On Fri, May 2, 2025 at 5:00 PM KP Singh <kpsingh@xxxxxxxxxx> wrote:
>
> > This patch series introduces the Hornet LSM. The goal of Hornet is to provide
> > a signature verification mechanism for eBPF programs.
> >
> > [...]
> >
> > References:
> > [1] https://lore.kernel.org/bpf/20220209054315.73833-1-alexei.starovoitov@xxxxxxxxx/
> > [2] https://lore.kernel.org/bpf/CAADnVQ+wPK1KKZhCgb-Nnf0Xfjk8M1UpX5fnXC=cBzdEYbv_kg@xxxxxxxxxxxxxx/
> >
> > Change list:
> > - v2 -> v3
> >   - Remove any and all usage of proprietary bpf APIs
>
> BPF APIs are not proprietary, but you cannot implement BPF program signing
> for BPF users without aligning with the BPF maintainers and the community.
> Signed programs are a UAPI and a key part of how developers experience BPF
> and this is not how we would like signing to be experienced by BPF users.
>
> Some more feedback (which should be pretty obvious) but explicitly:
>
> * Hacks like if (current->pid == 1) return 0; also break your threat model
>   about root being untrusted.

Speaking with Blaise off-list when that change was discussed, I believe the
intent behind that Kconfig option was simply for development/transition
purposes, and not for any long term usage. My understanding is that this is
why it was a separate build time configuration and not something that could
be toggled at runtime, e.g. sysctl or similar.

> * You also did not take the feedback into account:
>
>   new = map->ops->map_lookup_elem(map, &key);
>
>   This is not okay without having the BPF maintainers aligned, the same way as
>
>   https://patchwork.kernel.org/project/netdevbpf/patch/20240629084331.3807368-4-kpsingh@xxxxxxxxxx/#25928981
>
>   was not okay. Let's not have double standards.