by mdaverde 1452 days ago
Running eBPF programs doesn't necessarily require compilation at runtime nor root privileges. Look into bpftool's skeleton generation as well as CAP_BPF.

With that being said, because eBPF programs can be compiled at runtime, it makes signing eBPF programs trickier. The kernel team doesn't want efforts such as bpftrace to be stifled.

It seems like the conversation on signing eBPF programs is still ongoing, with an eye toward looking at fsverity to help with the use cases here.


Hmm I see. I’m still not sure what’s the use case and threat model.

Is this all for Secure Boot just like signed kernel modules?

The threat model is that I want to deploy eBPF programs to my base AMIs and let devs load them as-needed without root, basically.

Does loading the eBPF programs and then letting devs attach them later work for your use case?

I wrote about the possibility of this with fd passing in a recent blog post: https://mdaverde.com/posts/cap-bpf/

I'm also working on an agent that allows for this at https://bpfdeploy.io/