
> How can the kernel trust your offline verification?

You can use proof-carrying code. There is a residual "online" verification of course, but it ought to be quick and efficient.



You're right, but you're way ahead of me. I'd misunderstood the emphasis of the project, and was thinking I'd be a superuser, trusted by the kernel.


Well, you would still need "superuser" privileges for things like adding new capabilities to the proof verifier. Of course this might open you up to security problems if you're relying on incorrect assumptions while doing that. But then, this project also has trusted components of its own, such as the JIT. A proof verifier can be a lot simpler than a JIT.


> you would still need "superuser" privileges for things like adding new capabilities to the proof verifier.

You mean to upgrade eBPF itself? Well, of course. Same as any kernel upgrade.

> Of course this might open you up to security problems if you're relying on incorrect assumptions while doing that.

I don't follow. It's giving the system a full proof of safety. What assumptions are there? It seems very similar to Java's class verification, which doesn't suffer from issues with ungrounded assumptions.

> this project also has trusted components of its own, such as the JIT. A proof verifier can be a lot simpler than a JIT.

Interesting point. It might reduce the total amount of highly-trusted kernel code to approach things that way.
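As an added illustration of the proof-carrying-code idea raised in this thread (not code from any commenter, nor from the eBPF project), here is a toy loader-side checker: the untrusted producer ships the program together with a certificate of per-instruction register intervals, and the trusted kernel-side check only confirms that the certificate is inductive and that every load stays inside the packet. The instruction set, the 64-byte packet size and the all-zero entry state are constructed assumptions; the point is that the residual online check is linear and far simpler than the abstract interpreter that produced the certificate.

```python
PKT_LEN = 64                      # constructed: size of the packet buffer the program may read
UNKNOWN = (-(2**63), 2**63 - 1)   # interval for a register whose value the checker knows nothing about

def contains(outer, inner):       # every register interval of `inner` lies inside `outer`
    return all(o[0] <= i[0] and i[1] <= o[1] for o, i in zip(outer, inner))

def successors(pc, ins, st):
    """Abstract one instruction: returns (next_pc, state) pairs; raises on an unsafe load."""
    op, regs = ins[0], list(st)
    if op == "mov":                                   # mov rd, imm
        regs[ins[1]] = (ins[2], ins[2])
    elif op == "addi":                                # addi rd, imm
        regs[ins[1]] = tuple(v + ins[2] for v in regs[ins[1]])
    elif op == "ld":                                  # ld rd, [rs+off]: 8-byte load
        lo, hi = (v + ins[3] for v in regs[ins[2]])
        if lo < 0 or hi + 8 > PKT_LEN:
            raise ValueError(f"pc {pc}: load may touch [{lo}, {hi + 8}) outside the packet")
        regs[ins[1]] = UNKNOWN
    elif op == "jlt":                                 # jlt rs, imm, target: jump if rs < imm
        (lo, hi), out = regs[ins[1]], []
        for rng, nxt in (((lo, min(hi, ins[2] - 1)), ins[3]), ((max(lo, ins[2]), hi), pc + 1)):
            if rng[0] <= rng[1]:                      # this branch is feasible; refine rs on it
                out.append((nxt, tuple(rng if r == ins[1] else regs[r] for r in range(4))))
        return out
    elif op == "exit":
        return []
    return [(pc + 1, tuple(regs))]

def check(prog, cert):
    """Residual online check: linear in program size, no fixpoint iteration or widening."""
    if len(cert) != len(prog) or not contains(cert[0], ((0, 0),) * 4):  # entry: all regs 0
        return False
    try:
        for pc, ins in enumerate(prog):
            for nxt, st in successors(pc, ins, cert[pc]):  # certificate must be inductive
                if nxt >= len(prog) or not contains(cert[nxt], st):
                    return False
    except ValueError:                                # a load the certificate cannot bound
        return False
    return True

def st(r0, r1):                                       # state helper: r2 and r3 stay at 0
    return (r0, r1, (0, 0), (0, 0))

# Constructed program: read the packet 8 bytes at a time at offsets 0, 8, ..., 56.
PROG = [("mov", 1, 0), ("ld", 0, 1, 0), ("addi", 1, 8), ("jlt", 1, 57, 1), ("exit",)]
# Certificate computed offline (e.g. by a full abstract interpreter), one state per pc.
CERT = [st((0, 0), (0, 0)), st(UNKNOWN, (0, 56)), st(UNKNOWN, (0, 56)),
        st(UNKNOWN, (8, 64)), st(UNKNOWN, (57, 64))]
```

If the program is altered after the certificate was produced (for instance the loop bound changed so the last load runs past the packet), the certificate stops being inductive and the checker rejects it without ever having to recompute the analysis.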



