Re: [PATCH 1/3] bpf: Add BPF_F_VERIFY_ELEM to require signature verification on map values

From: Alexei Starovoitov
Date: Sat Jun 04 2022 - 05:32:40 EST


On Fri, Jun 3, 2022 at 5:44 PM Roberto Sassu <roberto.sassu@xxxxxxxxxx> wrote:
> >
> > Your bpf_map_verify_value_sig hard codes the type of signature
> > (bpf_map_verify_value_sig as verify_pkcs7_signature)
> > its implementation. This is not extensible.
>
> It is hardcoded now, but it wouldn't if there are more verification
> functions. For example, if 'id_type' of module_signature is set
> to PKEY_ID_PGP, bpf_map_verify_value_sig() would call
> verify_pgp_signature() (assuming that support for PGP keys and
> signatures is added to the kernel).

I agree with KP. All hard coded things are hurting extensibility.
we just need a helper that calls verify_pkcs7_signature
where prog will specify len, keyring, etc.