lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <8734cimbli.fsf@microsoft.com>
Date: Mon, 02 Jun 2025 08:01:29 -0700
From: Blaise Boscaccy <bboscaccy@...ux.microsoft.com>
To: KP Singh <kpsingh@...nel.org>
Cc: Paul Moore <paul@...l-moore.com>, jarkko@...nel.org,
 zeffron@...tgames.com, xiyou.wangcong@...il.com, kysrinivasan@...il.com,
 code@...icks.com, linux-security-module@...r.kernel.org,
 roberto.sassu@...wei.com, James.Bottomley@...senpartnership.com, Alexei
 Starovoitov <ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>, John
 Fastabend <john.fastabend@...il.com>, Andrii Nakryiko <andrii@...nel.org>,
 Martin KaFai Lau <martin.lau@...ux.dev>, Eduard Zingerman
 <eddyz87@...il.com>, Song Liu <song@...nel.org>, Yonghong Song
 <yonghong.song@...ux.dev>, Stanislav Fomichev <sdf@...ichev.me>, Hao Luo
 <haoluo@...gle.com>, Jiri Olsa <jolsa@...nel.org>, David Howells
 <dhowells@...hat.com>, Lukas Wunner <lukas@...ner.de>, Ignat Korchagin
 <ignat@...udflare.com>, Quentin Monnet <qmo@...nel.org>, Jason Xing
 <kerneljasonxing@...il.com>, Willem de Bruijn <willemb@...gle.com>, Anton
 Protopopov <aspsk@...valent.com>, Jordan Rome <linux@...danrome.com>,
 Martin Kelly <martin.kelly@...wdstrike.com>, Alan Maguire
 <alan.maguire@...cle.com>, Matteo Croce <teknoraver@...a.com>,
 bpf@...r.kernel.org, linux-kernel@...r.kernel.org,
 keyrings@...r.kernel.org, linux-crypto@...r.kernel.org, kys@...rosoft.com
Subject: Re: [PATCH 0/3] BPF signature verification

KP Singh <kpsingh@...nel.org> writes:

>> And I'm saying that they are, based on wanting visibility in the LSM
>> layer, passing that along to the end user, and wanting to be able to
>> show correctness, along with mitigating an entire vector of supply chain
>> attacks targeting gen.c.
>
> What supply chain attack?I asked this earlier, you never replied, what
> does a supply chain attack here really look like?
>
>
I responded to that here:
https://lore.kernel.org/linux-security-module/87iklhn6ed.fsf@microsoft.com/

Warmest Regards,
Blaise

> - KP
>
>>
>> So in summary, your objection to this is that you feel it's simply "not
>> needed", and those above risks/design problems aren't actually an issue?
>>
>> > Let's have this discussion in the patch series, much easier to discuss
>> > with the code.
>>
>> I think we've all been waiting for that. Yes, lets.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ