One concern raised at netdev concerning XDP is how are we going to maintain code quality, security, and correctness of programs being loaded. With kernel bypass it is not just the kernel code path that is being bypassed, but also the processes that hold the quality of code being accepted to a high bar. Our users expect that quality to be maintained.
I suggest that we need XDP programs to be subject to the same scrutiny that any other kernel netdev code is. One idea is to sign programs that have been accepted into the kernel. By default only signed programs would be allowed to be loaded, the override to allow unsigned programs might be a kernel config or a least a boot parameter (enabling the override needs to be very explicit). The acceptable XDP programs should probably be under their own directory. Such a directory should only contain kernel code, not userspace code also as is currently in samples/bpf. A nice side effect of this model is when the same XDP programs are being used in non-Linux environments (HW offload, other OSes, etc.) the process could maintain quality expections in those environments also. Tom
