Practical usage of eBPF as of the current codebase, and publicity...due to kernel signing

[mikeggh]

I am curious about Microsoft's current stance on a driver being signed which utilizes eBPF. While I understand that the existing test code base might not be accepted, I am exploring the possibility of additional signing, tied to a specific certificate from a company, to enable the public use of this technology. Is this something that could be accepted for a product in the near future, or is there a concern about potential security bugs and the risk of drivers being manipulated for malicious purposes? I am aware that some contributors are directly affiliated with Microsoft, making this a suitable platform to seek more information.

If there are already current publicly known drivers, or products then please give me more information. I have been unable to find any examples so far.

Thank you..

[dahavey]

Hi Mike,
eBPF for Windows uses standard Windows signing mechanisms that work with standard Windows delivery systems. There are two signing mechanisms that you can use. The first one WHQL as you have recognized above is used to sign for the Windows ecosystem and drivers signed in this manner can execute code on any Windows OS.
The second signing method linked below allows you to scope to a single company or tenant.
Azure Code Signing, democratizing trust for developers and consumers - Microsoft Community Hub
Thank you for your question!

[mikeggh]

Thank you for the response. I had no idea about the Azure Code Signing, and I'll follow up with the information. I am particularly considering it as a deliverable product for any Windows system though. It does however give me a direction for more targeted approaches..

My main concern is regarding Microsoft signing a driver (WHQL) for general usage on any system. In its current form, the driver could be signed and any eBPF code from any compiler could be used. This would also mean that I could find a company using the same drivers, and use their compiled, and signed driver to load my own eBPF thus being able to disable test signing. Would Microsoft currently allow this to take place? I know the project is fairly new and this is why I'm curious. Would they reject signing due to this concern? This would essentially extend the timeline of development for any projects, or products attempting to utilize eBPF due to this scenario.