On Wed, Jun 11, 2025 at 2:44 PM KP Singh <kpsingh@xxxxxxxxxx> wrote:
>
> On Mon, Jun 9, 2025 at 10:58 PM Alexei Starovoitov
> <alexei.starovoitov@xxxxxxxxx> wrote:
> >
> > On Fri, Jun 6, 2025 at 4:29 PM KP Singh <kpsingh@xxxxxxxxxx> wrote:
> > >
> > > Exclusive maps allow maps to only be accessed by a trusted loader
> > > program with a matching hash. This allows the trusted loader program
> > > to load the map and verify the integrity.
> > >
> > > Both maps of maps (array, hash) cannot be exclusive and exclusive maps
> > > cannot be added as inner maps. This is because one would need to
> > > guarantee the exclusivity of the inner maps and would require
> > > significant changes in the verifier.
> >
> > I was back and forth on it early, but after sleeping on it
> > I think we should think of exclusive maps as a generic concept and
> > not tied to trusted loader and prog signatures.
> > So any map type should be allowed to be exclusive and this patch
> > can handle it fine without adding more complexity.
> > In map-in-map case the outer map can be created exclusive
> > to a particular program, but inner maps don't have to be exclusive,
> > and it's fine. The lskel loader won't be using map-in-map anyway,
> > so no issues there.
>
> So the idea here is that if an outer map has exclusive access, only it
> can add inner maps. I think this is a valid combination as it would
> still retain exclusivity over the outer map's elements.

I don't follow. What do you mean by "map can add inner maps"?
The exclusivity is a contract between prog<->map.
It doesn't matter whether the map is outer or inner.
The prog cannot add an inner map. Only the user space can,
and such inner maps are detached from anything.

Technically we can come up with a requirement that inner maps
have to have the same prog sha as the outer map.
This can be enforced by bpf_map_meta_equal() logic.
But that feels like overkill.
The user space can query the prog's sha, create an inner map with
such prog sha and add it to the outer map. So the additional check
in bpf_map_meta_equal() would be easy to bypass.
Given that, I would not add such an artificial obstacle.
Let all types of maps have this exclusive feature.
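
The argument in the reply above, modelled in user-space C as an added example; it is not code from the patch or from the kernel. Every `toy_*` name, the struct fields and the 32-byte hash length are assumptions made for illustration.

```c
/* Toy user-space model, NOT kernel code: all toy_* names and fields are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define TOY_SHA_LEN 32  /* assumed hash length */

struct toy_prog { uint8_t sha[TOY_SHA_LEN]; };

struct toy_map {
    bool exclusive;                /* map is bound to one program hash */
    uint8_t excl_sha[TOY_SHA_LEN]; /* hash of the program allowed to use it */
};

/* The prog<->map contract: an exclusive map is usable only by the matching prog. */
static bool toy_prog_may_use(const struct toy_prog *p, const struct toy_map *m)
{
    return !m->exclusive || memcmp(p->sha, m->excl_sha, TOY_SHA_LEN) == 0;
}

/* The extra requirement floated in the thread: inner must carry the outer's sha. */
static bool toy_meta_equal_strict(const struct toy_map *outer,
                                  const struct toy_map *inner)
{
    if (!outer->exclusive)
        return true;
    return inner->exclusive &&
           memcmp(outer->excl_sha, inner->excl_sha, TOY_SHA_LEN) == 0;
}

/* User space creates inner maps; the prog's sha is queryable, so it can copy it. */
static struct toy_map toy_user_create_inner(const struct toy_prog *queried)
{
    struct toy_map inner = { .exclusive = true };
    memcpy(inner.excl_sha, queried->sha, TOY_SHA_LEN);
    return inner;
}

/* Returns 1 when the strict check rejects a plain inner map yet accepts one
 * that user space built from the queried sha, so the check gates nothing. */
static int toy_strict_check_is_satisfiable(void)
{
    struct toy_prog prog;
    memset(prog.sha, 0xAB, TOY_SHA_LEN); /* constructed hash value */
    struct toy_map outer = toy_user_create_inner(&prog);
    struct toy_map plain = { .exclusive = false };
    struct toy_map copied = toy_user_create_inner(&prog);
    return toy_prog_may_use(&prog, &outer) &&
           !toy_meta_equal_strict(&outer, &plain) &&
           toy_meta_equal_strict(&outer, &copied);
}

int main(void) { return toy_strict_check_is_satisfiable() ? 0 : 1; }
```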