Attendees & Representation
LF Staff: LJ Illuzzi
Agenda
Minutes/Updates
Cross-platform signing proposal:
Details:
Matteo Croce from Microsoft joined today’s TSC call (excellent notes here, thanks to Daniel’s speedy fingers) to introduce and discuss his BPF patch to support cross-platform signing. Unfortunately, several key people were unable to make it to today’s call (that’s the holidays for you), so Matteo was able to introduce his patch but we weren’t able to get into a deep conversation about it.
A summary of today’s discussion: Matteo’s patch is cross-platform and will allow signed BPF programs to be distributed remotely. Soon after Matteo’s patch, Alexei (maintainer of BPF) sent over a separate patch for signing BPF programs. It relies on an approve-list(*) as well as on Linux’s fs-verity (meaning it’s not cross-platform).
The full discussion is in the recording of today’s call. Please give it a listen.
We had planned to make an in-depth discussion of this the topic of the next TSC call, but it seems Matteo’s patch is time-sensitive. Since the next call is January 5th, we’ll need people to have a look at the patch and the conversation in response to it, and then come up with an opinion based upon L3AF and its needs. That opinion should be expressed in the conversation on the patch.
*** Minutes from 12/15/2021 ***
PEN request
- Raga: Schedule call after this meeting
- Dave: What layer of the org is the PEN assigned to?
- L3AFD project, LF, L3AFP?
- Louis: Just put it under LFN. Ramifications?
- Dave: Next PEN would probably have a sub-delegation under the original PEN
- This is how MSFT does this so that there is a single management point.
- Louis: Difference between L3AFd and L3AFP?
- Dave: Github organization with different GitHub repos under it.
- Louis: PEN that covers L3AF as a project and all current and future repos?
- Dave: Common use of PENs is for OID and PEN is inserted into the OID with arbitrary number of layers underneath.
- OIDs are used in X.509 certificates, etc.
- Louis: How are we going to use the PEN for L3AF? Want a PEN that covers all of L3AF, but not all of LF or LFN.
- Raga: As part of flow exporter we will add custom field support identified with PEN number.
- Dave: Inventing a new slot that fields are going to go in, can it be just an array of fields of integers?
- Raga: Will dig more and find out?
- Dave: It matters to how we will fill out the application.
- Raga: This is a requirement for the flow_exporter. We will not need another PEN number for L3AF.
- Louis: Will reconsult with legal and set up call with Raga. Review by email with rest of L3AF team (if this is doable).
- Dave: It's just a simple web form and cannot be pending
- Dave: Do we use LF, L3AFP or L3AFd for the name?
- Louis: Will discuss with legal.
- Dev testing forum
- Set date and time for MSFT presentation
- Cross platform signing
- Matteo: No way to do cross platform signing with eBPF programs
- Implementation that allows loading eBPF programs to kernel that takes care of relocation
- Created patch that does this. Creates eBPF prog and adds sig to it.
- Dave: talked about 3 pieces in kernel function marketplace
- Orchestrator pulls stuff from marketplace
- Can you put signed programs in the marketplace
- We are discussing an option that allows remote distribution and is compatible with L3AF.
- The other approach does not play well with the L3AF vision that we have discussed.
- Vicky: Do we have representation as the L3AF at the kernel level where these decisions will be made?
- Dave: Need Karan, Chris, etc. If we had a collective decision it would carry more weight.
- This could be a call to create new contacts.
- Dave: This discussion is happening on the Linux kernel list
- MSFT would like cross-platform
- Move to the eBPF foundation (which is cross-platform)?
- Dave: Next BPF steering committee meeting would like L3AF to present.
- Dave: BSC does not officially have an answer if the meeting is open.
- Still have time to ask. Should be a yes answer (at least for this meeting)
- Matteo: Proposed to BPF ML & then another solution appeared from the BPF maintainer
- Very different solution: create an approve-list of programs that can load BPF programs
- Only allow programs loaded from progs on this approve-list
- Suspects this solution won't be cross-platform: verification requires Linux fs-verity method
- Also allows L3AFd to install anything it wants if L3AFd is in the allow list. Could be a security flaw
- Matteo's approach allows individual signing and allows individual verification, reputation, etc.
- Raga: Where is the signature exactly? Do you still have the verification step on signed programs? Use case please.
- Matteo: XDP. Some BPF programs take actions on packets. These can be loaded and attached to network drivers.
- Malicious programs can mangle packet traffic (very dangerous). Must make sure that program is safe.
- Dave: Big value add: signing instead of verification step.
- Verification step can be CPU intensive. Signature check is cheap.
- Verification and signing together does not give this benefit. This is what the patch does.
- Raga: Does this work for UM progs also? Yes.
- Dave: Other approach with white list? How is this different from cap BPF?
- Matteo: Whitelist enforces Cap BPF.
- Dave: L3AFd pushes out both kernel function as well as a program that can use the kernel function.
- Matteo: Whitelist is a list of programs that can be loaded
- Matteo: Sig verification is before verification check.
- Dave: Also reduces DOS style attacks.
- If sig check fails then verification does not run and waste cycles.
- Santhosh: Verifier runs only once at load time.
- Dave: Yes, but you can spin the loader.
- Dave: That is the intro.
- If we can get several orgs to support this then we can approach the BSC.
- Vicky: Once the video for the call is available we can take this to the mailing list.
- Louis: Cancelling next week's call on the 22nd?
- Dave: Nope, on vacation.
- Vicky: Probably most people have made plans so Jan 5th would be better.
- Matteo: PR is urgent for MSFT because we want a signature system.
- It's too dangerous to load untrusted BPF programs
- Dave: Please post opinions on Linux Kernel mailing list sooner rather than later.
- Dave: Include signing into the BSC meeting on Jan 12th at 1PM PST.
- Louis: Please register for Dev and Test Forum
Action Items
- Schedule Dev & Testing Forum L3AF session (LJ/Daniel/Poorna)
- Schedule call with Raga to fill out the PEN application. (LJ/Raga)
- Ask BSC if the meeting can be open to the public (Dave)
- Vicky: Will post to mailing list so that people can discuss signing on list after watching video.
Future Agenda Items
***** Minutes from previous call *****