Why is that so complicated?

Posted Oct 28, 2025 8:37 UTC (Tue) by taladar (subscriber, #68407)
In reply to: Why is that so complicated? by muase
Parent article: BPF signing LSM hook change rejected

I would assume that the per version and relocation code is implemented in user space only at this point and they do not want that complexity in kernel.

But yes, that was my first thought too, your approach seems much simpler as far as signature verification is concerned.

Why is that so complicated?

Posted Oct 28, 2025 11:55 UTC (Tue) by daroc (editor, #160859) [Link]

Yes, that's more or less correct. Depending on exactly what your criteria for "in the kernel" are, it could be argued that the loader programs are what you're proposing — they do the relocations "in the kernel" using BPF.

But there has also been some work toward doing relocations in the kernel without using BPF; this is still an evolving area, and I would not be terribly surprised to see more related patch sets (and arguments) in the future.