On Fri, Jun 17, 2022 at 2:11 AM Roberto Sassu roberto.sassu@huawei.com wrote:
From: Alexei Starovoitov alexei.starovoitov@gmail.com Sent: Friday, June 17, 2022 5:46 AM
Adding in CC the keyring mailing list and David.
Short summary: we are adding an eBPF helper, to let eBPF programs verify PKCS#7 signatures. The helper simply calls verify_pkcs7_signature().
The problem is how to pass the key for verification.
For hardcoded keyring IDs, it is easy, pass 0, 1 or 2 for respectively the built-in, secondary and platform keyring.
If you want to pass another keyring, you need to do a lookup, which returns a key with reference count increased.
While in the kernel you can call key_put() to decrease the reference count, that is not guaranteed with an eBPF program, if the developer forgets about it. What is probably necessary is to add the capability to the verifier to check whether the reference count is decreased, or to add a callback mechanism to call key_put() automatically when the eBPF program is terminated.
Nothing special here. See acquire/release logic in the verifier and relevant helpers. Like bpf_sk_lookup_tcp and others.
Is there an alternative solution?
Thanks
Roberto
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 Managing Director: Li Peng, Yang Xi, Li He
Please remove this footer from your emails.
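The acquire/release logic Alexei refers to is the verifier's reference tracking: a helper that returns a referenced object (a looked-up socket, or here a key) is flagged as acquiring a reference, a helper that hands it back (key_put-style) is flagged as releasing it, and the verifier rejects any program that can exit with a reference still live or that releases something it never acquired. The following is an added, hypothetical user-space model of that check written for this thread; it is not kernel code, and the names (`verify_refs`, `OP_ACQUIRE`, `OP_RELEASE`, `struct vstate`) are assumptions made for the illustration, not the verifier's own identifiers.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of the BPF verifier's reference tracking
 * (illustration only, not the kernel's implementation). Each ACQUIRE stands
 * for a helper returning a referenced object into a register; each RELEASE
 * stands for a key_put-style helper consuming that register. */

enum op_kind { OP_ACQUIRE, OP_RELEASE, OP_EXIT };

struct insn {
    enum op_kind kind;
    int reg;   /* register receiving (ACQUIRE) or giving back (RELEASE) the reference */
};

#define MAX_REGS 11   /* r0..r10, as in BPF */
#define MAX_REFS 8    /* references that may be live at once in this model */

struct vstate {
    int reg_ref_id[MAX_REGS];  /* 0: no reference in this reg, else its ref id */
    int live_refs[MAX_REFS];   /* ref ids acquired and not yet released */
    int nr_live;
    int next_id;
};

static int do_acquire(struct vstate *st, int reg, char *err, size_t len) {
    if (st->nr_live == MAX_REFS) {
        snprintf(err, len, "too many outstanding references");
        return -1;
    }
    int id = ++st->next_id;                 /* fresh id, never reused */
    st->live_refs[st->nr_live++] = id;
    st->reg_ref_id[reg] = id;
    return 0;
}

static int do_release(struct vstate *st, int reg, char *err, size_t len) {
    int id = st->reg_ref_id[reg];
    if (id == 0) {
        snprintf(err, len, "r%d does not hold a reference", reg);
        return -1;                          /* release of unknown or already-released ref */
    }
    for (int i = 0; i < st->nr_live; i++) {
        if (st->live_refs[i] == id) {       /* drop id from the live list */
            st->live_refs[i] = st->live_refs[--st->nr_live];
            break;
        }
    }
    for (int r = 0; r < MAX_REGS; r++)      /* every alias of the object loses the ref */
        if (st->reg_ref_id[r] == id)
            st->reg_ref_id[r] = 0;
    return 0;
}

/* Returns 0 if the program balances its references, -1 with a message otherwise. */
int verify_refs(const struct insn *prog, int n, char *err, size_t len) {
    struct vstate st;
    memset(&st, 0, sizeof st);
    err[0] = '\0';
    for (int i = 0; i < n; i++) {
        const struct insn *in = &prog[i];
        if (in->reg < 0 || in->reg >= MAX_REGS) {
            snprintf(err, len, "insn %d: bad register r%d", i, in->reg);
            return -1;
        }
        switch (in->kind) {
        case OP_ACQUIRE:
            if (do_acquire(&st, in->reg, err, len)) return -1;
            break;
        case OP_RELEASE:
            if (do_release(&st, in->reg, err, len)) return -1;
            break;
        case OP_EXIT:
            if (st.nr_live) {               /* the case Roberto worries about: forgotten key_put() */
                snprintf(err, len, "insn %d: unreleased reference id=%d at exit", i, st.live_refs[0]);
                return -1;
            }
            return 0;
        }
    }
    snprintf(err, len, "program has no exit");
    return -1;
}

int main(void) {
    char err[128];
    struct insn good[] = { {OP_ACQUIRE, 0}, {OP_RELEASE, 0}, {OP_EXIT, 0} };
    struct insn leak[] = { {OP_ACQUIRE, 0}, {OP_EXIT, 0} };
    printf("balanced program: %d\n", verify_refs(good, 3, err, sizeof err));
    printf("leaking program: %d (%s)\n", verify_refs(leak, 2, err, sizeof err), err);
    return 0;
}
```

The model is linear (no branches), whereas the real verifier carries the set of live references through every explored path, so a reference that is released on one branch but not another is also rejected. The point it shows is the one that answers the thread: with acquire/release annotations on the helpers, a forgotten key_put() is a load-time rejection, not a runtime leak.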