At the recent Linux Storage, Filesystems, MM and BPF Summit, KP Singh of Google, who is also a member of the eBPF Steering Committee, delivered a session titled “Next Steps for BPF LSM” (video follows below). The talk shed light on the current state and future direction of BPF LSM (Linux Security Module), discussing various technical updates, challenges, and new developments. Here’s a summary of the key points from the session.
1. Introduction and Industry Updates
Singh began by acknowledging the collaborative effort that goes into enhancing BPF LSM. He mentioned the appointment of a new maintainer for BPF LSM at Google, emphasizing the importance of having dedicated maintainers to manage and guide the development process. Singh also highlighted several security projects utilizing BPF for policy enforcement and monitoring, such as Tetragon and Cilium.
2. Security and Performance Challenges
A significant portion of the talk focused on the challenges of using BPF LSM in security contexts. Singh pointed out that although BPF LSM offers flexibility and more helper access, it still faces performance overhead issues. BPF LSM is also not enabled by default in many distributions, which creates compatibility problems with older kernels and LTS versions. He discussed the ongoing efforts to address these challenges, including improving backward compatibility and reducing overhead.
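One way to check the enablement point above on a given host, as an added example that is not from the talk or from the BPF LSM project: the function below classifies a system from the active LSM list in `/sys/kernel/security/lsm` and the `CONFIG_BPF_LSM` kernel option. The state names and the `--host` switch are this example's own, and the sample input is constructed.

```bash
#!/usr/bin/env bash
# Added example: report whether BPF LSM can be used on a host.
# State names ("active", "built-not-enabled", ...) are this example's own labels.

# $1: contents of /sys/kernel/security/lsm (comma-separated active LSMs)
# $2: kernel build config text, may be empty if unavailable
bpf_lsm_state() {
    local active="$1" config="$2"

    # Match "bpf" as a whole list element, not as a substring of another name.
    case ",${active}," in
        *,bpf,*) echo "active"; return 0 ;;
    esac

    if [ -z "$config" ]; then
        echo "unknown"            # not active, and no config to say why
    elif printf '%s\n' "$config" | grep -qx 'CONFIG_BPF_LSM=y'; then
        # Compiled in but left out of the LSM list: add "bpf" to the
        # lsm= boot parameter (or CONFIG_LSM) and reboot.
        echo "built-not-enabled"
    else
        echo "not-built"          # kernel must be rebuilt or replaced
    fi
}

if [ "${1:-}" = "--host" ]; then
    # Inspect the local machine; the config path is the common distro location.
    active=$(cat /sys/kernel/security/lsm 2>/dev/null || true)
    config=$(cat "/boot/config-$(uname -r)" 2>/dev/null || true)
    echo "BPF LSM: $(bpf_lsm_state "$active" "$config")"
else
    # Constructed sample: BPF LSM compiled in but absent from the active list.
    bpf_lsm_state "lockdown,capability,yama,apparmor" "CONFIG_BPF_LSM=y"
fi
```

A `built-not-enabled` result is the case the talk describes: the kernel supports BPF LSM, but an LSM program will not be enforced until `bpf` is added to the active list.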
3. Trusted BPF and Signed Programs
Singh delved into the concept of trusted BPF programs, which are crucial for maintaining security in systems using BPF LSM. He proposed rebranding “signed BPF” to “trusted BPF,” as signatures essentially establish trust in the BPF execution chain. Trusted BPF ensures that programs are not malicious and adhere to security principles like least privilege. Singh described the process of signing BPF programs and loaders with private keys, which the kernel then verifies to allow BPF operations.
4. Technical Enhancements and Prototypes
The session included updates on specific technical enhancements. For instance, Singh discussed the BPF token work, which allows the creation of tokens that can pass around privileges securely within an application’s lifecycle. He also mentioned ongoing work on non-zero offset pointers to trusted arguments in LSM programs, which aims to improve how nested structures are trusted and verified.
5. Future Directions and Collaboration
Looking ahead, Singh outlined three main areas of focus:
- Trusted BPF: Ensuring that the concept of trusted BPF is clearly understood and effectively implemented.
- Static Calls: Improving the implementation of static calls in BPF to enhance performance and correctness.
- Kernel Functions Access: Expanding access to kernel functions from other subsystems to create more powerful and flexible LSMs.
Singh emphasized the need for continued collaboration with other kernel maintainers, particularly in the VFS (Virtual File System) area, to make necessary helpers available for file system operations. This collaboration is key to detecting and preventing malicious activities more effectively.