01-05-2022 TSC Meeting Minutes
Attendees & Representation
Name | Company |
@Daniel Havey | Microsoft |
@Eric Tice | Wipro |
@VM (Vicky) Brasseur | Wipro |
@Brian Merrell | Walmart |
@Karan Dalal | Walmart |
@Balachandra Kamat | Wipro |
@Dave Thaler | Microsoft |
Divya Reddy | Walmart |
@Jason Niesz | Walmart |
@Satya Pradhan | |
@Kanthi Pavuluri | |
LF Staff: @LJ Illuzzi
Agenda
Meeting note taker
Welcome to new attendees
Cross-platform signing
Private Enterprise Number (PEN) Request for L3AF - Application submitted 12/27
Developer and Testing Forum in January 2022 (virtual event)
Topic submission - L3AF: eBPF for Windows and Cross Platform eBPF programs
Tuesday Jan 11, 08:15am to 08:45am noon ET
LFN Induction
General Topics (cover as needed)
Use Cases
Roadmap
Project structure
Governance
Technical Steering Committee
Minutes/Updates
Cross-platform signing proposal:
Discuss on this list (if needed)
Discuss on the patch (required)
Details:
Matteo Croce from Microsoft joined today’s TSC call (excellent notes here, thanks to Daniel’s speedy fingers) to introduce and discuss his BPF patch to support cross-platform signing. Unfortunately, several key people were unable to make it to today’s call (that’s the holidays for you), so Matteo was able to introduce his patch but we weren’t able to get into a deep conversation about it.
A summary of today’s discussion: Matteo’s patch is cross-platform and will allow for signed BPF programs to be distributed remotely. Soon after Matteo’s patch, Alexei (maintainer of BPF) sent over a separate patch for signing BPF programs. It relies on an approve-list(*) as well as on Linux’s fs verity (meaning it’s not cross-platform).
The full discussion is in the recording of today’s call. Please give it a listen.
We were going to have an in-depth discussion of this be the topic of the next TSC call, but it seems Matteo’s patch is time-sensitive. Since the next call is January 5th, we’ll need people to have a look at the patch, the conversation in response to it, and then come up with an opinion based upon L3AF and its needs. That opinion should be expressed in the conversation on the patch.
Cross-platform signing
DaveT: Was anybody able to review the patch?
Brian: Went through the conversation
DaveT: Topic will be discussed in the eBPF foundation BSC meeting. 1 week from today L3AF will be presenting. Next meeting - design of signing needs to be cross-platform.
Two proposals:
Matteo's - cross-platform, very well aligned with L3AFd.
Would be helpful if the L3AF community supported this proposal
Other - approved list of binaries (Linux centric)
Can load anything that is on the authorized list.
Does not meet L3AF or eBPF for Windows needs.
Would be fine if both were merged
DaveT: Cisco's (Chris) opinion would be very helpful
Weigh in on the Linux discussion group and on the BSC call.
Karan could add a bullet point to presentation - collective opinion of the L3AF community.
Brian: Add a point in your document about this?
Matteo's original patch was a config option to add only signed programs.
Alexei's other patch is moving forward
John Fastabend (on Linux discussion) and Luca agreed that the features needed by MSFT could be implemented inside of libbpf and as an eBPF program
This conversation ended on Dec. 9th (Before Matteo presented at L3AF)
DaveT: Meeting with Matteo after this call
Brian: L3AF could include the signing eBPF program as part of its eBPF program chain. (According to discussion on Linux group)
Vicky: Invite Matteo to next week's meeting.
Have L3AF call next week to discuss signing before BSC meeting.
Louis: Will not be at the L3AF call next week but will give the keys to an appropriate host.
Brian: L3AF Kernel Marketplace
DaveT suggests adding this as a PR for line-level comments (Brian will do)
DaveT: Kernel functions only disallows eBPF programs that can be uploaded to NICs. Suggest a name change.
Vicky: Suggest package manager as a concept for the name. Define broadly. Names have power.
DaveT: The name implies scope.
Brian: What should we name it?
eBPF is difficult to say and will probably need an acronym.
Vicky: eBPF Package Manager == EPM
Karan: EPM / eBPF package manager does make a lot of sense, in terms of scope
Brian: is the Kernel Function Marketplace part of the L3AF project?
May make sense to migrate to its own project.
In the future a platform agnostic place may be apropos for the EPM
Vicky: L3AF could be its initial client. This could really help L3AF. Define it as something standardized that a package manager can use.
This way the EPM would be a force to increase L3AF adoption and help us push towards standardization for both EPM and L3AF.
DaveT: Benefits to both ways of doing this:
Inside L3AF then it is closely located with all the other parts of L3AF. This could help widen the scope of L3AF.
Outside L3AF then it can include things that do not work with the current version of L3AF.
There isn't a BSC opinion yet. It is forming now.
Distinguish between L3AFd and eBPF.
Answer: What is the L3AF project?
Today it is the L3AFd, but in the future we will expand scope.
Vicky: EPM should be outside L3AF because there will be others working on it.
DaveT: Is it part of one of these or both?
Thing that LF sanctions - L3AFP (legal entity)
L3AFp - Github repo
DaveT: eBPF code signing portion in additional bullet point in the lifecycle management section.
Brian: 2 different layers of signing
Package contribs of compiled source code (signed). This is app layer packaging.
Signing of eBPF programs.
Doc only currently talks about package signing
DaveT: Please put that in proposal.