On Tue, Apr 15, 2025 at 8:45 AM Blaise Boscaccy bboscaccy@linux.microsoft.com wrote:
> The eBPF dev community has spent what, 4-5 years on this, with little to no progress. I have little faith that this is going to progress on your end in a timely manner or at all, and frankly we (and others) needed this yesterday.

History repeats itself. 1. the problem is hard. 2. you're only interested in addressing your own use case. There is no end-to-end design here and no attempt to think it through how it will work for others.

> Hornet has zero impact on the bpf subsystem, yet you seem viscerally opposed to us doing this.

Hacking into bpf internal objects like maps is not acceptable.

> Why are you trying to stop us from securing our cloud?

Keep your lsm hack out-of-tree, please.

> Since this will require an LSM no matter what, there is zero reason for us not to proceed with Hornet. If or when you actually figure out how to sign an lskel and upstream updated LSM hooks, I can always rework Hornet to use that instead.

You can do whatever you want out-of-tree including re-exporting kern_sys_bpf.

> code signing last week. All we are trying to do is make our cloud ever-so-slightly more secure and share the results with the community.

You're pushing for a custom microsoft specific hack while ignoring community feedback.

> The attack vectors I'm looking at are things like CVE-2021-33200.

4-year-old bug? If your kernels are so old you have lots of other vulnerabilities.