> > This ensures that the loaded loader program (I_loader), including the
> > embedded expected hash of the metadata (H_meta), is trusted.
> > Since the loader program is now trusted, it can be entrusted to verify
> > the actual metadata (M_metadata) read from the (now exclusive and
> > frozen) map against the embedded (and trusted) H_meta. There is no
> > Time-of-Check-Time-of-Use (TOCTOU) vulnerability here because:
> >
> > * The signature covers the I_loader and its embedded H_meta.
> > * The metadata map M_metadata is frozen before the loader program is loaded
> >   and associated with it.
> > * The map is made exclusive to the specific (signed and verified)
> >   loader program.
> >
> > [1] https://lore.kernel.org/bpf/CACYkzJ6VQUExfyt0=-FmXz46GHJh3d=FXh5j4KfexcEFbHV-vg@xxxxxxxxxxxxxx/#t
>
> Can we expect to see a v2 of this patchset sometime soon? We are
> planning on submitting follow-up patchsets that build on this effort.

I have been on PTO due to personal stuff, will try to send this in the coming week or two.

- KP
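The trust chain argued in the quoted reply (signature over I_loader with embedded H_meta, map frozen and made exclusive, then the loader checking sha256(M_metadata) against H_meta), modelled end to end as an added example. This is not code from the patchset or the kernel: it uses SHA-256 for H_meta, an HMAC-SHA256 tag as a stand-in for the asymmetric signature the kernel would verify, and a small MetadataMap class standing in for a frozen, exclusive BPF map. The sample loader body, metadata and key are constructed. The point it makes concrete is that each of the three attacker moves (swap map contents, edit the embedded H_meta, or write to the map after the check) is rejected by a different link in the chain, and that the map cannot change between the hash check and the loader's use of it.

```python
"""Model of the signed-loader trust chain from the thread (added example,
not patchset code). SHA-256 for H_meta; HMAC-SHA256 is an assumed stand-in
for the real asymmetric signature; MetadataMap models freeze/exclusive."""
import hashlib
import hmac

DIGEST_LEN = 32

# Constructed sample inputs; none of these are real BPF objects.
SIGNING_KEY = b"example-signing-key"  # assumption: stand-in for the signer's key
LOADER_BODY = b"BPF loader instructions (stand-in)"
METADATA = b"BPF program instructions + map layout (stand-in)"


def h_meta(metadata: bytes) -> bytes:
    """H_meta: hash of the metadata the loader expects to find in its map."""
    return hashlib.sha256(metadata).digest()


def build_loader(loader_body: bytes, metadata: bytes) -> bytes:
    """I_loader: loader instructions with the expected H_meta embedded at the end."""
    return loader_body + h_meta(metadata)


def sign(i_loader: bytes, key: bytes) -> bytes:
    """Signer side (stand-in): the tag covers all of I_loader, H_meta included."""
    return hmac.new(key, i_loader, hashlib.sha256).digest()


def verify_signature(i_loader: bytes, sig: bytes, key: bytes) -> bool:
    return hmac.compare_digest(sign(i_loader, key), sig)


class MetadataMap:
    """Minimal model of a map that can be frozen and bound to one loader."""

    def __init__(self, contents: bytes):
        self.contents = contents
        self.frozen = False
        self.owner = None  # loader id the map is exclusive to, once bound

    def write(self, contents: bytes) -> None:
        if self.frozen:
            raise PermissionError("map is frozen")
        self.contents = contents

    def freeze(self) -> None:
        self.frozen = True

    def bind_exclusive(self, loader_id: bytes) -> None:
        if not self.frozen:
            raise PermissionError("map must be frozen before binding")
        if self.owner is not None and self.owner != loader_id:
            raise PermissionError("map already exclusive to another loader")
        self.owner = loader_id


def load_signed(i_loader: bytes, sig: bytes, key: bytes, fmap: MetadataMap):
    """Check order the thread argues closes the TOCTOU window. Returns (ok, reason)."""
    # 1. Signature covers I_loader, including the embedded H_meta.
    if not verify_signature(i_loader, sig, key):
        return False, "signature mismatch"
    loader_id = hashlib.sha256(i_loader).digest()
    # 2. Map must already be frozen and exclusive to this loader, so its
    #    contents cannot change between the check below and the loader's use.
    if not fmap.frozen or fmap.owner != loader_id:
        return False, "map not frozen/exclusive to this loader"
    # 3. The now-trusted loader compares map contents with the embedded H_meta.
    expected = i_loader[-DIGEST_LEN:]
    if not hmac.compare_digest(h_meta(fmap.contents), expected):
        return False, "metadata hash mismatch"
    return True, "ok"


def scenario(metadata_in_map: bytes, tamper_loader: bool = False):
    """Drive the chain end to end with the constructed inputs; returns the verdict."""
    i_loader = build_loader(LOADER_BODY, METADATA)
    sig = sign(i_loader, SIGNING_KEY)
    if tamper_loader:
        # Attacker rewrites the embedded H_meta to match their own metadata.
        i_loader = LOADER_BODY + h_meta(metadata_in_map)
    fmap = MetadataMap(metadata_in_map)
    fmap.freeze()
    fmap.bind_exclusive(hashlib.sha256(i_loader).digest())
    return load_signed(i_loader, sig, SIGNING_KEY, fmap)


if __name__ == "__main__":
    print(scenario(METADATA))                          # (True, 'ok')
    print(scenario(b"attacker metadata"))              # hash mismatch
    print(scenario(b"attacker metadata", True))        # signature mismatch
```

In the real design the map is frozen and bound before the loader is loaded; here `scenario()` does the same ordering so the only remaining window, a write after the hash check, is closed by `MetadataMap.write()` refusing frozen maps.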