Why is that so complicated?
Posted Oct 29, 2025 12:33 UTC (Wed) by hailfinger (subscriber, #76962)
In reply to: Why is that so complicated? by aszs
Parent article: BPF signing LSM hook change rejected
Oooh, I see potential for regulation here, e.g. by cybersecurity insurance.
"You may only run or load code which is part of the SBOM. The SBOM must be complete and signed off in advance." Admins may be obliged to desist from any ad-hoc patching of the kernel or userspace, including dynamically generated code.
Dynamically generated code also is very valuable for attackers because there is no guarantee that all such code is preserved (including timestamps for when the code was active) for forensic purposes. That may also be a strong motivation to prevent such use-cases.
Posted Oct 30, 2025 10:00 UTC (Thu) by taladar (subscriber, #68407)
Why is that so complicated?
That would probably run into the issue of JIT compilers again.
