by staticassertion 1450 days ago
Anyone know what the status is for enforcing signed eBPF programs?

Why? eBPF is usually compiled at runtime (so there’s no binary to sign) and running it inside your kernel requires root.

Running eBPF programs doesn't necessarily require compilation at runtime nor root privileges. Look into bpftool's skeleton generation as well as CAP_BPF.

With that being said, because eBPF programs can be compiled at runtime, it makes signing eBPF programs trickier. The kernel team doesn't want efforts such as bpftrace to be stifled.

It seems like the conversation on signing eBPF programs is still ongoing with an eye at looking at fsverity to help with the use cases here.

Hmm I see. I’m still not sure what’s the use case and threat model.

Is this all for Secure Boot just like signed kernel modules?

The threat model is that I want to deploy eBPF programs to my base AMIs and let devs load them as-needed without root, basically.

Does loading the eBPF programs and then letting devs attach them later work for your use case?

I wrote about the possibility of this with fd passing in a recent blog post: https://mdaverde.com/posts/cap-bpf/

I'm also working on an agent that allows for this at https://bpfdeploy.io/
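
An added example, not part of the thread or any commenter's code: a small audit helper that decodes the capability masks in `/proc/<pid>/status` to show which processes could use the `bpf()` syscall without being root, which is the CAP_BPF point raised above. The three status excerpts are constructed samples, and the function names are hypothetical.

```python
"""Decode BPF-relevant capabilities from /proc/<pid>/status text."""

# Bit numbers from linux/capability.h. CAP_BPF and CAP_PERFMON exist since
# Linux 5.8; CAP_SYS_ADMIN still implies both.
BPF_RELEVANT_CAPS = {"CAP_NET_ADMIN": 12, "CAP_SYS_ADMIN": 21,
                     "CAP_PERFMON": 38, "CAP_BPF": 39}

# Constructed samples (only the fields this helper reads).
ROOT_SAMPLE = "Name:\tinit\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
LOADER_SAMPLE = "Name:\tloader\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t000000c000000000\n"
DEV_SAMPLE = "Name:\tbash\nUid:\t1001\t1001\t1001\t1001\nCapEff:\t0000000000000000\n"


def parse_status(status_text):
    """Return the status file as a {field: value} dict of raw strings."""
    fields = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def bpf_caps(status_text, cap_set="CapEff"):
    """Sorted names of BPF-relevant capabilities present in the given set."""
    fields = parse_status(status_text)
    if cap_set not in fields:
        raise ValueError(f"{cap_set} not found in status text")
    mask = int(fields[cap_set], 16)
    return sorted(n for n, bit in BPF_RELEVANT_CAPS.items() if (mask >> bit) & 1)


def holds_bpf_cap_as_non_root(status_text):
    """True when effective UID is non-zero but CAP_BPF or CAP_SYS_ADMIN is
    effective. Some program types also need CAP_PERFMON or CAP_NET_ADMIN."""
    euid = int(parse_status(status_text)["Uid"].split()[1])  # real, effective, ...
    caps = bpf_caps(status_text)
    return euid != 0 and ("CAP_BPF" in caps or "CAP_SYS_ADMIN" in caps)


if __name__ == "__main__":
    with open("/proc/self/status") as fh:  # inspect the current process
        text = fh.read()
    print(bpf_caps(text), holds_bpf_cap_as_non_root(text))
```
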