lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 12 Oct 2021 21:00:26 +0200
From:   Matteo Croce <mcroce@...ux.microsoft.com>
To:     bpf@...r.kernel.org
Cc:     linux-kernel@...r.kernel.org, Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        Andrii Nakryiko <andrii@...nel.org>,
        Arnaldo Carvalho de Melo <acme@...nel.org>,
        Luca Boccassi <bluca@...ian.org>,
        "David S. Miller" <davem@...emloft.net>
Subject: [RFC bpf-next 0/2] bpf: sign bpf programs

From: Matteo Croce <mcroce@...rosoft.com>

Add a field in bpf_attr which contains a signature for the eBPF instructions.
The signature is validated bpf_prog_load() in a similar way as kernel modules
are checked in load_module().

This only works with CO-RE programs.
The signature is generated by bpftool and embedded into the light skeleton
along with the instructions.
The bpftool crypto code is based on sign-file, supports the same interface,
and is compiled only if libcrypto is available, to avoid potential breaks.

Possible improvements:
- Add a knob which makes the signature check mandatory,
  similarly to CONFIG_MODULE_SIG_FORCE
- Add a dedicate key_being_used_for type instead of using
  VERIFYING_MODULE_SIGNATURE, e.g. VERIFYING_BPF_SIGNATURE

This depends on the kernel side co-re relocation[1].

[1] https://lore.kernel.org/bpf/20210917215721.43491-1-alexei.starovoitov@gmail.com/

Matteo Croce (2):
  bpf: add signature to eBPF instructions
  bpftool: add signature in skeleton

 include/uapi/linux/bpf.h       |   2 +
 kernel/bpf/syscall.c           |  33 ++++-
 tools/bpf/bpftool/Makefile     |  14 ++-
 tools/bpf/bpftool/gen.c        |  33 +++++
 tools/bpf/bpftool/main.c       |  28 +++++
 tools/bpf/bpftool/main.h       |   7 ++
 tools/bpf/bpftool/sign.c       | 217 +++++++++++++++++++++++++++++++++
 tools/include/uapi/linux/bpf.h |   2 +
 tools/lib/bpf/skel_internal.h  |   4 +
 9 files changed, 336 insertions(+), 4 deletions(-)
 create mode 100644 tools/bpf/bpftool/sign.c

-- 
2.33.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ