Open dthaler opened 2 years ago
Proposal is to require gatekeeper to be in native (not JIT) mode, and introduce a service dependency from ebpfcore.sys to the native gatekeeper if any exists.
This is related to issue #182 and indeed a solution might address both.
Describe the feature you'd like supported
As noted in my eBPF Summit talk https://ebpf.io/summit-2022 on "Signed eBPF Programs: A Cross-Platform Analysis", the gatekeeper concept would apply to Windows.
Proposed solution
A gatekeeper hook would ideally need to run prior to relocation, which today is done in ebpfsvc. That means either a gatekeeper needs to run in ebpfsvc or else make a kernel call to run the gatekeeper in the kernel execution context, prior to submitting the program to the kernel.
Additional context
No response
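
Why the hook needs to see the program before relocation, as an added example that is not part of the original issue or the project's code: it assumes the gatekeeper compares a digest taken over the program bytes as they were signed. `relocate`, `gatekeeper_allows`, `load_allowed`, the sample program, the handle value `0x7f` and the FNV-1a stand-in for a real signature check are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Standard 8-byte eBPF instruction encoding. */
struct insn { uint8_t opcode; uint8_t regs; int16_t off; int32_t imm; };

#define OP_LDDW       0x18  /* 64-bit immediate load, occupies two slots */
#define PSEUDO_MAP_FD 1     /* src_reg value marking a map reference */

/* FNV-1a, a stand-in for the real digest/signature check (assumption). */
static uint64_t digest(const struct insn *p, size_t n) {
    const uint8_t *b = (const uint8_t *)p;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n * sizeof *p; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Hypothetical relocation step: patch each map reference with a runtime handle. */
static void relocate(struct insn *p, size_t n, int32_t handle) {
    for (size_t i = 0; i < n; i++)
        if (p[i].opcode == OP_LDDW) {
            if ((p[i].regs >> 4) == PSEUDO_MAP_FD) p[i].imm = handle;
            i++; /* skip the second slot of lddw */
        }
}

/* Hypothetical gatekeeper: allow only bytes matching the signed digest. */
static int gatekeeper_allows(const struct insn *p, size_t n, uint64_t signed_digest) {
    return digest(p, n) == signed_digest;
}

/* Constructed sample program: r1 = map reference; r0 = 0; exit */
static const struct insn SAMPLE[] = {
    {OP_LDDW, 0x11, 0, 0}, {0, 0, 0, 0}, {0xb7, 0x00, 0, 0}, {0x95, 0, 0, 0},
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

/* Run the load path with the gatekeeper placed before or after relocation. */
int load_allowed(int relocate_first) {
    struct insn prog[SAMPLE_LEN];
    uint64_t signed_digest = digest(SAMPLE, SAMPLE_LEN); /* taken at signing time */
    memcpy(prog, SAMPLE, sizeof SAMPLE);
    if (relocate_first) relocate(prog, SAMPLE_LEN, 0x7f);
    return gatekeeper_allows(prog, SAMPLE_LEN, signed_digest);
}
```

With the gatekeeper first, the unmodified program matches its signed digest; once relocation has patched the map reference, the same check rejects an otherwise legitimate program.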