Re: [PATCH 1/3] bpf: Add BPF_F_VERIFY_ELEM to require signature verification on map values

From: Alexei Starovoitov
Date: Sat Jun 04 2022 - 05:32:40 EST

Next message: syzbot: "[syzbot] INFO: task hung in hwrng_register (2)"
Previous message: kernel test robot: "[linux-stable-rc:linux-5.10.y 499/6004] arch/powerpc/kernel/smp.c:1380:14: error: variable 'ret' set but not used"
In reply to: Roberto Sassu: "RE: [PATCH 1/3] bpf: Add BPF_F_VERIFY_ELEM to require signature verification on map values"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Jun 3, 2022 at 5:44 PM Roberto Sassu <roberto.sassu@xxxxxxxxxx> wrote:
> >
> > Your bpf_map_verify_value_sig hard codes the type of signature
> > (bpf_map_verify_value_sig as verify_pkcs7_signature)
> > its implementation. This is not extensible.
>
> It is hardcoded now, but it wouldn't if there are more verification
> functions. For example, if 'id_type' of module_signature is set
> to PKEY_ID_PGP, bpf_map_verify_value_sig() would call
> verify_pgp_signature() (assuming that support for PGP keys and
> signatures is added to the kernel).

I agree with KP. All hard coded things are hurting extensibility.
we just need a helper that calls verify_pkcs7_signature
where prog will specify len, keyring, etc.

Next message: syzbot: "[syzbot] INFO: task hung in hwrng_register (2)"
Previous message: kernel test robot: "[linux-stable-rc:linux-5.10.y 499/6004] arch/powerpc/kernel/smp.c:1380:14: error: variable 'ret' set but not used"
In reply to: Roberto Sassu: "RE: [PATCH 1/3] bpf: Add BPF_F_VERIFY_ELEM to require signature verification on map values"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]