Re: [PATCH 00/12] Signed BPF programs

[PATCH 00/12] Signed BPF programs · KP Singh <kpsingh@kernel.org> · 2025-06-06
[PATCH 01/12] bpf: Implement an internal helper for SHA256 hashing · KP Singh <kpsingh@kernel.org> · 2025-06-06
Re: [PATCH 01/12] bpf: Implement an internal helper for SHA256 hashing · kernel test robot <hidden> · 2025-06-09
Re: [PATCH 01/12] bpf: Implement an internal helper for SHA256 hashing · Alexei Starovoitov <hidden> · 2025-06-09
Re: [PATCH 01/12] bpf: Implement an internal helper for SHA256 hashing · Eric Biggers <ebiggers@kernel.org> · 2025-06-12
Re: [PATCH 01/12] bpf: Implement an internal helper for SHA256 hashing · KP Singh <kpsingh@kernel.org> · 2025-06-16
Re: [PATCH 01/12] bpf: Implement an internal helper for SHA256 hashing · Eric Biggers <ebiggers@kernel.org> · 2025-06-16
Re: [PATCH 01/12] bpf: Implement an internal helper for SHA256 hashing · KP Singh <kpsingh@kernel.org> · 2025-06-17
[PATCH 02/12] bpf: Update the bpf_prog_calc_tag to use SHA256 · KP Singh <kpsingh@kernel.org> · 2025-06-06
Re: [PATCH 02/12] bpf: Update the bpf_prog_calc_tag to use SHA256 · Alexei Starovoitov <hidden> · 2025-06-09
[PATCH 03/12] bpf: Implement exclusive map creation · KP Singh <kpsingh@kernel.org> · 2025-06-06
Re: [PATCH 03/12] bpf: Implement exclusive map creation · Alexei Starovoitov <hidden> · 2025-06-09
Re: [PATCH 03/12] bpf: Implement exclusive map creation · KP Singh <kpsingh@kernel.org> · 2025-06-11
Re: [PATCH 03/12] bpf: Implement exclusive map creation · Alexei Starovoitov <hidden> · 2025-06-11
Re: [PATCH 03/12] bpf: Implement exclusive map creation · KP Singh <kpsingh@kernel.org> · 2025-06-11
[PATCH 04/12] libbpf: Implement SHA256 internal helper · KP Singh <kpsingh@kernel.org> · 2025-06-06
Re: [PATCH 04/12] libbpf: Implement SHA256 internal helper · Andrii Nakryiko <hidden> · 2025-06-12
[PATCH 05/12] libbpf: Support exclusive map creation · KP Singh <kpsingh@kernel.org> · 2025-06-06
Re: [PATCH 05/12] libbpf: Support exclusive map creation · kernel test robot <hidden> · 2025-06-07
Re: [PATCH 05/12] libbpf: Support exclusive map creation · Andrii Nakryiko <hidden> · 2025-06-12
Re: [PATCH 05/12] libbpf: Support exclusive map creation · KP Singh <kpsingh@kernel.org> · 2025-06-12
Re: [PATCH 05/12] libbpf: Support exclusive map creation · Andrii Nakryiko <hidden> · 2025-06-13
Re: [PATCH 05/12] libbpf: Support exclusive map creation · KP Singh <kpsingh@kernel.org> · 2025-07-12
Re: [PATCH 05/12] libbpf: Support exclusive map creation · KP Singh <kpsingh@kernel.org> · 2025-07-12
Re: [PATCH 05/12] libbpf: Support exclusive map creation · Andrii Nakryiko <hidden> · 2025-07-14
Re: [PATCH 05/12] libbpf: Support exclusive map creation · KP Singh <kpsingh@kernel.org> · 2025-07-14
Re: [PATCH 05/12] libbpf: Support exclusive map creation · KP Singh <kpsingh@kernel.org> · 2025-07-14
Re: [PATCH 05/12] libbpf: Support exclusive map creation · Andrii Nakryiko <hidden> · 2025-07-14
[PATCH 06/12] selftests/bpf: Add tests for exclusive maps · KP Singh <kpsingh@kernel.org> · 2025-06-06
[PATCH 07/12] bpf: Return hashes of maps in BPF_OBJ_GET_INFO_BY_FD · KP Singh <kpsingh@kernel.org> · 2025-06-06
Re: [PATCH 07/12] bpf: Return hashes of maps in BPF_OBJ_GET_INFO_BY_FD · kernel test robot <hidden> · 2025-06-07
Re: [PATCH 07/12] bpf: Return hashes of maps in BPF_OBJ_GET_INFO_BY_FD · kernel test robot <hidden> · 2025-06-08
Re: [PATCH 07/12] bpf: Return hashes of maps in BPF_OBJ_GET_INFO_BY_FD · Alexei Starovoitov <hidden> · 2025-06-09
Re: [PATCH 07/12] bpf: Return hashes of maps in BPF_OBJ_GET_INFO_BY_FD · KP Singh <kpsingh@kernel.org> · 2025-06-11
Re: [PATCH 07/12] bpf: Return hashes of maps in BPF_OBJ_GET_INFO_BY_FD · Alexei Starovoitov <hidden> · 2025-06-11
Re: [PATCH 07/12] bpf: Return hashes of maps in BPF_OBJ_GET_INFO_BY_FD · KP Singh <kpsingh@kernel.org> · 2025-06-11
[PATCH 08/12] bpf: Implement signature verification for BPF programs · KP Singh <kpsingh@kernel.org> · 2025-06-06
Re: [PATCH 08/12] bpf: Implement signature verification for BPF programs · Alexei Starovoitov <hidden> · 2025-06-09
Re: [PATCH 08/12] bpf: Implement signature verification for BPF programs · Blaise Boscaccy <hidden> · 2025-06-10
[PATCH 09/12] libbpf: Update light skeleton for signing · KP Singh <kpsingh@kernel.org> · 2025-06-06
Re: [PATCH 09/12] libbpf: Update light skeleton for signing · Alexei Starovoitov <hidden> · 2025-06-09
[PATCH 10/12] libbpf: Embed and verify the metadata hash in the loader · KP Singh <kpsingh@kernel.org> · 2025-06-06
Re: [PATCH 10/12] libbpf: Embed and verify the metadata hash in the loader · Alexei Starovoitov <hidden> · 2025-06-10
Re: [PATCH 10/12] libbpf: Embed and verify the metadata hash in the loader · Blaise Boscaccy <hidden> · 2025-06-10
Re: [PATCH 10/12] libbpf: Embed and verify the metadata hash in the loader · KP Singh <kpsingh@kernel.org> · 2025-06-10
Re: [PATCH 10/12] libbpf: Embed and verify the metadata hash in the loader · Blaise Boscaccy <hidden> · 2025-06-10
Re: [PATCH 10/12] libbpf: Embed and verify the metadata hash in the loader · KP Singh <kpsingh@kernel.org> · 2025-06-10
Re: [PATCH 10/12] libbpf: Embed and verify the metadata hash in the loader · James Bottomley <James.Bottomley@HansenPartnership.com> · 2025-06-10
Re: [PATCH 10/12] libbpf: Embed and verify the metadata hash in the loader · Paul Moore <paul@paul-moore.com> · 2025-06-10
Re: [PATCH 10/12] libbpf: Embed and verify the metadata hash in the loader · KP Singh <kpsingh@kernel.org> · 2025-06-10
Re: [PATCH 10/12] libbpf: Embed and verify the metadata hash in the loader · James Bottomley <James.Bottomley@HansenPartnership.com> · 2025-06-11
Re: [PATCH 10/12] libbpf: Embed and verify the metadata hash in the loader · KP Singh <kpsingh@kernel.org> · 2025-06-11
Re: [PATCH 10/12] libbpf: Embed and verify the metadata hash in the loader · James Bottomley <James.Bottomley@HansenPartnership.com> · 2025-06-11
Re: [PATCH 10/12] libbpf: Embed and verify the metadata hash in the loader · KP Singh <kpsingh@kernel.org> · 2025-06-11
Re: [PATCH 10/12] libbpf: Embed and verify the metadata hash in the loader · James Bottomley <James.Bottomley@HansenPartnership.com> · 2025-06-11
Re: [PATCH 10/12] libbpf: Embed and verify the metadata hash in the loader · KP Singh <kpsingh@kernel.org> · 2025-06-11
Re: [PATCH 10/12] libbpf: Embed and verify the metadata hash in the loader · James Bottomley <James.Bottomley@HansenPartnership.com> · 2025-06-11
Re: [PATCH 10/12] libbpf: Embed and verify the metadata hash in the loader · KP Singh <kpsingh@kernel.org> · 2025-06-11
Re: [PATCH 10/12] libbpf: Embed and verify the metadata hash in the loader · KP Singh <kpsingh@kernel.org> · 2025-06-10
Re: [PATCH 10/12] libbpf: Embed and verify the metadata hash in the loader · Andrii Nakryiko <hidden> · 2025-06-12
[PATCH 11/12] bpftool: Add support for signing BPF programs · KP Singh <kpsingh@kernel.org> · 2025-06-06
Re: [PATCH 11/12] bpftool: Add support for signing BPF programs · James Bottomley <James.Bottomley@HansenPartnership.com> · 2025-06-08
Re: [PATCH 11/12] bpftool: Add support for signing BPF programs · KP Singh <kpsingh@kernel.org> · 2025-06-10
Re: [PATCH 11/12] bpftool: Add support for signing BPF programs · James Bottomley <James.Bottomley@HansenPartnership.com> · 2025-06-10
Re: [PATCH 11/12] bpftool: Add support for signing BPF programs · KP Singh <kpsingh@kernel.org> · 2025-06-10
Re: [PATCH 11/12] bpftool: Add support for signing BPF programs · Blaise Boscaccy <hidden> · 2025-06-10
[PATCH 12/12] selftests/bpf: Enable signature verification for all lskel tests · KP Singh <kpsingh@kernel.org> · 2025-06-06
Re: [PATCH 12/12] selftests/bpf: Enable signature verification for all lskel tests · Alexei Starovoitov <hidden> · 2025-06-10
Re: [PATCH 12/12] selftests/bpf: Enable signature verification for all lskel tests · Blaise Boscaccy <hidden> · 2025-06-10
Re: [PATCH 12/12] selftests/bpf: Enable signature verification for all lskel tests · KP Singh <kpsingh@kernel.org> · 2025-06-10
Re: [PATCH 00/12] Signed BPF programs · Toke Høiland-Jørgensen <toke@kernel.org> · 2025-06-09
Re: [PATCH 00/12] Signed BPF programs · KP Singh <kpsingh@kernel.org> · 2025-06-09
Re: [PATCH 00/12] Signed BPF programs · Toke Høiland-Jørgensen <toke@kernel.org> · 2025-06-10
Re: [PATCH 00/12] Signed BPF programs · KP Singh <kpsingh@kernel.org> · 2025-06-10
Re: [PATCH 00/12] Signed BPF programs · Toke Høiland-Jørgensen <toke@kernel.org> · 2025-06-10
Re: [PATCH 00/12] Signed BPF programs · KP Singh <kpsingh@kernel.org> · 2025-06-10
Re: [PATCH 00/12] Signed BPF programs · Toke Høiland-Jørgensen <toke@kernel.org> · 2025-06-10
Re: [PATCH 00/12] Signed BPF programs · Blaise Boscaccy <hidden> · 2025-07-08
Re: [PATCH 00/12] Signed BPF programs · KP Singh <kpsingh@kernel.org> · 2025-07-10

From: KP Singh <kpsingh@kernel.org>
Date: 2025-06-10 11:18:35
Also in: bpf

On Tue, Jun 10, 2025 at 11:45 AM Toke Høiland-Jørgensen [off-list ref] wrote:

KP Singh [off-list ref] writes:

quoted

On Mon, Jun 9, 2025 at 10:20 AM Toke Høiland-Jørgensen [off-list ref] wrote:

quoted

Given that many use-cases (e.g. Cilium) generate trusted BPF programs,
trusted loaders are an inevitability and a requirement for signing support, a
entrusting loader programs will be a fundamental requirement for an security
policy.

So I've been following this discussion a bit on the sidelines, and have
a question related to this:

From your description a loader would have embedded hashes for a concrete
BPF program, which doesn't really work for dynamically generated
programs. So how would a "trusted loader" work for dynamically generated
programs?

The trusted loader for dynamically generated programs would be the
binary that loads the BPF program. So a security policy will need to
allow certain trusted binaries (signed with a different key) to load
unsigned BPF programs for cilium.

OK, so this refers to a policy along the line of: "Only allow signed BPF
program except for this particular userspace binary that is allowed to
load anything"?

quoted

For a stronger policy, the generators can use a derived key and
identity (e.g from the Kubernetes / machine / TLS certificate) and
then sign their programs using this certificate. The LSM policy then
allows verification with a trusted build key and for certain binaries,
with the delegated credentials.

And this means "add a separate trusted key on the kernel side that the
userspace binary signs things with before passing it to the kernel"?

In which case, how does that tie into the original statement I quoted at
the top of this email? The "trusted loaders are an inevitability" bit? I
was assuming that the "trusted loaders" in that sentence referred to the
light-skeleton loader program, but from your reply I'm not thinking

No trusted loaders are exactly what they mean, trusted blobs of code
that can load BPF programs, these can be loader programs in light
skeletons or trusted user-space binaries.

- KP

maybe it just means "some userspace binaries need to be exempt from any
signing requirement"? Or am I missing something?

-Toke

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help