBeFrrYgv8+N49HNmLbxYU5hTpd99pKDr5PsdPfQ06sepDyy l+rc6NYMH9j44a+HBFxmJpGGc2SyA1zK0W6Oz++KrNeFHephXUOxD0Et7b92ikYcdNU8 lApMFXxfplps6ECE99/MhXaWAXCbXJxZdlULr19v11oTMY5FJFlBw6H16Djlp7ZGEyzS d7Lg== X-Gm-Message-State: AOAM531VtzsjKvhJWz+CxH3IJkHlJT/sda8Y7Ej+9VQACskUJGe/F/yq b9sCI+QQ4lqym8cNAhNbYnXHdEK31HLQHKbpfRY= X-Google-Smtp-Source: ABdhPJyOnDkyHV7ofs6BxuWCzq095VA5AS4isx/p1BCSbvYO8OZef/xVLvN7N9eFsUeApSuCVgI2losG0qYZ1AW0a04= X-Received: by 2002:a17:90a:1f45:: with SMTP id y5mr19113499pjy.138.1638583374087; Fri, 03 Dec 2021 18:02:54 -0800 (PST) MIME-Version: 1.0 References: <20211203191844.69709-1-mcroce@linux.microsoft.com> <86e70da74cb34b59c53b1e5e4d94375c1ef30aa1.camel@debian.org> In-Reply-To: From: Alexei Starovoitov Date: Fri, 3 Dec 2021 18:02:43 -0800 Message-ID: Subject: Re: [PATCH bpf-next 0/3] bpf: add signature To: Matteo Croce Cc: Luca Boccassi , bpf , LKML , Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Arnaldo Carvalho de Melo , Martin KaFai Lau , Song Liu , Yonghong Song , John Fastabend , KP Singh , Jakub Kicinski , Jesper Dangaard Brouer , keyrings@vger.kernel.org, Linux Crypto Mailing List , Lorenzo Bianconi Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Fri, Dec 3, 2021 at 4:42 PM Matteo Croce wrote: > > On Fri, Dec 3, 2021 at 11:20 PM Alexei Starovoitov > wrote: > > > > On Fri, Dec 3, 2021 at 2:06 PM Luca Boccassi wrote: > > > > > > On Fri, 2021-12-03 at 11:37 -0800, Alexei Starovoitov wrote: > > > > On Fri, Dec 3, 2021 at 11:36 AM Matteo Croce > > > > wrote: > > > > > > > > > > On Fri, Dec 3, 2021 at 8:22 PM Alexei Starovoitov > > > > > wrote: > > > > > > > > > > > > On Fri, Dec 3, 2021 at 11:18 AM Matteo Croce > > > > > > wrote: > > > > > > > > > > > > > > From: Matteo Croce > > > > > > > > > > > > > > This series add signature verification for BPF files. > > > > > > > The first patch implements the signature validation in the > > > > > > > kernel, > > > > > > > the second patch optionally makes the signature mandatory, > > > > > > > the third adds signature generation to bpftool. > > > > > > > > > > > > Matteo, > > > > > > > > > > > > I think I already mentioned that it's no-go as-is. > > > > > > We've agreed to go with John's suggestion. > > > > > > > > > > Hi, > > > > > > > > > > my previous attempt was loading a whole ELF file and parsing it in > > > > > kernel. > > > > > In this series I just validate the instructions against a > > > > > signature, > > > > > as with kernel CO-RE libbpf doesn't need to mangle it. > > > > > > > > > > Which suggestion? I think I missed this one.. > > > > > > > > This talk and discussion: > > > > https://linuxplumbersconf.org/event/11/contributions/947/ > > > > > > Thanks for the link - but for those of us who don't have ~5 hours to > > > watch a video recording, would you mind sharing a one line summary, > > > please? Is there an alternative patch series implementing BPF signing > > > that you can link us so that we can look at it? Just a link or > > > googlable reference would be more than enough. > > > > It's not 5 hours and you have to read slides and watch > > John's presentation to follow the conversation. > > So, If I have understood correctly, the proposal is to validate the > tools which loads the BPF (e.g. perf, ip) with fs-verity, and only > allow BPF loading from those validated binaries? > That's nice, but I think that this could be complementary to the > instructions signature. > Imagine a validated binary being exploited somehow at runtime, that > could be vector of malicious BPF program load. > Can't we have both available, and use one or other, or even both > together depending on the use case? I'll let John comment.