Message-ID: <87frj6l26a.fsf@trenco.lwn.net>
Date: Fri, 21 Mar 2025 11:32:45 -0600
From: Jonathan Corbet <corbet@....net>
To: Blaise Boscaccy <bboscaccy@...ux.microsoft.com>, David Howells
 <dhowells@...hat.com>, Herbert Xu <herbert@...dor.apana.org.au>, "David S.
 Miller" <davem@...emloft.net>, Paul Moore <paul@...l-moore.com>, James
 Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, Masahiro
 Yamada <masahiroy@...nel.org>, Nathan Chancellor <nathan@...nel.org>,
 Nicolas Schier <nicolas@...sle.eu>, Shuah Khan <shuah@...nel.org>,
 Mickaël Salaün <mic@...ikod.net>, Günther Noack <gnoack@...gle.com>, Nick
 Desaulniers <nick.desaulniers+lkml@...il.com>, Bill Wendling
 <morbo@...gle.com>, Justin Stitt <justinstitt@...gle.com>, Blaise Boscaccy
 <bboscaccy@...ux.microsoft.com>, Jarkko Sakkinen <jarkko@...nel.org>, Jan
 Stancek <jstancek@...hat.com>, Neal Gompa <neal@...pa.dev>,
 linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org,
 keyrings@...r.kernel.org, linux-crypto@...r.kernel.org,
 linux-security-module@...r.kernel.org, linux-kbuild@...r.kernel.org,
 linux-kselftest@...r.kernel.org, bpf@...r.kernel.org,
 llvm@...ts.linux.dev, nkapron@...gle.com, teknoraver@...a.com,
 roberto.sassu@...wei.com, xiyou.wangcong@...il.com
Subject: Re: [RFC PATCH security-next 1/4] security: Hornet LSM

Blaise Boscaccy <bboscaccy@...ux.microsoft.com> writes:

> This adds the Hornet Linux Security Module which provides signature
> verification of eBPF programs.
>
> Hornet uses a signature verification scheme similar to that of
> kernel modules. A pkcs#7 signature is appended to the end of an
> executable file. During an invocation of bpf_prog_load, the signature
> is fetched from the current task's executable file. That signature is
> used to verify the integrity of the bpf instructions and maps which
> were passed into the kernel. Additionally, Hornet implicitly trusts any
> programs which were loaded from inside the kernel rather than userspace,
> which allows BPF_PRELOAD programs along with outputs for BPF_SYSCALL
> programs to run.
>
> Hornet allows users to continue to maintain an invariant that all code
> running inside of the kernel has been signed and works well with
> light-skeleton based loaders, or any statically generated program that
> doesn't require userspace instruction rewriting.
>
> Signed-off-by: Blaise Boscaccy <bboscaccy@...ux.microsoft.com>
> ---
>  Documentation/admin-guide/LSM/Hornet.rst |  51 +++++

You will need to add that file to .../index.rst, or it won't be included
in the docs build.

Thanks,

jon

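To make the load-time flow described in the quoted cover letter concrete, here is an added Python model; it is not Hornet's code and not part of the patch. The trailer layout and magic string are assumptions modelled on the kernel-module appended-signature scheme, and an HMAC-SHA256 stands in for the PKCS#7 signature so the block runs with the standard library only.

```python
import hashlib
import hmac
import struct

# ASSUMED trailer layout, modelled on the kernel-module appended signature:
#   loader ELF bytes || signature || 4-byte big-endian signature length || MAGIC
# The magic string is a hypothetical marker, not one taken from Hornet.
MAGIC = b"~Hornet signature appended~\n"


def build_signed_loader(loader_elf: bytes, signature: bytes) -> bytes:
    """Append a signature trailer to a loader executable (constructed input)."""
    return loader_elf + signature + struct.pack(">I", len(signature)) + MAGIC


def split_appended_signature(exe: bytes) -> tuple:
    """Return (loader_elf, signature); raise ValueError if the trailer is bad."""
    if not exe.endswith(MAGIC):
        raise ValueError("no appended signature")
    body = exe[: -len(MAGIC)]
    if len(body) < 4:
        raise ValueError("truncated trailer")
    (sig_len,) = struct.unpack(">I", body[-4:])
    body = body[:-4]
    if sig_len == 0 or sig_len > len(body):
        raise ValueError("bad signature length")
    return body[:-sig_len], body[-sig_len:]


def program_digest(insns: bytes, maps: list) -> bytes:
    """Hash the BPF instructions and map contents the signature covers;
    maps are length-prefixed so their boundaries cannot be shifted."""
    h = hashlib.sha256(insns)
    for m in maps:
        h.update(struct.pack(">I", len(m)) + m)
    return h.digest()


def sign_program(key: bytes, insns: bytes, maps: list) -> bytes:
    """HMAC-SHA256 stands in for the PKCS#7 signature (stdlib only)."""
    return hmac.new(key, program_digest(insns, maps), "sha256").digest()


def bpf_prog_load_allowed(key, task_exe, insns, maps, from_kernel=False):
    """Decision the LSM hook would make at bpf_prog_load time."""
    if from_kernel:  # kernel-originated loads (e.g. BPF_PRELOAD) are trusted
        return True
    try:
        _, sig = split_appended_signature(task_exe)  # from the current task
    except ValueError:
        return False
    # Any userspace rewrite of insns/maps after signing fails this check.
    return hmac.compare_digest(sig, sign_program(key, insns, maps))
```

The last assertion-style case worth trying is a loader that patches instructions after signing: the digest changes and the load is refused, which is the reason the cover letter points at light-skeleton style loaders.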