> > Right, but this patch series has no mechanism for establishing a
> > userspace loader binary as trusted (right?). The paragraph I quoted
> > makes it sound like these are related, and I was trying to figure out
> > what the relation was. But it sounds like the answer is that they are
> > not?
>
> The relation here is that no matter what we do, the kernel cannot be the only trusted blob on the system, and this was aimed at answering questions people had earlier when I proposed the design.

This patch does add signing support, and this allows us to add the following policy; it does not directly add any user space support.

bprm_committed_creds (check the signature of the program; if it verifies with a separate key, add a blob that allows):

* unsigned bpf programs
* signed with a derived key

security_bpf:

* Check for the right attributes for signing.
* restrict which program types can be loaded.

(additional key hooks for restricting which keys are allowed to verify programs).
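The policy outline above, modelled in user-space C as an added example. This is not code from the patch series or the thread: the hook names are kept only as function-name labels, `toy_mac()` (FNV-1a over a domain byte, a key and the message) stands in for real signature verification, `derive_loader_key()` is an assumed derivation of the per-loader key from the separate loader-signing key, the `LOADER_SIGNING_KEY` constant and the program-type bitmask are hypothetical, and the extra key hooks that restrict which keys may verify programs are not modelled. What it shows is the shape of the two stages: trust is established for the loader at exec and recorded in a cred blob, and the bpf() hook enforces that blob on every load (unsigned allowed, signed must verify under the derived key, program type must be granted).

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: user-space model of "sign the loader at exec, enforce at the
 * bpf() hook". Not the patch series' code. toy_mac() and derive_loader_key()
 * are toy constructions (assumption for the model); a real implementation
 * verifies asymmetric signatures against keys in a keyring. */

enum prog_type { PT_SOCKET_FILTER = 0, PT_KPROBE, PT_TRACING, PT_LSM };

#define TYPE_BIT(t) (1u << (t))

struct signed_blob {
    const uint8_t *data;
    size_t len;
    uint64_t sig;            /* toy_mac over data under some key */
};

/* Stand-in for a signature: FNV-1a over a domain byte, the key and the message. */
static uint64_t toy_mac(uint8_t domain, uint64_t key, const uint8_t *msg, size_t len)
{
    uint64_t h = 14695981039346656037ULL;
    h ^= domain;
    h *= 1099511628211ULL;
    for (int i = 0; i < 8; i++) {
        h ^= (key >> (8 * i)) & 0xff;
        h *= 1099511628211ULL;
    }
    for (size_t i = 0; i < len; i++) {
        h ^= msg[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* The "separate key" that signs loader binaries (hypothetical constant). */
#define LOADER_SIGNING_KEY 0x5ec0de5ec0de5ec0ULL

/* Per-loader key its BPF programs must be signed with: derived from the loader
 * signing key and the loader's own bytes, under its own domain byte (assumed). */
static uint64_t derive_loader_key(const uint8_t *bin, size_t len)
{
    return toy_mac('D', LOADER_SIGNING_KEY, bin, len);
}

/* Blob hung off the task's creds once the loader has verified. */
struct bpf_policy_blob {
    int allow_unsigned;      /* may load unsigned programs */
    uint64_t derived_key;    /* key that signed programs must verify under */
    uint32_t allowed_types;  /* bitmask of TYPE_BIT(prog_type) */
};

struct task_model {
    int has_blob;
    struct bpf_policy_blob blob;
};

/* Model of bprm_committed_creds: verify the loader with LOADER_SIGNING_KEY and,
 * on success, attach the policy blob. Returns 1 if a blob was attached. */
static int model_bprm_committed_creds(struct task_model *t,
                                      const struct signed_blob *bin,
                                      uint32_t allowed_types)
{
    t->has_blob = 0;
    if (toy_mac('B', LOADER_SIGNING_KEY, bin->data, bin->len) != bin->sig)
        return 0;            /* not a signed loader: no blob, default deny */
    t->blob.allow_unsigned = 1;
    t->blob.derived_key = derive_loader_key(bin->data, bin->len);
    t->blob.allowed_types = allowed_types;
    t->has_blob = 1;
    return 1;
}

/* Model of security_bpf for a program load: check the signing attribute and
 * restrict program types. 0 = allow, negative errno = deny. */
static int model_security_bpf(const struct task_model *t,
                              const struct signed_blob *prog,
                              int attr_signed, enum prog_type type)
{
    if (!t->has_blob)
        return -EPERM;       /* loader was never established as trusted */
    if (!(t->blob.allowed_types & TYPE_BIT(type)))
        return -EACCES;      /* program type not granted to this loader */
    if (!attr_signed)
        return t->blob.allow_unsigned ? 0 : -EPERM;
    if (toy_mac('P', t->blob.derived_key, prog->data, prog->len) != prog->sig)
        return -EBADMSG;     /* carries a signature, but not under the derived key */
    return 0;
}

/* Constructed scenario (sample bytes are made up); returns how many of its 8
 * checks gave the answer the policy intends. */
static int run_scenario(void)
{
    static const uint8_t loader[] = "bpf-loader-v1";
    static const uint8_t prog[] = "bpf-prog-bytes";
    static const uint8_t tampered[] = "bpf-prog-bytez";
    struct task_model trusted = {0}, untrusted = {0};
    struct signed_blob bin = { loader, sizeof loader,
                               toy_mac('B', LOADER_SIGNING_KEY, loader, sizeof loader) };
    struct signed_blob unsigned_bin = { loader, sizeof loader, 0 };
    uint32_t grant = TYPE_BIT(PT_KPROBE) | TYPE_BIT(PT_TRACING);
    int ok = 0;

    ok += model_bprm_committed_creds(&trusted, &bin, grant) == 1;
    ok += model_bprm_committed_creds(&untrusted, &unsigned_bin, grant) == 0;

    struct signed_blob good = { prog, sizeof prog,
                                toy_mac('P', trusted.blob.derived_key, prog, sizeof prog) };
    struct signed_blob wrong_key = { prog, sizeof prog,
                                     toy_mac('P', LOADER_SIGNING_KEY, prog, sizeof prog) };
    struct signed_blob forged = { tampered, sizeof tampered, good.sig };
    struct signed_blob unsigned_prog = { prog, sizeof prog, 0 };

    ok += model_security_bpf(&untrusted, &unsigned_prog, 0, PT_KPROBE) == -EPERM;
    ok += model_security_bpf(&trusted, &unsigned_prog, 0, PT_KPROBE) == 0;
    ok += model_security_bpf(&trusted, &unsigned_prog, 0, PT_LSM) == -EACCES;
    ok += model_security_bpf(&trusted, &good, 1, PT_TRACING) == 0;
    ok += model_security_bpf(&trusted, &wrong_key, 1, PT_TRACING) == -EBADMSG;
    ok += model_security_bpf(&trusted, &forged, 1, PT_TRACING) == -EBADMSG;
    return ok;
}

int main(void)
{
    printf("%d/8 policy checks behaved as intended\n", run_scenario());
    return 0;
}
```

The scenario covers the cases the outline implies: an unsigned loader gets no blob and cannot load at all, a signed loader may load unsigned programs but only of the granted types, and a signed program is accepted only when its signature verifies under that loader's derived key, so neither a signature made with the loader-signing key itself nor a signature transplanted onto modified program bytes passes.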