Thread: 26 messages, 5 authors, 2022-03-11

Re: [PATCH v3 0/9] bpf-lsm: Extend interoperability with IMA

From: Alexei Starovoitov <hidden>
Date: 2022-03-03 22:39:53
Also in: bpf, linux-integrity, linux-kselftest, lkml, netdev

On Thu, Mar 3, 2022 at 11:13 AM Mimi Zohar [off-list ref] wrote:
> On Thu, 2022-03-03 at 19:14 +0100, KP Singh wrote:
> > Even if Robert's use case is to implement IMA policies in BPF, this is still
> > fundamentally different from IMA doing integrity measurement for BPF,
> > and blocking this patch-set on the latter does not seem rational and
> > I don't see how implementing integrity for BPF would avoid your
> > concerns.
>
> eBPF modules are an entire class of files currently not being measured,
> audited, or appraised.  This is an integrity gap that needs to be
> closed.  The purpose would be to at least measure and verify the
> integrity of the eBPF module that is going to be used in lieu of
> traditional IMA.
Mimi,

- There is no such thing as "eBPF modules". There are BPF programs.
  They cannot be signed the same way as kernel modules.
  We've been working on providing a way to sign them for more
  than a year now. That work is still ongoing.

- IMA cannot be used for integrity check of BPF programs for the same
  reasons why kernel module like signing cannot be used.

- This patch set is orthogonal.