How do we do signing?

[dahavey]

The overall approach to signing should be the same on Linux as it is for Windows so that the tooling to do signing works in the same manner. For example if you have two object files, one for Windows and one for Linux you should be able to use the same command and tooling. Here is an article describing this approach:
https://lwn.net/Articles/532778/

[Alan-Jowett]

LWN Module Signing articles has several articles that talk about signing kernel modules that could be relevant.

[Alan-Jowett]

I think a signed message digest is not enough. I think it makes more sense to have the signing authority produce a bundle of claims that would include the message digest as well as metadata about the signer such as what verification was performed and by what version of the verifier.

This would permit the relying party to better reason about whether or not to trust the accompanying eBPF byte code.

Proposal:
Use JSON Web Tokens to transmit claims about an eBPF program.

Possible claims might be:

1. Message digest of eBPF byte code + maps + relocation data.
2. Type information of the hook it expects to attach to.
3. Type information of the helper functions being called.
4. What verification has been performed on the eBPF program.

The execution context can then examine the claims and verify that the environment in which the program will run matches the provided claims.